Suped

What is the role of the 'Authentication-Results' header in ARC?

Michael Ko
Co-founder & CEO, Suped
Published 29 Dec 2024
Updated 20 Oct 2025
When an email is forwarded or relayed through multiple servers, the original email authentication results (like SPF and DKIM) can often break. This poses a significant challenge for email security, as legitimate emails might fail DMARC checks simply because an intermediary server modified the message or altered its path. The Authenticated Received Chain (ARC) was developed to address this very issue, providing a mechanism to preserve authentication results across these intermediate hops.
Central to ARC's functionality is the 'Authentication-Results' header, specifically the version that ARC appends, known as the ARC-Authentication-Results header. This header plays a critical role in recording the authentication status of an email at each step of its journey, effectively creating a verifiable chain of authentication results. It allows downstream recipients to trust the authentication data, even when forwarding would normally invalidate it.

The impact of forwarding

The challenge of email forwarding

Email forwarding is a common practice, but it disrupts traditional email authentication. Sender Policy Framework (SPF) often fails when an email is forwarded because the forwarding server's IP address is typically not authorized in the original sender's SPF record. Similarly, DomainKeys Identified Mail (DKIM) can break if the message body or headers are altered during forwarding, which is a frequent occurrence with mailing lists or email aliases.
When SPF and DKIM fail, the email will consequently fail DMARC authentication, leading to legitimate emails being marked as spam or rejected outright by the recipient mail server. This creates a frustrating experience for users and can significantly impact email deliverability for organizations that rely on forwarding or mailing list services. The lack of a clear chain of custody makes it difficult for receiving servers to distinguish between legitimate forwarded mail and malicious spoofed emails.

Traditional authentication

  1. SPF failures: When an email is forwarded, the receiving server sees the forwarding server's IP address instead of the original sender's, so SPF often fails.
  2. DKIM breaks: Modifications to email headers or body during forwarding invalidate DKIM signatures.
  3. DMARC failure risk: Legitimate forwarded emails fail DMARC checks, leading to delivery issues.

ARC's solution

  1. Preserves authentication: ARC creates a chain of trust for forwarded messages.
  2. Verifiable results: Each server in the chain cryptographically signs the email's authentication state.
  3. Improved deliverability: Helps legitimate forwarded mail pass DMARC checks.

Understanding ARC's architecture

How ARC bridges the authentication gap

ARC works by introducing three new email headers to create a verifiable record of an email's authentication status. These headers are added by an ARC Sealer (typically a mailing list or forwarding service) before the email is passed to the next hop. The three core headers are:
  1. ARC-Authentication-Results: This header captures the authentication results (SPF, DKIM, DMARC) at the point of sealing. This is the focus of our discussion.
  2. ARC-Message-Signature: A cryptographic signature of the message's relevant headers and body, ensuring integrity.
  3. ARC-Seal: A signature over the previous ARC-Seal and ARC-Message-Signature headers, forming the chain.
Each time an ARC-enabled intermediary (or ARC Sealer) processes an email, it appends a new set of these three ARC headers. The receiving mail server can then validate this chain to determine the email's authentication status before it was modified, rather than relying solely on the potentially broken current results. This helps in correctly identifying legitimate mail and preventing false positives for spam filtering.

Anatomy of the ARC-Authentication-Results header

Dissecting the ARC-Authentication-Results header

The 'Authentication-Results' header within ARC (specifically, the ARC-Authentication-Results header) is crucial because it contains a snapshot of the email's authentication evaluation at the point it was last sealed by an ARC-enabled intermediary. It essentially re-records the results of SPF, DKIM, and DMARC checks, along with an ARC-specific status field.
Example ARC-Authentication-Results header:
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of sender@example.com designates 203.0.113.42 as permitted sender) smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com; dmarc=pass (p=none sp=none dis=none) header.from=example.com; arc=none
In this example, i=1 indicates the instance number in the ARC chain. The arc=none at the end is the 'arc-status' field, which shows the status of the ARC chain validation itself. This field can have different values depending on whether the ARC chain is valid and unbroken. The receiving mail server can look at this arc-status along with the previous authentication results to make an informed delivery decision.

| Value | Description |
| --- | --- |
| none | No ARC signature found, or ARC processing was not performed. |
| pass | The ARC chain successfully validated, meaning the email's integrity was maintained through intermediaries. |
| fail | The ARC chain failed validation, indicating tampering or a broken chain of trust. |
| temperror | A temporary error occurred during ARC validation, usually due to transient network issues. |

ARC's role in deliverability and security

Practical implications and benefits

For receiving mail servers, the ARC-Authentication-Results header, combined with the other ARC headers, provides crucial context. If an email fails SPF or DKIM upon arrival, but the ARC chain validates as 'pass', the recipient server knows that the original authentication was legitimate before the forwarding process intervened. This allows the server to override DMARC failures that would otherwise occur, ensuring that important, legitimate emails reach the inbox.
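As an added example (not part of the original article and not any mail server's own code), the following Python parses the ARC-Authentication-Results value dissected earlier and applies the override decision described in the paragraph above. The function names are hypothetical, and `chain_status` and `sealer_trusted` are assumed inputs: the receiver's own cryptographic validation of the ARC-Seal and ARC-Message-Signature headers, and its local policy on which sealers it trusts.

```python
import re

# Constructed sample: the header value from the example earlier on this page (instance 1).
SAMPLE_AAR = (
    "i=1; mx.google.com; spf=pass (google.com: domain of sender@example.com "
    "designates 203.0.113.42 as permitted sender) smtp.mailfrom=sender@example.com; "
    "dkim=pass header.d=example.com; dmarc=pass (p=none sp=none dis=none) "
    "header.from=example.com; arc=none"
)
# Simplification: nested comments and quoted strings containing ';' are not handled.
_COMMENT = re.compile(r"\([^()]*\)")
_CLAUSE = re.compile(r"([a-z0-9-]+)=([a-z]+)\b(.*)", re.I | re.S)
_PROP = re.compile(r"([a-z0-9.-]+)=(\S+)", re.I)


def parse_aar(value):
    """Split an ARC-Authentication-Results value into instance, authserv-id, methods."""
    parts = [p.strip() for p in _COMMENT.sub(" ", value).split(";") if p.strip()]
    inst = re.fullmatch(r"i\s*=\s*(\d+)", parts[0]) if len(parts) >= 2 else None
    if not inst or not 1 <= int(inst.group(1)) <= 50:
        raise ValueError("missing or invalid instance tag (i=)")
    methods = {}
    for part in parts[2:]:
        m = _CLAUSE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed result clause: {part!r}")
        entry = {"result": m.group(2).lower(), "props": dict(_PROP.findall(m.group(3)))}
        # A method can appear more than once (e.g. several DKIM signatures).
        methods.setdefault(m.group(1).lower(), []).append(entry)
    return {"instance": int(inst.group(1)), "authserv_id": parts[1].split()[0],
            "methods": methods}


def effective_dmarc(local_dmarc, chain_status, aar_values, sealer_trusted):
    """Return 'pass' if a local DMARC failure may be overridden, else local_dmarc.

    chain_status: the receiver's own cryptographic ARC validation result.
    sealer_trusted: local policy decision about the sealing domains.
    Both are assumed inputs; signature verification is not implemented here.
    """
    if local_dmarc != "fail" or chain_status != "pass" or not sealer_trusted:
        return local_dmarc
    by_instance = {a["instance"]: a for a in map(parse_aar, aar_values)}
    first = by_instance.get(1)  # results recorded before any intermediary changed the message
    if first and any(r["result"] == "pass" for r in first["methods"].get("dmarc", [])):
        return "pass"
    return local_dmarc
```

The recorded results are only consulted after the chain itself has validated; an ARC-Authentication-Results header on its own is unauthenticated text that any sender could add.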
Implementing ARC doesn't replace DMARC or SPF/DKIM, but rather enhances them. It provides an additional layer of trust for complex mail flows. For organizations, adopting ARC where appropriate, especially for mailing list operators, can significantly improve deliverability and reduce the chances of legitimate emails being blocked due to authentication failures. It's a critical component in ensuring email security and reliability in today's interconnected email ecosystem.

Boost your DMARC with Suped

Monitoring your DMARC reports, including ARC data, is crucial for maintaining excellent email deliverability. Suped offers a DMARC monitoring platform with industry-leading features:
  1. AI-Powered Recommendations: Get clear, actionable advice to fix issues and strengthen your DMARC policy quickly.
  2. Real-Time Alerts: Stay informed with instant notifications about potential threats or deliverability issues.
  3. Unified Platform: Combine DMARC, SPF, DKIM, and blocklist monitoring for a comprehensive view.
  4. SPF Flattening: Automatically manage your SPF records to avoid the 10-lookup limit.
  5. Generous Free Plan: Start protecting your domains today with our powerful free offering at suped.com.

Conclusion

The 'Authentication-Results' header, as used within the ARC protocol, is a vital mechanism for preserving email authentication across intermediary servers. By providing a cryptographically verifiable chain of custody, it allows receiving mail servers to accurately assess the legitimacy of forwarded emails, preventing DMARC failures and ensuring proper inbox placement. Understanding this header is key to grasping how ARC enhances email security and deliverability in today's complex email landscape.
