Does ARC replace SPF, DKIM, or DMARC?

No, ARC does not replace SPF, DKIM, or DMARC. Instead, it works with these protocols to maintain email authentication across forwarding hops, preventing legitimate emails from failing DMARC after being modified in transit. It provides a chain of custody for authentication results.

What is the difference between Authentication-Results and ARC-Authentication-Results?

The standard Authentication-Results header records the authentication results (SPF, DKIM, DMARC) of the immediate receiving server. The ARC-Authentication-Results header is a signed copy of a previous Authentication-Results header, embedded within the ARC chain to preserve historical authentication data for forwarded emails.

How can I check if ARC is working for my emails?

You can inspect the email headers of messages you send through forwarding services or mailing lists. Look for the ARC-Authentication-Results, ARC-Seal, and ARC-Message-Signature headers. A valid ARC chain will have a matching ARC-Status field (e.g., arc=pass) within the ARC-Authentication-Results header. Tools like Suped can also help you monitor DMARC reports, which often indicate ARC validation outcomes.

What are the three main ARC headers?

The three main ARC header fields are: ARC-Authentication-Results , ARC-Seal , and ARC-Message-Signature . Each plays a distinct role in creating an authenticated chain of custody for an email.

What is the ARC-Authentication-Results header used for? - ARC - Email authentication - Knowledge base

An illustration showing an email passing through multiple servers, each adding an ARC seal to maintain authentication.

The ARC-Authentication-Results header plays a crucial role in modern email authentication, especially when messages are forwarded or pass through mailing lists. Without it, legitimate emails could easily fail checks like DMARC and be sent to spam. It provides a mechanism to preserve the original authentication results, allowing recipient mail servers to make informed decisions about an email's legitimacy, even after alterations have been made during transit.

This header is one of the three main components of the Authenticated Received Chain (ARC) protocol, alongside ARC-Seal and ARC-Message-Signature. These work in concert to create a verifiable chain of custody for an email, assuring that any changes made en route are transparently recorded and authenticated. Essentially, it allows intermediate mail handlers, like forwarding services, to sign their modifications to an email without invalidating the sender's original authentication, preventing legitimate emails from being incorrectly flagged as spam or phishing attempts.

Understanding this header is crucial for anyone managing email deliverability or implementing robust security measures. By properly interpreting its contents, you can diagnose issues with forwarded emails, ensure your legitimate messages reach the inbox, and maintain a strong sender reputation.

Understanding the email authentication chain

Purpose of ARC-Authentication-Results header

The primary purpose of the ARC-Authentication-Results header is to capture and transmit the authentication results of an email at each hop in its journey. When an email server receives a message, it performs standard authentication checks like SPF, DKIM, and DMARC. These results are then recorded in a standard Authentication-Results header. However, if the email is then forwarded or processed by a mailing list, the original authentication can break. For example, a forwarding server might change the "From" address or the message body, causing subsequent SPF or DKIM checks to fail.

This is where ARC steps in. Instead of just passing on the potentially failed authentication, ARC captures the Authentication-Results header from the previous hop and includes it within the ARC chain. This allows the final recipient server to see the original, legitimate authentication status of the email before any forwarding or list processing occurred. This historical record is essential for distinguishing between legitimate forwarded mail and malicious spoofed emails. Without ARC, many legitimate emails from mailing lists or forwarded accounts would unfairly end up in spam folders due to authentication failures after modifications in transit.

How ARC resolves forwarding issues

The ARC-Authentication-Results header is fundamental for preventing false negatives in email authentication. It acts as a trusted intermediary, allowing the recipient server to trust the authentication results from a previous hop, even if the current hop's direct authentication fails. This mechanism is critical for maintaining email deliverability for forwarded mail and mailing list subscribers.

Original Authentication: The initial receiving server authenticates the email (SPF, DKIM, DMARC) and generates an Authentication-Results header.
ARC Sealer Processing: A forwarding service or mailing list (an ARC Sealer) processes the email. It takes the previous Authentication-Results header and embeds it into the ARC-Authentication-Results header. It also creates a new ARC-Message-Signature header and an ARC-Seal header, adding its own signature.
Recipient Server Validation: The final recipient server checks the ARC chain. If the current authentication fails but the ARC chain is valid and shows original authentication passed, the email is more likely to be delivered to the inbox.

Anatomy of the header

Components of the ARC-Authentication-Results header

The ARC-Authentication-Results header is essentially a snapshot of the standard Authentication-Results header at a specific point in the email's journey. It contains various tags that provide details about the authentication checks performed by the previous ARC-Sealer.

