How does ARC work?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've got DMARC set to reject mode. Your emails authenticate perfectly when they go directly to the inbox. But then someone forwards one of your emails to a mailing list, and suddenly DMARC fails on the recipient's server. Your email bounces. That's the problem ARC solves.

When an email gets forwarded or passes through a mailing list, it gets touched by multiple servers (mail hops). Each server modifies the message slightly.adding headers, rewriting the From address, maybe adjusting the subject. These changes are normal, but they break SPF, DKIM, and DMARC alignment. The receiving server sees that the email no longer matches your original authentication, so it assumes the email is forged. DMARC reject policy sends it to spam or rejects it outright.

ARC (Authenticated Received Chain) fixes this by creating a chain of trust that proves the forwarding was legitimate. Here's how it works in practice.

When your email reaches the first intermediary (a mailing list server or mail forwarding service), ARC adds three headers to the message:

  • ARC-Authentication-Results (AAR). This header records what that server saw when it checked your original SPF, DKIM, and DMARC results. It's like saying "We checked your email and it passed."
  • ARC-Message-Signature (AMS). This is a cryptographic signature covering the message body at that point in the hop. It proves the email wasn't tampered with at this station.
  • ARC-Seal (AS). This seals the entire ARC set and signs the previous hop's ARC data. It binds the chain together and ensures nobody inserted false authentication results.

When the email reaches the next hop (another mailing list or forwarding service), that server adds another set of three ARC headers. It increments the instance number (from 1 to 2) and signs the previous hop's ARC data, creating a chain.

Finally, when your email lands in a recipient's mailbox, their server looks at the entire ARC chain. It verifies each signature, checks that the sequence is intact, and evaluates whether the original authentication passed. If the chain is solid and the original DMARC passed, the receiving server trusts that your email is legitimate, even though it's been forwarded multiple times.

The key advantage: ARC preserves your reputation through forwarding. Your legitimate emails get delivered. Forged ones still get caught because a forger would have to break all the signatures in the chain, which is cryptographically hard.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me understand ARC authentication

I've heard about ARC headers. What is ARC and how does it help emails pass authentication when they're forwarded?

Edit the yellow boxes, then send to the AI of your choice.