Authentication
ARC: surviving forwarders without breaking DMARC
ARC adds a signed authentication-results chain so a forwarder can vouch for the original DMARC result even after modifying the message.
Why ARC exists
DMARC breaks on forwarding because forwarders change headers and rewrite envelopes. ARC lets a forwarder say 'I received this message, authentication passed at the time, here's my signed record of that' so the final receiver can trust the chain.
Senders don't sign ARC
ARC is added by intermediaries (forwarders, mailing list servers). Original senders don't publish anything new. You benefit from ARC automatically when your mail traverses an ARC-signing intermediary.
Frequently asked questions
- Should I trust ARC results?
- Only from forwarders you have a reason to trust (Google, Microsoft, established mailing list managers). ARC moves the trust decision from the original sender to the intermediary.