Example ARC-Authentication-Results headerplain

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@example.com header.s=s1 header.b=AbCdEfGh;
       spf=pass (google.com: domain of user@example.com designates 203.0.113.42 as permitted sender) smtp.mailfrom=user@example.com;
       dmarc=pass (p=quarantine sp=quarantine dis=none) header.from=example.com

Key elements you will typically find within this header include:

Chain Index (i): Indicates the position of this ARC entry in the authentication chain. It increments with each ARC-Sealer.
Authentication Domain: The domain that performed the authentication checks, such as mx.google.com.
DKIM Results: Shows whether the DKIM check passed or failed, along with details like the signing domain (header.i) and selector (header.s). You can find more details about DKIM issues on our knowledge base.
SPF Results: Details the SPF check, including the sender domain and IP address that was validated.
DMARC Results: Indicates the DMARC policy applied (p=), subdomain policy (sp=), and any disposition (dis=).
ARC Status (arc=): This field, often arc=none or arc=pass, confirms the validation status of the ARC chain itself. You can learn more about the arc-status field here.

Each ARC-Authentication-Results header essentially acts as a signed receipt from a previous mail server, vouching for the email's authenticity at that point in time.

Impact on email deliverability

How receiving servers use this header

An email server analyzing ARC seals to determine the legitimacy of a forwarded email.

When a recipient mail server receives an email, it first performs its own email authentication checks. If these checks, particularly SPF and DKIM, fail due to forwarding or list processing, the server then looks for ARC headers. It reconstructs the ARC chain using the ARC-Seal, ARC-Message-Signature, and ARC-Authentication-Results headers. The final server validates the chain by verifying the cryptographic signatures in each ARC-Seal, ensuring that the chain hasn't been tampered with and that each sealer is trusted.

If the ARC chain is valid, the recipient server can then inspect the ARC-Authentication-Results header from the most recent trusted ARC-Sealer to see the original authentication status. This allows the DMARC policy of the sender to be respected, even if direct authentication fails. For instance, Microsoft Defender and other major mail providers utilize ARC to enhance their spam filtering and ensure legitimate forwarded emails are delivered. Without ARC, legitimate messages, particularly those sent through mailing lists that modify the message, would often fail DMARC and be blocked or sent to spam.

Without ARC

DMARC Failure: Forwarded emails often fail DMARC verification because their SPF or DKIM alignment is broken by intermediate servers.
Poor Deliverability: Legitimate messages from mailing lists or forwarded accounts are frequently marked as spam or rejected.
Sender Reputation Damage: Sender domains might suffer from reduced trust due to high volumes of DMARC failures, impacting all their email campaigns. We have a practical guide to understanding domain reputation.

With ARC

Preserved Authentication: The ARC chain provides a verifiable history of authentication results, even if the email has been modified by trusted intermediaries.
Improved Deliverability: Legitimate emails are more likely to reach the inbox, reducing false positives in spam filtering.
Enhanced Trust: Recipient servers can trust the chain of custody, ensuring that emails that were originally authenticated remain trusted.

Ensuring smooth email flow

Monitoring ARC with Suped

Implementing and monitoring ARC (Authenticated Received Chain) is a critical step for organizations sending emails through complex routing, like those using forwarding services or large mailing lists. Suped provides comprehensive DMARC monitoring that includes insights into ARC. Our platform helps you visualize the authentication status of your emails, including those where ARC plays a role in preserving deliverability.

With Suped, you can analyze your DMARC reports to understand how ARC is impacting your email flow. We highlight when ARC is successfully preserving authentication for emails that might otherwise fail. Our platform offers AI-powered recommendations to address any authentication issues, ensuring your legitimate emails consistently reach their intended recipients. Furthermore, our unified platform brings together all aspects of email security, making it simple to manage DMARC, SPF, DKIM, and deliverability from a single dashboard.

Whether you are an SMB or an MSP managing multiple client domains, Suped simplifies the complexities of email authentication. Our generous free plan provides access to essential DMARC monitoring tools, allowing you to quickly identify and fix issues. Our SPF flattening feature also ensures you stay within SPF lookup limits, further boosting your email deliverability. Don't let forwarded emails end up in spam. Use Suped to maintain trust and ensure your messages always reach the inbox.

Key takeaway

The ARC-Authentication-Results header is a vital component of the Authenticated Received Chain protocol, providing a transparent and verifiable history of an email's authentication status. It ensures that legitimate emails, even after being forwarded or processed by mailing lists, can still pass DMARC checks and reach their intended recipients. By understanding and utilizing ARC, organizations can significantly improve their email deliverability and protect their sender reputation from the pitfalls of intermediate mail handling. Monitoring your ARC data, especially through a platform like Suped, provides the insights needed to maintain robust email security and optimal inbox placement.