ARC (Authenticated Received Chain) is the IETF Experimental email authentication protocol defined in RFC 8617 (July 2019) that preserves SPF, DKIM, and DMARC authentication results across forwarding intermediaries — mailing lists, account forwarders, security gateways, and other handlers that modify messages in ways that break original authentication. ARC operates by attaching three new header fields at each ARC-aware intermediary: ARC-Authentication-Results (AAR) records the authentication results observed at that hop, ARC-Message-Signature (AMS) is a DKIM-like signature over the message, and ARC-Seal (AS) signs the chain to create a verifiable history of custody. Major implementations: Gmail, Microsoft 365 (with Trusted Sealer configuration), Yahoo, Fastmail. ARC doesn't replace SPF, DKIM, or DMARC — it preserves their results across forwarding paths that would otherwise break them.
ARC is the gap competitor for the auth cluster. While SPF, DKIM, and DMARC handle direct sender-to-receiver authentication well, they all break in predictable ways when messages traverse intermediaries — mailing lists adding subject prefixes, account forwarders changing the envelope, security gateways rewriting headers. ARC is the experimental protocol that solves this by preserving the original authentication results across the forwarding path, allowing the final receiver to make informed trust decisions even when SPF and DKIM fail at the final hop.
Most published material on ARC falls into one of two camps: vendor-side guides explaining "ARC is the solution to forwarding problems" without operational depth, or RFC summaries that quote definitions without showing real headers. This entry synthesizes the operational reality: the actual three-header structure with annotated examples, the chain validation flow with cv= semantics, the implementation matrix across providers and MTAs, the IETF Experimental status controversy, and the honest decision framework about when senders need ARC and when they don't.
The forwarding problem ARC solves
SPF, DKIM, and DMARC were designed for direct delivery: sender → recipient. They break in predictable ways when messages traverse intermediaries. The most common failure scenarios:
Mailing lists
List manager (Listserv, Sympa, Mailman 3, Google Groups) modifies the message — adds [LIST-NAME] subject prefix, appends a footer, sometimes rewrites the From: header. SPF fails because the list's IP isn't in the original sender's SPF record. DKIM fails because the modified body and headers no longer match the original signature. DMARC fails alignment.
Account forwarders
User auto-forwards work email (Outlook → personal Gmail). The forwarder retransmits the message from a different IP, breaking SPF. The body and headers may pass through unchanged so DKIM might survive, but Return-Path rewriting often breaks DMARC envelope alignment.
Security gateways
Mimecast, Proofpoint, Barracuda, and other email security products receive mail, scan it, and re-deliver to the actual mailbox. The retransmission often modifies headers, sometimes the body (anti-phishing warnings inserted), and always changes the IP. DKIM survives in some configurations but breaks in others.
Internal relays
Corporate environments routing mail through internal MTAs that perform legitimate modifications (header rewriting for internal vs external delivery, footer appending for compliance). Each modification risks breaking DKIM; each new sending IP risks breaking SPF.
In each case, the message itself is legitimate but the authentication signal at the final receiver is broken. Without ARC, the receiver sees an SPF/DKIM/DMARC failure and applies the sender's DMARC policy — quarantine or reject. The legitimate message gets blocked. With ARC, an intermediary can record "I saw this message authenticate cleanly before I modified it; here's the signed proof," letting the final receiver trust the original authentication despite the broken final-hop checks.
The three ARC headers (AAR + AMS + AS)
ARC adds three header fields per intermediary hop, called an "ARC set." Each has a specific role in the chain-of-custody mechanism:
ARC-Authentication-Results
Records the authentication results (SPF, DKIM, DMARC) as the intermediary observed them. Format identical to the standard Authentication-Results header per RFC 8601, with an added i=N instance number.
Purpose: Says what the intermediary saw at this hop.
ARC-Message-Signature
A DKIM-like cryptographic signature over the message body and selected headers including the AAR. Generated using the intermediary's signing key.
Purpose: Proves the message at this hop wasn't tampered with after the AAR was recorded. Survives modifications by later intermediaries who add their own ARC sets.
ARC-Seal
Cryptographic signature over the previous ARC sets plus this hop's AAR and AMS. Does NOT sign the message body. Contains the chain validation status (cv=none/pass/fail).
