What is ARC?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine a sealed logbook traveling with your email. Each mail server that touches it adds an entry, and that entry is locked with a digital signature so it can't be forged. That's ARC in a nutshell. Authenticated Received Chain is a protocol that preserves a record of what the original authentication checks (SPF, DKIM, DMARC) actually found before the message got forwarded or modified.
Here's why it matters. When email goes through a forwarding service or mailing list, the original SPF and DKIM signatures often break. The new server has a different IP address, so SPF fails. The message got modified, so DKIM fails. Without ARC, the receiving mailbox has no way to know whether the original sender actually authenticated. All it sees is a failed DMARC check. That can land your legitimate email in spam. ARC solves this by signing the authentication state at each hop, creating a verifiable chain that says. we saw this message authenticate properly upstream, even though something changed after that.
You don't need to set up ARC yourself. Your ESP or forwarding service handles the signing. But if you're using DMARC enforcement (p=reject or p=quarantine), you should understand how ARC rescues forwarded email from authentication failures. Most modern providers already respect ARC headers.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.