ARC — Authenticated Received Chain

Standard: RFC 8617 (July 2019, IETF Experimental) Authors: Andersen (LinkedIn) + Long (Google) + Blank (Valimail) + Kucherawy (TDP) Status: Experimental — not Standards Track Headers added: 3 per hop (AAR + AMS + AS) Major implementers: Gmail, Microsoft 365, Yahoo, Fastmail Reading time: 15 minutes
Definition

ARC (Authenticated Received Chain) is the IETF Experimental email authentication protocol defined in RFC 8617 (July 2019) that preserves SPF, DKIM, and DMARC authentication results across forwarding intermediaries — mailing lists, account forwarders, security gateways, and other handlers that modify messages in ways that break original authentication. ARC operates by attaching three new header fields at each ARC-aware intermediary: ARC-Authentication-Results (AAR) records the authentication results observed at that hop, ARC-Message-Signature (AMS) is a DKIM-like signature over the message, and ARC-Seal (AS) signs the chain to create a verifiable history of custody. Major implementations: Gmail, Microsoft 365 (with Trusted Sealer configuration), Yahoo, Fastmail. ARC doesn't replace SPF, DKIM, or DMARC — it preserves their results across forwarding paths that would otherwise break them.

ARC is the gap competitor for the auth cluster. While SPF, DKIM, and DMARC handle direct sender-to-receiver authentication well, they all break in predictable ways when messages traverse intermediaries — mailing lists adding subject prefixes, account forwarders changing the envelope, security gateways rewriting headers. ARC is the experimental protocol that solves this by preserving the original authentication results across the forwarding path, allowing the final receiver to make informed trust decisions even when SPF and DKIM fail at the final hop.

Most published material on ARC falls into one of two camps: vendor-side guides explaining "ARC is the solution to forwarding problems" without operational depth, or RFC summaries that quote definitions without showing real headers. This entry synthesizes the operational reality: the actual three-header structure with annotated examples, the chain validation flow with cv= semantics, the implementation matrix across providers and MTAs, the IETF Experimental status controversy, and the honest decision framework about when senders need ARC and when they don't.

The forwarding problem ARC solves

SPF, DKIM, and DMARC were designed for direct delivery: sender → recipient. They break in predictable ways when messages traverse intermediaries. The most common failure scenarios:

Mailing lists

List manager (Listserv, Sympa, Mailman 3, Google Groups) modifies the message — adds [LIST-NAME] subject prefix, appends a footer, sometimes rewrites the From: header. SPF fails because the list's IP isn't in the original sender's SPF record. DKIM fails because the modified body and headers no longer match the original signature. DMARC fails alignment.

Account forwarders

User auto-forwards work email (Outlook → personal Gmail). The forwarder retransmits the message from a different IP, breaking SPF. The body and headers may pass through unchanged so DKIM might survive, but Return-Path rewriting often breaks DMARC envelope alignment.

Security gateways

Mimecast, Proofpoint, Barracuda, and other email security products receive mail, scan it, and re-deliver to the actual mailbox. The retransmission often modifies headers, sometimes the body (anti-phishing warnings inserted), and always changes the IP. DKIM survives in some configurations but breaks in others.

Internal relays

Corporate environments routing mail through internal MTAs that perform legitimate modifications (header rewriting for internal vs external delivery, footer appending for compliance). Each modification risks breaking DKIM; each new sending IP risks breaking SPF.

In each case, the message itself is legitimate but the authentication signal at the final receiver is broken. Without ARC, the receiver sees an SPF/DKIM/DMARC failure and applies the sender's DMARC policy — quarantine or reject. The legitimate message gets blocked. With ARC, an intermediary can record "I saw this message authenticate cleanly before I modified it; here's the signed proof," letting the final receiver trust the original authentication despite the broken final-hop checks.

The three ARC headers (AAR + AMS + AS)

ARC adds three header fields per intermediary hop, called an "ARC set." Each has a specific role in the chain-of-custody mechanism:

ARC-Authentication-Results

AAR — the evidence

Records the authentication results (SPF, DKIM, DMARC) as the intermediary observed them. Format identical to the standard Authentication-Results header per RFC 8601, with an added i=N instance number.

