How to implement ARC (Authenticated Received Chain) and how does it affect DMARC failures from forwarding?

Summary

ARC (Authenticated Received Chain) is a pivotal email authentication mechanism designed to preserve authentication results across email forwarding hops, thereby mitigating DMARC failures that often occur with legitimate forwarding. The responsibility for ARC implementation primarily rests with intermediary mail servers such as ESPs, forwarding services, and mailing lists, rather than the original sender. ARC enables these servers to sign emails with their own DKIM signatures, establishing a chain of trust that validates the authenticity of the message as it traverses multiple servers. This process improves deliverability by allowing forwarded emails to pass authentication checks and maintain sender reputation. While ARC is handled on the receiver side, senders play a critical role by ensuring proper configuration of SPF, DKIM, and DMARC. ARC's function involves adding ARC-Authentication-Results headers, which contain DKIM signatures and authentication check results, to enable improved DMARC evaluation across mail servers. Additionally, the correct configuration helps with policy overrides and keeps overall deliverability and reputation healthy.

Key findings

  • Implementation Responsibility: ARC is primarily implemented by intermediary mail servers, not the original sender.
  • DMARC Impact: ARC mitigates DMARC failures from legitimate email forwarding by preserving authentication results.
  • Chain of Trust: ARC establishes a chain of trust through DKIM signatures and authentication checks at each hop.
  • Sender Configuration: Senders should ensure correct SPF, DKIM, and DMARC configurations for ARC to function effectively.
  • Deliverability Improvement: ARC improves overall email deliverability and ensures emails reach the inbox after forwarding.

Key considerations

  • Technical Protocol: Understanding the technical details of the ARC protocol is essential for proper implementation.
  • Forwarding Scenario: If you operate a forwarding service or mailing list, implementing ARC is crucial.
  • ESP Handling: If using an ESP, ARC configuration is typically handled automatically by the provider.
  • Authentication: Ensuring proper SPF, DKIM, and DMARC setup is critical for ARC to preserve authentication results.
  • Header Implementation: Participating mail servers should correctly implement ARC-Authentication-Results headers.
  • Policy Overrides: Policy overrides in DMARC reports require careful monitoring to ensure appropriate action.

What email marketers say
12Marketer opinions

ARC (Authenticated Received Chain) is a mechanism designed to preserve email authentication results across forwarding hops, addressing DMARC failures that often occur with legitimate forwarding. Its implementation is primarily the responsibility of intermediary mail servers, such as ESPs and forwarding services, rather than the original sender. ARC allows these servers to sign the email with their own DKIM signature, creating a chain of trust that validates the authenticity of the message as it passes through multiple servers. By maintaining sender reputation and ensuring forwarded emails pass authentication checks, ARC improves overall deliverability. Senders should focus on ensuring proper SPF, DKIM, and DMARC configurations, as ARC will then help preserve these results during forwarding, while receivers benefit from enhanced validation, especially in cases of policy overrides.

Key opinions

  • ARC Implementation: ARC implementation is primarily handled by intermediary mail servers, such as ESPs and forwarding services, not the original sender.
  • Sender Responsibility: Senders should focus on ensuring proper SPF, DKIM, and DMARC configurations; ARC will then help preserve these authentication results during forwarding.
  • DMARC Impact: ARC allows forwarded emails to carry authentication information that can override DMARC failures, improving deliverability of legitimate emails.
  • Reputation Maintenance: ARC helps maintain sender reputation by ensuring that forwarded emails don't negatively impact the domain's DMARC record.
  • Trust Chain: ARC creates a chain of trust by allowing each server in the forwarding path to sign the message with its own ARC signature, validating its authenticity.

Key considerations

  • Policy Overrides: Be aware of policy overrides in DMARC reports, particularly when using a 'p=none' policy, as enforced policies may lead to more visible overrides.
  • Forwarding Scenario: If you are a forwarder or mailing list, you should implement ARC. However, if you are sending emails directly without any hops, there's nothing for you to seal.
  • ESP Handling: If you're using an ESP, ARC configuration is generally handled automatically by the provider.
  • Proper Authentication: Ensuring proper SPF, DKIM, and DMARC setup is critical for ARC to effectively preserve authentication results.
  • Intermediate Signing: ARC allows intermediate mail servers to sign emails with their own DKIM signature, verifying the message received was from a trusted source and forwarded without modifications.
Marketer view

Email marketer from Mailjet responds that ARC improves deliverability by allowing forwarded emails to pass authentication checks, which helps maintain sender reputation and ensures emails reach the inbox.

August 2021 - Mailjet
Marketer view

Email marketer from Reddit explains that ARC implementation is mostly on the receiver/forwarder side. As a sender, ensuring proper SPF, DKIM, and DMARC configuration is crucial; ARC will then help preserve these authentication results during forwarding.

April 2022 - Reddit
Marketer view

Email marketer from Validity explains that ARC helps improve email deliverability by allowing receiving mail servers to validate the authenticity of forwarded messages that might otherwise fail DMARC checks.

January 2023 - Validity.com
Marketer view

Email marketer from SparkPost shares that ARC is generally implemented by ESPs and forwarding services, and senders typically don't need to implement it directly unless they are running such a service.

January 2025 - SparkPost
Marketer view

Email marketer from EasyDMARC explains that ARC allows an intermediate mail server, such as a forwarding service or mailing list, to sign the email with its own DKIM signature, attesting to the fact that it received the message from a trusted source and forwarded it without modification.

