ARC (Authenticated Received Chain) is an email authentication protocol that preserves SPF and DKIM results when messages pass through intermediaries like mailing lists, forwarding services, or security gateways. Without ARC, forwarded email often fails DMARC because SPF breaks and DKIM signatures can be invalidated by message modifications. ARC lets the final receiver see what authentication looked like before forwarding.
What Is ARC? When and Why It Matters
The Problem ARC Solves
Email forwarding breaks authentication. When a mailing list or forwarding service relays your message:
- SPF fails because the forwarding server's IP isn't in the original sender's SPF record
- DKIM may fail if the intermediary modifies headers, adds footers, or changes the body
- DMARC fails because neither SPF nor DKIM aligns anymore
This creates a dilemma: enforce DMARC and break forwarded email, or weaken DMARC and allow spoofing.
ARC solves this by creating a documented chain of authentication results at each hop.
How ARC Works
When an intermediary processes a message, it adds three ARC headers:
- ARC-Authentication-Results (AAR) — the authentication results the intermediary observed
- ARC-Message-Signature (AMS) — a DKIM-like signature of the message at that point
- ARC-Seal (AS) — a signature that chains this set of ARC headers to previous ones
Each set is numbered (i=1, i=2, etc.) creating a verifiable chain. The final receiving server can walk the chain backward to see what authentication looked like at each hop.
Practitioner note: Google was the primary driver behind ARC, and Gmail is the biggest consumer of ARC data. If your email gets forwarded through a service that ARC-seals, Gmail is significantly more likely to deliver it despite DMARC failure.
Who Needs to Care About ARC
If you're a domain owner: You don't configure ARC. But understanding it helps you troubleshoot DMARC failures from forwarding. If your forwarded email is failing DMARC, check whether the intermediary supports ARC.
If you run a forwarding service or mailing list: You should implement ARC sealing. It's the responsible thing to do — your service is breaking authentication for everyone who forwards through you.
If you're a receiving server operator: You evaluate ARC chains to make better delivery decisions when DMARC fails.
ARC and DMARC Override
When a message fails DMARC but has a valid ARC chain, the receiving server can choose to override the DMARC failure. This is a local policy decision — ARC doesn't automatically override DMARC. The receiver evaluates:
- Is the ARC chain intact and valid?
- Does the receiver trust the intermediary that sealed the chain?
- What did authentication look like before forwarding?
Gmail, for example, trusts ARC seals from known mailing list providers and forwarding services.
Practitioner note: ARC is the reason mailing lists still work in a world of DMARC enforcement. Without it, every mailing list post from a domain at p=reject would be rejected by Gmail. ARC is doing more heavy lifting than most people realize.
If you're dealing with DMARC failures from forwarded email and want to understand your options, book a consultation.
Sources
- RFC 8617: The Authenticated Received Chain (ARC) Protocol
- Google: ARC Specification
- DMARC.org: ARC Overview
- M3AAWG: ARC Recommendations
v1.0 · April 2026
Frequently Asked Questions
What does ARC stand for in email?
Authenticated Received Chain. It's defined in RFC 8617 and creates a chain of authentication results as an email passes through multiple servers.
Does ARC replace DMARC?
No. ARC supplements DMARC. When DMARC fails due to forwarding, the receiving server can check ARC headers to see if authentication passed before the intermediary modified the message. The receiver decides whether to trust the ARC chain.
Do I need to configure ARC?
Most domain owners don't configure ARC directly. ARC is implemented by intermediaries (mailing list servers, forwarding services, security gateways) and evaluated by receiving servers. If you operate a forwarding service, you should implement ARC sealing.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.