Purpose: Says what the intermediary saw at this hop.

ARC-Message-Signature

AMS — the message proof

A DKIM-like cryptographic signature over the message body and selected headers including the AAR. Generated using the intermediary's signing key.

Purpose: Proves the message at this hop wasn't tampered with after the AAR was recorded. Survives modifications by later intermediaries who add their own ARC sets.

ARC-Seal

AS — the chain glue

Cryptographic signature over the previous ARC sets plus this hop's AAR and AMS. Does NOT sign the message body. Contains the chain validation status (cv=none/pass/fail).

Purpose: Links this ARC set to the chain of previous sets, creating a verifiable history. Records whether the chain was valid when this hop processed it.

Each ARC-aware intermediary that handles a message adds one complete ARC set (AAR + AMS + AS) with an incrementing instance number — first sealer adds i=1, second adds i=2, and so on. The final receiver validates the chain backwards from the highest instance number to verify each hop's signatures, and reads the original authentication results from the i=1 AAR (the first hop's record of the original SPF/DKIM/DMARC results before any modifications).

Real ARC headers in code

Here's an actual ARC set generated by Gmail when forwarding a message — abbreviated for readability but showing the real structure:

# Original message arrives at Gmail with valid SPF + DKIM + DMARC
# Gmail receives it, will forward to user's other mailbox
# Before forwarding, Gmail seals the original authentication into ARC

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@example.com header.s=20230601 header.b="abc123...";
       spf=pass (google.com: domain of sender@example.com designates 203.0.113.10 as permitted sender);
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
       d=google.com; s=arc-20160816;
       h=to:subject:message-id:date:from:mime-version:content-type:dkim-signature:arc-authentication-results;
       bh=ABCDEF1234567890...;
       b=Cryptographic-message-signature-here-base64-encoded...

ARC-Seal: i=1; a=rsa-sha256; t=1714843200; cv=none;
       d=google.com; s=arc-20160816;
       b=Cryptographic-seal-signature-here-base64-encoded...
       # cv=none because this is the first ARC set (no prior chain)

# Gmail then forwards the message to the user's destination mailbox
# If the destination is also ARC-aware (e.g., another Gmail account, Microsoft 365),
# it would add i=2 ARC set to the message preserving the chain

The same message after passing through a second ARC-aware intermediary (say Microsoft 365) would have:

# Second intermediary adds i=2 ARC set (prepended above i=1)

ARC-Authentication-Results: i=2; outlook.office365.com;
       dkim=fail (signature did not verify);            # DKIM broke after Gmail forwarding
       spf=fail (sender IP not in SPF);             # SPF broke (Gmail's IP, not original)
       dmarc=fail;
       arc=pass header.b="AbCdEf..." (i=1 chain validation passed)   # ARC chain still valid!

ARC-Message-Signature: i=2; a=rsa-sha256;
       d=outlook.com; s=arc-2024;
       # [...signature over current message + Gmail's ARC set...]

ARC-Seal: i=2; a=rsa-sha256; cv=pass;
       d=outlook.com; s=arc-2024;
       # cv=pass because the i=1 chain validated successfully

ARC-Authentication-Results: i=1; mx.google.com; ...    # Gmail's original AAR preserved
ARC-Message-Signature: i=1; ...                          # Gmail's original AMS preserved
ARC-Seal: i=1; ...                                     # Gmail's original AS preserved

The receiver evaluates the chain by validating each AS signature backwards from the highest instance number. If the entire chain validates, the receiver can trust the i=1 AAR — Gmail's record of the original SPF/DKIM/DMARC results — even though the final-hop SPF and DKIM failed.