August 2023 - EasyDMARC
Marketer view

Email marketer from SendGrid shares that if a message passes SPF, DKIM, and DMARC, then each subsequent server in the chain can sign the message with its own ARC signature, creating a chain of trust. Servers that receive the message later can then verify the ARC signatures to determine whether the message was tampered with during transit.

January 2022 - SendGrid
Marketer view

Marketer from Email Geeks shares that if you are a forwarder or mailing list, you should implement ARC. However, if you are sending emails directly without any hops, there's nothing for you to seal.

December 2024 - Email Geeks
Marketer view

Email marketer from Email Deliverability Forum emphasizes that ARC can help maintain sender reputation by ensuring that forwarded emails don't negatively impact your domain's DMARC record. This is particularly important for newsletters and automated forwards.

December 2022 - Email Deliverability Forum
Marketer view

Email marketer from StackOverflow explains that ARC configuration primarily involves setting up ARC-sealing on mail servers. For most senders using ESPs, this is handled automatically by the provider.

July 2024 - StackOverflow
Marketer view

Email marketer from Reddit notes that ARC allows forwarded emails to carry authentication information that can override DMARC failures. This means legitimate emails are more likely to be delivered even after being forwarded.

July 2024 - Reddit
Marketer view

Marketer from Email Geeks explains that ARC is implemented by the intermediary mail server and is not something that the sender sets up.

April 2021 - Email Geeks
Marketer view

Marketer from Email Geeks shares that even with DMARC failures with auto-forwarders, you may be receiving policy overrides in the reports. Senders do not need to take action regarding DMARC failures due to forwarding.

December 2024 - Email Geeks

What the experts say
3Expert opinions

ARC (Authenticated Received Chain) plays a crucial role in mitigating DMARC failures caused by email forwarding. Primarily, the forwarding system or service implementing ARC is responsible for adding the necessary authentication. DMARC's design inherently breaks forwarding, but ARC allows legitimate forwarded messages to maintain their authentication, improving deliverability. Senders should focus on ensuring robust SPF, DKIM, and DMARC configurations, while ARC is handled on the receiver side to validate emails and preserve authentication information.

Key opinions

  • Forwarding System Responsibility: The forwarding system needs to implement ARC for it to function correctly.
  • DMARC and Forwarding: DMARC is designed to break forwarding, but ARC provides a solution to maintain deliverability.
  • Sender Authentication: Senders should ensure proper SPF, DKIM, and DMARC configuration.
  • Validation and Mitigation: ARC validates emails and mitigates DMARC failures, primarily implemented on the receiver side.
  • Preservation of Information: ARC allows forwarded messages to maintain authentication, which prevents DMARC failures.

Key considerations

  • ARC Deployment: ARC is usually deployed by forwarding services to validate emails.
  • Authentication Chain: ARC helps establish a chain of trust by maintaining authentication information through forwarding hops.
  • Deliverability Improvement: Implementing ARC improves overall deliverability by preventing DMARC failures in forwarded messages.
Expert view

Expert from Spam Resource explains that ARC is usually deployed by forwarding services to validate emails and mitigate DMARC failures. As a sender, ensuring proper SPF, DKIM, and DMARC is important and ARC is implemented on the receiver side.

June 2024 - Spam Resource
Expert view

Expert from Word to the Wise shares that ARC allows legitimate forwarded messages to maintain authentication information, which prevents DMARC failures and helps improve overall deliverability. This is particularly useful when subscribers forward emails.

February 2022 - Word to the Wise
Expert view

Expert from Email Geeks explains that the forwarding system has to add ARC and DMARC is designed to break forwarding and is working as intended.

March 2023 - Email Geeks

What the documentation says
4Technical articles

ARC (Authenticated Received Chain) serves as a vital mechanism for preserving email authentication results across forwarding hops. It addresses the challenge of DMARC failures that often occur when emails are legitimately forwarded. By implementing ARC, mail servers can add ARC-Authentication-Results headers containing DKIM signatures and authentication check results, enabling improved DMARC evaluation across multiple servers.

Key findings

  • Preservation Mechanism: ARC is designed to preserve authentication results across email forwarding hops.
  • DMARC Evaluation: ARC enables better DMARC evaluation, even with email forwarding.
  • Mitigation of Failures: ARC helps mitigate DMARC failures resulting from legitimate email forwarding.
  • Header Implementation: Participating mail servers add ARC-Authentication-Results headers to emails, including DKIM signatures and authentication checks.

Key considerations

  • Technical Protocol: Understanding the technical details of the ARC protocol is crucial for implementation.
  • Server Participation: ARC requires cooperation and correct implementation by all participating mail servers.
  • DMARC Interaction: While ARC helps, understanding how DMARC interacts with forwarding is still essential.
Technical article

Documentation from Authorea states that ARC works by having each participating mail server add an ARC-Authentication-Results header to the email, which includes the server's DKIM signature and the results of its authentication checks.

January 2023 - Authorea
Technical article

Documentation from DMARC.org explains that DMARC is designed to make forwarding difficult but ARC can mitigate DMARC failures from legitimate forwarding by preserving authentication results.

November 2024 - DMARC.org
Technical article

Documentation from IETF details the ARC protocol and explains the technical implementation of ARC headers and their validation process for email servers.

August 2022 - datatracker.ietf.org
Technical article

Documentation from RFC Editor provides an overview of ARC, explaining that it's a mechanism to preserve authentication results across email forwarding hops, enabling better DMARC evaluation.

April 2021 - RFC Editor