How does ARC work?

ARC adds three headers at each hop:

ARC Authentication Results (AAR) which records the SPF, DKIM, and DMARC results observed at that hop using the structure defined in RFC 8601\.

ARC Message Signature (AMS) which signs the message at that hop.

ARC Seal (AS) which signs the entire ARC set and binds it into the chain.

Each hop increments the instance number and signs the previous hop’s ARC data. Receivers evaluate the full chain to see whether earlier authentication was valid and whether the sequence is intact.