A Complete Guide to ARC Authentication for Email Security

Email forwarding causes failed deliveries? ARC to the rescue! Authenticated Received Chain (ARC) preserves email authentication across multiple hops.

Learn everything about ARC including how it works, implementing ARC, best practices, and the future of this revolutionary protocol.

What is ARC Authentication and How Does it Work?

Email is a crucial communication tool for businesses and consumers alike. But it also comes with risks like spam, phishing, and spoofing attacks. That’s why methods like SPF, DKIM, and DMARC were introduced – to authenticate emails and confirm they actually came from the claimed sender.
However, these protocols aren’t foolproof. Legitimate emails often fail authentication checks when relayed or modified in transit. Enter ARC – the email authentication protocol purpose-built to address this issue.

An Introduction to ARC

Authenticated Received Chain (ARC) is an email authentication standard designed to verify forwarded or mailing list emails. It was formalized in RFC 8617 in 2019.

ARC complements SPF, DKIM, and DMARC by preserving and validating authentication status as an email passes through intermediary mail servers.

Here’s a quick rundown of how the original protocols work:

• SPF checks the sending IP address against authorized servers listed in DNS.
• DKIM cryptographically verifies email headers and content using public key encryption.
• DMARC aligns the SPF and DKIM results with the domain in the From header.

But DMARC assumes emails travel directly from sender to recipient. When a message is forwarded or sent via a mailing list, legitimate modifications often cause DKIM and SPF checks to fail – and therefore DMARC fails too.

ARC provides a workaround, allowing receivers to authenticate emails even if DKIM/SPF fail due to forwarding.

How ARC Solves Email Authentication Issues

Here’s how ARC preserves authentication across multiple hops:

1. The original email passes SPF, DKIM, and DMARC checks.
2. When it reaches the first intermediary server, this server copies the original Authentication-Results into a new ARC header.
3. The intermediary server adds its own ARC signature to verify itself as a trusted forwarder.
4. Further intermediaries repeat steps 2-3, creating a chain of verified ARC results and signatures.
5. The final recipient’s mail server validates the ARC signatures and sees the original auth results.

So even if the current DKIM/SPF checks fail, the recipient knows the message passed authentication originally.

As long as all intermediary servers are trusted, the final server can rely on the ARC results to deliver the email rather than rejecting it as spam.

The Components of ARC Email Headers

ARC introduces three types of headers that receivers use to validate ARC authentication:

ARC-Authentication-Results

This contains the original authentication results – basically a copy of the Authentication-Results header added at the first hop.

It includes results for SPF, DKIM, and DMARC checks from the first receiving server.

ARC-Seal

The ARC-Seal header contains a DKIM-style digital signature covering the ARC headers added by each intermediary server.

It allows receivers to authenticate each entity in the ARC chain.

ARC-Message-Signature

This also includes a DKIM-like signature, but covering the whole message (minus the ARC-Seal header).

It lets the final receiver verify the integrity of the message contents.

How Intermediary Servers Sign ARC Headers

When an ARC-enabled message reaches an intermediary mail server like a forwarder or mailing list, the server:

1. Copies the original Authentication-Results into a new ARC-Authentication-Results header with a sequence number starting at 1.
2. Generates an ARC-Message-Signature covering the message contents.
3. Creates an ARC-Seal covering the previous ARC headers to validate the chain.
4. Inserts the new ARC headers at the top of the message.
5. Forwards the email with the added ARC headers.

Subsequent intermediaries repeat this process, incrementing the sequence number each time.

Validating the ARC Chain on the Recipient Server

When the message lands on the final recipient’s mail server, the server validates the ARC chain as follows:

1. Checks the ARC-Seal headers have the correct sequence with no gaps.
2. Verifies the digital signature on the latest ARC-Message-Signature.
3. Verifies the digital signatures of each ARC-Seal in sequence.

If all ARC signatures validate properly, the message passes ARC authentication.

The server can now inspect the original auth results in the first ARC-Authentication-Results header.