Chain validation status (cv=)

The cv= tag in the most recent ARC-Seal header records the status of the previous chain. Three possible values:

cv=none
No prior chain. This is the first ARC set in the message. i=1. The intermediary is the first ARC-aware handler.
cv=pass
Prior chain validated. All previous AS signatures verified, all AMS signatures verified. The chain of custody is intact through this hop.
cv=fail
Chain validation failed. At least one previous ARC set didn't validate. Per RFC 8617, sealers MUST NOT add a new ARC set to a failed chain.

The receiving MTA uses cv= to decide whether to trust the original authentication: cv=pass means the chain is valid and the original authentication results recorded in the i=1 AAR can be trusted; cv=fail or chain-validation-failure means the message can't benefit from ARC and falls back to standard SPF/DKIM/DMARC results — which by definition will fail because the chain failed for a reason.

ARC chain across a forwarding hop

Concrete example showing what happens at each step when a legitimate authenticated message gets forwarded through an ARC-aware intermediary:

Authentication preservation across forwarding

Original sender
Sends message from marketing@example.com with valid SPF, DKIM signature, DMARC alignment. SPF: pass, DKIM: pass, DMARC: pass.
Gmail receives
Validates authentication, all checks pass. User has auto-forward configured to send mail to user@personal-domain.com via another mailbox provider.
Gmail seals
Before forwarding, Gmail adds the i=1 ARC set: AAR records original results, AMS signs the message, AS contains cv=none. ARC chain initialized.
Gmail forwards
Message retransmitted from Gmail's outbound IP to the destination. Headers may be slightly modified (Received: chains added, possibly Return-Path rewritten).
Destination receives
Final receiver checks SPF: fail (Gmail's IP not in example.com SPF). DKIM: fail (body modifications by Gmail's forwarding broke signature). DMARC: fail.
ARC validation
Receiver validates Gmail's i=1 ARC set: AS signature verifies against Gmail's public key, AMS signature verifies against the message + AAR. ARC chain validates.
ARC override
Receiver reads the i=1 AAR — Gmail's record of the original authentication. Original SPF/DKIM/DMARC all passed. Receiver can trust the message despite the final-hop authentication failure.
Delivery
Message delivered to inbox instead of being quarantined or rejected. ARC successfully preserved authentication across the forwarding path.

Implementation matrix: who actually uses ARC

ARC's value depends on adoption — both at the sealer side (intermediaries that record original authentication) and the validator side (receivers that trust ARC chains). The 2026 state:

ImplementationTypeARC VerifyARC SealNotes
Gmail / Google Workspace Mailbox provider ✓ Yes ✓ Yes Most aggressive ARC implementer. Verifies incoming chains, seals outgoing forwarded mail.
Microsoft 365 / Exchange Online Mailbox provider Configurable ✗ No Verifies but requires explicit Trusted ARC Sealers config to grant DMARC override.
Yahoo Mail Mailbox provider ✓ Yes Partial Verifies inbound. ARC sealing for forwarding limited.
Fastmail Mailbox provider ✓ Yes ✓ Yes Bron Gondwana (Fastmail) is one of RFC 8617's editors.
Sympa MLM (v6.2.38+) Mailing list manager ✓ Yes ✓ Yes Sympa was an early ARC adopter for MLM use case.
Mailman 3 Mailing list manager ✓ Yes ✓ Yes ARC support in Mailman 3 core.
Google Groups Group software ✓ Yes ✓ Yes Inherits Google's broader ARC infrastructure.
OpenARC (milter) Postfix/Sendmail integration ✓ Yes ✓ Yes Reference open-source implementation. Active project.
authentication_milter Perl milter (Postfix/Sendmail) ✓ Yes ✓ Yes Combined SPF/DKIM/DMARC/ARC milter. Used by Fastmail.
Halon (commercial MTA) Programmable MTA ✓ Yes ✓ Yes ARC built into the MTA scripting model.
MailerQ (commercial MTA) Commercial MTA ✓ Yes ✓ Yes ARC support included.
Postfix (native) Open-source MTA ✗ Plugin only ✗ Plugin only Native Postfix has no ARC support; OpenARC milter required.
PowerMTA Commercial MTA Partial ✗ No PowerMTA is outbound-only; ARC sealing not typical use case.
KumoMTA Open-source MTA Lua-extensible Lua-extensible ARC implementable via Lua policy hooks; not built-in.
Combined ARC-aware coverage is high. If your message gets forwarded through Gmail, Microsoft 365 (with Trusted Sealer config), Yahoo, Fastmail, or a Sympa/Mailman list, the original authentication is preserved. The gap: forwarding through any non-ARC-aware intermediary breaks the chain — but the receiver still falls back to standard SPF/DKIM/DMARC, no worse than pre-ARC behavior.

