Suped

What is the purpose of the ARC 'a=' tag?

The Authenticated Received Chain (ARC) protocol is a crucial email authentication standard designed to address a common problem that plagues mailing lists and forwarding systems. When an email is forwarded, it often fails SPF and DKIM checks at the final destination, even if it was perfectly legitimate when it was first sent. This happens because the forwarding server changes the sending IP address (breaking SPF) and can sometimes modify the content, for example by adding a footer (breaking the DKIM signature). ARC was developed to solve this exact issue. It creates a chain of custody for email messages, allowing each server that handles the message to see the authentication results from the previous 'hop'.

The protocol works by adding a new set of headers to an email at each step of its journey. The purpose of these headers is to preserve the initial authentication results, so the final receiving server can make a more informed decision, even if its own direct SPF and DKIM checks fail.

The ARC-Authentication-Results header

At the heart of the system is the ARC-Authentication-Results header. When a forwarding server or mailing list receives an email, it first performs the standard SPF, DKIM, and DMARC checks. It then records these results in a new ARC-Authentication-Results header that it prepends to the email before sending it on. This is where the a= tag comes into play.

The purpose of the a= tag

The a= tag contains the results of the authentication validation performed by that intermediary server. Think of it as a snapshot of the email's authentication status at that point in its journey. This tag is essentially a copy of the original Authentication-Results header that the intermediary would have produced.

For example, the header might look something like this:

ARC-Authentication-Results: i=1; mx.forwarder.com; dkim=pass header.i=@originalsender.com; spf=pass smtp.mailfrom=@originalsender.com; dmarc=pass

Here, the a= tag isn't explicitly shown because the entire string represents the authentication results that are cryptographically sealed. The information within this header (dkim=pass, spf=pass) is what is preserved. The purpose of this tag is to:

  • Preserve results. It captures the results of SPF, DKIM, and DMARC checks from the moment the email entered the forwarding system.
  • Provide context. It allows the final receiving server to see that the email *was* properly authenticated before being forwarded. This helps distinguish a legitimate, forwarded email from a spoofed one.
  • Enable trust. When combined with the other ARC headers (the ARC-Seal and ARC-Message-Signature), it creates a verifiable, tamper-proof record.
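The preserved results can be read back mechanically from the header format shown above. The following Python is an added example, not code from Suped or from any ARC library: it parses ARC-Authentication-Results headers, indexes them by their i= instance number, and reports what the first hop recorded. The i=2 header, the host name mx.list.example and the function names are assumptions made for illustration, and the parser is simplified (it does not handle quoted strings or nested comments).

```python
import re

# Constructed sample. The i=1 header is the page's example; the i=2 header
# (folded across two lines, host name made up) is added for illustration.
SAMPLE_HEADERS = [
    "ARC-Authentication-Results: i=2; mx.list.example; dkim=fail header.i=@originalsender.com;\r\n"
    "\tspf=fail smtp.mailfrom=@originalsender.com; dmarc=fail",
    "ARC-Authentication-Results: i=1; mx.forwarder.com; dkim=pass header.i=@originalsender.com; "
    "spf=pass smtp.mailfrom=@originalsender.com; dmarc=pass",
]

def parse_aar(header):
    """Return (instance, authserv_id, results) for one ARC-Authentication-Results header."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "arc-authentication-results":
        raise ValueError("not an ARC-Authentication-Results header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^()]*\)", "", value)      # drop (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    m = re.fullmatch(r"i\s*=\s*(\d+)", parts[0]) if parts else None
    if not m or len(parts) < 2:
        raise ValueError("missing i= instance tag or authserv-id")
    results = {}
    for clause in parts[2:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        # Remaining tokens are properties such as header.i=... or smtp.mailfrom=...
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return int(m.group(1)), parts[1], results

def results_by_hop(headers):
    """Index headers by instance; instances must be unique and run 1..N without gaps."""
    hops = {}
    for header in headers:
        instance, authserv_id, results = parse_aar(header)
        if instance in hops:
            raise ValueError(f"duplicate instance i={instance}")
        hops[instance] = (authserv_id, results)
    if sorted(hops) != list(range(1, len(hops) + 1)):
        raise ValueError("instance numbers are not contiguous from 1")
    return hops

def first_hop_passed(headers, method="dmarc"):
    """True if the oldest hop (i=1) recorded a pass for the given method."""
    _, results = results_by_hop(headers)[1]
    return results.get(method, {}).get("result") == "pass"
```

The parsed values are only as trustworthy as the chain that carries them: this code does no signature checking, so use its output only after the ARC-Seal and ARC-Message-Signature headers have been validated.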

The ARC chain and the cv= tag

When the final destination server receives the email, it sees a chain of one or more ARC header sets. It validates this chain by checking the cryptographic signatures in the ARC-Seal headers, starting with the newest and working backwards.

If the entire chain is valid, the receiving server adds its own final ARC-Authentication-Results header. However, this final header doesn't use an a= tag. Instead, it uses a cv= (chain validation) tag. The value will be either pass if the chain was valid, or fail if it was broken or tampered with.

In summary, the a= tag (or more accurately, the authentication results it represents) is the core payload of an ARC hop. It carries the original, verified authentication status through complex mail routing paths, allowing DMARC policies to be evaluated based on the preserved results rather than the final, broken ones. This ensures legitimate emails sent via mailing lists get delivered, not marked as spam.