If the intermediary servers are trusted, a DMARC failure can be overridden based on the original SPF/DKIM results. And the email gets delivered rather than discarded as spam.

So in summary, ARC provides a way for receivers to authenticate forwarded emails and mail list messages. By preserving the original auth status across multiple hops, ARC prevents legitimate emails from failing checks and getting blocked.

It brings message authentication into the modern, interconnected era of email communication. And combined with standards like SPF, DKIM, and DMARC, ARC offers a robust layered defense against email spoofing, phishing, and abuse.

When and Why is ARC Authentication Used?

Email authentication standards like SPF, DKIM, and DMARC verify that emails truly originated from the domain specified in the From address. This protects against spoofing, phishing, and other attacks.
But legitimate scenarios like forwarding and mailing lists can undermine these protocols and cause authentication failures. ARC provides a solution to preserve authentication in these cases.

Forwarding and Mailing Lists Causing Authentication Failures

Say Alice receives emails at [email protected]. She sets up a filter to forward certain emails to [email protected].

When Bob receives a forwarded message from Alice, here’s what happens:

• The From address changes from [email protected] to [email protected].
• The Sending IP changes from Example Inc’s mail server to the forwarding service’s IP.
• Content like the subject line or footer often gets modified.

As a result:

• SPF fails because the new sending IP isn’t authorized in Example Inc’s SPF record.
• DKIM fails because the content modifications invalidate the signature.
• DMARC fails because both SPF and DKIM failed.

The same thing happens with mailing list services. When a message gets sent to a list, subscribers receive it from the list address, not the original sender.

Again, SPF and DKIM break due to changes by the intermediary service.

Without ARC, these legitimate emails would get blocked or marked as spam because of DMARC failures.

How ARC Preserves Authentication Across Multiple Hops

ARC provides a workaround for intermediary-related auth failures.

Here’s how it preserves the original authentication status as emails get forwarded or relayed by lists:

1. Alice sends an email that passes SPF, DKIM, and DMARC.
2. The first intermediary server copies the original Authentication-Results into a new ARC header.
3. It adds an ARC signature to verify itself.
4. When Bob’s Email Service receives the forwarded message, it sees the original auth results in the ARC header.
5. It can override DMARC and accept the message as valid based on the ARC data.

So ARC essentially acts as a chain of custody vouching for the message’s legitimacy at each hop. As long as all intermediaries are trusted, the final receiver knows a message was authenticated originally before any changes.

The Benefits of Using ARC Authentication

There are several advantages to implementing ARC:

Improved deliverability

ARC prevents legitimate emails from failing DMARC checks and getting wrongly blocked or marked as spam when forwarded or distributed via mailing lists.

Enhanced security

ARC gives receivers a mechanism to validate emails even if DKIM/SPF fail. This provides an additional layer of protection against phishing and spoofing.

Better reporting

ARC headers create an audit trail showing each intermediary server the message passed through. This aids troubleshooting and analysis of email flows.

Higher DMARC policy

With ARC, receivers can set stricter DMARC policies like Reject or Quarantine without impacting legitimate forwarding and mailing list emails protected by ARC.

So in summary, ARC closes an important authentication gap for indirect mail flows like forwards and mailing lists. Implementing ARC alongside standards like SPF, DKIM, and DMARC provides maximum email security and deliverability.

Implementing and Configuring ARC Authentication

Now that we’ve covered the rationale and mechanics behind ARC, let’s look at how to actually implement ARC authentication for your domain.
Whether you manage your own email infrastructure or use a provider, here are the key steps to start applying ARC security to your outbound and inbound mail.

Requirements for ARC Implementation

To use ARC, you’ll need:

• A domain with SPF, DKIM, and DMARC already deployed. ARC builds on these protocols, so get them configured first.
• Access to modify mail server settings. For self-managed infrastructure, this is straightforward. For commercial email providers, check if they support ARC configuration.
• Software that supports ARC signing. Open source options are available like OpenARC and libarccore. Commercial email platforms may also include ARC capabilities.
• A plan for managing ARC trust. Decide which intermediary servers/services you’ll allow to forward your mail and trusting their ARC headers.

