
ARC (Authenticated Received Chain)

ARC, short for Authenticated Received Chain, is an email authentication protocol designed to bolster the security of email communication. It addresses the trustworthiness of message delivery, especially when messages traverse multiple mail servers before reaching their final destination.

ARC in Email Communication

Email authentication is a multi-layered approach to verify the authenticity and integrity of messages. ARC is a critical addition to the authentication ecosystem, enhancing the cooperation between SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

SPF and DKIM provide fundamental checks on the sender's domain and the data integrity, respectively. However, these security solutions are not infallible:

  • SPF checks can fail when emails are forwarded or relayed through intermediary servers. For example, failing to set up SPF records for subdomains can lead to SPF failures for emails sent from those subdomains due to the break in SPF alignment.
  • DKIM signatures are calculated based on the content of the message. Any modifications to the message, such as adding or removing content, can invalidate the DKIM signature.
  • DMARC adds policy enforcement and reporting capabilities to further enhance control and visibility over email authentication. So, if a message fails both SPF and DKIM, it fails DMARC, is considered suspicious, and will be rejected.

[Figure: forwarding without ARC. A message is sent from IP address 192.168.0.1; SPF, DKIM and DMARC pass. The first intermediary mail server changes the content by adding a disclaimer ("This email was sent to you via the XYZ mailing list Service. For more information, visit www.xyzmailingservice.com.") and relays the message from a different IP address that is unknown to the DNS record (e.g. an unregistered subdomain). The recipient's mail server verifies the incoming message: SPF fails because the IP address is invalid, DKIM fails because the content changed, so DMARC fails. The message is rejected or marked as spam.]

ARC ensures that these checks remain valid even when emails pass through intermediaries.

By working together, these protocols create a robust defense against spoofing, phishing attacks, and other email-based threats, ultimately improving security and trust in digital communication. Implementing all these protocols correctly is crucial for organizations aiming to protect their brand reputation and maintain secure email communication.

[Figure: forwarding with ARC. A message is sent from IP address 192.168.0.1; SPF, DKIM and DMARC pass. The first intermediary mail server changes the content by adding a disclaimer ("This email was sent to you via the XYZ mailing list Service. For more information, visit www.xyzmailingservice.com.") and relays the message from a different IP address that is unknown to the DNS record (e.g. an unregistered subdomain). ARC validates the sources and adds authentication results to the message header. The recipient's mail server verifies the incoming message: SPF fails because the IP address is invalid, DKIM fails because the content changed, so DMARC fails, but ARC is validated. The message is delivered.]

Unveiling ARC Mechanism and Operation

Authenticated Received Chain operates by creating a cryptographic chain of trust within email headers. Each mail server that processes a message adds a header containing a digital signature, allowing the recipient's server to verify the authenticity of the message's path. This chain of trust ensures that modifications made to the email during transit can be detected and authenticated.

Here are the steps involved in ARC signature implementation with examples:

Step 1: Initial Signature (First Server)

When an email is sent, the first mail server adds a DKIM (DomainKeys Identified Mail) signature to the message's header. This DKIM signature attests to the authenticity of the sender's domain. For example:


      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
      s=selector1; h=from:subject:to; bh=abcdefg1234567=;
      b=XYzABCDeF1234==
    

Step 2: ARC Signature (Intermediate Servers)

As the email passes through intermediate servers (e.g., forwarding services or mailing lists), each server adds an ARC header with its own cryptographic signature containing the authentication result of the previous check. Thus, the header includes the original DKIM signature from the first step. For example:


      ARC-Authentication-Results: i=1; mx.google.com;
      dkim=pass header.i=@example.com header.s=selector1;
      arc=pass (i=0 spf=pass dkim=pass);
    

Signature Components Breakdown

Components and their meaning:

  • i=1: represents the originating server or the sender's server.
  • alb.mailserver.com: specifies the mail server that performed the ARC checks.
  • dkim=pass header.i=@example.com header.s=selector1: reports the results of the DKIM (DomainKeys Identified Mail) authentication. It states that the DKIM check has passed, that the email's content and headers were not tampered with during transit, and that the sender's domain is legitimate (example.com).
  • arc=pass: indicates the result of the ARC check ensuring the integrity of the message as it travels through intermediate servers.
  • (i=0 spf=pass dkim=pass): additional information.

Step 3: Final Signature (Last Server)

When the email reaches its final destination, the recipient's mail server validates all the ARC signatures in the chain. It also verifies the DKIM signature from the first step, ensuring that the message's path was legitimate and that no unauthorized modifications occurred during transit. If all signatures are valid, the email is delivered to the recipient's inbox.
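
Before verifying any signature, the last server can reject a chain whose structure is already broken. The sketch below is an added example, not code from the original page: it applies the structural rules of RFC 8617 (the ARC-Seal and ARC-Message-Signature header names and the cv= tag come from that RFC, not from this page) to constructed headers with placeholder signature values, and it does not perform the cryptographic verification.

```python
import re
from email import message_from_string

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

def tag(value, name):
    """Return the value of a 'name=value' tag in a header field, or None."""
    m = re.search(rf"(?:^|;)\s*{name}\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None

def arc_chain_structure(raw_message):
    """Return 'none', 'fail', or 'candidate' (sound structure, signatures unverified)."""
    msg = message_from_string(raw_message)
    sets = {}  # instance number -> {header name: [values]}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            i = tag(value, "i")
            if i is None or not (i.isascii() and i.isdigit()):
                return "fail"
            sets.setdefault(int(i), {}).setdefault(name, []).append(value)
    if not sets:
        return "none"
    n = max(sets)
    # Instances must run 1..N without gaps; RFC 8617 caps N at 50.
    if n > 50 or sorted(sets) != list(range(1, n + 1)):
        return "fail"
    for i in range(1, n + 1):
        # Each hop contributes exactly one header of each of the three kinds.
        if any(len(sets[i].get(name, [])) != 1 for name in ARC_HEADERS):
            return "fail"
        # The first seal reports cv=none; every later seal must report cv=pass.
        if tag(sets[i]["ARC-Seal"][0], "cv") != ("none" if i == 1 else "pass"):
            return "fail"
    return "candidate"

def arc_set(i, cv):
    """Constructed sample ARC set; list.example and the b=/bh= values are placeholders."""
    return (f"ARC-Seal: i={i}; a=rsa-sha256; cv={cv}; d=list.example; s=arc; b=PLACEHOLDER\n"
            f"ARC-Message-Signature: i={i}; a=rsa-sha256; d=list.example; s=arc;\n"
            f" h=from:subject:to; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            f"ARC-Authentication-Results: i={i}; list.example;\n"
            f" dkim=pass header.i=@example.com header.s=selector1\n")

MESSAGE = "From: sender@example.com\nSubject: Report\n\nHello team,\n"

if __name__ == "__main__":
    print(arc_chain_structure(arc_set(2, "pass") + arc_set(1, "none") + MESSAGE))
    print(arc_chain_structure(arc_set(3, "pass") + arc_set(1, "none") + MESSAGE))
```

A result of 'candidate' only means the chain is well formed; the receiver still has to verify the newest ARC-Message-Signature and every ARC-Seal against the signers' published keys.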

Implementing ARC: Best Practices

By implementing an Authenticated Received Chain, organizations can ensure the integrity of their email communication, even when messages pass through multiple intermediate servers. It provides a clear chain of trust, enhancing security and reducing the risk of spoofing and phishing attacks.

If you're considering implementing ARC for your email domain, here are some best practices to follow:

  • SPF and DKIM Setup: Ensure that Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are correctly configured for your domain. ARC builds upon these existing authentication mechanisms.
  • Choose a Reputable Email Service Provider: If you're not well-versed in email authentication protocols, consider using a service provider that supports ARC. They can guide you through the setup process.
  • Monitoring and Testing: Regularly monitor email traffic for any issues related to ARC implementation. Testing is crucial to identify and resolve problems promptly.
  • Keep Policies Updated: As your email infrastructure evolves, update your ARC policies to reflect these changes. Outdated policies can lead to authentication failures.

Frequently asked questions

Addressing Common Questions

What are the benefits of using ARC?

  • Improved Email Deliverability: Legitimate emails are prevented from being marked as spam by providers, because ARC provides a clear chain of trust for the message.
  • Enhanced Security: By verifying the handling of messages throughout their journey, Authenticated Received Chain reduces the risk of spoofing and phishing attacks.
  • Visibility: You can gain insights into how messages are handled by intermediate servers, aiding in troubleshooting and monitoring the delivery.

Do I need to implement ARC for my domain?

Implementing ARC is particularly important for organizations that send a high volume of email and want to ensure their messages are delivered securely. If your business relies on email communication for marketing, customer support, or other critical functions, it can help protect your brand reputation and customer trust.

Are there any prerequisites for implementing ARC?

Yes, before the implementation, it's essential to have SPF and DKIM set up correctly for your domain. ARC builds upon these existing authentication mechanisms to provide a complete authentication chain.

Can ARC cause email delivery issues?

While ARC is designed to enhance email security, it can sometimes lead to delivery issues if not implemented correctly. To avoid problems, it's crucial to carefully configure your policies and monitor email traffic for any issues.
