ARC Authentication

Authenticated Received Chain (RFC 8617) preserves email authentication results across forwarding hops so receiving servers can evaluate the original authentication state.

Definition

Authenticated Received Chain (ARC) is a standard defined in RFC 8617 that adds a set of headers allowing each mail server in a forwarding chain to cryptographically sign the authentication results it observed. This preserves SPF, DKIM, and DMARC verdicts that would otherwise be invalidated when a message is forwarded or relayed through intermediaries.

Why It Matters

Forwarding breaks SPF alignment and can break DKIM signatures, which causes legitimate forwarded mail to fail DMARC checks and get rejected or quarantined. ARC gives receiving servers a trusted audit trail of authentication results so they can apply policy more intelligently instead of penalizing legitimate forwarded messages.

How It Works

Each mail server that handles the message adds three ARC headers: ARC-Authentication-Results (the authentication results it observed), ARC-Message-Signature (a DKIM-style signature over the message at that point), and ARC-Seal (a signature over the accumulated ARC headers). These headers are numbered sequentially per hop, forming a chain. The final receiving server validates each seal in reverse order to verify that the chain has not been tampered with, then uses the original authentication results to inform its delivery decision.
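The chain structure described above can be checked before any signature is verified. The following is an added example, not code from DFIR Lab or from RFC 8617: it groups the three headers by hop number, applies the RFC's structural rules (contiguous instances, one of each header per hop, cv=none on the first seal and cv=pass on later ones), and returns the authentication results recorded at each hop. The sample message, its domains and the "structure-ok" status label are constructed for illustration, and cryptographic validation of the seals, which needs DNS key lookups, is not performed.

```python
from email import message_from_string

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample: one message relayed through two ARC-signing hops.
# Domains and signature values are placeholders; nothing here is real mail.
SAMPLE = (
    "ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=arc; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=2; a=rsa-sha256; d=forwarder.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=2; forwarder.example; spf=fail; dkim=pass; dmarc=pass\n"
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=arc; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=1; list.example; spf=pass; dkim=pass; dmarc=pass\n"
    "From: alice@sender.example\nSubject: hello\n\nbody\n"
)

def tags(value):
    """Parse 'tag=value; tag=value' into a dict, keeping the first token of each value."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): (v.split() or [""])[0] for k, v in pairs}

def arc_chain(raw):
    """Return (status, {instance: auth results}) from structural checks only."""
    sets = {}  # instance number -> {header name: parsed tags}
    msg = message_from_string(raw)
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            t = tags(value)
            if not t.get("i", "").isdecimal():
                return "fail", {}
            hop = sets.setdefault(int(t["i"]), {})
            if name in hop:  # two headers of one kind claim the same hop
                return "fail", {}
            hop[name] = t
    if not sets:
        return "none", {}
    n = max(sets)
    if n > 50 or sorted(sets) != list(range(1, n + 1)):  # gaps or over the limit
        return "fail", {}
    for i in range(n, 0, -1):  # newest hop first, as a validator walks the seals
        expected_cv = "none" if i == 1 else "pass"
        if len(sets[i]) != 3 or sets[i]["ARC-Seal"].get("cv") != expected_cv:
            return "fail", {}
    wanted = ("spf", "dkim", "dmarc")
    return "structure-ok", {
        i: {k: v for k, v in sets[i]["ARC-Authentication-Results"].items() if k in wanted}
        for i in sorted(sets)
    }
```

On the sample, hop 1 records spf=pass while hop 2 records spf=fail, which is the forwarding effect ARC is meant to carry forward to the final receiver.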

DFIR Platform

Phishing Email Checker

The Phishing Email Checker validates full ARC chains as part of its 26+ analysis modules, tracing authentication results through each intermediary hop to give analysts a complete picture of forwarded email authentication.

Related Concepts

SPF (Sender Policy Framework); DKIM (DomainKeys Identified Mail); DMARC (Domain-based Message Authentication, Reporting and Conformance); Phishing Analysis