With the basics in place, implementing ARC involves:

1. Adding ARC headers to outbound email.
2. Configuring your MTA to validate incoming ARC headers.
3. Testing to confirm ARC is working as expected.

Adding ARC Headers to Outbound Emails

To apply ARC protection on your outgoing mail:

1. Check DKIM and SPF are working – Use a DKIM validator](https://dmarcian.com/dkim-inspector/) and [SPF survey tool to confirm existing auth protocols are properly configured.
2. Select ARC signing software – Options include OpenARC](http://www.openarc.net), [libarccore, or commercial software.
3. Install and configure the software – Follow the vendor’s instructions to integrate the ARC signing software with your mail transfer agent (MTA) like Postfix, Sendmail, etc.
4. Set ARC parameters – Most software will let you choose the ARC signing domain, selector, and cryptographic options like digest algorithm.
5. Add ARC private key – Generate a new private key for ARC signing and install it on your outbound MTA/MSA server.
6. Test on non-production domains first – Once configured, send test messages to free accounts on domains like Gmail or Outlook and examine the ARC headers.

After positive testing, roll out ARC signing in production across your email infrastructure.

Configuring Your Mail Server to Validate Inbound ARC

To authenticate incoming ARC-signed mail:

1. Check MTA supports ARC – Most modern MTAs have ARC support. The OpenARC site lists compatible software.
2. Enable ARC module – In your MTA config, switch on ARC validation and header parsing. For Postfix, you add smtpd_milters = inet:localhost:12301 to point to the ARC milter.
3. List trusted ARC signers – Specify domains whose ARC headers you’ll trust as legit intermediaries. Only honor ARC results from servers under these trusted domains.
4. Set ARC policy – Configure how your MTA handles ARC auth failures compared to successes. For example, accept on ARC pass but reject on ARC fail.
5. Test with known ARC headers – Verify your ARC config by sending emails with valid ARC headers and checking they’re authenticated as expected.

Once ARC validation is working, you can start honoring ARC results to accept valid forwarded mail that would otherwise fail DMARC.

Testing and Troubleshooting Your ARC Setup

When testing and maintaining ARC, useful tools include:

• Email header analyzers – Inspect ARC headers on both sent and received messages to confirm they’re present and well-formed. MHA is an excellent free analyzer.
• SPF/DKIM checkers – Use these to validate ARC isn’t breaking existing auth protocols on your mail.
• DMARC aggregate reports – Monitor your DMARC reports for ARC-related policy overrides on forwarded mail.
• ARC validators – Purpose-built tools like ARC-Validator verify ARC signature syntax and chain of trust.
• Test messages – Send emails via forwarders and lists to confirm ARC is working end-to-end.

When troubleshooting ARC issues, common problems include:

• Invalid ARC signatures on outbound mail (check key configuration and syntax).
• ARC headers stripped by overzealous filters (whitelist ARC headers if needed).
• Failure to verify ARC seals if multiple intermediaries are involved (verify order and sequence).
• ARC chains broken by non-ARC-aware servers (may need to rebuild chain manually).

With attention to configuration details and testing, ARC can deliver an additional layer of protection for indirect mailflows. If issues persist, don’t hesitate to ask the community or seek help from your software vendor.

Best Practices for Ongoing ARC Management

Once ARC is up and running, be sure to:

• Rotate ARC keys periodically to improve security.
• Limit trusted ARC signers to only intermediaries you expressly approve to avoid abuse.
• Check aggregate reports for ARC auth results and identify any problem mailflows.
• Stay updated on ARC recommendations from the IETF as implementations mature.
• Educate partners/recipients on the purpose of ARC to ensure proper handling.
• Use ARC judiciously – It’s a workaround, not a replacement for underlying authentication protocols.