Purpose: Links this ARC set to the chain of previous sets, creating a verifiable history. Records whether the chain was valid when this hop processed it.
Each ARC-aware intermediary that handles a message adds one complete ARC set (AAR + AMS + AS) with an incrementing instance number — first sealer adds i=1, second adds i=2, and so on. The final receiver validates the chain backwards from the highest instance number to verify each hop's signatures, and reads the original authentication results from the i=1 AAR (the first hop's record of the original SPF/DKIM/DMARC results before any modifications).
Real ARC headers in code
Here's an actual ARC set generated by Gmail when forwarding a message — abbreviated for readability but showing the real structure:
# Original message arrives at Gmail with valid SPF + DKIM + DMARC # Gmail receives it, will forward to user's other mailbox # Before forwarding, Gmail seals the original authentication into ARC ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@example.com header.s=20230601 header.b="abc123..."; spf=pass (google.com: domain of sender@example.com designates 203.0.113.10 as permitted sender); dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=to:subject:message-id:date:from:mime-version:content-type:dkim-signature:arc-authentication-results; bh=ABCDEF1234567890...; b=Cryptographic-message-signature-here-base64-encoded... ARC-Seal: i=1; a=rsa-sha256; t=1714843200; cv=none; d=google.com; s=arc-20160816; b=Cryptographic-seal-signature-here-base64-encoded... # cv=none because this is the first ARC set (no prior chain) # Gmail then forwards the message to the user's destination mailbox # If the destination is also ARC-aware (e.g., another Gmail account, Microsoft 365), # it would add i=2 ARC set to the message preserving the chain
The same message after passing through a second ARC-aware intermediary (say Microsoft 365) would have:
# Second intermediary adds i=2 ARC set (prepended above i=1) ARC-Authentication-Results: i=2; outlook.office365.com; dkim=fail (signature did not verify); # DKIM broke after Gmail forwarding spf=fail (sender IP not in SPF); # SPF broke (Gmail's IP, not original) dmarc=fail; arc=pass header.b="AbCdEf..." (i=1 chain validation passed) # ARC chain still valid! ARC-Message-Signature: i=2; a=rsa-sha256; d=outlook.com; s=arc-2024; # [...signature over current message + Gmail's ARC set...] ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=outlook.com; s=arc-2024; # cv=pass because the i=1 chain validated successfully ARC-Authentication-Results: i=1; mx.google.com; ... # Gmail's original AAR preserved ARC-Message-Signature: i=1; ... # Gmail's original AMS preserved ARC-Seal: i=1; ... # Gmail's original AS preserved
The receiver evaluates the chain by validating each AS signature backwards from the highest instance number. If the entire chain validates, the receiver can trust the i=1 AAR — Gmail's record of the original SPF/DKIM/DMARC results — even though the final-hop SPF and DKIM failed.
Chain validation status (cv=)
The cv= tag in the most recent ARC-Seal header records the status of the previous chain. Three possible values:
i=1. The intermediary is the first ARC-aware handler.The receiving MTA uses cv= to decide whether to trust the original authentication: cv=pass means the chain is valid and the original authentication results recorded in the i=1 AAR can be trusted; cv=fail or chain-validation-failure means the message can't benefit from ARC and falls back to standard SPF/DKIM/DMARC results — which by definition will fail because the chain failed for a reason.
