What is DMARC ARC?
Authenticated Received Chain (ARC), specified in RFC 8617, is an email authentication protocol that complements DMARC. It provides a verifiable "chain of custody" for a message: each intermediary that handles the message signs the authentication results it observed, so every later handler, and ultimately the final receiver, can see which servers handled the message and how it authenticated at each step.
The main benefit of ARC, which the large mailbox providers now implement, is that it addresses a long-standing problem with DMARC: when a DMARC-protected message passes through a forwarder or mailing list, SPF fails (the forwarder is not an authorised sender for the domain) and DKIM fails if the message was modified in transit, so DMARC fails and the message may be quarantined or rejected. With ARC, the authentication results observed at the first hop are recorded and signed, each subsequent hop adds to the chain, and the final receiver can see that the message passed DKIM before the forwarding broke it.
Essentially, ARC lets an intermediate mail server, such as a mailing list or forwarding service, sign the authentication results it observed together with the message as it forwards it. A receiving service can then use this signed chain when deciding whether to accept a message whose SPF and DKIM checks fail because of the intermediary's handling, even though those checks passed when the intermediary received it.
ARC Overview
Becoming DMARC compliant is crucial to your company's email success. To revisit, DMARC lets a sender's domain declare that its mail is protected by SPF and/or DKIM, and tells a receiving service what to do when neither check passes with an aligned domain: the published policy is none (deliver and report), quarantine, or reject. However, a strict DMARC policy can block legitimate mail sent through a mailing list or forwarder, because SPF fails (the forwarder's IP is not authorised for the sending domain) and the DKIM signature is invalidated if the message is modified, for example by adding a subject tag or footer.
ARC helps solve this problem by giving intermediate servers a way to sign the original message's validation results. Even if the SPF and DKIM checks fail at the final hop, the receiving service can validate the ARC chain instead. If the chain shows that the original message passed SPF and DKIM, and the only modifications were made by intermediaries the receiving service trusts, the receiving service may choose to accept the email. Note that ARC does not override DMARC on its own: honouring a valid chain is a local policy decision, and it is only safe if the receiver trusts the sealers, since any intermediary can produce a perfectly valid chain asserting whatever results it likes.
How ARC Works
The introduction of ARC brought the email world three new mail headers:
- ARC-Authentication-Results (AAR): an instance number (i=) plus the Authentication-Results the sealer observed when it received the message (SPF, DKIM and DMARC results, and for later hops the result of validating the existing ARC chain)
- ARC-Seal (AS): an instance number (i=), a chain validation status (cv=none for the first seal, cv=pass or cv=fail afterwards) recording the validity of the prior ARC sets, and a DKIM-like signature over all ARC header sets from the first instance up to the current one
- ARC-Message-Signature (AMS): an instance number (i=) and a DKIM-like signature over the message headers and body as the sealer forwards them, excluding all ARC-Seal headers
Each intermediary that handles the message (the "sealer") adds one set of these three headers before forwarding it. Because the AAR records what the sealer saw and the AMS signs the message as the sealer forwarded it, the original authentication results survive even if the message is forwarded several times and the original DKIM signature no longer verifies (if your business sends an email that is then forwarded three times, the three ARC sets preserve the original dkim=pass that would otherwise be lost). When a sealer forwards a message, it performs the following steps:
- Runs its own authentication checks and copies the resulting Authentication-Results into a new AAR header, tagged with the next instance number (i=1 for the first sealer, otherwise one more than the highest existing instance), and prepends it to the message
- Computes the AMS over the message headers and body as they will be forwarded, excluding any ARC-Seal headers, and prepends it to the message
- Computes the AS over every ARC header set from i=1 up to and including its own new AAR and AMS, records the chain validation status in cv= (none for the first seal, otherwise the result of validating the chain it received), and prepends it to the message
When the final receiving server gets the message, it validates the chain by performing the following steps:
- Checks the chain of ARC-Seal headers: instance numbers run contiguously from 1, every instance has all three headers, the first seal carries cv=none and every later seal cv=pass (a single cv=fail fails the whole chain), and each seal's signature verifies over the ARC sets up to its instance using the public key published by that sealer's domain
- Verifies the newest ARC-Message-Signature (the one with the highest instance number) against the message as received; this is what detects modification after the last seal
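To make the sealing steps and the validation steps above concrete, here is an added Python example (not code from this page or from any ARC implementation) that seals a constructed message at two hops and validates the chain at the final receiver. It is a deliberate simplification: HMAC keyed with constructed per-domain secrets stands in for the DKIM-style public-key signatures that real sealers produce and validators check via DNS, header canonicalization is omitted, the AMS simply signs every non-seal header in order, and the domains (list.example.org, fwd.example.net), the selector "arc" and the message content are all made up.

```python
"""Toy ARC sealer and validator (added illustration, not an RFC 8617 implementation)."""
import hashlib
import hmac
import re

ARC_HEADERS = {"ARC-Authentication-Results": "AAR",
               "ARC-Message-Signature": "AMS",
               "ARC-Seal": "AS"}

# Constructed secrets, one per sealing domain. Assumption standing in for DKIM:
# a real validator would fetch the public key from DNS at <s>._domainkey.<d>.
SEALER_KEYS = {"list.example.org": b"list-secret", "fwd.example.net": b"fwd-secret"}


def _sig(domain, data):
    key = SEALER_KEYS.get(domain)
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest() if key else ""


def _tag(value, name):
    """Read one tag (i=, cv=, d=, b=, ...) from a semicolon-separated header value."""
    m = re.search(rf"(?:^|;)\s*{name}=([^;]*)", value)
    return m.group(1).strip() if m else None


def arc_sets(headers):
    """Group a message's ARC headers by instance number: {i: {"AAR": v, "AMS": v, "AS": v}}."""
    sets = {}
    for name, value in headers:
        if name in ARC_HEADERS:
            sets.setdefault(int(_tag(value, "i")), {})[ARC_HEADERS[name]] = value
    return sets


def _ams_input(headers, body):
    # AMS covers the body and the headers but never an ARC-Seal (simplified:
    # every non-seal header in order; a real AMS lists the signed headers in h=).
    return "\n".join(f"{n}:{v}" for n, v in headers if n != "ARC-Seal") + "\n\n" + body


def _as_input(sets, upto):
    # AS covers AAR, AMS and AS of every instance from 1 to `upto`; the b= of the
    # seal being computed (instance `upto`) is treated as empty, earlier ones kept.
    parts = []
    for i in range(1, upto + 1):
        seal_value = sets[i]["AS"]
        parts += [sets[i]["AAR"], sets[i]["AMS"],
                  re.sub(r";\s*b=[^;]*", "; b=", seal_value) if i == upto else seal_value]
    return "\n".join(parts)


def seal(headers, body, domain, auth_results):
    """Sealer actions for one hop: prepend AAR, AMS and AS with the next instance number."""
    existing = arc_sets(headers)
    i = max(existing) + 1 if existing else 1
    cv = "none" if i == 1 else validate(headers, body)[0]   # status of the chain received
    msg = [("ARC-Authentication-Results", f"i={i}; {domain}; {auth_results}")] + headers
    ams = f"i={i}; d={domain}; s=arc; b={_sig(domain, _ams_input(msg, body))}"
    msg = [("ARC-Message-Signature", ams)] + msg
    sets = arc_sets(msg)
    sets[i]["AS"] = f"i={i}; cv={cv}; d={domain}; s=arc; b="
    return [("ARC-Seal", sets[i]["AS"] + _sig(domain, _as_input(sets, i)))] + msg


def validate(headers, body):
    """Validator actions: check the seal chain, then the newest AMS. Returns (status, reason)."""
    sets = arc_sets(headers)
    if not sets:
        return "none", "no ARC sets"
    n = max(sets)
    if sorted(sets) != list(range(1, n + 1)) or any(len(s) != 3 for s in sets.values()):
        return "fail", "instance numbers not contiguous or a set is incomplete"
    for i in range(1, n + 1):
        seal_value = sets[i]["AS"]
        if _tag(seal_value, "cv") != ("none" if i == 1 else "pass"):
            return "fail", f"i={i} has cv={_tag(seal_value, 'cv')}"
        if not hmac.compare_digest(_sig(_tag(seal_value, "d"), _as_input(sets, i)),
                                   _tag(seal_value, "b") or ""):
            return "fail", f"i={i} ARC-Seal does not verify (ARC headers modified)"
    ams = sets[n]["AMS"]
    # The newest AMS was computed before it and its seal were prepended, so drop it
    # (seals are already excluded by _ams_input) before recomputing the signature.
    without_ams = [(k, v) for k, v in headers if v != ams]
    if not hmac.compare_digest(_sig(_tag(ams, "d"), _ams_input(without_ams, body)),
                               _tag(ams, "b") or ""):
        return "fail", f"i={n} ARC-Message-Signature does not verify (modified after last seal)"
    return "pass", f"chain of {n} seal(s) valid"


def build_chain():
    """Constructed path: example.com -> list.example.org (adds a subject tag) -> fwd.example.net."""
    body = "Hi team\n"
    origin = [("From", "alice@example.com"), ("Subject", "hello"),
              ("DKIM-Signature", "v=1; d=example.com; s=sel; b=origsig")]  # placeholder, not verified here
    # Hop 1, the mailing list: it verified the origin signature, rewrites Subject
    # (which is exactly what breaks the origin DKIM signature), then seals as i=1.
    hop1 = [("Subject", "[team] hello") if k == "Subject" else (k, v) for k, v in origin]
    hop1 = seal(hop1, body, "list.example.org",
                "spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass")
    # Hop 2, a forwarder: SPF and DKIM now fail for it, but the chain validates, so it seals as i=2.
    return seal(hop1, body, "fwd.example.net",
                "spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com; dmarc=fail"), body


if __name__ == "__main__":
    message, body = build_chain()
    for name, value in message:
        print(f"{name}: {value}")
    print(validate(message, body))
```

Running it prints the nine headers of the two-hop message and `('pass', 'chain of 2 seal(s) valid')`. The useful part is what the validator rejects: appending text to the body after the forwarder sealed breaks only the i=2 AMS (the seals still verify, because they cover ARC headers, not the body); editing dkim=pass to dkim=fail inside the i=1 AAR breaks the i=1 seal; and deleting the whole i=1 set leaves a non-contiguous chain. In every case the result is an arc=fail rather than any change to the recorded DKIM result, which is the distinction the next paragraph draws.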
If any ARC header, or the message itself after the last seal, has been modified, the chain validation result is arc=fail; the recorded DKIM result is not changed, it is simply no longer trustworthy. If every server in the path sealed the message correctly, the receiver can see the authentication results recorded by the first sealer, including the original dkim=pass, and, provided it trusts the sealers, treat the message as authenticated even though the original DKIM signature no longer verifies.