What are ARC-Seal, ARC-Message-Signature, and ARC-Authentication-Results?
ARC (Authenticated Received Chain) solves the authentication problem caused by email forwarding. When servers forward mail, they often break SPF and DKIM. ARC preserves the original authentication results so receiving servers can make informed decisions.
ARC consists of three headers added by each participating server:
ARC-Authentication-Results: Records the authentication results (SPF, DKIM, DMARC) as this server saw them. Identical format to standard Authentication-Results.
ARC-Message-Signature: A DKIM-like signature over the message and previous ARC headers. Proves this server's ARC set wasn't tampered with.
ARC-Seal: Signs the current ARC headers and links to previous ARC sets in the chain. Creates a verifiable chain of custody.
Each server in the forwarding chain adds its own ARC set with an incrementing instance number (i=1, i=2, etc.). The final receiver can trace back through the chain to see authentication at each step.
Practical impact: Major providers like Gmail use ARC to trust forwarded mail. If your message passes DMARC initially but gets forwarded, ARC helps the final destination understand it was legitimate at origin.
ARC is the chain of custody documentation. Each handler signs off, so the final recipient knows the cargo was verified at every port.
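The chain described above can be inspected header by header. This added example (not part of the original answer) groups a message's ARC headers into sets by instance number, checks that every instance from 1 upward has exactly one of each header, and lists the authentication results recorded at each hop. The hostnames and signature placeholders are constructed, the cv= (chain validation) tag comes from RFC 8617 rather than from this page, and the check is structural only: no signatures are verified.

```python
import re
from email import message_from_string
from email.policy import default

FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")
# Constructed sample: one message relayed by two hypothetical ARC-signing hosts.
# The b=/bh= values are placeholders, not real signatures.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=forwarder.example; s=arc; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; forwarder.example; spf=fail; dkim=fail; dmarc=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=arc; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; list.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example

body
"""

def tag(value, name):
    """Return the value of a name= tag that starts a ';'-separated item."""
    m = re.search(rf"(?:^|;)\s*{name}\s*=\s*(\w+)", value)
    return m.group(1) if m else None

def check_chain(raw):
    """Structural check of the ARC chain; returns (problems, per-hop results)."""
    msg = message_from_string(raw, policy=default)
    sets = {}  # instance number -> {header name: [values]}
    for name in FIELDS:
        for value in msg.get_all(name, []):
            i = tag(str(value), "i")
            if i is None or not i.isdigit():
                return [f"{name} without a numeric i= tag"], []
            sets.setdefault(int(i), {}).setdefault(name, []).append(str(value))
    problems, hops = [], []
    if sorted(sets) != list(range(1, len(sets) + 1)):
        problems.append(f"instances not contiguous from 1: {sorted(sets)}")
    for i in sorted(sets):
        bad = [n for n in FIELDS if len(sets[i].get(n, [])) != 1]
        if bad:
            problems.append(f"i={i}: need exactly one of each, bad: {bad}")
            continue
        # The first seal has no earlier chain (cv=none); later ones must say pass.
        want = "none" if i == 1 else "pass"
        cv = tag(sets[i]["ARC-Seal"][0], "cv")
        if cv != want:
            problems.append(f"i={i}: cv={cv}, expected {want}")
        aar = sets[i]["ARC-Authentication-Results"][0]
        hops.append((i, {m: tag(aar, m) for m in ("spf", "dkim", "dmarc")}))
    return problems, hops
```

Calling check_chain(SAMPLE) returns no problems and shows SPF, DKIM and DMARC passing at i=1 and failing at i=2, which is the forwarding case the answer describes.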