Log in
CaptainDNS

Propagation & diagnostics

Compare resolvers worldwide and inspect returned answers.

Email authentication

Tools to verify and validate your email authentication setup.

SPF syntax validator

Review include chains and DNS query limits before publishing changes.

SPF record inspector

Resolve the published TXT record, flag lookup limits and decode each mechanism.

DKIM syntax validator

Quickly check the syntax of your DKIM records.

DKIM record check

Resolve a selector and analyse the published DKIM TXT record.

DMARC syntax validator

Check rua/ruf destinations, alignment modes and the active policy before publishing.

DMARC record inspector

Resolve the published policy, surface diagnostics and confirm enforcement before switching to reject.

BIMI syntax validator

Validate BIMI tags, the logo fetch and the VMC certificate before publishing.

BIMI record inspector

Resolve the published BIMI record, inspect logo and VMC diagnostics in one place.

Email deliverability audit

Audit MX, SPF, DKIM and DMARC to confirm a domain is ready to send.

Mail header analyzer

Decode participants, authentication results and routing from raw headers.

DMARC record generator

Create compliant DMARC records with all policy and reporting options.

Text

Transform, encode and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Images

Preview and validate your BIMI logos before publishing.

BIMI logo lookup

Inspect a BIMI logo URL—format, metadata and live rendering—before rollout.

Certificates

Inspect CSRs, BIMI logos and VMC certificates before you deploy.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate—issuer, validity and SAN coverage—before you publish BIMI.

IP

Look up addresses, owners, reverse records and ranges.

Reverse lookup

Resolve a PTR record and validate DNS consistency.

IP WhoIs

Identify the owner of an IP range and its contacts.

IPv4 netmask

Calculate network, broadcast and usable hosts for any IPv4 block.

My IP address

Detect your IPv4/IPv6 addresses and their geolocation.

ARC: keeping trust in an email as it crosses intermediaries

By CaptainDNS
Published on October 23, 2025

  • #Email
  • #ARC
  • #SPF
  • #DKIM
  • #DMARC
  • #Security

In a nutshell: ARC (Authenticated Received Chain) is a standard that lets relays (mailing lists, anti-spam gateways, forwarders, etc.) preserve and seal the authentication results (SPF, DKIM, DMARC) they observed. The recipient can then make an informed decision to trust the message even if SPF/DKIM legitimately fail after a modification or forward.

Diagram: email path and ARC seals added at each relay

Why do we need ARC?

Without ARC, a legitimate message can be rejected after being forwarded:

  • SPF fails because the sending IP becomes the relay's IP;
  • the original DKIM signature can break if the relay tweaks headers or body (banner, footer, anti-spam tagging);
  • therefore DMARC fails on the receiving side, even though the email was valid at the source.

ARC lets the relay state: “I received a message that passed SPF/DKIM/DMARC; here are my results and I’m signing them.”
The final server reviews the chain of seals to decide whether the email remains trustworthy.

How ARC works (overview)

At every relay, three ARC headers are appended, with an index i=1, i=2, …:

  1. ARC-Authentication-Results (AAR) — copies the SPF/DKIM/DMARC results as seen by the relay.
  2. ARC-Message-Signature (AMS) — cryptographic signature of the message as observed by the relay (analogous to DKIM).
  3. ARC-Seal (AS) — a seal that signs the whole package (AAR + AMS + previous seals) to chain the trust.

The three ARC headers and their role (AAR, AMS, AS)

Example ARC headers (simplified)

ARC-Seal: i=1; a=rsa-sha256; d=relay.example.net; s=arc1; cv=none; b=...
ARC-Message-Signature: i=1; a=rsa-sha256; d=relay.example.net; s=arc1; h=from:to:subject:date:message-id; bh=...; b=...
ARC-Authentication-Results: i=1; relay.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
  • i=: position in the chain (1 at the first relay, then +1 at each hop).
  • d= / s=: domain and selector (like DKIM) used to publish the DNS public key.
  • cv= (in ARC-Seal): Chain Validation declared by the relay for the chain it sees; usual values are none, pass, fail.
  • h=, bh=, b=: standard signature fields (list of headers signed, body hash, signature blob).

“I see ARC headers even without forwarding—is that normal?”

Yes. Major providers (webmail, collaboration suites, security gateways) often sign inbound traffic with ARC by default.
Goals: set an internal point of truth, trace the message’s path inside their infrastructure, and ease any later forwarding without losing trust.

How does the recipient evaluate the ARC chain?

  1. Verify every ARC-Message-Signature and ARC-Seal, starting from the highest i.
  2. Check continuity: no i gaps; each seal must cover the previous ones.
  3. Inspect cv= in the last ARC-Seal (the signer’s declared view of the chain).
  4. Cross-check with DMARC: if the current SPF/DKIM fail, decide whether to trust the recorded results in trusted ARC-Authentication-Results.

Important: ARC does not force acceptance of a message; it provides verifiable context so the recipient can decide more precisely.

Legend for cv=none/pass/fail values in ARC-Seal

Best practices (operator side)

  • Sign and validate ARC on your relays (lists, aliases, security gateways).
  • Keep existing ARC headers; do not strip valid seals.
  • Manage your keys (rotation, DNS TTL, monitoring signature failures).
  • Limit message changes once sealed (banners, rewrites) or re-seal after modification.
  • Log DMARC decisions influenced by ARC to measure impact.

Common pitfalls

  • Adding an ARC-Authentication-Results without an ARC-Message-Signature and ARC-Seal.
  • Breaking the chain (duplicate/missing i, seal not covering the prior entries).
  • Blindly trusting any unknown d= domain. The signer’s reputation matters.

Frequently asked questions

Does ARC replace DKIM/DMARC?
No. It complements SPF/DKIM/DMARC by preserving the results observed by relays.

Who can add ARC?
Any transport intermediary (MTA, gateway, email service) that handles the message.

What does cv= actually mean?
It’s the signer’s statement about the state of the chain it sees: none (no prior chain), pass (coherent and verifiable), fail (invalid chain). The recipient still performs its own validation.

Why does the same message have multiple i= values?
Each relay increments i and adds its own AAR/AMS/AS triplet.

Learn more

Cheat sheet

  • Purpose: preserve and seal SPF/DKIM/DMARC results across relays.
  • 3 headers: ARC-Authentication-Results (results) + ARC-Message-Signature (message signature) + ARC-Seal (chain seal).
  • Recipient decision: valid signatures + signer reputation + internal DMARC policy.