---
title: "What is ARC (Authenticated Received Chain) and its role in email security? | AutoSPF"
description: "ARC or Authenticated Received Chain helps overcome the shortfalls of DMARC, further strengthening the overall email security standards."
image: "https://autospf.com/og/blog/what-is-arc-authenticated-received-chain-role-in-email-security.png"
canonical: "https://autospf.com/blog/what-is-arc-authenticated-received-chain-role-in-email-security/"
---


![email security](https://media.mailhop.org/autospf/images/2024/07/kitterman-spf-1212.jpg) 

ARC or Authenticated Received Chain helps overcome the [shortfalls of DMARC](https://www.darkreading.com/cloud-security/the-trouble-with-dmarc-4-serious-stumbling-blocks), further strengthening the overall [email security](/) standards. _ARC is an extension of the existing email authentication standards, SPF, DKIM, and DMARC, that makes it possible to validate the sending sources of emails when they pass through multiple intermediate servers_.

_ARC (Authenticated Received Chain, [RFC 8617](https://datatracker.ietf.org/doc/html/rfc8617)) was designed to solve SPF’s forwarding problem: when a message is forwarded, the forwarder’s IP fails the original sender’s SPF check. ARC lets each intermediary stamp a sealed chain of authentication results so the final receiver can trust the original verdict. Gmail, Outlook.com, and most major mailbox providers honor ARC chains from trusted intermediaries._

Let’s delve deeper into understanding how ARC helps troubleshoot [email authentication](/spf-too-many-dns-lookups/spf-lookup/)-related problems by providing valuable insights into the path traveled by an email and any [intermediary servers](https://en.wikipedia.org/wiki/Proxy%5Fserver) it passed through on its way to the intended recipient.

## What is an Authenticated Received Chain? 

ARC is an email protocol that lets the recipient’s mail server check the authentication results of [forwarded or relayed emails](https://www.pcmag.com/encyclopedia/term/email-forwarding), ensuring nobody tampered with or modified the email content in transit. This relatively new protocol was made public in 2019 and has instilled trust in the email’s origin and unmodified content.

_Besides this, ARC also resolves the issue of [false positives](https://www.theregister.com/2023/04/03/3cx%5Ffalse%5Fpositive%5Fsupply%5Fchain%5Fattack/), where emails sent by authorized senders get marked as spam or bounce back because of forwarding or mailing list services._ It addresses this issue by preserving the authentication results throughout the travel path of the email. This way, legitimate emails pass the authentication checks despite passing through multiple intermediate servers.

## What is the problem with the SPF, DKIM, and DMARC authentication process?

When you dispatch an email from a domain that is strengthened with [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/), DKIM, and DMARC, the forwarding server adds a new ‘Received’ header. SPF and DKIM often leave the new ‘Received’ header uncovered, triggering the recipient’s mail server to mark the email as illegitimate.

A similar problem also occurs when you send an email via a [mailing list](https://en.wikipedia.org/wiki/Mailing%5Flist), as the email undergoes modifications such as having the mailing list name added to the subject line or an ‘unsubscribe’ button or disclaimer appended at the end. All these changes make even a legitimate email look spoofed, hence failing DKIM checks.

What’s worse is that the forwarding or mailing list mail servers send the same email from a new IP address, causing trouble in SPF authentication as these intermediary servers are not part of the original sending domain’s [SPF record](/spf-record-checker/create-spf-record/). Due to this, SPF authentication also fails.

As you know, if an email fails SPF and/or [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/), it also fails the DMARC check. This is where ARC comes in handy. 

Let’s use an example to understand this. Imagine an email sent from your domain to Gmail. You have a [custom Return-Path](https://help.zoho.com/portal/en/kb/campaigns/deliverability-guide/best-practices/articles/what-is-a-custom-return-path-and-why-is-it-important#What%5Fis%5Fa%5Freturn-path%5Faddress) set up with DKIM and a [DMARC policy in DNS](https://www.emailonacid.com/blog/article/email-deliverability/why-strong-dmarc-policy/). This ensures emails from your domain are authenticated and “fully aligned” at ISPs like Gmail or Outlook.

Here’s an example of what the headers might look like:

```
Authentication-Results: mx.google.com;
       dkim=pass header.i=@domain.com header.s=20130519032151.pm header.b=SaTOwM7u;
       dkim=pass header.i=@pm.mtasv.net header.s=pm header.b=uUBEpN9j;
       spf=pass (google.com: domain of pm_bounces@bounces.domain.com designates 50.31.156.124 as permitted sender)
```

Now, if your customer forwards this email to a Yahoo account, the message will fail SPF alignment because the Return-Path headers have changed. Additionally, DKIM will likely fail because the message content has changed. This happens because the new sender is Gmail, not your domain, which you verified in SPF.

![How ARC works](https://media.mailhop.org/autospf/images/2024/07/spf-checker-5.jpg) 

## How does ARC fix the problem?

In simpler words, ARC generates a trusted chain of authentication by adding three extra email headers that ensure no additional headers or modifications by intermediate servers cause the email to fail SPF, DKIM, and [DMARC](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/) authentication checks. The recipient’s server then verifies this chain of authentication results upon reception.

The three email headers are:

- ARC-Authentication-Results: This includes a copy of the email’s SPF, DKIM, and DMARC results.
- ARC-Message-Signature: This is a DKIM-like signature that covers the entire message and headers, except the ARC-Seal header.
- ARC-Seal: This is again a DKIM-like signature that covers the ARC headers generated by each intermediate server.

### How do intermediate servers sign the message?

When an [ARC-enabled](https://www.bleepingcomputer.com/news/microsoft/office-365-enables-arc-for-enhanced-anti-spoofing-detection/) message arrives at the intermediary mail server, such as a forwarder or mailing list, the server performs the following steps:

- _Copies the original Authentication-Results into a new ARC-Authentication-Results header with a sequence number starting at 1_.
- Generates an [ARC-Message-Signature](https://proton.me/blog/what-is-authenticated-received-chain-arc#what-does-arc-do) to cover the message contents.
- Creates an [ARC-Seal](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-arc-configure) to validate the chain by covering the previous ARC headers.
- _Inserts the new ARC headers at the top of the message_.
- Forwards the email with the added ARC headers.

_Each subsequent intermediary repeats this process, incrementing the sequence number each time._

## Getting started with ARC

All major email service providers support [ARC adoption](https://www.bleepingcomputer.com/news/microsoft/microsoft-365-will-get-support-for-custom-arc-configurations/). However, establishing the right foundation is your responsibility. 

Here’s how you can get started with ARC to overcome the shortcomings of SPF, DKIM, and DMARC:

- Implement foundational standards: Set up SPF, DKIM, and DMARC for your domain.
- Verify ARC support: Ensure your [email service provider](/blog/major-email-service-providers-emphasize-dmarc-deployment/) (ESP) supports ARC. Check the documentation or contact support.
- Configure ARC signing: Set up your email system to add and sign ARC headers. Steps will vary by system.
- Test and validate: _Send test emails to check that ARC headers are added correctly_.
- Monitoring: Evaluate [DMARC reports](/mimecast-alternatives/) to understand how your email-sending domain is being used and whether there are any instances of false positives. _With ARC, there will be fewer failures resulting from email forwarding and mailing lists._
![Kitterman spf](https://media.mailhop.org/autospf/images/2024/07/kitterman-spf-1213.jpg) 

## How do you configure your mail server to validate inbound ARC?

Here’s what you need to do to validate inbound ARC-signed mail:

- Check MTA Support: Ensure your [MTA](https://www.javatpoint.com/what-is-mta) supports ARC. Most [modern MTAs](https://www.tecmint.com/best-mail-transfer-agents-mta-for-linux/) do. [OpenARC](https://www.openarc.net/) lists compatible software.
- Enable ARC Module: Turn on ARC validation and header parsing in your MTA configuration.
- List Trusted ARC Signers: Specify trusted domains for ARC headers. _Only accept ARC results from these domains._
- Set ARC Policy: Decide how your MTA handles ARC authentication. _For example, accept emails on ARC pass and reject on ARC fail_.
- Test with Known ARC Headers: Send test emails with valid ARC headers to ensure they are authenticated correctly.
- Honor ARC Results: Once ARC validation works, accept valid forwarded emails that would otherwise fail DMARC.
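
The chain layout and the trusted-signer rule described above, as an added Python example that is not from the original article or from any MTA: it checks that the ARC sets are numbered contiguously from 1, that each ARC-Seal's `cv=` tag matches its position in the chain, and that every sealing domain is on a trusted list. The sample message, the `example.net`/`example.org` sealers and the "every sealer must be trusted" policy are assumptions; cryptographic verification of the signatures is left to the MTA.

```python
import email
import re

# Constructed sample: one message sealed by two hypothetical intermediaries.
# b= and bh= values are placeholders, not real signatures.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example.org; s=arc;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; list.example.org; spf=fail; dkim=fail; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example.net; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example.net; s=arc;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; forwarder.example.net; spf=pass; dkim=pass; dmarc=pass
From: sender@domain.com
Subject: [list] hello

body
"""

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

def tag(value, name):
    """Return the value of the `name=` tag in a header value, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None

def check_chain(raw, trusted_sealers):
    """Structural checks only; signatures must still be verified by the MTA."""
    msg = email.message_from_string(raw)
    sets = {}  # instance number -> {header name: unfolded value}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            value = " ".join(value.split())  # unfold continuation lines
            i = tag(value, "i")
            if not (i and i.isascii() and i.isdigit()):
                return ("fail", f"{name} has no valid i= tag")
            if name in sets.setdefault(int(i), {}):
                return ("fail", f"duplicate {name} at i={i}")
            sets[int(i)][name] = value
    if not sets:
        return ("none", "message carries no ARC headers")
    if sorted(sets) != list(range(1, len(sets) + 1)):
        return ("fail", "instance numbers are not contiguous from 1")
    for i in sorted(sets):
        if len(sets[i]) != 3:
            return ("fail", f"ARC set i={i} is incomplete")
        seal = sets[i]["ARC-Seal"]
        # The first seal has no earlier chain to vouch for (cv=none);
        # every later seal must record that the chain so far validated.
        if tag(seal, "cv") != ("none" if i == 1 else "pass"):
            return ("fail", f"unexpected cv= in ARC-Seal i={i}")
        # Assumed local policy: every sealer in the chain must be trusted.
        if tag(seal, "d") not in trusted_sealers:
            return ("untrusted", f"sealer {tag(seal, 'd')} is not trusted")
    return ("pass", sets[1]["ARC-Authentication-Results"])
```

A `pass` result returns the ARC-Authentication-Results recorded by the first intermediary, which is the original verdict a receiver would consult when the message now fails SPF and DKIM.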

## Final words

Please note that ARC only fixes the problem of false positives for legitimate emails that are forwarded or sent through mailing lists as they pass through intermediate servers. It doesn’t provide [end-to-end encryption](https://www.ibm.com/topics/end-to-end-encryption) for emails.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