Microsoft 365: configuring Trusted ARC Sealers

Microsoft 365 verifies ARC chains by default but requires administrators to explicitly configure "Trusted ARC Sealers" to grant DMARC override authority. Without configuration, ARC chains are seen but not used for authentication decisions.

# Microsoft 365 Defender portal: configure Trusted ARC Sealers
# Email & Collaboration > Policies & Rules > Threat policies
#   > Email authentication settings > ARC tab

# Or via Exchange Online PowerShell:
Connect-ExchangeOnline

# View current trusted sealers
Get-ArcConfig

# Add a trusted sealer (e.g., Gmail)
Set-ArcConfig -Identity Default -ArcTrustedSealers "google.com"

# Add multiple trusted sealers
Set-ArcConfig -Identity Default -ArcTrustedSealers "google.com","fastmail.com","fabrikam.com"

# The d= value in ARC-Seal headers must match exactly
# Use Outlook View > Internet Headers or https://mha.azurewebsites.net to inspect
The configuration is per-tenant. All users in the Microsoft 365 tenant inherit the trusted-sealer list. Common patterns: corporate forwarders that route mail through Mimecast or Proofpoint, mailing lists that legitimate mail traverses, internal forwarding domains. Adding a sealer too aggressively means trusting their authentication assertions — only add intermediaries whose security and operations you trust to be honest about original auth results.

The Experimental status and the controversy

RFC 8617 was published as IETF Experimental status, not Standards Track. This is a specific designation per RFC 7841 meaning the protocol is published for examination, experimental implementation, and evaluation rather than widespread mandated deployment. The community had public review and IESG approved publication, but with explicit acknowledgment that ARC's effectiveness in real-world conditions wasn't fully proven.

The Wikipedia controversy: Wikipedia notes "It has been suggested by the IETF that ARC should no longer be used" and that "ARC did not solve the problems with email reputation." Some parts "might be incorporated into DKIMv2." This reflects real concerns in the standards community: ARC verifies a chain of custody but doesn't independently validate the trustworthiness of any intermediary in the chain. A receiver trusting an ARC chain is implicitly trusting the entire chain of intermediaries to be honest — which is a reputation problem, not a cryptographic one.

The honest 2026 assessment:

  • ARC is the best available solution for preserving authentication across forwarding — no alternative protocol with comparable deployment exists.
  • ARC has substantial production deployment — Gmail, Microsoft 365 (with config), Yahoo, Fastmail, Sympa, Mailman all participate.
  • ARC's security is reputational, not cryptographic — the chain proves what each intermediary asserted, not whether the assertion was true.
  • ARC is an imperfect tool and the IETF community is exploring DKIMv2 or other approaches as longer-term replacements.
  • For 2026 deployment decisions, ARC is the right answer; DKIMv2 isn't ready for production use.

Do I need to deploy ARC sealing?

ARC is for intermediaries — not regular senders. The decision framework:

Deploy ARC sealing if you are…

  • A mailing list operator (Listserv, Sympa, Mailman 3 — anything that accepts a message and re-distributes it to subscribers with modifications)
  • An account forwarder (auto-forwarding domain that retransmits mail from one address to another)
  • An email security gateway (Mimecast, Proofpoint, custom anti-phishing layer that modifies headers/body)
  • A mailbox provider with native forwarding (your users auto-forward from your service to other providers)
  • An ESP that forwards transactional mail through internal relays before final delivery
  • Operating any infrastructure where messages are received from one place and re-sent to another with modifications