With some care and feeding, ARC can provide substantial value in securing indirect mail routing that may otherwise bypass traditional email authentication.

How to Read and Understand ARC Headers

Once you have ARC enabled for your domain, you’ll start seeing ARC headers appear on inbound and outbound emails. But what do these headers mean? Let’s break down how to interpret ARC headers to unlock their value.

Decoding ARC-Authentication-Results Headers

The ARC-Authentication-Results header contains a copy of the original authentication results from before any modifications by intermediary mail servers.

Here’s an example ARC-Authentication-Results header:

ARC-Authentication-Results: i=1; mx.google.com;  
   dkim=pass [email protected] header.s=dkim header.b=WScqTzyp;
   spf=pass (google.com: domain of [email protected] designates 74.125.24.26 as permitted sender) [email protected]; 
   dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

Let’s break down what this means:

• i=1: The instance number, starting at 1. Increments for each intermediary server.
• mx.google.com: The domain of the first receiving server that added this header.
• dkim=pass: The message passed DKIM authentication.
• spf=pass: The message passed SPF checks.
• dmarc=pass: DMARC alignment passed.

So this shows the message originally passed all authentication checks successfully before any forwarding or mailing lists.

As the message traverses more hops, each intermediary server will add a new ARC-Authentication-Results header with an incrementing instance number.

Understanding ARC-Seal and ARC-Message-Signature

ARC uses two types of cryptographic signatures to validate the ARC chain:

ARC-Seal

The ARC-Seal syntax resembles DKIM headers. For example:

ARC-Seal: i=2; a=rsa-sha256; t=1643267614; 
  s=arc; d=example.org; cv=none; b=XFdwDSHDhhshbhsdFYg6hgH3YPyQ95SgRQQtsduiuFlkd/gGAFjNJtA==

Here’s what each part indicates:

• i=: The instance number, starting at 1.
• a=: The cryptographic algorithm used to generate the signature.
• t=: Timestamp of signature.
• s=: ARC selector string.
• d=: Signing domain – the intermediary adding this header.
• cv=: Chain validation status.
• b=: Base64-encoded digital signature.

ARC-Message-Signature

This also resembles a DKIM signature. For example:

ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
  d=example.org; s=arc; h=from:subject:date:content-type:content-transfer-encoding;
  bh=FjueEZS009KLi4llFBlp0CugyXwlOguJjG9atvwIR4Y=; 
  b=UPK5IrUXObJYg27Tyvr7BzxrO3cGSnER6IFpr7XLaksgerVdiLQkHOXT3eeWxxJSZvYG
   VRw5RBvqu3ceCg+WOg==

The key details are:

• c=: Canonicalization algorithm used when signing.
• h=: List of header fields included in the signature.
• bh=: Hash of message body.
• b=: Base64-encoded digital signature.

These signatures allow receivers to validate the ARC chain of trust and verify message contents are intact.

Using ARC Headers for Email Tracking and Troubleshooting

Beyond just authenticating forwarded mail, ARC headers provide visibility into a message’s journey between mail servers.

Some ways ARC aids troubleshooting and analysis:

• Identify all intermediaries that handled the message based on ARC-Seal domains.
• Isolate authentication failures to a specific hop using instance numbers.
• Check for missing sequence numbers indicating broken ARC chains.
• Verify ARC seals and signatures are validating properly.
• Compare original and current auth results to pinpoint changes.
• Confirm ARC results match DMARC reports and rejections.

So while ARC is designed to authenticate mail, its headers also deliver useful telemetry. Software and services can leverage this data to map mailflows and diagnose issues.

Proper ARC implementation will ensure clean, well-formed ARC headers. But if you need to decrypt messy headers, tools like MHA can format and analyze ARC syntax.

With some practice, the logic of ARC headers becomes straightforward. Use them not only to validate mail, but also to optimize your indirect mail routing.

Best Practices for ARC Authentication

To maximize the security and deliverability benefits of ARC, it’s important to implement it thoughtfully. Here are some best practices to follow:

Choosing Trusted Intermediary Servers

The security of ARC hinges on only trusting verified, legitimate intermediaries to forward your mail and append ARC headers.

