What is RFC 8617 (ARC)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up SPF, DKIM, and DMARC correctly. Everything looks clean. Then someone forwards one of your emails through a mailing list, and suddenly DMARC fails. No spoofing happened. No one did anything wrong. The forwarding just broke the authentication chain. That's the exact problem ARC was built to fix.

RFC 8617 defines ARC (Authenticated Received Chain), published in 2019. It's a way for email intermediaries to pass authentication results along as a message moves through multiple hops before it reaches the final inbox.

Here's why that matters. SPF and DKIM are checked against the original sending domain. But when a mailing list or forwarding service touches a message, it often changes things. The server IP changes (breaking SPF). The message body might get a footer added (breaking DKIM). When the receiving mailbox then runs DMARC, it sees a failed authentication and has no way to know whether that failure came from a spoofer or just a legitimate mailing list doing its job.

ARC solves this by having each intermediary in the chain seal what it saw before it modified anything. Think of it like a notarized handoff. Each stop adds a signed record saying "when I received this, here's what the authentication looked like." The final receiver can follow that chain back and see that the authentication was valid at the original source, even if it broke somewhere in the middle.

In practice, you're most likely to run into ARC in these scenarios:

  • Email forwarding (someone forwards work email to a personal inbox)
  • Mailing list software that adds subject tags or footers
  • Security gateways that scan and re-route messages before delivery

As a sender, you don't configure ARC yourself. It's handled by the intermediaries. But understanding it helps you make sense of why DMARC reports sometimes show failures that aren't actually your fault. Major providers like Gmail and Outlook both evaluate ARC chains when deciding how to treat forwarded messages.

ARC is one of those specs that runs quietly in the background. You might never think about it until a legitimate message starts failing, and then it's suddenly the most important thing in the room. If you're seeing unexpected DMARC failures in your reports and forwarding is in the picture, ARC is where to look. You can analyze the email headers directly with our free Email Header Analyzer to see if ARC seals are present and what they're reporting.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Diagnose my DMARC forwarding failures

I'm seeing DMARC failures in my reports but I don't think anyone is spoofing my domain. My emails go through a mailing list or get forwarded before they arrive. Can you help me figure out whether ARC is involved, what the failures actually mean, and whether there's anything I should do about it on my end?

Edit the yellow boxes, then send to the AI of your choice.