ARC? Is that DMARC light or something? No, not really. ARC is a new protocol which stands for “Authenticated Received Chain” and has been developed to correct situations in which DMARC would fail.
We’ll first take a look at the situations which can be corrected with ARC. After doing this, we’ll take a look at the actual solution ARC proposes and the current implementers of ARC.
In which situations can ARC help?
When you’re a member of a mailing list, you’re able to send a message to all members of that list by addressing the mailing list itself. That receiving address will then ‘forward’ your message to all of the list members. The list often addresses extra information to the body of the message, for instance, a notification of the list of membership with options to unsubscribe.
Currently, these messages fail when applying DMARC, which is quite logical as their mail servers will break the SPF for that message. Due to the fact that the content of the mail changes, the DKIM signature is also invalidated.
When you have set up an account which forwards messages to another mailbox, you may experience issues with messages from senders with a DMARC policy set to reject or quarantine. This is because the forwarding services will break the SPF for that messages. Some forwarders also change the content of the email by adding spam filtering results, additional disclaimers or footers.
These situations can be summed up as ‘Indirect mail flows’. They are mail flows in which the initial receiver of the message is not the final receiver and acts as an intermediary.
How can ARC help?
As the forwarders in the above-described situation have initially received emails with a DMARC valid setup, it would be useful to forward these results encrypted to the next receiver of the messages.
ARC is designed as a specification which allows the Authentication-Results header (which described the result of the messages) to be passed on to the next ‘hop’ in the line of the messages delivery.
When a receiver validates the results of an incoming messages and sees the DMARC results failing, they will try to validate the provided ARC chain. When this proves valid, they can extract the Authentication-Results of the initial hop.
Based on the results of these headers they may choose to use the ARC information to override the DMARC policy, depending on the reputation of the ARC intermediaries.
What does ARC do?
When a receiver can successfully validate an ARC chain, they have the following information:
- The Authentication-Results as seen by the first ARC participant handling the message. This includes the DMARC / DKIM and SPF results.
- The information to validate the sent data
- The information to link the sent signature to their intermediary to build up a reputation
This would allow intermediaries to add content to the message, providing they forward the message with a new (and correct) DKIM signature.
Furthermore it provides data to reputation systems on the intermediaries handling the messages.
What does ARC not do?
Initially, the ARC results doesn’t say anything about the reputation of the intermediaries. Using the ARC results, a receiver is able to build (or feed) reputation systems which eventually can help with this. As ARC itself says nothing about the contents, this should be taken into consideration while evaluating the ARC policies.
The intermediaries may adjust the content of the message and are therefore able to add the previously described data like spam filtering results, additional disclaimers or footers, but this can also be bad content.
What is the status?
The ARC specification was initially launched in 2016. In the following months the specification has been fine-tuned and has some early adopters. AOL has been validating and signing messages with ARC for some time and in the past few weeks Google has rolled out ARC on their servers as well. Microsoft and Yahoo! have announced ARC on their nearby roadmap.
ARC will eventually decrease the number of DMARC invalid messages. This will also greatly help in the adoption of DMARC.
Start using DMARC Analyzer to check who’s sending email on behalf of your domain.