When deciding which intermediary servers to trust:

• Stick to well-known providers – Trust established mailing list and forwarding services with good reputations. Avoid obscure or risky providers.
• Verify providers implement ARC properly – Confirm intermediate servers sign ARC headers correctly before trusting them.
• Limit as much as possible – Only trust the specific intermediaries used for your required mail flows. The fewer providers trusted, the better.
• Review regularly – Check aggregate reports periodically for anomalies indicating a trusted provider may have been compromised.

With ARC, you’re handing intermediaries the keys to vouch for your mail’s authenticity. So choose trusted partners judiciously.

Monitoring ARC Results in DMARC Reports

Once ARC is implemented, monitor your DMARC aggregate reports for:

• Overall ARC pass rate – How often do ARC validations succeed/fail overall? Failures may indicate configuration issues.
• ARC pass rate per provider – Are some intermediaries better than others at generating verifiable ARC headers?
• Policy override rate – How frequently does ARC override a DMARC failure? Excessive overrides could signal problems.
• Invalid ARC signatures – Flagged signatures could mean a trusted provider is misbehaving.
• ARC chain errors – Gaps or sequence issues in ARC headers can reveal mailflow problems.

Tuning your ARC stance based on aggregate report data improves security and deliverability over time.

Combining ARC with SPF, DKIM, and DMARC

SPF, DKIM, DMARC, and ARC provide overlapping layers of protection:

• SPF verifies authorized sending IP addresses.
• DKIM checks message integrity and authenticity.
• DMARC aligns SPF and DKIM with sender domains.
• ARC preserves and extends authentication across indirect hops.

To leverage these protocols fully:

• Deploy SPF, DKIM, and DMARC for your domains.
• Implement ARC signing and validation.
• Enable your ARC config to override DMARC as needed based on ARC results.
• Set a DMARC policy like Reject or Quarantine to maximize protection.
• Use aggregate reports to fine-tune ARC and DMARC over time.

The more layers involved, the harder it is for bad actors to spoof or tamper with your emails. ARC strengthens the ecosystem and closes gaps in traditional authentication.

So in summary, be selective in trusting intermediaries, monitor ARC behavior closely via reports, and integrate ARC with existing protocols for defense-in-depth email authentication.

The Future of ARC Authentication

ARC adoption is still gaining steam since the protocol was standardized in 2017. Let’s look at what the future may hold for this email authentication method.

Increasing Adoption Among Email Providers

Since ARC is relatively new, it’s still rolling out across the email ecosystem:

• Major providers like Gmail, Outlook.com, and Yahoo Mail support ARC validation.
• Open-source MTAs like Postfix, Sendmail, and Exim have ARC capabilities.
• Commercial email platforms are releasing ARC-compliant versions.
• ARC signing and validation services are emerging to support implementation.

But plenty of room remains for broader ARC deployment:

• Smaller niche mail services can still benefit from ARC.
• Enterprise email admins should evaluate ARC for their domains.
• Open-source libraries are maturing to simplify ARC adoption.
• More education is needed among email senders and receivers.

Over time, support for ARC is likely to become ubiquitous as part of a robust email authentication stack. But community awareness and pressure will help drive adoption.

Potential Improvements to Prevent Abuse

The ARC specification may evolve to close potential loopholes:

• ARC strips headers – Intermediaries could strip ARC headers, bypassing authentication. Header preservation policies could help.
• Forged ARC data – Safeguards against fabricated ARC-Authentication-Results data are limited currently.
• Re-signing ARC hashes – Tricky to prevent malicious resigning of ARC seals and signatures after modification.
• Centralized ARC authorities – Could improve trust instead of relying on disparate intermediary domains.
• ARC for individual users – Right now ARC is domain-focused. Expanding it to authenticate individual senders could be helpful.
• Compatibility testing – Increased rigor in ARC implementation testing between providers would improve reliability.

