What are ARC headers (ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Think of ARC like a receipt book. When your email passes through a forwarding server or mailing list, that server doesn't just pass it along. It adds three stamped receipts to prove "I checked this message. It was authentic. I'm signing that fact."
The three headers are ARC-Authentication-Results (AAR), which records what the server found when it checked SPF, DKIM, and DMARC. Then ARC-Message-Signature (AMS), which is a cryptographic signature over the entire message (body and headers). Finally, ARC-Seal (AS), which signs the whole ARC set itself and links it to any previous ARC sets. That creates the chain.
Why three headers instead of one? Each has a job. AAR says what you found. AMS proves you signed the message. AS ties them together and proves nobody tampered with the chain after the fact. That's what makes ARC trustworthy. When the final receiver gets the email, they can verify the whole chain back to the original sender. It's a path of custody.
Want to see what your own emails look like under the hood? Check out how ARC chains actually validate across multiple hops, or dive into the difference between ARC-Seal and ARC-Message-Signature if you need deeper specifics.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.