How do ARC chains validate?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've got a forwarded email that needs to prove it hasn't been tampered with. Here's what happens behind the scenes. When mail hops through intermediaries, each one adds its own ARC set with an instance number (i=1, i=2, i=3, and so on). Think of it like a chain of custody, where each person signs their name next to the previous signature.

The receiving mail server starts at the highest instance number and works backward. It checks: Does the ARC Seal signature actually cover the previous hop's data? Are the instance numbers in order? Has anyone modified the headers after signing? Each verification step has to pass, or the chain breaks. If everything checks out, the receiving server marks it as cv=pass. If even one link fails, it gets cv=fail.

And Here's the practical part. When the chain validates, the receiver trusts the intermediary that signed it. That trust matters when DMARC fails. Instead of rejecting the forwarded message outright, the receiver can say "I don't trust the original domain, but I trust the last intermediary that forwarded this, so I'll deliver it." That's what makes ARC work in practice.

Want to see if your own ARC chain is validating correctly? Test a forwarded email header with our ARC header analyzer to spot breaks in the chain before they cause delivery problems.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get step-by-step guidance for your setup

I read this on the Email Almanac about 'How do ARC chains validate': When mail hops through intermediaries, each one adds its own ARC set with an instance number (i=1, i=2, etc.). The receiving mail server works backward through the chain, checking that each ARC Seal signature covers the previous hop's data, instance numbers are in order, and headers haven't been modified. How do I apply this to my specific situation? Please tell me: 1. Do I need to configure anything on my domain or mail server? 2. Which tools can I use to verify my ARC chain is validating? 3. If I'm seeing cv=fail, what does that mean for my deliverability? 4. How do I know if ARC validation is actually helping my emails?

Edit the yellow boxes, then send to the AI of your choice.