Spam and phishing are major problems for email users. That's why mail services employ various methods to verify sender identity and prevent users from getting tricked. The Authenticated Received Chain (ARC) is one such method that’s worth knowing about. This article will dive into ARC's importance, inner workings, and benefits for the email ecosystem.
What is ARC?
Authenticated Received Chain (ARC) is a protocol that enables mail servers to verify an email's authenticity despite the email being altered in transit. This protocol allows a third-party service to validate an email’s legitimacy even when SPF and DKIM cannot.
The importance of ARC
An email doesn’t always go directly from the sender’s server to the recipient’s. It often passes through several intermediate servers before reaching its final destination. An intermediate server can alter an email in transit, changing its subject, body or headers. This is often the case with emails forwarded via mailing lists, where the mailing list server might add a standard footer or prepend a special notice to the subject line.
When such an altered email arrives at the final recipient’s server, the DKIM check will fail because the digital signature no longer matches the modified body or subject line. Consequently, the message might be considered illegitimate and rejected even though it is actually authentic.
The ARC protocol allows receiving servers to validate emails even when the original message has been altered in transit. For this, the intermediate server adds a few headers to the email, creating a new signature. The procedure can occur multiple times, once for each intermediate server – hence the “chain”.
The inner workings of ARC
To understand ARC, you need to refresh the basics of the three main email authentication protocols:
- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
- DMARC (Domain-based Message Authentication, Reporting, and Conformance)
SPF verifies that an email claiming to originate from a specific domain actually comes from an IP address authorized to send emails on behalf of that domain. For example, if you purportedly receive an email from your insurance firm, your receiving server must verify its legitimacy. To do that, it consults your insurance firm’s domain records in the DNS to check if the email comes from an IP address authorized to send emails on the firm’s behalf. If so, the email is considered legitimate.
DKIM cryptographically verifies that no one has altered the email sender's address and message contents in transit. If you receive an email claiming to be from your insurance firm, your email provider first runs an SPF check. Then, it notes the email’s DKIM signature and verifies that it matches the email’s headers and content using the public DKIM key listed on your insurance firm’s domain records. If so, the message is considered legitimate and passed to your inbox.
But what happens when a message is considered illegitimate? In such cases, your email provider checks the insurance firm's DMARC records for the next instruction. It can list one of these options:
- None – Take no action and deliver the message to the recipient.
- Quarantine – Mark the message as spam and send it to the recipient's spam folder.
- Reject – Reject (bounce) the message so the recipient never sees it in their mailbox.
The above details show how an email gets authenticated before it gets to your inbox. Major mailbox providers like Gmail, Yahoo Mail, and Microsoft are currently making the use of SPF, DKIM, and DMARC mandatory for high volume senders to prevent users from receiving dodgy messages and getting tricked by malicious actors.
However, the SPF-DKIM-DMARC combo isn’t perfect. Emails often pass through multiple servers before reaching the final recipient, and the above system assumes that emails are unchanged as they pass from one server to another. In reality, legitimate emails can have some parts changed in transit, e.g., a header is modified by a forwarding server, or the message is forwarded from a new IP address. As a result, these fully legitimate emails could fail SPF and DKIM checks and be rejected according to the domain’s DMARC setting. That’s where the Authenticated Received Chain (ARC) protocol comes into play.
How does ARC work?
On each intermediate server, ARC adds three additional headers to an email to create a chain of trust back to the original server. These are the three headers:
ARC header | Explanation
--- | ---
ARC-Authentication-Results | The email's authentication results for SPF, DKIM, and DMARC
ARC-Message-Signature | A digital signature, similar to a DKIM signature, over the whole email and its headers (except for the ARC-Seal header)
ARC-Seal | A DKIM-like signature of the ARC headers generated by previous servers in the chain
An email can pass through many intermediate servers before reaching its intended recipient. Each intermediate server signs the email with ARC headers, and the next receiving server verifies these headers.
How the intermediate server signs the email
For every server an email passes through on its way to the recipient, the server:
- Copies the original SPF and DKIM authentication results into a new ARC-Authentication-Results header and adds a sequence number beginning with i=1 (this number increments for each new server).
- Generates an ARC-Message-Signature digital signature that includes the sequence number and prepends it to the message.
- Generates an ARC-Seal over the ARC headers of this hop and of all previous hops (including their ARC-Seal headers) and prepends it to the message.
In summary, if any intermediate server alters the original email, it digitally signs it to confirm that the change is legitimate.
How the receiving server validates the email
The email passes through various intermediate servers before reaching the final receiving server. If the SPF and DKIM checks fail at the receiving server, it can fall back to the ARC headers for further authentication:
- The server validates the chain of ARC-Seal headers.
- The server validates the latest ARC-Message-Signature (according to the sequence number).
If the above validations are successful, the server will consider the message legitimate and pass it on to the recipient. This means that even if a message fails the SPF and DKIM checks because it was altered in transit, it can still pass the ARC email check and reach the final recipient instead of being rejected or quarantined.
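The signing steps and the validation steps above can be seen together on one message. The following is an added example, not code from the article: it constructs a two-hop message whose headers are exactly what each intermediate server adds (one ARC-Authentication-Results, ARC-Message-Signature and ARC-Seal per hop, with i= incrementing), then performs the receiver's structural check of the chain before any signature is verified and returns the first hop's original SPF/DKIM results. Tag names such as i= and cv= come from RFC 8617, which the article does not quote; the signature values are placeholders.

```python
from email import message_from_string

# Constructed sample message (not from the article): two ARC hops, a forwarder
# (i=1) and a mailing list (i=2). Tag names i=, cv=, d=, s=, h=, bh=, b= follow
# RFC 8617; the signature values are placeholders, not real signatures.
SAMPLE = (
    "ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=lists.example.net; s=arc; b=SEAL2\n"
    "ARC-Message-Signature: i=2; a=rsa-sha256; d=lists.example.net; s=arc;\n"
    " h=From:To:Subject; bh=BODYHASH2; b=AMS2\n"
    "ARC-Authentication-Results: i=2; lists.example.net; spf=fail; dkim=fail\n"
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=fwd.example.org; s=arc; b=SEAL1\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=fwd.example.org; s=arc;\n"
    " h=From:To:Subject; bh=BODYHASH1; b=AMS1\n"
    "ARC-Authentication-Results: i=1; fwd.example.org; spf=pass; dkim=pass\n"
    "From: sender@example.com\nTo: list@lists.example.net\n\nhello\n"
)
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def tags(value):
    """Parse 'k=v; k=v' into a dict; bare tokens (the authserv-id) are skipped."""
    out = {}
    for part in value.split(";"):
        k, eq, v = part.strip().partition("=")
        if eq:
            out[k.strip()] = v.strip()
    return out

def arc_chain_status(raw):
    """Structural check of the ARC chain (the receiver's first validation step).
    Returns (status, latest_instance, hop-1 auth results). 'pass' means the chain is
    well formed; each ARC-Seal and the latest ARC-Message-Signature must still be
    verified cryptographically with the signers' public DNS keys (not shown here)."""
    msg = message_from_string(raw)
    sets = {}                       # instance number -> header name -> [tag dicts]
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            t = tags(value)
            sets.setdefault(t.get("i"), {}).setdefault(name, []).append(t)
    if not sets:
        return "none", 0, {}        # no ARC chain at all; nothing to fall back on
    instances = sorted(int(i) for i in sets if i and i.isdigit())
    if instances != list(range(1, len(sets) + 1)) or len(sets) > 50:
        return "fail", 0, {}        # must be contiguous from i=1 (RFC 8617 caps chains at 50)
    for i in instances:
        hop = sets[str(i)]
        if any(len(hop.get(n, [])) != 1 for n in ARC_HEADERS):
            return "fail", 0, {}    # every hop adds exactly one of each of the three headers
        if hop["ARC-Seal"][0].get("cv") != ("none" if i == 1 else "pass"):
            return "fail", 0, {}    # first seal has nothing prior; later seals must report pass
    return "pass", instances[-1], sets["1"]["ARC-Authentication-Results"][0]
```

A receiver that gets "pass" here still has to verify the ARC-Seal chain and the ARC-Message-Signature at the latest instance (2 in the sample) before trusting the hop-1 results.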
Benefits of ARC
Higher deliverability
ARC improves email deliverability by preventing legitimate emails from being marked as spam or rejected by mailbox providers. It preserves the original SPF and DKIM authentication records so that legitimate emails don’t get false-flagged by security filters.
Improved security
ARC enables mail servers to verify an email's authenticity even if it fails other authentication checks. The protocol provides a tamper-evident chain of custody, which makes it more difficult for attackers to spoof legitimate brands and individual email senders.
Efficient troubleshooting
The ARC protocol provides detailed information about an email's authentication path. This information helps email providers analyze and resolve deliverability issues. They can easily trace the chain of custody to find and fix the source of the problem.
ARC limitations
ARC improves email security in certain cases, but it isn’t a single, all-in-one protocol that tackles spam, phishing, and other email-based threats. Most importantly, ARC does not replace the existing SPF, DKIM, and DMARC authentication protocols. Instead, you use the ARC email protocol together with the traditional authentication protocols (SPF, DKIM, and DMARC) to bolster security.
Conclusion
ARC complements the SPF, DKIM, and DMARC protocols to provide more robust email authentication for email forwarding scenarios. Thanks to this protocol, legitimate emails don't get flagged just because intermediate servers have altered them in transit. ARC improves email security and deliverability for businesses and individual senders.
Another thing that enhances security and deliverability is choosing a reliable email service provider with a robust infrastructure. Luckily, UniOne is here for you, offering speedy and secure email deliveries with an intuitive interface to manage your email marketing efforts.