Authenticated Received Chain setup guide
November 17, 2024
Email authentication is a core part of modern email security. You have probably heard a lot about phishing, spoofing, and spam attacks. That’s why organizations work to ensure that their emails remain trustworthy.
Traditional email authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) help to verify sender legitimacy.
What Is an Authenticated Received Chain (ARC)?
ARC (Authenticated Received Chain) is an email authentication protocol that preserves authentication results when emails pass through forwarding services. It allows the receiving mail server to verify that forwarded messages are authentic.
Why Was ARC Introduced?
The need for ARC came up because SPF, DKIM, and DMARC often fail when you forward an email. Forwarding services such as mailing lists, email relays, and auto-forwarding rules can alter your message headers, which can break your authentication checks.
ARC solves this issue by maintaining a "chain of trust" for authentication results across multiple hops.
How ARC Differs from SPF, DKIM, and DMARC
SPF verifies that an email is sent from an authorized mail server but fails when you forward a message.
DKIM ensures the integrity of your message with cryptographic signatures but does not account for changes during forwarding.
DMARC relies on SPF and DKIM, so if either fails, DMARC enforcement may reject a legitimate email.
ARC records the authentication status of your emails at each step. This helps final recipients to trust messages even after you forward them.
With ARC, receiver mail servers can analyze the full authentication history of an email. This helps you to reduce false positives and improve overall email security.
How ARC Works
ARC works by attaching a set of cryptographically signed headers to each email as it travels through different mail servers. These headers create an authentication chain that preserves the legitimacy of a message, even if it is forwarded multiple times.
When a server receives an email and it passes SPF, DKIM, and DMARC checks, ARC records these results. If the email is then forwarded, the forwarding server adds its own ARC headers and preserves the existing authentication data. The final receiving server verifies the entire history, so it does not need to rely only on the most recent authentication check.
What Comes Inside an ARC System
ARC-Seal: It’s a cryptographic signature that ensures the integrity of previous ARC headers. It also helps you verify that no one has changed authentication results during forwarding.
ARC-Message-Signature: Similar to DKIM, it signs your email’s content and headers. It allows your recipients to verify that the message has not been altered in transit.
ARC-Authentication-Results: Stores the SPF, DKIM, and DMARC authentication results from the last server. It helps receiving mail servers determine whether the email was originally authenticated before forwarding.
How ARC Interacts with Mail Transfer Agents (MTAs)
Mail Transfer Agents (MTAs) handle email delivery. When an email passes through an intermediary MTA, ARC ensures that the authentication details from the original sender are preserved. Each MTA in the delivery chain can add its own ARC headers and maintain the existing authentication history.
Your email reputation is important to ensure messages are delivered to inboxes rather than spam folders. Since authentication failures negatively impact reputation, ARC helps to prevent false SPF, DKIM, and DMARC failures due to forwarding. By maintaining authentication integrity, ARC improves sender reputation and helps emails reach their intended recipients.
How to Implement ARC in Your Email System?
When you set up ARC, ensure that your outgoing and forwarded emails maintain authentication integrity. Here’s a step-by-step way to enable ARC:
Check Your ARC Compatibility: Ensure your email provider supports ARC. Many major platforms, such as Google and Microsoft, have built-in support.
Enable Your ARC in Mail Server Configuration: Update your email server settings to include ARC headers and cryptographic signatures.
Configure Your ARC in Popular Email Servers: ARC is automatically enabled for outbound mail.
Verify Your ARC Functionality: Use email authentication tools to check if ARC headers are correctly added and validated.
ARC Working in Email Providers
Leading email platforms have integrated ARC to improve email authentication. Businesses and organizations are also increasing adoption to enhance their email security.
Common ARC Misconfigurations and How Can You Fix Them
ARC is highly effective, yet misconfigurations can cause authentication checks to fail. Here are some common issues and their solutions:
1. Issues with ARC Signatures Failing
If your ARC signatures fail, check whether your email headers were altered after signing.
Ensure the signing server’s DNS records and cryptographic keys are correctly configured.
2. ARC-Seal Validation Errors and Fixes
ARC-Seal failures often happen when your email relays do not correctly preserve previous ARC headers.
Verify that your mail server properly records and forwards authentication results without stripping signatures.
3. Misconfigured ARC Headers
Incorrect ARC headers can cause your emails to fail authentication.
Ensure that all mail servers in the chain correctly sign and transmit ARC-related headers without modification.
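An added example (not from the original article or from any mail server's own code) for the verification step and the misconfigurations above: a Python check that groups a message's ARC headers by their i= instance tag and reports sets that a relay stripped or a seal whose cv= value breaks the chain. The sample message and its domains are constructed, the i= and cv= tags follow RFC 8617, and signatures are not verified here.

```python
import re
from email import message_from_string

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample (not a real message): two ARC-signing hops, newest set first.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example; s=arc; b=CONSTRUCTED
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example; s=arc;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
ARC-Authentication-Results: i=2; list.example; arc=pass; spf=fail; dkim=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=relay.example; s=arc; b=CONSTRUCTED
ARC-Message-Signature: i=1; a=rsa-sha256; d=relay.example; s=arc;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
ARC-Authentication-Results: i=1; relay.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
Subject: constructed test message

body
"""

def tag(value, name):
    """Return the value of a 'name=value' tag inside a header value, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None

def check_arc_structure(raw):
    """Return structural problems in the ARC chain (empty list = intact sets)."""
    msg = message_from_string(raw)
    sets = {}  # instance number -> {header name: [header values]}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            i = tag(value, "i")
            if i is None or not i.isdigit() or int(i) < 1:
                return [f"{name}: missing or invalid i= tag"]
            sets.setdefault(int(i), {}).setdefault(name, []).append(value)
    if not sets:
        return ["no ARC headers present"]
    problems = []
    for i in range(1, max(sets) + 1):
        for name in ARC_HEADERS:
            count = len(sets.get(i, {}).get(name, []))
            if count != 1:
                problems.append(f"instance {i}: expected 1 {name}, found {count}")
        seals = sets.get(i, {}).get("ARC-Seal", [])
        expected = "none" if i == 1 else "pass"  # first hop has no prior chain
        if seals and tag(seals[0], "cv") != expected:
            problems.append(f"instance {i}: cv={tag(seals[0], 'cv')}, expected {expected}")
    return problems
```

An empty result only means the ARC sets are structurally complete; the ARC-Seal and ARC-Message-Signature values still have to be validated cryptographically by the receiving MTA or an ARC-capable library.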
FAQs
Does ARC Replace SPF, DKIM, and DMARC? No, ARC complements these protocols and ensures their authentication results remain intact during forwarding.
How Can I Check If My Email System Supports ARC? You can check for ARC headers in received emails by inspecting email headers in your inbox or using online email authentication tools.
Is ARC Required for All Email Servers? ARC is not mandatory, but it is highly recommended for email providers, businesses, and organizations using forwarding mechanisms.
Can ARC Prevent Phishing and Spoofing Completely? ARC reduces phishing risks and it maintains authentication integrity, but it should be used alongside DMARC, SPF, and DKIM for full protection.
Why Do Forwarded Emails Fail DMARC But Pass ARC? DMARC relies on SPF and DKIM, which often fail after an email is forwarded. ARC preserves authentication results across forwarding servers and allows emails to pass authentication even after multiple hops.
Conclusion
Authenticated Received Chain (ARC) is an advancement in email security that addresses one of the biggest weaknesses of traditional authentication methods.
Businesses, email providers, and organizations that rely on mailing lists, auto-forwarding, and relay servers should adopt ARC to double email deliverability and trust.
Implementing ARC is a no-brainer for organizations looking to strengthen their email security posture and prevent authentication-related delivery failures.