You don't need ARC sealing if you are…

  • A regular email sender (marketing platform, SaaS transactional mail, corporate email server)
  • Sending mail directly to recipients without intermediation
  • Running outbound infrastructure where messages flow from your application to recipient ISPs in one hop
  • A typical PowerMTA / KumoMTA / Postfix outbound deployment where each message originates from your IPs and goes directly to recipient MX servers
  • An ESP whose messages don't get re-processed before being delivered

For regular senders: focus on getting SPF, DKIM, and DMARC right. ARC is invisible infrastructure that helps your forwarded mail not fail at the recipient — you benefit from ARC without doing anything if your recipients use ARC-aware mail providers (Gmail, Microsoft 365). Your job is making the original authentication clean; ARC handles preservation downstream.

ARC in Cloud Server for Email infrastructure

Our managed email infrastructure handles ARC pragmatically based on customer architecture:

  • Outbound senders (most CSE customers): no ARC sealing required. Focus is SPF, DKIM, DMARC enforcement, IP warming, sender reputation. ARC happens transparently at recipient ISPs that forward our customers' mail.
  • Mailing list operators: ARC sealing via OpenARC milter or authentication_milter integration with Postfix-based list infrastructure. Mailman 3 + ARC for list-style deployments where preservation across the forwarding boundary matters.
  • Email security gateways: ARC sealing essential when our gateway sits in front of customer mail server, modifying headers or body. Without ARC, downstream DMARC enforcement at recipient ISPs would block legitimate mail that traversed our gateway.
  • Internal forwarding infrastructure: customer environments where mail traverses multiple internal MTAs before final delivery. ARC sealing at the boundary preserves authentication across the internal relay path.
  • Microsoft 365 customers: configuration of Set-ArcConfig -ArcTrustedSealers for known forwarders in their environment — Mimecast, Proofpoint, internal compliance gateways, partner forwarding domains.
  • Diagnostic and remediation: when customers report DMARC failures on legitimate forwarded mail, we analyze ARC chains in the message headers to identify which intermediary broke authentication and whether ARC is being correctly applied across the chain.

The pattern across customers: ARC is rarely the primary investment, but it's frequently the missing piece in incidents where legitimate mail is being blocked due to forwarding-induced DMARC failures.

  • SPF — breaks at forwarding boundaries because the IP changes. ARC preserves the original SPF result.
  • DKIM — breaks when forwarders modify message body or headers. ARC preserves the original DKIM result.
  • DMARC — fails when SPF and DKIM both break. ARC's chain validation lets receivers trust the original DMARC result despite final-hop failures.
  • BIMI — requires DMARC at enforcement; ARC helps DMARC survive forwarding so BIMI logos still display for forwarded mail.
  • MTA-STS — transport-layer authentication, parallel to but independent of ARC's content-layer authentication preservation.
  • Postfix — common MTA for ARC sealing infrastructure via OpenARC milter or authentication_milter.
  • SMTP — the protocol over which ARC headers are transported; ARC headers are part of the message DATA payload.

Frequently asked questions

Does ARC require DNS records like SPF and DKIM?

Sort of. ARC sealers publish a public key in DNS using the same format as DKIM — a TXT record at <selector>._domainkey.<sealer-domain> containing the public key. The selector is referenced in the AMS and AS headers via the s= tag. For example, Gmail's ARC public keys are published at arc-20160816._domainkey.google.com. Receivers validating an ARC chain look up the public key for each intermediary's signing domain and verify the AS and AMS signatures. The sealer's DKIM-style key infrastructure must be in place before ARC sealing can work — same operational requirement as DKIM itself, applied to a different signing context.

Can ARC chains be unbounded in length?

RFC 8617 §5.1.1 allows up to 50 ARC sets in a chain. Practical chains are typically much shorter — 1-3 hops. Each ARC set adds substantial header overhead (typically 1-2KB for AAR + AMS + AS combined), so a 50-hop chain would add ~100KB of headers, which most MTAs would consider abusive. Production limits are usually configured at 10-20 hops via MTA configuration. If the limit is exceeded, the validating receiver typically falls back to standard SPF/DKIM/DMARC — not worse than pre-ARC behavior.

