What are common ARC validation failures?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
When an ARC chain breaks, receivers get a validation status of cv=fail. That means the message's forwarding history is untrusted. Here's what typically goes wrong.
Broken seals. Someone modified the message after the ARC signer sealed it. Even a tiny change (a single character, a header added by spam filters) breaks the cryptographic seal. The signature no longer matches. This is the most common failure.
Mismatched instance numbers. Each ARC seal has an instance number (i=1, i=2, etc.) showing the order of forwarding hops. If those numbers are out of sequence or missing, the chain doesn't make sense. Receivers reject the whole chain.
Untrusted signer. The server that signed the ARC chain isn't on the receiver's trust list. Maybe it's a brand-new forwarder with no reputation yet, or a known spoofer. The receiver says "I don't trust this signer," and rejects the ARC seal.
Bad keys or missing signatures. The cryptographic key used to sign ARC doesn't match the key published in DNS, or the key is expired. Or there's no signature at all in the headers where one should be. ARC can't verify anything without valid signatures.
Broken chains. The seals don't connect properly. For example, if the second forwarder in the chain didn't seal what the first forwarder sealed, the chain of custody is broken. Receivers can't trace the message back to the original.
The result: mail servers lose confidence in the message's authenticity and may reject it or flag it as spam.
But if you're troubleshooting ARC failures, start by understanding how ARC sealing works, then check how ARC interacts with DMARC to diagnose your specific issue.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.