Authenticated Received Chain (ARC)

What it is

Authenticated Received Chain — RFC 8617 (Experimental). An intermediary (mailing list, alias forwarder, security gateway) signs three header fields — ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal — capturing the auth state it observed. The next hop verifies the chain instead of re-running SPF/DKIM against a forwarder.

Why it matters

Forwarding rewrites headers and strips DKIM body alignment, so legitimate mail through alumni aliases, university lists, or corporate forwarding lands in spam under DMARC `p=reject`. ARC lets receivers trust the original verdict if a known intermediary sealed it.

Who it applies to

Domains operating mailing lists, forwarders, or security gateways — and anyone whose users heavily forward mail.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

Related standards

See also

DMARC , DKIM , SPF

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.

• Bulk-sender requirements (Apple / Google / Yahoo) 1 shared factor Email health The de-facto standard for marketing mail since February 2024. SPF + DKIM + DMARC, RFC 8058 one-click unsubscribe, and a spam-complaint rate under 0.30%. Miss any of these and Gmail / Yahoo throttle or reject.
• DKIM key rotation 1 shared factor Email health DKIM keys aren't fire-and-forget. Rotate at least annually, retire old selectors, and use 2048-bit RSA. The mechanics are spelled out in RFC 6376 §3.1.

Other references

• rfc RFC 8616 — Email Authentication for Internationalized Mail
• guidance M3AAWG ARC implementation guidance