How to implement ARC (Authenticated Received Chain) and how does it affect DMARC failures from forwarding?

Key findings

• Intermediary role: ARC is primarily implemented by intermediary mail servers and mail transfer agents (MTAs), not by the original sender's email service provider (ESP) or domain owner.
• DMARC preservation: Its main purpose is to allow DMARC to validate emails successfully even after they've been altered by forwarding, by providing a chain of authentication results.
• Mechanism: ARC adds a new set of headers (ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal) to the email, cryptographically signing the previous authentication status and message headers.
• Preventing spoofing: While helping legitimate forwarding, ARC also ensures that these forwarded messages haven't been tampered with, adding another layer of security against spoofing.
• Mailbox provider adoption: Major mailbox providers like Google and Microsoft widely support ARC, processing its headers to inform their DMARC validation decisions.

Key considerations

• Sender responsibility: As a sender, you generally do not implement ARC directly on your outbound mail stream. Your focus should be on proper SPF, DKIM, and DMARC configuration, allowing intermediary servers to apply ARC if they support it.
• Forwarding impact: Understand that email forwarding inherently challenges DMARC, as it often breaks SPF (due to changed sending IP) and DKIM (if the message body or headers are altered). ARC helps mitigate this.
• Policy enforcement: If you are monitoring DMARC reports, you may observe DMARC failures for forwarded emails. ARC-aware receivers can override these failures based on the ARC chain's validity. This is especially relevant when transitioning to p=quarantine or p=reject.
• RFC 8617: The technical specifications for ARC are detailed in RFC 8617, which outlines the protocol for ARC sealing and validation.

Key opinions

• Frustration with DMARC failures: Marketers frequently report DMARC failures for forwarded emails and are actively looking for solutions to resolve these issues.
• Misconception about ARC control: There's a common belief among marketers that ARC is something they need to set up or configure on their end, similar to SPF or DKIM.
• Seeking technical guidance: Many are keen to understand the technical implementation of ARC and how it interacts with existing email authentication protocols.
• Impact on deliverability: Marketers are concerned about how DMARC failures from forwarding might negatively affect their overall email deliverability rates.

Key considerations

• Focus on DMARC: Instead of implementing ARC, marketers should ensure their SPF and DKIM records are correctly configured and aligned with their DMARC policy. This lays the foundation for ARC to function effectively when intermediaries forward mail.
• Monitoring DMARC reports: Leverage DMARC aggregate and forensic reports to identify patterns of forwarding and DMARC failures. These reports can provide insights into how your emails are being handled by various receiving servers, even when ARC is involved. Tools for understanding DMARC reports are very helpful.
• Policy adjustments: Be aware that setting a DMARC policy to p=reject might increase the visibility of DMARC failures for forwarded mail, but ARC-aware recipients should mitigate this.
• Understanding limitations: Accept that DMARC is designed to break forwarding in certain scenarios. While ARC aims to fix this, not all forwarders or receivers may fully support it, leading to occasional, unavoidable failures.

Key opinions

• Sender non-involvement: Senders (like those using an ESP for outbound mail) typically do not implement ARC. It's the responsibility of the intermediary mail server or mail forwarding service.
• DMARC and forwarding: DMARC is designed to detect and block email spoofing, and this often means that legitimate forwarded emails will fail DMARC checks because the forwarding process can break SPF and DKIM.
• Purpose of ARC: ARC exists to provide a mechanism for receiving mail servers to validate the original authentication results of an email that has passed through one or more intermediaries.
• Specific use cases: ARC implementation is relevant for entities that act as intermediaries, such as mailing list operators or email forwarding services, to preserve authentication details.
• Policy overrides: Even with DMARC failures for forwarded mail, receivers that support ARC may apply policy overrides based on the valid ARC chain, allowing the email to pass.

Key considerations

• Architectural understanding: It's crucial to understand the roles of different parties in the email flow. Senders are responsible for initial authentication (SPF, DKIM, DMARC), while intermediaries are responsible for maintaining the ARC chain. For more on this, check out our guide on how email authentication standards work.
• Expected failures: Acknowledge that some DMARC failures, particularly those due to forwarding, are an expected outcome of the DMARC protocol working as intended. ARC aims to provide context, not to eliminate all such failures from DMARC reports.
• DMARC policy impact: When moving to stricter DMARC policies like p=quarantine or p=reject, the importance of ARC by intermediaries for forwarded emails becomes even more pronounced. Understanding DMARC enforcement strategies is key.
• Reporting analysis: Pay close attention to policy override flags within DMARC reports, as these indicate that an ARC-aware receiver may have successfully validated an otherwise failing message.

Key findings

• Standardization: ARC is an IETF standard defined in RFC 8617, providing a formal framework for its implementation and use.
• Chain of custody: It creates a verifiable 'chain' of authentication results, allowing a final receiver to trust the initial authentication status despite intervening modifications.
• Header components: The protocol specifies three headers: ARC-Authentication-Results (AAR), ARC-Message-Signature (AMS), and ARC-Seal (AS), which are added by each participating intermediary.
• Validation process: Receiving mail servers validate the ARC chain by verifying each signature, ensuring the message hasn't been tampered with since the last ARC-Seal.
• Addressing DMARC failures: ARC directly addresses the issue of DMARC authentication failures that arise from legitimate forwarding by allowing receiving domains to re-evaluate the DMARC status contextually.

Key considerations

• Role of intermediaries: Documentation specifies that ARC is for "participating ARC intermediaries" (IETF Datatracker, RFC 8617), not the initial email sender.
• Signature requirements: Each intermediary in the chain must add its own ARC-Seal, signing the current state of the message and the authentication results it observed.
• DKIM and SPF preservation: ARC provides a way for recipients to assess the validity of an email's original SPF and DKIM authentication even after modifications that would normally cause these to fail.
• DMARC alignment: The ultimate goal of ARC is to allow a DMARC-enforcing receiver to accept messages that would otherwise fail DMARC because of forwarding, provided the ARC chain is valid. Our guide on DMARC implementation has more details.