Email authentication methods were designed to make email deliverability easier and verify senders, preventing phishing attacks, spam attacks, and other fraudulent email behavior. However, authentication methods aren’t foolproof and there’s always a need for an extra way to check emails.
Since email sending methods differ from one service provider to another, DMARC, the authentication protocol that protects email domains, can sometimes give false information about perfectly safe and legitimate emails. ARC was introduced to prevent this from happening and is now commonly used by ESPs (email service providers) worldwide.
In this article, I’ll tell you more about this protocol/authentication method and why it’s so important.
TLDR: ARC is an email authentication protocol that significantly improves email deliverability by allowing your server to see the results of previous authentication checks. It makes it easier and safer to send emails to mailing lists and to forward emails, two cases where the usual authentication protocols often break.
What is ARC Email?
ARC, short for Authenticated Received Chain, is an email authentication system that allows mail servers to receive authentication results from other mail servers that have previously handled the email message.
This process enables ARC to preserve the previous authentication results and help the email get approved by the final server, even if the receiving server negatively judges one or more of these checks. ARC is also not foolproof, but it's pretty efficient in serving as extra protection for the delivery of legitimate emails.
What is ARC Composed Of?
ARC has three components:
ARC Authentication Results header (AAR) - this is the central part of ARC; it contains all the preceding authentication results, including DKIM, DMARC, and SPF.
ARC Message Signature (AMS) - this signature resembles the DKIM signature and incorporates the body of the message and the headers.
ARC Seal (AS) - a DKIM-style signature that incorporates both of the components listed above.
Why is ARC Email So Important?
ARC works in combination with other authentication methods, the most common and widely used being SPF, DKIM, and DMARC. So, in order to tell you why ARC is so important, let’s quickly explain what the other methods entail.
The SPF method or protocol is focused on email domains, and its role is to stop scammers from obtaining your domain and sending messages on your behalf. Therefore, SPF allows you to specify which IPs have the authorization to send emails from your account and on your behalf. When an SPF check is conducted, the sender’s IP has to match the authorized list of IPs; otherwise, the SPF fails.
DKIM is similar to SPF in terms of the role it performs. Its job is to make sure that nobody uses your email domain to send emails in your name without authorization. DKIM authentication is sent with the email itself, and it contains the body of the email message as well as hashed headers. These elements are decrypted when the message arrives and they are verified against the originally received message. DKIM fails when the two messages don't match.
DMARC is a type of authentication protocol that requires either SPF or DKIM, or sometimes both, in order to let the message pass through the email server. Alongside this, it also requires an alignment test which allows the email user to determine how to handle failed emails.
The Role of ARC Email
However, even though these three authentication methods are pretty common in the email world, not every email domain owner and email server will authorize the address for all of them. Sometimes people use forwarding services that scan the emails for harmful elements, so the other authentications aren't activated.
So what ARC does is prevent the email from being discarded by the final server. It tells the receiving server that the email looked perfectly fine in the last couple of checks (done by the forwarding services, let’s say), so it can let the email arrive at the recipient. Servers usually listen to this and approve the email landing in the inbox.
How Does ARC Work Exactly?
ARC works by following the three-part structure that I explained earlier.
The server that receives the email puts its authentication results into a new AAR field (ARC's authentication results) and adds this field to the email.
After this, the server formulates the AMS for the email (ARC's message signature). This signature also covers the AAR from the previous step, and it is added to the email as well.
The last step happens when the server builds the AS (the ARC seal), which corresponds to the previously made ARC headers, and then adds this to the email as well.
Every time a server adds a new set of ARC headers, a new sequence number is created and added to each element included in the process mentioned above. These sequence numbers start with "i=1", and then continue on with "i=2", and "i=3", depending on how many servers the email goes through.
The Process of ARC Validation
ARC finally gets validated in the last step of the email’s journey to the inbox.
In the first part of the validation process, the server has to verify the chain of ARC seal headers. It checks whether any entries are missing and whether all the seals say that the previous entries are indeed valid. In the second part, the server is responsible for validating the latest message signature, that is, the AMS with the highest sequence number. The email will arrive in the desired inbox if everything is in place and the authentication results are positive.
Why is ARC Important for You?
There are two main reasons why ARC is important for you as an owner and user of an email domain.
As a member or a creator of a mailing list, you can send emails to all the members on the list with one click. But if you do this, the DMARC authentication will not be able to validate these kinds of messages even though the email’s source is perfectly legitimate.
Why does this happen? It's mostly because of the SPF protocol, which actually breaks once a message is forwarded.
And because the mailing list often also includes additional information in the body of the email, the DKIM signature can also fail because of the changes in the message’s content.
When you receive forwarded messages, they come from an intermediate server, which means they are not being directly sent through the original sender's server. Some people who have forwarded the email have also altered its content, making the DKIM signatures invalid as well. In these events, as I mentioned above, SPF breaks as does DMARC.
As you can see, ARC can help you enhance the email deliverability of your mailing list and deliver and receive forwarded messages. Of course, ARC is not a 100% guarantee that your emails will get delivered, but it's an important authentication protocol that's highly recommended.