ARC chain across a forwarding hop
Concrete example showing what happens at each step when a legitimate authenticated message gets forwarded through an ARC-aware intermediary:
Authentication preservation across forwarding
marketing@example.com with valid SPF, DKIM signature, DMARC alignment. SPF: pass, DKIM: pass, DMARC: pass.user@personal-domain.com via another mailbox provider.i=1 ARC set: AAR records original results, AMS signs the message, AS contains cv=none. ARC chain initialized.example.com SPF). DKIM: fail (body modifications by Gmail's forwarding broke signature). DMARC: fail.i=1 ARC set: AS signature verifies against Gmail's public key, AMS signature verifies against the message + AAR. ARC chain validates.i=1 AAR — Gmail's record of the original authentication. Original SPF/DKIM/DMARC all passed. Receiver can trust the message despite the final-hop authentication failure.Implementation matrix: who actually uses ARC
ARC's value depends on adoption — both at the sealer side (intermediaries that record original authentication) and the validator side (receivers that trust ARC chains). The 2026 state:
| Implementation | Type | ARC Verify | ARC Seal | Notes |
|---|---|---|---|---|
| Gmail / Google Workspace | Mailbox provider | ✓ Yes | ✓ Yes | Most aggressive ARC implementer. Verifies incoming chains, seals outgoing forwarded mail. |
| Microsoft 365 / Exchange Online | Mailbox provider | Configurable | ✗ No | Verifies but requires explicit Trusted ARC Sealers config to grant DMARC override. |
| Yahoo Mail | Mailbox provider | ✓ Yes | Partial | Verifies inbound. ARC sealing for forwarding limited. |
| Fastmail | Mailbox provider | ✓ Yes | ✓ Yes | Bron Gondwana (Fastmail) is one of RFC 8617's editors. |
| Sympa MLM (v6.2.38+) | Mailing list manager | ✓ Yes | ✓ Yes | Sympa was an early ARC adopter for MLM use case. |
| Mailman 3 | Mailing list manager | ✓ Yes | ✓ Yes | ARC support in Mailman 3 core. |
| Google Groups | Group software | ✓ Yes | ✓ Yes | Inherits Google's broader ARC infrastructure. |
| OpenARC (milter) | Postfix/Sendmail integration | ✓ Yes | ✓ Yes | Reference open-source implementation. Active project. |
| authentication_milter | Perl milter (Postfix/Sendmail) | ✓ Yes | ✓ Yes | Combined SPF/DKIM/DMARC/ARC milter. Used by Fastmail. |
| Halon (commercial MTA) | Programmable MTA | ✓ Yes | ✓ Yes | ARC built into the MTA scripting model. |
| MailerQ (commercial MTA) | Commercial MTA | ✓ Yes | ✓ Yes | ARC support included. |
| Postfix (native) | Open-source MTA | ✗ Plugin only | ✗ Plugin only | Native Postfix has no ARC support; OpenARC milter required. |
| PowerMTA | Commercial MTA | Partial | ✗ No | PowerMTA is outbound-only; ARC sealing not typical use case. |
| KumoMTA | Open-source MTA | Lua-extensible | Lua-extensible | ARC implementable via Lua policy hooks; not built-in. |
Microsoft 365: configuring Trusted ARC Sealers
Microsoft 365 verifies ARC chains by default but requires administrators to explicitly configure "Trusted ARC Sealers" to grant DMARC override authority. Without configuration, ARC chains are seen but not used for authentication decisions.
# Microsoft 365 Defender portal: configure Trusted ARC Sealers # Email & Collaboration > Policies & Rules > Threat policies # > Email authentication settings > ARC tab # Or via Exchange Online PowerShell: Connect-ExchangeOnline # View current trusted sealers Get-ArcConfig # Add a trusted sealer (e.g., Gmail) Set-ArcConfig -Identity Default -ArcTrustedSealers "google.com" # Add multiple trusted sealers Set-ArcConfig -Identity Default -ArcTrustedSealers "google.com","fastmail.com","fabrikam.com" # The d= value in ARC-Seal headers must match exactly # Use Outlook View > Internet Headers or https://mha.azurewebsites.net to inspect
The Experimental status and the controversy
RFC 8617 was published as IETF Experimental status, not Standards Track. This is a specific designation per RFC 7841 meaning the protocol is published for examination, experimental implementation, and evaluation rather than widespread mandated deployment. The community had public review and IESG approved publication, but with explicit acknowledgment that ARC's effectiveness in real-world conditions wasn't fully proven.
The honest 2026 assessment:
- ARC is the best available solution for preserving authentication across forwarding — no alternative protocol with comparable deployment exists.
- ARC has substantial production deployment — Gmail, Microsoft 365 (with config), Yahoo, Fastmail, Sympa, Mailman all participate.
- ARC's security is reputational, not cryptographic — the chain proves what each intermediary asserted, not whether the assertion was true.
- ARC is an imperfect tool and the IETF community is exploring DKIMv2 or other approaches as longer-term replacements.
- For 2026 deployment decisions, ARC is the right answer; DKIMv2 isn't ready for production use.
Do I need to deploy ARC sealing?
