ARC stands for Authenticated Received Chain. It was developed in 2016 to resolve some issues that may arise with indirect mail flow and SPF, DKIM and DMARC.

DMARC currently relies on the pass result and alignment of either SPF or DKIM. If one protocol fails but the other passes and aligns then DMARC will pass. However, in some cases with indirect mailflow both SPF and DKIM might fail resulting in DMARC failure. The issue is that if a sender has a DMARC policy of reject and email travels through a mailing list, forwarding or filtering device then both SPF and DKIM might fail and hence DMARC will fail as well. This will cause the emails to be rejected and never reach the end user’s mailbox. 

SPF tends to break during forwarding due to the change of IP address during forwarding. DKIM may also break if the content of the email is altered in transit, whether something is added or removed, it will cause the DKIM signature to fail.

ARC was developed to preserve the authentication results of emails when travelling across many hops and insert its own headers. If DMARC fails during transit the recipient might choose to look at the ARC results instead, override the results from DMARC and accept the emails. Some examples of where SPF, DKIM and DMARC might break are shown in Table 1 below. 

Table 1. Examples when SPF, DKIM and DMARC can pass or fail.

Some filtering devices may modify the messages as they forward them and hence DKIM is shown that can break. 

ARC was not designed to indicate whether intermediaries of indirect mailflow can be trusted or not, or that content added by them can be trusted. ARC is still in its early stages but some well known ESPs and ISPs have already implemented it and others are on the way.