How to Explain Authenticated Received Chain (ARC) in Plain English


On October 16, the DMARC (Domain-based Message Authentication Reporting and Conformance) group submitted a proposal for the Authenticated Received Chain, or ARC, specification to the Internet Engineering Task Force (IETF) as an Internet Draft. In this post, we will cover what ARC is and why it matters—in plain English.

The problem with indirect mailflow
To understand ARC, we must first understand the problem it solves.

Email authentication standards like DMARC help ensure that legitimate email authenticates properly against the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards, and that fraudulent activity appearing to come from domains under a brand’s control is blocked.

However, not all mail passes directly from sender to recipient. Some services like mailing lists or account forwarding—also known as intermediaries—receive a legitimate message and might make changes to it before sending it on, potentially resulting in SPF, DKIM, and/or DMARC alignment failure. Thus, the message, despite its legitimacy, may not get delivered.

What is ARC?
ARC helps preserve email authentication results and verifies the identity of email intermediaries that forward a message on to its final destination. There are three key components to ARC:

  1. ARC Authentication Results header: a header containing email authentication results like SPF, DKIM, and DMARC
  2. ARC Signature: a DKIM-like signature that takes a snapshot of the message header information, including the to, from, subject, and body
  3. ARC Seal: another DKIM-like signature that includes the ARC Signature and the ARC Authentication Results header information

How does ARC work?
Consider an email sent from Tom, a parent at Lee Hill Elementary School, to a mailing list of other parents. Tom wants to notify the group that he’s going to bake cookies for the 7th grade play. Here’s what Tom’s outgoing email looks like:

To: Parent Mailing List <[email protected]>

From: Tom <[email protected]>

Subject: Cookies for the 7th Grade Play

Dear Parents,

I’m bringing cookies! Hooray.

~ Tom

The parent mailing list checks authentication when it receives Tom’s email, which comes from a domain with a DMARC policy of p=reject. SPF passes and aligns, DKIM passes and aligns, and the message passes DMARC. The mailing list then records these authentication results by adding an ARC Authentication Results header. Here’s an example of what that header might look like:

spf=pass [email protected];

Then, the mailing list adds an ARC Signature, which takes a snapshot of the message header information, including who it was sent to, who it is from, the subject, and the body.

Finally, before sending the message to all the parents on the list, the mailing list adds an ARC Seal, which, as its name implies, “seals” the information included in the ARC Signature and the ARC Authentication Results header. Now, the mailing list is ready to forward Tom’s email to all of its subscribers.

Marsha is one of those subscribers. When receiving the forwarded message, Marsha’s email server checks not only the email authentication results (SPF, DKIM, DMARC) but also the ARC Seal when deciding whether or not to deliver the message to Marsha’s inbox.

If everything checks out, Marsha will receive the email below (note the changes to the subject field and the body):

To: Parent Mailing List <[email protected]>

From: Tom <[email protected]>

Subject: [Parent Mailing List] Cookies for the 7th Grade Play

Dear Parents,

I’m bringing cookies! Hooray.

~ Tom


To unsubscribe click here

If the ARC Seal does not pass, then Marsha’s mail server can apply the p=reject DMARC policy listed in Tom’s domain.
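
Before a receiver like Marsha’s server verifies any signature, it first checks that the three ARC headers arrive as complete, correctly numbered sets. The sketch below is an added example, not code from the original post: it performs only that structural check, using the on-the-wire header names from RFC 8617 (ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal) and their `i=` and `cv=` tags. The function name `arc_structure`, the domain `lists.example` and the sample message are assumptions made for illustration, and no cryptographic verification is performed.

```python
import re
from email import message_from_string

ARC_FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample: one ARC set added by a hypothetical list at lists.example.
SAMPLE = (
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example; s=arc; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example; s=arc;\n"
    " h=to:from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=1; lists.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: [Parent Mailing List] Cookies for the 7th Grade Play\n"
    "\n"
    "I'm bringing cookies! Hooray.\n"
)

def _tag(value, name):
    """Return the value of a top-level `name=` tag in a header value, or None."""
    m = re.search(r"(?:^|;)\s*%s\s*=\s*([^;\s]+)" % re.escape(name), value)
    return m.group(1) if m else None

def arc_structure(raw_message):
    """Return 'none', 'fail' or 'well-formed' for the message's ARC sets."""
    msg = message_from_string(raw_message)
    sets = {}  # instance number -> {field name: [header values]}
    for field in ARC_FIELDS:
        for value in msg.get_all(field, []):
            i = _tag(value, "i")
            if i is None or not re.fullmatch(r"[1-9][0-9]?", i):
                return "fail"  # every ARC header must carry a numeric instance tag
            sets.setdefault(int(i), {}).setdefault(field, []).append(value)
    if not sets:
        return "none"  # no intermediary recorded anything
    n = max(sets)
    if n > 50 or sorted(sets) != list(range(1, n + 1)):
        return "fail"  # instances must run 1..N with no gaps, N at most 50
    for i, fields in sets.items():
        if any(len(fields.get(f, [])) != 1 for f in ARC_FIELDS):
            return "fail"  # each set needs exactly one of each header
        cv = _tag(fields["ARC-Seal"][0], "cv")
        if cv != ("none" if i == 1 else "pass"):
            return "fail"  # first seal says cv=none, later seals cv=pass
    return "well-formed"
```

A result of "well-formed" only means the chain is worth verifying; the ARC Signature and ARC Seal signatures still have to be checked against the intermediary’s published keys.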

ARC is not a silver-bullet solution
Like any email authentication standard, ARC is not a stand-alone solution. Like DKIM, ARC does not prevent a malicious actor from removing or creating new ARC Authentication Results headers or ARC Signatures.

But we are still excited about ARC. It is an important step forward in helping receivers of indirect messages trace the path of intermediaries and make a safer, more informed delivery decision.
