HOME

TheInfoList



OR:

Authenticated Received Chain (ARC) is an
email Electronic mail (email or e-mail) is a method of exchanging messages ("mail") between people using electronic devices. Email was thus conceived as the electronic ( digital) version of, or counterpart to, mail, at a time when "mail" mean ...
authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and
DKIM DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed ...
records are rendered invalid by an intermediate server's processing. ARC is defined in RFC 8617, published in July 2019, as "Experimental".


Overview

DMARC Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Th ...
allows a sender's domain to indicate that their emails are protected by SPF and/or
DKIM DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed ...
, and tells a receiving service what to do if neither of those authentication methods passes - such as to reject the message. However, a strict
DMARC Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Th ...
policy may block legitimate emails sent through a mailing list or forwarder, as the
DKIM DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed ...
signature will be invalidated if the message is modified, such as by adding a subject tag or footer, and the SPF check will either fail (if the forwarder didn't change the
bounce address {{No footnotes, date=June 2016 A bounce address is an email address to which bounce messages are delivered. There are many variants of the name, none of them used universally, including return path, reverse path, envelope from, envelope sender, MA ...
) or be aligned with the mailing list domain and not with the message author's domain (unless the mailing list rewrites the From: header field.) ARC was devised to solve this problem by giving intermediate servers a way to sign the original message's validation results. Even if the SPF and DKIM validation fail, the receiving service can choose to validate the ARC chain. If it indicates that the original message passed the SPF and DKIM checks, and the only modifications were made by intermediaries trusted by the receiving service, the receiving service may choose to accept the email. Validating an ARC chain only makes sense if the receiver trusts the ARC signers. In fact, an ARC chain can be counterfeited, so ARC processing applies when receivers trust the good faith of ARC signers, but not so much their filtering practices.


Implementation

ARC defines three new mail headers: * ARC-Authentication-Results (abbreviated AAR) - A combination of an instance number (i) and the results of the SPF, DKIM, and DMARC validation * ARC-Seal (abbreviated AS) - A combination of an instance number (i), a DKIM-like signature of the previous ARC-Seal headers, and the validity of the prior ARC entries. * ARC-Message-Signature (abbreviated AMS) - A combination of an instance number (i) and a DKIM-like signature of the entire message ''except'' for the ARC-Seal headers To sign a modification, an intermediate server performs the following steps: * Copies the "Authentication-Results" field into a new AAR field (starting with i=1) and prepends it to the message. * Calculates the AMS for the message (with the AAR) and prepends it to the message. * Calculates the AS for the previous Arc-Seal headers and prepends it to the message. To validate an ARC, the recipient performs the following steps: * Validates the chain of ARC-Seal headers (no missing entries, all ARC-Seal messages state that the prior ARC entries are valid, etc.) * Validates the newest ARC-Message-Signature (based on the instance number)


References


External links

* {{Official website, http://arc-spec.org/, ARC Specification for Email Email authentication Internet architecture Internet governance Network addressing Spam filtering