ARC Checker
Check your domain's readiness for Authenticated Received Chain (ARC) — an advanced email authentication protocol for forwarding scenarios.
What is ARC?
ARC (Authenticated Received Chain) is an email authentication system designed to preserve authentication results across mail forwarding hops. When emails are forwarded through mailing lists or forwarding services, SPF and DKIM signatures can break. ARC solves this problem.
When Does ARC Matter?
- Mailing lists — Messages sent to mailing lists are often modified and re-sent, breaking DKIM signatures.
- Email forwarding — Forwarded emails fail SPF because the forwarding server is not authorized in the original domain's SPF record.
- Security gateways — When mail passes through multiple security appliances that modify headers or content.
How ARC Works
Each intermediary in the mail delivery chain adds three ARC headers:
- ARC-Authentication-Results (AAR) — The authentication results as seen by this intermediary.
- ARC-Message-Signature (AMS) — A DKIM-like signature of the message as seen by this intermediary.
- ARC-Seal (AS) — A signature over the previous ARC headers, creating a chain of custody.
ARC and DMARC
DMARC evaluators can use ARC results to recover from authentication failures caused by legitimate forwarding. If the ARC chain is valid and the intermediaries are trusted, the receiver can accept the message even if SPF and DKIM fail at the final hop.
Who Supports ARC?
Major email providers including Google Workspace, Microsoft 365, Proofpoint, and Mimecast support ARC signing and validation. ARC is typically handled automatically by your email provider — no DNS records are needed from domain owners.