TL;DR: ARC (Authenticated Received Chain) is an email standard that preserves your original SPF/DKIM results when a message is forwarded or sent through a mailing list — situations that normally break authentication and make legitimate mail fail DMARC. It's mostly handled by the big mail providers, so as a domain owner you rarely configure it — but understanding it explains a lot of "why did my real email fail?" cases. Scan your domain free to check your core setup.
The problem ARC solves
When an intermediary forwards your message — a personal forward, or a mailing list that adds a footer — it changes the path and often the content. That breaks SPF (the path changed) and DKIM (the content changed). The final receiver then sees a DMARC failure, even though the message was genuinely from you. Without ARC, forwarded legitimate mail can be junked.
How ARC works
Each hop that handles the message can add an ARC seal recording the authentication results it saw — "when this reached me, SPF and DKIM passed." This builds a chain. The final receiver can then evaluate the chain and decide to trust the earlier, pre-forwarding result, delivering the message instead of failing it on a broken DKIM signature.
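The chain described above can be read straight from a message's headers. The following is an added example, not code from the original page: it groups the three ARC header fields by instance number and applies the structural chain checks from RFC 8617. It does not verify the cryptographic signatures, which a real validator must also do. The sample message, its domains and the function names are constructed for illustration.

```python
from email import message_from_string

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample (hypothetical domains, placeholder signatures): list = hop 1, forwarder = hop 2.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forward.example; s=k2; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=forward.example; s=k2; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; forward.example; spf=pass smtp.mailfrom=lists.example; dkim=fail header.d=sender.example
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example; s=k1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example; s=k1; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example
From: alice@sender.example
Subject: [list] hello

body plus list footer
"""

def tags(value):
    """Map each 'name=value' element of a header to the first word of its value."""
    out = {}
    for part in value.split(";"):
        name, sep, rest = part.strip().partition("=")
        if sep and rest.split():
            out[name.strip()] = rest.split()[0]
    return out

def arc_chain(raw):
    """Return (status, [(instance, spf, dkim), ...]) from structural checks only."""
    msg = message_from_string(raw)
    sets = {}
    for header in ARC_HEADERS:
        for value in msg.get_all(header, []):
            t = tags(value)
            if not t.get("i", "").isdecimal() or header in sets.setdefault(int(t["i"]), {}):
                return "fail", []  # missing instance tag or duplicate header
            sets[int(t["i"])][header] = t
    if not sets:
        return "none", []  # message never passed through an ARC-sealing hop
    if sorted(sets) != list(range(1, len(sets) + 1)) or len(sets) > 50:
        return "fail", []  # instances must run 1..N without gaps (N <= 50)
    hops = []
    for i in sorted(sets):
        s = sets[i]
        expected_cv = "none" if i == 1 else "pass"
        if len(s) != 3 or s["ARC-Seal"].get("cv") != expected_cv:
            return "fail", hops  # incomplete set, or a hop recorded a broken chain
        aar = s["ARC-Authentication-Results"]
        hops.append((i, aar.get("spf"), aar.get("dkim")))
    return "structure-ok", hops
```

On the sample, hop 1 recorded SPF and DKIM passing before the list footer was added, and hop 2 recorded the DKIM failure that the footer caused. That earlier result is what a receiver can choose to trust.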
Who handles ARC?
ARC is implemented by mailbox providers and forwarders — Google, Microsoft and major mailing-list software add and check ARC seals automatically. As a sender, you don't publish an ARC record like SPF or DMARC; the value comes from the intermediaries supporting it.
What it means for you
- It's why some forwarded mail that "should" fail DMARC still gets delivered.
- It doesn't replace SPF, DKIM or DMARC — you still need those set up correctly first.
- If your own legitimate mail fails via forwarding, ensure at least one of SPF or DKIM aligns before forwarding, and rely on receivers' ARC handling for the rest.
FAQ
Do I need to set up ARC?
Generally no — it's a forwarder/receiver feature. Focus on getting SPF, DKIM and DMARC right; ARC then helps your mail survive forwarding.
Does ARC weaken DMARC?
No — it gives receivers more context to avoid wrongly failing legitimate forwarded mail. They still choose whether to trust a chain.
Why did my mailing-list email still fail?
Not every receiver trusts every ARC chain. The most robust fix is making sure DKIM aligns with your domain before the message is forwarded.
Want your core authentication rock-solid so forwarding is the only edge case left? Scan your domain, then reply to your report — we're developers and we'll get SPF, DKIM and DMARC right for you.