How do ARC chains validate?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've got a forwarded email that needs to prove it hasn't been tampered with. Here's what happens behind the scenes. When mail hops through intermediaries, each one adds its own ARC set with an instance number (i=1, i=2, i=3, and so on). Think of it like a chain of custody, where each person signs their name next to the previous signature.
The receiving mail server starts at the highest instance number and works backward. It checks: Does the ARC Seal signature actually cover the previous hop's data? Are the instance numbers in order? Has anyone modified the headers after signing? Each verification step has to pass, or the chain breaks. If everything checks out, the receiving server marks it as cv=pass. If even one link fails, it gets cv=fail.
And Here's the practical part. When the chain validates, the receiver trusts the intermediary that signed it. That trust matters when DMARC fails. Instead of rejecting the forwarded message outright, the receiver can say "I don't trust the original domain, but I trust the last intermediary that forwarded this, so I'll deliver it." That's what makes ARC work in practice.
Want to see if your own ARC chain is validating correctly? Test a forwarded email header with our ARC header analyzer to spot breaks in the chain before they cause delivery problems.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.