What does the ARC-Seal header indicate?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You send an email, it passes SPF and DKIM at the first hop. Then a mailing list or forwarding service picks it up and passes it along. By the time it hits the final inbox, both SPF and DKIM have failed. The receiving server has no idea the original message was legitimate. That's the forwarding problem, and it's where ARC comes in.
ARC stands for Authenticated Received Chain. It's a set of three headers that each intermediate server adds when it handles a forwarded message. One of those three headers is the ARC-Seal.
The ARC-Seal is a cryptographic signature that covers the ARC headers added by that particular server. Think of it as a tamper-evident sticker. It says: "These ARC headers are exactly what I wrote. If they've been touched since I signed them, the seal breaks." Every server in the chain adds its own ARC-Seal, creating a layered record you can verify hop by hop.
Here's a quick picture of why this matters. Your email goes from your domain to a Google Group, which rewrites the headers and forwards it on. SPF now fails because the sending IP belongs to Google, not your domain. DKIM may also fail if the Group modified the message body. Without ARC, the final receiving server just sees authentication failures and has to decide whether to trust the message anyway. With ARC, the Google server has signed a record saying "when I received this, it had valid SPF and DKIM." The final server can check that signature, trust the intermediary, and honor the original authentication results.
So what does an ARC-Seal actually tell you when you're reading headers? It confirms the integrity of the full ARC chain up to that point. If even one seal in the chain is broken or missing, the whole chain can't be trusted. A chain with all seals intact means the intermediary servers are vouching for what they saw, and the final receiver can factor that in when making a delivery decision.
A few practical notes. You'll mostly see ARC headers in messages that passed through mailing lists, forwarding rules, or security gateways. Gmail and other major providers already support ARC evaluation. You don't need to implement ARC yourself unless you're running an intermediary server (like a mailing list manager or a corporate email gateway) that forwards messages on behalf of others. In that case, your mail server software would handle signing, not you manually.
If you're debugging a forwarded message that's failing authentication checks, the ARC headers are one of the first places to look. Our free Email Header Analyzer can parse them out for you, or drop into our SOS hotline if you're staring at a chain that isn't making sense.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.