Email forwarding is a common practice, used by mailing lists, personal forwarding services, and even some corporate setups. While incredibly useful, it historically presented a significant challenge for email authentication protocols like DMARC, SPF, and DKIM. Often, a legitimate forwarded email would fail these checks because its originating details were altered during the forwarding process.
This is where Authenticated Received Chain (ARC) comes into play. ARC acts as a crucial layer of trust, preserving the authentication results of an email as it travels through multiple intermediaries. The 'chain' concept is central to ARC's ability to maintain DMARC validation, even when legitimate forwarding would otherwise break it.
The challenge of email forwarding and DMARC
The challenge of email forwarding and DMARC
Traditional email authentication methods, such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), are designed to verify the sender's identity at the point of initial transmission. SPF checks if the sending IP address is authorized by the domain owner. DKIM uses a cryptographic signature to ensure the email content hasn't been tampered with and that the sender is legitimate. However, these methods can break down when an email is forwarded.
When an email is forwarded, the forwarding server often changes the 'sending' IP address to its own, which causes the original SPF check to fail. Furthermore, mailing lists sometimes modify the email's subject or body, which invalidates the original DKIM signature. Since DMARC (Domain-based Message Authentication, Reporting & Conformance) relies on SPF and DKIM alignment, these failures can lead to DMARC policies incorrectly marking legitimate forwarded emails as fraudulent.
This scenario creates a significant problem for email deliverability. Legitimate emails sent through forwarding services or mailing lists might be rejected, quarantined, or sent to the spam folder, even though they originated from an authenticated sender. This is the core issue that ARC was developed to address, by providing a way to preserve authentication results across multiple hops.
What is authenticated received chain (ARC)?
What is authenticated received chain (ARC)?
ARC, or Authenticated Received Chain, is an email authentication protocol that allows intermediate mail servers to attest to the authentication status of an email before they process and potentially alter it. It provides a transparent, verifiable chain of custody for an email message, helping recipient servers make informed delivery decisions.
Its primary purpose is to preserve the authentication results. This way, if an email legitimately fails SPF or DKIM after being forwarded (e.g., by a mailing list), the receiving mail server can look at the ARC chain. If the chain is valid, it can infer that the original sender was authenticated and that the intermediate changes were legitimate, thus bypassing a DMARC failure.
An ARC-aware server will add three main headers to an email. These headers encapsulate the message's authentication state. To understand their structure and purpose, you can read more about the three main ARC header fields. They include:
ARC-Authentication-Results: Captures the authentication results (like SPF, DKIM, and DMARC) at the point the ARC signer received the email.
ARC-Message-Signature (AMS): A DKIM-like signature over immutable parts of the message and the ARC-Authentication-Results header.
ARC-Seal (AS): A signature over all the previous ARC headers (including the AMS and AS of the previous hop) and a hash of the current message. This is the crucial element that forms the ARC seal header that links the chain together.
ARC's foundational role
Augments DMARC: ARC doesn't replace DMARC, SPF, or DKIM. Instead, it provides an additional layer of trust. Learn more about how ARC augments DMARC.
Improves deliverability: Crucial for maintaining good email deliverability, especially for organizations that use mailing lists or forwarders.
Maintains reputation: Helps prevent legitimate emails from being incorrectly flagged as spam, protecting sender reputation.
Dissecting the ARC chain
Dissecting the ARC chain
The 'chain' in ARC refers to a sequence of cryptographic endorsements. As an email travels from its original sender through one or more intermediate servers (like a mailing list or a forwarding service), each ARC-enabled intermediary adds a new set of ARC headers to the message. Each set of headers acts as a 'link' in the chain.
When an intermediate server receives an email, it first checks the existing authentication results (SPF, DKIM, DMARC). It then takes a snapshot of these results, along with the message headers and body. This snapshot is cryptographically signed and added as the ARC-Authentication-Results and ARC-Message-Signature headers. Finally, it creates an ARC-Seal header that signs the entire previous ARC chain, along with aspects of the current message. This ARC header indicates the chain of authentication results.
This process is repeated by every ARC-aware intermediary. Each server adds a new set of ARC headers on top of the existing ones, creating a chronological, verifiable trail. This chain allows the final recipient mail server to see not just the immediate authentication results, but also the history of authentication as the email passed through various trusted entities.
Validating the ARC chain
Validating the ARC chain
When an email arrives at the final destination server, it checks the ARC chain starting from the most recent ARC-Seal header. It validates the cryptographic signature of this seal. If valid, it then verifies the previous ARC-Seal, and so on, working its way back through each link in the chain to the original sender. This ensures that no intermediate server has tampered with the message or falsified the authentication history.
If all the ARC-Seal signatures in the chain are cryptographically valid, the entire chain is considered intact and trustworthy. The receiving server can then use the original authentication results (from the bottom of the chain) to inform its DMARC policy decision, even if the SPF or DKIM failed on arrival due to forwarding.
The outcome of this validation is indicated by the cv (chain validation) tag within the ARC-Authentication-Results header. A cv=pass means the chain is good. A cv=fail indicates a broken chain. You can further explore what ARC header field indicates the chain.
ARC significantly improves the handling of legitimate emails sent via intermediaries. It helps solve the problem of DMARC failing for mail from forwarding services and mailing lists. This means fewer legitimate emails end up in spam folders or are rejected outright, which is a huge win for both senders and recipients. You can learn more about implementing ARC.
By preserving authentication context, ARC reduces false positives in spam filtering and helps maintain a sender's good domain reputation. This is vital for overall email deliverability and ensuring your communications reach their intended audience. It's an essential component for robust email security today.
For effective DMARC monitoring and managing your email authentication, including ARC, SPF, and DKIM, a robust platform is essential. Suped offers AI-powered recommendations and real-time alerts to simplify complex issues, along with a unified platform for comprehensive email security and deliverability insights. With our generous free plan, you can start monitoring your DMARC records and see the impact of ARC on your email flow immediately.
Scenario
DMARC outcome (without ARC)
DMARC outcome (with ARC)
Legitimate email, forwarded
Often fails DMARC due to SPF/DKIM breaks
DMARC passes, preserving original authentication
Spam email, forwarded
Might pass if DMARC policy is p=none
Still fails if original email was not authenticated
Mailing list email
High risk of DMARC failure due to changes
Significantly improves DMARC pass rates
Strengthening email security with ARC
Strengthening email security with ARC
The ARC 'chain' concept is a critical advancement in email security, specifically designed to bridge the gap between DMARC's strict authentication requirements and the realities of email forwarding. It provides a mechanism for maintaining trust and context across legitimate email relays, preventing good emails from being mistakenly blocked or marked as spam.
By creating a verifiable history of an email's authentication status, ARC ensures that legitimate messages are not incorrectly flagged, thereby safeguarding your sender reputation and improving deliverability. It's an indispensable component for any organization that wants to ensure its communications reach their intended recipients, especially when dealing with complex email flows involving intermediaries.
Implementing and monitoring ARC, alongside SPF and DKIM, is a best practice for any organization serious about email deliverability. Tools like Suped provide detailed DMARC monitoring and reporting, helping you to understand and act on ARC validation results, ensuring your emails reach their intended inboxes consistently. Our AI-powered recommendations guide you in leveraging ARC to enhance your email security posture.