ARC is for intermediaries — not regular senders. The decision framework:
Deploy ARC sealing if you are…
- A mailing list operator (Listserv, Sympa, Mailman 3 — anything that accepts a message and re-distributes it to subscribers with modifications)
- An account forwarder (auto-forwarding domain that retransmits mail from one address to another)
- An email security gateway (Mimecast, Proofpoint, custom anti-phishing layer that modifies headers/body)
- A mailbox provider with native forwarding (your users auto-forward from your service to other providers)
- An ESP that forwards transactional mail through internal relays before final delivery
- Operating any infrastructure where messages are received from one place and re-sent to another with modifications
You don't need ARC sealing if you are…
- A regular email sender (marketing platform, SaaS transactional mail, corporate email server)
- Sending mail directly to recipients without intermediation
- Running outbound infrastructure where messages flow from your application to recipient ISPs in one hop
- A typical PowerMTA / KumoMTA / Postfix outbound deployment where each message originates from your IPs and goes directly to recipient MX servers
- An ESP whose messages don't get re-processed before being delivered
For regular senders: focus on getting SPF, DKIM, and DMARC right. ARC is invisible infrastructure that helps your forwarded mail not fail at the recipient — you benefit from ARC without doing anything if your recipients use ARC-aware mail providers (Gmail, Microsoft 365). Your job is making the original authentication clean; ARC handles preservation downstream.
ARC in Cloud Server for Email infrastructure
Our managed email infrastructure handles ARC pragmatically based on customer architecture:
- Outbound senders (most CSE customers): no ARC sealing required. Focus is SPF, DKIM, DMARC enforcement, IP warming, sender reputation. ARC happens transparently at recipient ISPs that forward our customers' mail.
- Mailing list operators: ARC sealing via OpenARC milter or authentication_milter integration with Postfix-based list infrastructure. Mailman 3 + ARC for list-style deployments where preservation across the forwarding boundary matters.
- Email security gateways: ARC sealing essential when our gateway sits in front of customer mail server, modifying headers or body. Without ARC, downstream DMARC enforcement at recipient ISPs would block legitimate mail that traversed our gateway.
- Internal forwarding infrastructure: customer environments where mail traverses multiple internal MTAs before final delivery. ARC sealing at the boundary preserves authentication across the internal relay path.
- Microsoft 365 customers: configuration of
Set-ArcConfig -ArcTrustedSealersfor known forwarders in their environment — Mimecast, Proofpoint, internal compliance gateways, partner forwarding domains. - Diagnostic and remediation: when customers report DMARC failures on legitimate forwarded mail, we analyze ARC chains in the message headers to identify which intermediary broke authentication and whether ARC is being correctly applied across the chain.
The pattern across customers: ARC is rarely the primary investment, but it's frequently the missing piece in incidents where legitimate mail is being blocked due to forwarding-induced DMARC failures.
Related glossary concepts
- SPF — breaks at forwarding boundaries because the IP changes. ARC preserves the original SPF result.
- DKIM — breaks when forwarders modify message body or headers. ARC preserves the original DKIM result.
- DMARC — fails when SPF and DKIM both break. ARC's chain validation lets receivers trust the original DMARC result despite final-hop failures.
- BIMI — requires DMARC at enforcement; ARC helps DMARC survive forwarding so BIMI logos still display for forwarded mail.
- MTA-STS — transport-layer authentication, parallel to but independent of ARC's content-layer authentication preservation.
- Postfix — common MTA for ARC sealing infrastructure via OpenARC milter or authentication_milter.
- SMTP — the protocol over which ARC headers are transported; ARC headers are part of the message DATA payload.
Frequently asked questions
Does ARC require DNS records like SPF and DKIM?
Sort of. ARC sealers publish a public key in DNS using the same format as DKIM — a TXT record at <selector>._domainkey.<sealer-domain> containing the public key. The selector is referenced in the AMS and AS headers via the s= tag. For example, Gmail's ARC public keys are published at arc-20160816._domainkey.google.com. Receivers validating an ARC chain look up the public key for each intermediary's signing domain and verify the AS and AMS signatures. The sealer's DKIM-style key infrastructure must be in place before ARC sealing can work — same operational requirement as DKIM itself, applied to a different signing context.
Can ARC chains be unbounded in length?
