The 'arc-method' field is a component within an email's Authentication-Results header. It indicates the validation status of the Authenticated Received Chain (ARC) for that message. In simple terms, ARC is an email authentication protocol designed to preserve the original authentication results (like SPF, DKIM, and DMARC) even when an email is forwarded or passes through an intermediary, like a mailing list.
When an email is forwarded, the authentication can break. The 'arc-method' tells the final receiving server whether the chain of custody established by ARC is intact and trustworthy.
The biggest challenge ARC was created to solve is the failure of authentication in indirect mailflows. When you send an email directly from your server to a recipient's server, SPF and DKIM validation is straightforward. However, when an intermediary is involved, things get complicated.
Mailing lists are a classic example. When you send a message to a list, the list's server receives it and then sends a new copy to all subscribers. This breaks the original authentication:
When both SPF and DKIM fail, the message will also fail its DMARC check, making it highly likely to be marked as spam or rejected. ARC provides a way for the mailing list server to sign the email with its own headers, preserving the original authentication results in a verifiable way. The final recipient's server can then check this ARC chain and see that the email was originally legitimate before it was forwarded.
When a server that understands ARC processes a message, it adds a set of special ARC headers. But the 'arc-method' itself appears later. After a message passes through all intermediaries, the final receiving mail server performs all its authentication checks. It checks SPF, DKIM, DMARC, and it also validates the entire ARC chain present in the headers.
The receiving server then adds a final Authentication-Results header summarising all its findings. This is where you find the 'arc-method'. If the ARC chain was cryptographically sound, the server will add arc=pass to this header. If it was broken or invalid, it will add arc=fail.
Therefore, seeing arc=pass in an Authentication-Results header is a strong signal. It tells the receiving system, "Even though SPF and DKIM alignment might have failed at this final hop, I have validated a chain of trust back to when the message did pass authentication."
This allows receiving systems like Gmail and Microsoft to make a more informed decision and deliver the email, rather than rejecting it based on a DMARC failure that was caused by a legitimate forwarder.
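As an added example (not code from the original page), this Python sketch reads the arc result next to spf, dkim and dmarc from the Authentication-Results header the final receiver wrote, and ignores headers written by any other host. The sample message, the hostnames, the authserv-id `mx.receiver.example`, the comment format after `arc=pass` and the three labels returned by `classify` are all constructed for illustration.

```python
import email
from email import policy
import re

# Constructed sample: list-forwarded mail as stored by the final receiver.
# All hostnames, including the authserv-id "mx.receiver.example", are made up.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=fail smtp.mailfrom=author.example;
 dkim=fail header.d=author.example;
 dmarc=fail header.from=author.example;
 arc=pass (i=1 spf=pass dkim=pass dmarc=pass)
Authentication-Results: mx.untrusted.example; arc=pass
From: Alice <alice@author.example>
Subject: [list] hello

body
"""

def auth_results(raw, trusted_authserv_id):
    """Return {method: result} from the topmost header our own receiver wrote."""
    msg = email.message_from_string(raw, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = str(value).partition(";")
        if authserv_id.lower().split()[:1] != [trusted_authserv_id]:
            continue  # written by some other host: not evidence for us
        # Drop (comments) first: the arc comment repeats spf=/dkim=/dmarc=
        # values from an earlier hop that must not be read as this hop's.
        rest = re.sub(r"\([^()]*\)", "", rest)
        results = {}
        for resinfo in rest.split(";"):
            fields = resinfo.split()
            if fields and "=" in fields[0]:
                method, _, result = fields[0].partition("=")
                results.setdefault(method.lower(), result.lower())
        return results
    return {}

def classify(results):
    """Name the situation; the delivery decision itself stays local policy."""
    if results.get("dmarc") == "pass":
        return "dmarc-pass"
    if results.get("arc") == "pass":
        return "indirect-flow-arc-pass"
    return "no-valid-arc"

if __name__ == "__main__":
    r = auth_results(SAMPLE, "mx.receiver.example")
    print(r, classify(r))
```

The authserv-id filter matters because any upstream host can insert its own Authentication-Results header claiming arc=pass; only the one written by your own receiving server reflects a validation you can rely on.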