3,932 Australian domains analysed. Most fail basic email authentication. [2026 Report]

ARC

A protocol that lets intermediate mail servers preserve the original authentication results of a message as it is forwarded, so the final receiver can still trust them.

Definition

ARC (Authenticated Received Chain, RFC 8617) is a protocol that solves a long-standing problem with email forwarding. When a mailing list, alias, or shared inbox forwards a message, the original SPF result is broken (the forwarding server's IP is not in the original sender's SPF record), and DKIM may also break if the forwarder modifies the body or relevant headers. Without ARC, this means legitimate forwarded mail fails DMARC at the final destination and gets quarantined or rejected. ARC fixes this by letting each intermediate server in the forwarding chain stamp the original authentication results into the message in a verifiable way.

How it works

Each ARC-aware intermediary adds three headers to a message it forwards: ARC-Authentication-Results (a snapshot of the SPF/DKIM/DMARC results when the message arrived), ARC-Message-Signature (a DKIM-style signature over the message body and selected headers), and ARC-Seal (a signature over the previous ARC headers, chaining each intermediary's assertion). Each intermediary increments the i= instance counter, so a chain can be replayed and verified end-to-end.

The final receiver can then evaluate the chain: if the original authentication passed at the first hop and every intermediary signed faithfully, the receiver can trust the original result even though SPF/DKIM no longer verify against the connecting IP. Major mailbox providers — Google, Microsoft, Yahoo, and most major forwarders — implement ARC. ARC does not replace SPF, DKIM, or DMARC; it complements them by making forwarding survivable.

Example

A simplified view of ARC headers a forwarding server adds:

ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc-2026; t=...; b=...
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example; h=From:To:Subject; s=arc-2026; b=...
ARC-Authentication-Results: i=1; forwarder.example; spf=pass smtp.mailfrom=original.example; dkim=pass header.d=original.example; dmarc=pass header.from=original.example

A subsequent forwarder would add a second set of these headers with i=2, and the final receiver verifies the entire chain.

Related Terms

DMARC An email authentication policy framework that uses SPF and DKIM to detect and prevent doma... DKIM A cryptographic signature attached to outbound email that proves the message was authorise... SPF A DNS-published list of IP addresses and hostnames authorised to send email on behalf of a...

Automate your DMARC

DMARC Busta puts SPF, DKIM, and DMARC management on autopilot — across one domain or 10,000.

Start free trial