What happens if I use ARC and ARC chain validation fails at the receiver?

The receiver falls back to standard SPF/DKIM/DMARC validation. If the chain failure is because forwarding broke SPF and DKIM, the message will likely fail DMARC and be quarantined or rejected per the original sender's DMARC policy. ARC chain failure doesn't make things worse than pre-ARC — it just means ARC didn't help in this case. The receiver may log the chain failure for diagnostic purposes (e.g., in Authentication-Results with arc=fail) but typically doesn't apply additional penalties beyond the standard SPF/DKIM/DMARC outcomes.

Does ARC affect deliverability for direct (non-forwarded) mail?

No. ARC only matters when messages traverse intermediaries. Direct sender → recipient mail (no forwarding, no mailing list, no security gateway) doesn't generate ARC headers — the original SPF/DKIM/DMARC validation happens at the recipient and ARC plays no role. Some receivers may add an Authentication-Results header noting arc=none (no ARC chain present), but this is informational only and doesn't affect inbox placement. ARC is forwarding-specific infrastructure; it's invisible for direct mail flows.

Are there ARC abuse vectors I should worry about?

Yes — RFC 8617 §9 documents several. Replay attacks: attacker captures an ARC-sealed legitimate message and replays it later or to different recipients; cryptographic signatures still verify because the message hasn't been modified. Mitigation: receivers apply rate-limiting and message-content suspicion. Sealer suspicion: a malicious intermediary adds a fake ARC set claiming successful authentication that didn't actually occur; the cryptographic signature is valid but the assertion is false. Mitigation: receivers must judge whether to trust each sealer (Microsoft requires explicit Trusted ARC Sealers config for this reason). Chain pollution: attackers add ARC headers to messages they didn't legitimately handle, hoping receivers treat the fake claims as evidence. Mitigation: cv= validation catches this — if the prior chain didn't validate against the alleged previous hops, cv=fail and the new ARC set isn't trusted. ARC's overall security model is reputational: trust the sealers you know, treat unknown sealers as untrusted intermediaries.

How does ARC interact with DMARC reporting (RUA/RUF)?

When a receiver applies ARC chain validation to override a failing SPF/DKIM check, this should be reflected in the DMARC aggregate report (RUA). RFC 8617 §7.2.2 specifies that ARC-derived authentication results MAY be included in DMARC reports as a separate authentication mechanism with results like arc=pass. In practice, major DMARC report processors (DMARCian, DMARC Analyzer, Red Sift OnDMARC, Valimail) parse and display ARC information when present. The benefit: when reviewing DMARC reports, you can identify forwarders in your delivery path that are correctly applying ARC vs those that aren't, helping diagnose forwarding-related DMARC failures. ARC reporting is still uneven across providers — Gmail and Microsoft include it consistently, smaller receivers sometimes don't.

If ARC is Experimental, will it ever be obsoleted?

Possibly, but not soon. The IETF DMARC Working Group continues to discuss whether ARC should advance to Standards Track or be replaced by DKIMv2 or another approach. As of 2026, no concrete replacement is imminent. Practical reality: even if a successor protocol emerges, ARC's deployed base (Gmail, Microsoft, Yahoo, Fastmail, Sympa, Mailman) ensures it will remain in production for many years. Any successor would need to coexist with ARC during a multi-year transition. For 2026-2028 deployment decisions, ARC is the right answer; longer-term, watch IETF DMARC WG mailing lists for evolution. Organizations operating intermediaries should not delay ARC deployment hoping for a successor — the operational benefit of ARC today substantially exceeds the migration cost of a future successor.

Last updated: May 2026 · Sources: RFC 8617 (IETF Datatracker), arc-spec.org official, Wikipedia: Authenticated Received Chain, Microsoft: Configure trusted ARC sealers, Google: Best practices for forwarding email, Validity ARC explanation, Postmark ARC overview, OpenARC project, RFC 8601 Authentication-Results header.