ARC (Authenticated Received Chain)
What is ARC (Authenticated Received Chain)?
ARC (Authenticated Received Chain): An email standard defined in RFC 8617 that preserves authentication results across forwarding hops by letting each intermediary cryptographically sign the chain of prior checks.
Authenticated Received Chain (ARC), specified in RFC 8617, addresses a common problem with DMARC: legitimate forwarders (mailing lists, secure email gateways) often modify messages in ways that break SPF and DKIM. ARC-compliant intermediaries add three headers — ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal — that record the SPF/DKIM/DMARC verdicts they saw and sign the cumulative chain. Final receivers can trust an ARC chain from a vetted forwarder and apply local overrides instead of rejecting valid mail. Major mailbox providers including Google, Microsoft, and Yahoo implement ARC. Operators should validate ARC chains, maintain a list of trusted ARC sealers, and monitor for tampering or chain breakage.
● Examples
- 01: A mailing list rewrites the From: address and adds ARC headers so the destination can still trust the original DMARC pass.
- 02: A secure email gateway signs an ARC seal after applying disclaimers, allowing downstream DMARC alignment.
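As an added example (not from this page or from RFC 8617 itself), the following Python check performs the structural part of ARC chain validation that a final receiver runs before signature verification: it confirms that each instance carries all three ARC headers, that i= numbers run contiguously from 1, that cv= is none on the first seal and pass on every later one, and that the latest sealer is on the operator's trusted list. The sample headers and domains are constructed; the b=/bh= values are placeholders and are not cryptographically verified.

```python
# Constructed sample: a two-hop ARC chain (mailing list, then a gateway) as a
# final receiver might see it. Domains are examples; b=/bh= are placeholders.
SAMPLE_HEADERS = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gateway.example.net; s=sel2; t=1700000100; b=PLACEHOLDER2
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=gateway.example.net; s=sel2; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; gateway.example.net; arc=pass; spf=pass smtp.mailfrom=lists.example.org; dkim=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=sel1; t=1700000000; b=PLACEHOLDER1
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org; s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
"""
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def parse_tags(value):
    """Split 'k=v; k=v' into a dict; parts without '=' (the authserv-id) are skipped."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags

def check_arc_chain(raw_headers, trusted_sealers):
    """Structural ARC chain check on unfolded, one-per-line headers. Returns
    (status, reason). Checks instance numbering, cv= progression and sealer
    trust; it does NOT verify b= signatures (needs DNS keys and canonicalisation)."""
    sets = {}
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name in ARC_HEADERS:
            tags = parse_tags(value)
            sets.setdefault(int(tags.get("i", "0")), {})[name] = tags
    if not sets:
        return "none", "no ARC headers present"
    n = max(sets)
    if sorted(sets) != list(range(1, n + 1)):
        return "fail", "instance numbers are not contiguous from 1"
    for i in range(1, n + 1):
        if set(sets[i]) != set(ARC_HEADERS):
            return "fail", f"instance {i} lacks one of the three ARC headers"
        cv = sets[i]["ARC-Seal"].get("cv")
        expected = "none" if i == 1 else "pass"   # RFC 8617: first seal cv=none
        if cv != expected:
            return "fail", f"instance {i} has cv={cv}, expected {expected}"
    sealer = sets[n]["ARC-Seal"].get("d", "")
    if sealer not in trusted_sealers:
        return "untrusted", f"latest sealer {sealer!r} is not on the trusted list"
    original = sets[1]["ARC-Authentication-Results"].get("dmarc", "unknown")
    return "pass", f"{n}-hop chain sealed by {sealer}; original dmarc={original}"
```

A receiver would only apply a local DMARC override when this returns "pass" and the seals' signatures also verify; an "untrusted" or "fail" result should be logged, since a broken or unexpected chain is the tampering signal the definition above tells operators to monitor for.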
● Frequently asked questions
What is ARC (Authenticated Received Chain)?
An email standard defined in RFC 8617 that preserves authentication results across forwarding hops by letting each intermediary cryptographically sign the chain of prior checks. It belongs to the Network Security category of cybersecurity.
What does ARC (Authenticated Received Chain) mean?
An email standard defined in RFC 8617 that preserves authentication results across forwarding hops by letting each intermediary cryptographically sign the chain of prior checks.
How does ARC (Authenticated Received Chain) work?
Authenticated Received Chain (ARC), specified in RFC 8617, addresses a common problem with DMARC: legitimate forwarders (mailing lists, secure email gateways) often modify messages in ways that break SPF and DKIM. ARC-compliant intermediaries add three headers — ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal — that record the SPF/DKIM/DMARC verdicts they saw and sign the cumulative chain. Final receivers can trust an ARC chain from a vetted forwarder and apply local overrides instead of rejecting valid mail. Major mailbox providers including Google, Microsoft, and Yahoo implement ARC. Operators should validate ARC chains, maintain a list of trusted ARC sealers, and monitor for tampering or chain breakage.
How do you defend against ARC (Authenticated Received Chain)?
ARC is itself a defensive standard rather than a threat; operating it safely combines the technical controls and operational practices given in the full definition above: validating ARC chains, maintaining a list of trusted ARC sealers, and monitoring for tampering or chain breakage.
What are other names for ARC (Authenticated Received Chain)?
Common alternative names include: ARC, Authenticated Received Chain.
● Related terms
- DMARC (network-security): An email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM and aligned domain checks.
- DKIM (network-security): An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
- SPF (Sender Policy Framework) (network-security): An email authentication mechanism defined in RFC 7208 that lets a domain publish in DNS which IP addresses or hosts are authorized to send mail using its domain in the envelope MAIL FROM.
- Secure Email Gateway (network-security): A perimeter or cloud service that filters inbound and outbound email for spam, phishing, malware, data leakage, and policy violations before it reaches user mailboxes.
- Email Spoofing (attacks): Forging email headers so a message appears to come from a trusted sender, typically to enable phishing, fraud, or malware delivery.
- BIMI (network-security): An email standard that lets domain owners display a verified brand logo next to authenticated messages in supporting clients, conditional on a DMARC policy of quarantine or reject.