Home/ Glossary/ Authenticated Received Chain

Authenticated Received Chain (ARC)

Security Glossary - Email Authentication

Definition: ARC (Authenticated Received Chain) preserves email authentication results across intermediary mail servers like mailing lists and forwarding services. When email is forwarded, SPF typically fails because the forwarding server's IP is not in the original sender's SPF record. ARC allows the intermediary to record the original authentication results, providing a chain of custody.

The Importance of ARC

Email forwarding breaks SPF authentication because the forwarding server's IP address is not listed in the original domain's SPF record. This causes legitimate forwarded emails to fail DMARC, even though they were originally properly authenticated. ARC solves this by having each intermediary sign a record of the authentication state at the time it handled the message.

ARC is particularly important for mailing lists (like Google Groups, Mailman, or Listserv) that modify messages (adding footers, rewriting From headers) before redistributing them. These modifications break DKIM signatures, and the different sending IP breaks SPF. Without ARC, mailing list messages frequently fail DMARC.

Major email providers (Google, Microsoft) evaluate ARC signatures when making DMARC decisions. If a message fails SPF and DKIM but has a valid ARC chain from a trusted intermediary, the provider may accept it based on the ARC-recorded authentication results. This preserves email delivery through legitimate forwarding paths.

How to Check

ARC is implemented by mail servers, not by domain owners. You cannot configure ARC in DNS. However, checking if your forwarded emails include ARC headers helps diagnose DMARC failures for forwarded messages. Major email providers handle ARC automatically.

See how your site handles ARC

Check DNS Health

ARC FAQ

Do I need to configure ARC for my domain?
If you run a mailing list or email forwarding service, yes. If you just send and receive email normally, ARC is handled by the email providers in the delivery chain. Major providers like Gmail already implement ARC.
Does ARC replace SPF and DKIM?
No. ARC preserves SPF and DKIM results through forwarding chains. You still need SPF and DKIM configured for your domain. ARC is an additional mechanism that helps when those protocols fail due to legitimate email forwarding.

Related Concepts

Sender Policy Framework DomainKeys Identified Mail Domain-based Message Authentication, Reporting and Conformance Email Deliverability SPF Alignment
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.