The 'arc-status' field is a critical component of the Authenticated Received Chain (ARC) protocol, but to understand its role, we first need to understand the problem ARC was designed to solve. When an email is sent directly from a sender to a recipient, authentication checks like SPF and DKIM work perfectly. However, the moment an intermediary, like a mailing list or a forwarding service, gets involved, these checks often break. The intermediary might change the email's content or send it from its own servers, causing SPF and DKIM to fail at the final destination.
ARC was developed to fix this. It creates a chain of custody for email authentication results, allowing a receiving mail server to verify the authenticity of an email even after it has been forwarded.
The ARC header set
ARC works by adding three specific email headers at each step (or 'hop') of the email's journey through an intermediary server. Each server that handles the email and supports ARC will add its own 'set' of these headers, creating a verifiable chain. These headers are:
- ARC-Authentication-Results (AAR): This header is the most important for our discussion. It records the authentication results (SPF, DKIM, DMARC) as seen by the intermediary server. It includes an instance tag (i=1, i=2, etc.) to indicate its position in the chain.
- ARC-Message-Signature (AMS): This is a DKIM-like signature that covers the message's content, including headers. It allows the next hop to verify that the message itself hasn't been altered in a way that would invalidate the original DKIM signature.
- ARC-Seal (AS): This is another DKIM-like signature that covers the previous ARC headers. It 'seals' the ARC-Authentication-Results and ARC-Message-Signature, creating a tamper-proof link in the chain.
What is the 'arc-status' field?
The arc-status field is a specific property found within the ARC-Authentication-Results header. While other parts of the header record the SPF and DKIM results, the arc-status reports on the health of the ARC chain itself. It tells the receiving server whether the ARC headers from the previous hop were valid.
According to the official IETF drafts, the purpose is to record the ARC status in a way that can be evaluated. When a server processes an email with ARC headers, it validates the ARC-Seal from the previous hop. The result of that validation is then recorded in the arc-status field of the new ARC-Authentication-Results header it adds.
Possible values for 'arc-status'
The arc-status field (often shown as arc=pass in the header) has a few key values:
- arc=none: This is the value used by the very first server in the chain (i=1). Since there are no prior ARC headers to validate, the status is 'none'.
- arc=pass: This means the server successfully validated the ARC-Seal of the previous hop. The chain is intact and trustworthy up to this point.
- arc=fail: This indicates that the validation of the previous hop's ARC-Seal failed. The ARC chain is broken, and the authentication results from earlier in the chain cannot be trusted. This could be due to tampering by an untrusted intermediary.
Why does 'arc-status' matter for deliverability?
The final receiving mail server makes its delivery decision based on all available signals. When a forwarded email arrives, its SPF and DKIM checks might fail.
However, if the server sees a valid ARC chain, it can look at the most recent ARC-Authentication-Results header and check the arc-status. If that status is pass, it can trust the entire chain. The server can then look all the way back to the very first ARC-Authentication-Results header (i=1) and use the original, passing SPF and DKIM results to inform its DMARC evaluation. This allows a legitimate, forwarded email to pass DMARC and land in the inbox, whereas without ARC, it might have been rejected or sent to spam.
In short, the arc-status is the seal of approval for each link in the chain, enabling ARC to reliably preserve authentication results and significantly improve email deliverability for complex mail flows.
What ARC header field indicates the chain validation status?
What is the ARC-Authentication-Results header used for?
What ARC header indicates the chain of authentication results?
What is the 'arc-authenticated-results' header?
What is the 'ARC-Message-Signature' header used for?
What is the role of the 'Authentication-Results' header in ARC?