With community vigilance, ARC’s role in the email auth ecosystem can be strengthened over time while limiting the potential for abuse.

Complementing End-to-End Email Encryption

ARC provides a way to authenticate message forwarding while preserving confidentiality:

• ARC verifies message routing – Validates intermediary servers handling encrypted mail.
• End-to-end encryption secures contents – The body and headers stay private and tamper-proof.
• Forwards don’t undermine security – ARC solves authentication issues without impacting encryption.

This one-two combination delivers trustworthy communication without sacrificing user privacy:

• ARC prevents spoofing – Proves messages genuinely originated from the sender’s domain.
• Encryption guarantees privacy – Content remains secret and uncompromised in transit.

Adopting both technologies closes major security gaps in email:

• Forwarding and mailing lists are now trustworthy.
• Raw message data isn’t exposed during routing.

With improving deliverability as well, ARC is poised to drive the next generation of email protection.

So in summary, ARC adoption has room to grow, potential specification improvements may arise, and integrating ARC with encryption could significantly boost email security. The protocol is still young and on an upward trajectory.

Key Takeaways

ARC brings email authentication into the modern era to handle indirect routing:

• ARC preserves original auth results when emails are forwarded, maintaining security.
• Additional ARC headers create a chain of trust between mail servers.
• Mail receivers can validate ARC signatures to authenticate forwarded mail.
• ARC prevents good emails being blocked as spam when mailing lists and forwards modify messages.
• Intermediary servers must add and sign ARC headers properly for ARC to work reliably.
• Carefully choose which intermediaries to trust for signing ARC headers on your mail.
• Use ARC in conjunction with SPF, DKIM, and DMARC for layered email authentication.
• Monitor ARC results in aggregate reports to catch issues early. Tune policies accordingly.
• Proper ARC implementation requires updating mail server software and configurations.
• ARC headers provide visibility into a message’s journey between mail servers.
• As adoption spreads, ARC will close major gaps in email authentication and deliverability.

By gracefully handling indirect mailflows like forwards and mailing lists, ARC brings DMARC and related protocols up to speed with modern email workflows. Understand the basics, implement ARC carefully, and leverage it to boost email protection.

Frequently Asked Questions

What is ARC in email?
ARC (Authenticated Received Chain) is an email authentication standard that allows receivers to validate forwarded or mailing list messages that fail SPF and DKIM checks due to modifications by intermediary mail servers.

How does ARC work?

ARC uses cryptographic signatures to create a chain of custody vouching for a message’s authenticity as it passes through multiple hops. Receivers validate the ARC headers to authenticate the message even if underlying SPF/DKIM checks fail.

What are the components of ARC?

ARC introduces three headers – ARC-Authentication-Results, ARC-Seal, and ARC-Message-Signature. These preserve original auth results and create a verifiable chain of trust between mail servers.

When should ARC be used?

ARC is useful when you send mail via intermediaries like forwarding services and mailing lists that may modify messages in ways that break SPF or DKIM authentication.

How do you implement ARC?

To use ARC, enable ARC signing on your outbound email servers and configure ARC validation on your inbound mail gateways. Most modern mail software includes support for ARC.

What are best practices for ARC?

Carefully select trusted intermediaries, monitor ARC behavior in aggregate reports, and use ARC in conjunction with DMARC, DKIM, and SPF for layered authentication.

How does ARC differ from DKIM, SPF, DMARC?

ARC works alongside these protocols to close gaps related to email forwarding, while DKIM/SPF/DMARC authenticate direct mailflows. ARC preserves and extends auth when mail is indirectly routed.

Is ARC widely adopted?

Major email providers support ARC validation, though smaller players still need to implement it. ARC adoption is increasing but still gaining momentum since the standard was introduced in 2017.

What are the limitations of ARC?

ARC relies on intermediaries properly signing headers. Abuse is possible if arbitrary domains are trusted or ARC headers are stripped. Specification improvements continue to address potential weaknesses.