ARC email authentication

Authenticated Received Chain (ARC) is an email standard that verifies email authentication for messages that have been forwarded or redirected to the final recipient. ARC reduces the possibility that forwarded messages will fail email authentication.

Sometimes, message forwarding can change the content of the forwarded message. When the message content is changed in forwarded messages, legitimate messages can fail SPF or DKIM authentication. ARC helps prevent authentication failure by:

• Saving previous authentication results for forwarded messages
• Verifying forwarding servers
• Adding headers to messages to indicate message authentication status.

ARC has 3 parts in the form of message headers:

• ARC authentication results header: Indicates the forwarding server's DKIM and SPF results for the message. This header might also include the results of the ARC authentication check.
• ARC message signature header: A DKIM message signature that includes the information from the original message, including the To, From, Subject, and message body. Typically, the original sending server signs the message with DKIM. Forwarding servers typically do not sign messages with DKIM.
• ARC seal header:  Adds a DKIM signature for all three ARC headers. The signature and authentication results are added to forwarded messages. This header includes a chain validation tag: cv=. This tag has one of the following values, which indicates ARC chain evaluation results: none, fail, or pass. 

Important: ARC does not:

• Evaluate or provide information about sender and forwarder reputation.
• Prevent forwarding servers from adding harmful content to messages.
• Prevent forwarding servers from removing ARC headers from messages.

Related information

• Learn how to help prevent spoofing, phishing, and spam with email authentication
• Learn more about forwarding, redirecting, and routing email with Google Workspace
• Visit the ARC standard: RFC 8617, Authenticated Receive Chain (ARC) Protocol