RFC 8617 §5.1.1 allows up to 50 ARC sets in a chain. Practical chains are typically much shorter — 1-3 hops. Each ARC set adds substantial header overhead (typically 1-2KB for AAR + AMS + AS combined), so a 50-hop chain would add ~100KB of headers, which most MTAs would consider abusive. Production limits are usually configured at 10-20 hops via MTA configuration. If the limit is exceeded, the validating receiver typically falls back to standard SPF/DKIM/DMARC — not worse than pre-ARC behavior.
What happens if I use ARC and ARC chain validation fails at the receiver?
The receiver falls back to standard SPF/DKIM/DMARC validation. If the chain failure is because forwarding broke SPF and DKIM, the message will likely fail DMARC and be quarantined or rejected per the original sender's DMARC policy. ARC chain failure doesn't make things worse than pre-ARC — it just means ARC didn't help in this case. The receiver may log the chain failure for diagnostic purposes (e.g., in Authentication-Results with arc=fail) but typically doesn't apply additional penalties beyond the standard SPF/DKIM/DMARC outcomes.
Does ARC affect deliverability for direct (non-forwarded) mail?
No. ARC only matters when messages traverse intermediaries. Direct sender → recipient mail (no forwarding, no mailing list, no security gateway) doesn't generate ARC headers — the original SPF/DKIM/DMARC validation happens at the recipient and ARC plays no role. Some receivers may add an Authentication-Results header noting arc=none (no ARC chain present), but this is informational only and doesn't affect inbox placement. ARC is forwarding-specific infrastructure; it's invisible for direct mail flows.
Are there ARC abuse vectors I should worry about?
Yes — RFC 8617 §9 documents several. Replay attacks: attacker captures an ARC-sealed legitimate message and replays it later or to different recipients; cryptographic signatures still verify because the message hasn't been modified. Mitigation: receivers apply rate-limiting and message-content suspicion. Sealer suspicion: a malicious intermediary adds a fake ARC set claiming successful authentication that didn't actually occur; the cryptographic signature is valid but the assertion is false. Mitigation: receivers must judge whether to trust each sealer (Microsoft requires explicit Trusted ARC Sealers config for this reason). Chain pollution: attackers add ARC headers to messages they didn't legitimately handle, hoping receivers treat the fake claims as evidence. Mitigation: cv= validation catches this — if the prior chain didn't validate against the alleged previous hops, cv=fail and the new ARC set isn't trusted. ARC's overall security model is reputational: trust the sealers you know, treat unknown sealers as untrusted intermediaries.
How does ARC interact with DMARC reporting (RUA/RUF)?
When a receiver applies ARC chain validation to override a failing SPF/DKIM check, this should be reflected in the DMARC aggregate report (RUA). RFC 8617 §7.2.2 specifies that ARC-derived authentication results MAY be included in DMARC reports as a separate authentication mechanism with results like arc=pass. In practice, major DMARC report processors (DMARCian, DMARC Analyzer, Red Sift OnDMARC, Valimail) parse and display ARC information when present. The benefit: when reviewing DMARC reports, you can identify forwarders in your delivery path that are correctly applying ARC vs those that aren't, helping diagnose forwarding-related DMARC failures. ARC reporting is still uneven across providers — Gmail and Microsoft include it consistently, smaller receivers sometimes don't.
If ARC is Experimental, will it ever be obsoleted?
Possibly, but not soon. The IETF DMARC Working Group continues to discuss whether ARC should advance to Standards Track or be replaced by DKIMv2 or another approach. As of 2026, no concrete replacement is imminent. Practical reality: even if a successor protocol emerges, ARC's deployed base (Gmail, Microsoft, Yahoo, Fastmail, Sympa, Mailman) ensures it will remain in production for many years. Any successor would need to coexist with ARC during a multi-year transition. For 2026-2028 deployment decisions, ARC is the right answer; longer-term, watch IETF DMARC WG mailing lists for evolution. Organizations operating intermediaries should not delay ARC deployment hoping for a successor — the operational benefit of ARC today substantially exceeds the migration cost of a future successor.
Last updated: May 2026 · Sources: RFC 8617 (IETF Datatracker), arc-spec.org official, Wikipedia: Authenticated Received Chain, Microsoft: Configure trusted ARC sealers, Google: Best practices for forwarding email, Validity ARC explanation, Postmark ARC overview, OpenARC project, RFC 8601 Authentication-Results header.