ARC (Authenticated Received Chain) is an email authentication protocol that preserves SPF, DKIM, and DMARC results as an email passes through intermediate servers like mailing lists and forwarding services. When forwarding breaks SPF or DKIM, ARC lets the final receiving server see the original authentication results from trusted intermediaries, preventing legitimate forwarded email from failing DMARC.
What Is ARC in Email? (Authenticated Received Chain Explained)
ARC in 30 Seconds
ARC solves the email forwarding problem. When you forward an email, SPF breaks (wrong IP) and DKIM may break (message modified). ARC preserves the original authentication results in a chain of trust, so the final destination can still verify the email is legitimate.
The Forwarding Problem
Without ARC:
- Sender sends email → SPF pass, DKIM pass, DMARC pass
- Email hits a mailing list or forwarding rule
- Mailing list re-sends from its own IP → SPF fails
- Mailing list adds a footer → DKIM fails
- Final receiver sees both fail → DMARC fails → spam or rejection
With ARC:
- Same as above, but the mailing list adds ARC headers recording the original pass results
- Final receiver checks the ARC chain → sees original authentication passed
- If the intermediary is trusted → DMARC is overridden → delivered
ARC Headers
ARC adds three headers at each hop, each with an instance number (i=):
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.d=example.com;
spf=pass smtp.mailfrom=example.com;
dmarc=pass header.from=example.com
ARC-Message-Signature: i=1; a=rsa-sha256; d=google.com; ...
ARC-Seal: i=1; a=rsa-sha256; d=google.com; cv=none; ...
- ARC-Authentication-Results — what the intermediary observed
- ARC-Message-Signature — the intermediary's signature of the message
- ARC-Seal — the intermediary's signature of the entire ARC chain (
cv=shows chain validation status)
Who Needs ARC
Senders: You don't need to configure anything for ARC. It's handled by intermediaries and receivers.
Intermediaries (mailing lists, forwarding services): If you operate any service that forwards email, implementing ARC signing helps forwarded messages maintain authentication. Read more about ARC and email forwarding.
Receivers: Major providers (Gmail, Microsoft, Yahoo) already evaluate ARC chains from trusted intermediaries.
Practitioner note: ARC doesn't solve everything. It depends on the receiver trusting the intermediary — and trust lists are maintained privately by each provider. If your email is forwarded through an unknown intermediary, ARC headers may be present but ignored.
Practitioner note: I see ARC confusion in DMARC reports constantly. Clients see DMARC failures from Google or Microsoft IPs and panic, but it's just forwarded email. The ARC chain is handling it — the failures in the aggregate report are informational, not necessarily causing spam placement.
If you run a mailing list or forwarding service and need ARC implementation guidance, schedule a consultation.
Sources
- RFC 8617: The Authenticated Received Chain (ARC) Protocol
- Google: ARC Authentication for email
- DMARC.org: Interoperability Issues Between DMARC and Mailing Lists
- M3AAWG: Recommendations for Senders of ARC-Signed Mail
v1.0 · April 2026
Frequently Asked Questions
Why was ARC created?
Email forwarding breaks SPF (the forwarding server's IP isn't in the original domain's SPF) and can break DKIM (if the forwarder modifies the message). ARC was created so trusted intermediaries can vouch for the original authentication results, allowing forwarded email to pass DMARC.
How does ARC work?
Each intermediary server adds three ARC headers: ARC-Authentication-Results (what it observed), ARC-Message-Signature (its signature of the message), and ARC-Seal (its signature of the ARC chain). The final receiver evaluates the chain and trusts results from known intermediaries.
Do I need to set up ARC?
Most senders don't need to configure ARC — it's primarily implemented by intermediaries (mailing lists, forwarding services). However, if you operate a forwarding service or mailing list, implementing ARC signing helps forwarded messages maintain authentication.
Does Gmail use ARC?
Yes. Gmail both signs ARC headers when forwarding email and evaluates ARC chains when receiving. If DMARC fails but a trusted ARC chain vouches for the original authentication, Gmail may still deliver the message to the inbox.
Is ARC a replacement for SPF or DKIM?
No. ARC supplements SPF, DKIM, and DMARC — it doesn't replace them. You still need all three configured. ARC only comes into play when email passes through intermediaries that would otherwise break those protocols.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.