What is email ARC (Authenticated Received Chain)

Learn how the email ARC (Authenticated Received Chain) Protocol protects senders and consumers by improving the security of email forwarding.

Email is one of the world’s most powerful and prevalent communication channels, but it also has the potential to damage consumers and brands. Fortunately, experts have developed standards and protocols to improve email security and reliability at scale. One of the big leaps forward is the email Authenticated Received Chain (ARC) protocol.

Email ARC works to improve the security of email forwarding, a gap that’s exposed individuals to phishing attacks at large. Below, we’ll walk you through everything you need to know about ARC to better protect your brand and customers.

What is the Authenticated Received Chain (ARC) protocol?

Email ARC (Authenticated Received Chain) is an email authentication protocol designed to improve the reliability and security of email forwarding. It is an extension of the existing email authentication standards:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

When an email is forwarded, the forwarding server adds a new “Received” header to the message, indicating that it has been relayed. However, this can sometimes cause issues with SPF and DKIM authentication, as the original SPF and DKIM signatures may not cover the new Received header.

ARC solves this problem by introducing a mechanism for preserving and validating email authentication results across multiple hops or forwarding steps. It allows each intermediary mail server to sign the headers it adds to the email, creating a chain of trust. 

The recipient’s mail server then verifies these signatures to ensure the message’s integrity and authenticity.

The Internet Engineering Task Force (IETF) introduced the ARC protocol in Request for Comments (RFC) 8617 in July 2019. It’s not perfect, but it adds a layer of security that inbox providers need for message forwarding.

How email ARC works

Here’s a high-level overview of how ARC works:

  1. Signing: The original sender’s domain signs the email using DKIM, indicating that the message is legitimate and hasn’t been tampered with.
  2. Received header: When the email reaches an intermediary mail server that adds a new Received header, it creates a signature for the existing headers, including the DKIM signature.
  3. ARC header: The intermediary server adds an ARC header containing its own signature and includes the original DKIM signature.
  4. Chain process: If the email is forwarded again, subsequent intermediaries repeat the process, creating a chain of ARC signatures.
  5. Final verification: When the email reaches the final recipient’s mail server, it can verify the ARC signatures to ensure that the message hasn’t been modified in transit and that the original DKIM signature is valid.

ARC is a scalable solution that benefits both high-volume and low-volume senders and receivers of email. It addresses significant challenges faced by large-volume mail receivers when it comes to accurately attributing incoming mail. With ARC, authorization information can be reliably passed along even in complex internal routing scenarios, effectively resolving previously difficult authorization issues related to multi-tenant and multi-party email routing.

In many cases, large mail systems are composed of interconnected smaller systems, resulting in authentication information being lost during mail transfers between subsystems. ARC simplifies this complex situation by enabling larger mail systems to function as cohesive entities that properly share authentication information.

Why ARC is important

Email forwards have notoriously been difficult to validate. Every time an email gets forwarded, it risks being modified in transit. However, thanks to ARC, consumers can trust that forwarded emails came from the original source.

ARC helps prevent legitimate emails from being marked as spam, and phishing emails from appearing as if they originated from trusted sources. By establishing a reliable chain of trust, ARC enhances email deliverability and improves the accuracy of spam filtering systems.

While ARC provides valuable authentication and integrity checks, it does not directly address email spoofing or guarantee the sender’s reputation. It’s not a standalone end-all, be-all solution.

Instead, ARC is most effective when used in conjunction with other email authentication protocols like SPF, DKIM, BIMI, and DMARC. When your brand uses all these standards to protect itself, you mitigate risks and make it harder for bad actors to impersonate your brand and spoof customers.

Benefits of ARC for brands and consumers

Here’s a short list that touches on the short-term and long-reaching benefits of ARC:

  • Improved email deliverability: ARC helps ensure that legitimate emails pass through forwarding servers without being marked as spam or rejected by recipient mail servers. It enhances the chances of email delivery to the intended recipients.
  • Enhanced security: ARC helps detect tampering or modification of the message during transit, providing additional protection.
  • Reduced false positives: With ARC, legitimate emails that are forwarded through intermediaries are less likely to be falsely identified as spam. This helps recipient mail servers make more accurate decisions regarding email categorization and reduce false positives.
  • Improved reporting: ARC allows for better visibility into an email’s path through various forwarding servers. This information can help troubleshoot and investigate email delivery issues.
  • More complete coverage: With DMARC, DKIM, SPF, and BIMI, you can ensure you have the most comprehensive, up-to-date email security. 

How to get started with the Authenticated Received Chain Protocol

Many of the largest inbox providers have adopted full support for ARC, but you’ll need to make sure you get your foundation in order before you can trust it’ll protect your messages.

Here’s how you can get started with ARC:

  1. Implement the foundational standards: First, you’ll want to implement SPF, DKIM, and DMARC. Ensure these are properly set up and configured for your domain.
  2. Verify ARC support: Double-check that the email service provider (ESP) you use to send email campaigns or transactional emails supports ARC. You might need to check the documentation or contact your support team to confirm compatibility. 
  3. Configure ARC signing: Configure your email infrastructure to add ARC headers and sign the relevant headers. The exact steps will vary depending on your email system or service.
  4. Test and validate: Test your ARC implementation to ensure it’s working. Try sending emails through your infrastructure and check that the ARC headers have been added appropriately. 
  5. Monitor DMARC reports: Check your DMARC reporting to get feedback from recipient mail servers. You want to find out if messages are being falsely marked as spam or if bad actors might be using your domains to spoof customers.
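
The chain described under “How email ARC works”, and the header check in the “Test and validate” step, can be inspected with a short script. This is an added example, not code from Valimail or the original article. It relies on RFC 8617's wire format, in which each hop adds three header fields (ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal) sharing an instance tag i=, and it checks chain structure only, not the signatures. The sample message, its domains and the function names are assumptions made for illustration.

```python
import email
import re
from collections import defaultdict

ARC_FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample: two ARC-signing hops; domains are placeholders, b=/bh= are dummies.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; t=1700000100; cv=pass; d=list.example; s=arc; b=AAAA
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=list.example;
 s=arc; h=from:subject; bh=BBBB; b=CCCC
ARC-Authentication-Results: i=2; mx.list.example; arc=pass; spf=fail; dkim=fail
ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none; d=fwd.example; s=arc; b=DDDD
ARC-Message-Signature: i=1; a=rsa-sha256; d=fwd.example; s=arc; h=from:subject; bh=EEEE; b=FFFF
ARC-Authentication-Results: i=1; mx.fwd.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
Subject: hello

body
"""

def parse_tags(value):
    """Split a 'k=v; k=v' header value into a dict; segments without '=' are skipped."""
    tags = {}
    for seg in value.replace("\r", "").replace("\n", "").split(";"):
        key, sep, val = seg.strip().partition("=")
        if sep:
            tags.setdefault(key.strip(), val.strip())
    return tags

def arc_chain_structure(raw_message):
    """Return (status, detail): 'none', 'fail' or 'well-formed' (signatures NOT verified)."""
    msg = email.message_from_string(raw_message)
    sets = defaultdict(list)  # instance number -> [(field, tags)], built in ARC_FIELDS order
    for field in ARC_FIELDS:
        for value in msg.get_all(field, []):
            tags = parse_tags(value)
            if not re.fullmatch(r"[1-9][0-9]?", tags.get("i", "")) or int(tags["i"]) > 50:
                return "fail", f"{field}: missing or invalid i= tag"
            sets[int(tags["i"])].append((field, tags))
    if not sets:
        return "none", "no ARC headers present"
    for i in range(1, max(sets) + 1):  # instances must run 1..N with no gaps
        if [f for f, _ in sets.get(i, [])] != list(ARC_FIELDS):
            return "fail", f"ARC set i={i} must hold exactly one of each ARC header"
        expected_cv = "none" if i == 1 else "pass"  # first hop has no earlier chain to vouch for
        if sets[i][2][1].get("cv") != expected_cv:  # index 2 is the ARC-Seal entry
            return "fail", f"ARC-Seal i={i} must carry cv={expected_cv}"
    return "well-formed", f"{max(sets)} complete ARC set(s)"
```

A “well-formed” result means only that the headers form a gap-free chain; a receiver still has to verify the newest ARC-Message-Signature and every ARC-Seal against the signers' published keys before trusting it.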

Protect your domains with Valimail Enforce

Valimail has played a big part in ARC’s journey and development, creating an ARC test suite for developers and engineers to test that the specs worked correctly. We’ve contributed to open-source packages for implementing ARC and helped develop software to make this standard a modern-day reality. 

Valimail Enforce gives you trusted, continuous DMARC protection at scale. It accelerates your journey to DMARC enforcement without any manual DKIM or SPF configuration. You better protect your sending domains and customers with DMARC automation, one-click authorization, improved deliverability, and real-time insights.

Want to see for yourself how Valimail can help eliminate DNS management and help you take control of your domains at scale? Schedule a demo with our team to learn how we can work together to better protect your brand.
