How to Explain Authenticated Received Chain (ARC) in Plain English


On October 16, the DMARC (Domain-based Message Authentication Reporting and Conformance) group submitted a proposal for the Authenticated Received Chain, or ARC, specification to the Internet Engineering Task Force (IETF) as an Internet Draft. In this post, we will cover what ARC is and why it matters—in plain English.

The problem with indirect mailflow
To understand ARC, we must first understand the problem it solves.

Email authentication standards like DMARC help ensure that legitimate email is properly authenticating against established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards, and that fraudulent activity appearing to come from domains under a brand’s control is blocked.

However, not all mail passes directly from sender to recipient. Some services like mailing lists or account forwarding—also known as intermediaries—receive a legitimate message and might make changes to it before sending it on, potentially resulting in SPF, DKIM, and/or DMARC alignment failure. Thus, the message, despite its legitimacy, may not get delivered.

What is ARC?
ARC helps preserve email authentication results and verifies the identity of email intermediaries that forward a message on to its final destination. There are three key components to ARC:

  1. ARC Authentication Results header: a header containing email authentication results like SPF, DKIM, and DMARC
  2. ARC Signature: a DKIM-like signature that takes a snapshot of the message header information, including the to, from, subject, and body
  3. ARC Seal: another DKIM-like signature that includes the ARC Signature and the ARC Authentication Results header information

How does ARC work?
Consider an email sent from Tom, a parent at Lee Hill Elementary School, to a mailing list of other parents. Tom wants to notify the group that he’s going to bake cookies for the 7th grade play. Here’s what Tom’s outgoing email looks like:

To: Parent Mailing List <parents@leehill.edu>

From: Tom <tom@example.com>

Subject: Cookies for the 7th Grade Play

Dear Parents,

I’m bringing cookies! Hooray.

~ Tom

The parent mailing list (at leehill.edu) checks authentication when it receives Tom’s email from example.com, which has a DMARC policy of p=reject. SPF passes and aligns, DKIM passes and aligns, and the message passes DMARC. Leehill.edu then records these authentication results by adding an ARC Authentication Results header. Here’s an example of what that header might look like:

spf=pass smtp.mfrom=tom@example.com;
dkim=pass
dmarc=pass

Then, leehill.edu adds an ARC Signature, which takes a snapshot of the message header information, including who it was sent to, who it is from, the subject, and the body.

Finally, before sending the message to all the parents on the mailing list, leehill.edu adds an ARC Seal, which, as its name implies, “seals” the information included in the ARC Signature and the ARC Authentication Results header. Now, leehill.edu is ready to forward Tom’s email to all the subscribers on the parent mailing list.

Marsha is one of those subscribers. When receiving the forwarded message, Marsha’s email server checks not only the email authentication results (SPF, DKIM, DMARC) but also the ARC Seal when making its decision to deliver the message to Marsha’s inbox or not.

If everything checks out, Marsha will receive the email below (note the changes to the subject field and the body):

To: Parent Mailing List <parents@leehill.edu>

From: Tom <tom@example.com>

Subject: [Parent Mailing List] Cookies for the 7th Grade Play

Dear Parents,

I’m bringing cookies! Hooray.

~ Tom

————-

To unsubscribe click here

If the ARC Seal does not pass, then Marsha’s mail server can fall back to the p=reject DMARC policy published for Tom’s domain, example.com.
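The walkthrough above, as an added example that is not part of the original post: leehill.edu adds one ARC set (Authentication Results, Signature, Seal) to Tom's message and Marsha's server validates the chain. The message text, the key and the domain-keyed HMAC are constructed assumptions; real ARC uses DKIM-style public-key signatures over canonicalized headers, which an HMAC stands in for here so the example runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed model of the ARC flow: real ARC uses DKIM-style public-key
# signatures over canonicalized headers; an HMAC keyed per domain stands in
# so this runs with only the standard library (a simplification).
SIGNED_HEADERS = ("To", "From", "Subject", "Body")

def _sig(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def _ams_input(i: int, msg: dict) -> str:
    # ARC Signature input: snapshot of the message as the intermediary forwards it
    return f"i={i}|" + "|".join(f"{h}:{msg[h]}" for h in SIGNED_HEADERS)

def _as_input(i: int, cv: str, chain: list, aar: str, ams: str) -> str:
    # ARC Seal input: every earlier set plus this set's AAR and AMS
    prior = "".join(s["aar"] + s["ams"] + s["as"] for s in chain)
    return f"i={i}; cv={cv}; " + prior + aar + ams

def add_arc_set(msg: dict, chain: list, domain: str, key: bytes, results: str) -> list:
    """Append ARC set i (AAR, AMS, AS) for `domain` to the chain received so far."""
    i = len(chain) + 1
    cv = "none" if i == 1 else "pass"        # validation status of the chain this hop received
    aar = f"i={i}; {domain}; {results}"
    ams = _sig(key, _ams_input(i, msg))
    seal = _sig(key, _as_input(i, cv, chain, aar, ams))
    return chain + [{"i": i, "d": domain, "cv": cv, "aar": aar, "ams": ams, "as": seal}]

def verify_chain(msg: dict, chain: list, keys: dict) -> str:
    """ARC validation: every seal must verify and the newest AMS must match the message."""
    if not chain:
        return "none"
    for n, s in enumerate(chain):
        expected = _sig(keys[s["d"]], _as_input(s["i"], s["cv"], chain[:n], s["aar"], s["ams"]))
        if not hmac.compare_digest(expected, s["as"]):
            return "fail"                    # a seal is broken: some hop's AAR or AMS was altered
    last = chain[-1]
    if not hmac.compare_digest(_sig(keys[last["d"]], _ams_input(last["i"], msg)), last["ams"]):
        return "fail"                        # message changed after the last intermediary signed it
    return "pass"

KEYS = {"leehill.edu": b"constructed-demo-key"}   # constructed; stands in for a published DKIM key
original = {"To": "Parent Mailing List <parents@leehill.edu>", "From": "Tom <tom@example.com>",
            "Subject": "Cookies for the 7th Grade Play", "Body": "Dear Parents,\n\nI'm bringing cookies! Hooray.\n\n~ Tom"}
forwarded = dict(original, Subject="[Parent Mailing List] " + original["Subject"],
                 Body=original["Body"] + "\n-----\nTo unsubscribe click here")
# The list records the DMARC result it observed, modifies the message, then signs and seals what it forwards
CHAIN = add_arc_set(forwarded, [], "leehill.edu", KEYS["leehill.edu"],
                    "spf=pass smtp.mfrom=tom@example.com; dkim=pass; dmarc=pass")
```

Marsha's server accepts `forwarded` with `CHAIN` even though the list's edits broke Tom's original DKIM signature; a change made after the seal, or an edited Authentication Results header, makes validation fail.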

ARC is not a silver-bullet solution
Like any email authentication standard, ARC is not a stand-alone solution. Like DKIM, ARC does not prevent a malicious actor from stripping existing ARC Authentication Results headers or ARC Signatures, or from adding new ones of their own.

But we are still excited about ARC. It is an important step forward in helping receivers of indirect messages trace the path of intermediaries and make a safer, more informed delivery decision.

Want to learn more about email authentication? Check out our guide, Getting Started with DMARC.
