SpoofSentrySpoofSentry
Start Free Trial

ARC Checker

Check your domain's readiness for Authenticated Received Chain (ARC) — an advanced email authentication protocol for forwarding scenarios.

What is ARC?

ARC (Authenticated Received Chain) is an email authentication system designed to preserve authentication results across mail forwarding hops. When emails are forwarded through mailing lists or forwarding services, SPF and DKIM signatures can break. ARC solves this problem.

How this check works

This tool checks your domain's readiness for ARC by looking up SPF and DMARC records via DNS and resolving MX hosts to detect whether your email provider supports ARC signing (e.g., Google Workspace, Microsoft 365, Proofpoint). It does not inspect actual email headers or ARC seal chains.

Limitations: ARC readiness is inferred from DNS records and known provider support. This tool cannot verify that ARC headers are being added to forwarded mail or that downstream receivers are honoring ARC results. For live ARC chain validation, inspect email headers directly.

When Does ARC Matter?

  • Mailing lists — Messages sent to mailing lists are often modified and re-sent, breaking DKIM signatures.
  • Email forwarding — Forwarded emails fail SPF because the forwarding server is not authorized in the original domain's SPF record.
  • Security gateways — When mail passes through multiple security appliances that modify headers or content.

How ARC Works

Each intermediary in the mail delivery chain adds three ARC headers:

  • ARC-Authentication-Results (AAR) — The authentication results as seen by this intermediary.
  • ARC-Message-Signature (AMS) — A DKIM-like signature of the message as seen by this intermediary.
  • ARC-Seal (AS) — A signature over the previous ARC headers, creating a chain of custody.

ARC and DMARC

DMARC evaluators can use ARC results to recover from authentication failures caused by legitimate forwarding. If the ARC chain is valid and the intermediaries are trusted, the receiver can accept the message even if SPF and DKIM fail at the final hop.

Who Supports ARC?

Major email providers including Google Workspace, Microsoft 365, Proofpoint, and Mimecast support ARC signing and validation. ARC is typically handled automatically by your email provider — no DNS records are needed from domain owners.

Free ARC Checker - Authenticated Received Chain Validator | SpoofSentry