What problem does ARC solve?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Your email goes through a mailing list or a forwarding service. The service has to resend it from a different IP address and might modify the headers or content slightly. Now SPF fails because the IP isn't in your original domain's SPF record. DKIM fails because the message got modified. Legitimate mail dies in a DMARC failure, trapped in spam folders through no fault of the original sender. That's the forwarding problem, and it's more common than you'd think.
Companies using DMARC enforcement (p=quarantine or p=reject) run into this constantly. Mailing list operators hit it. Anyone using Gmail's email forwarding feature, a corporate gateway that scans mail, or a service like ARC aware forwarding can end up here. Without something to bridge the gap, the receiving mail server sees a failed DMARC check and has no reason to trust the message. To understand what's happening under the hood, review how DMARC alignment affects forwarded mail.
ARC fixes this by having each intermediary sign off on the authentication results it saw before it modified anything. The signature proves. this message checked out upstream. The receiving server can then trust the original authentication, override the DMARC failure, and deliver the legitimate mail to the inbox instead of spam. It's not a free pass. DMARC policy still matters. But it's the difference between having evidence of the original authentication and just seeing a broken chain.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.