Email Authentication helps validate mail sent to and from your Microsoft 365 organization to prevent spoofed senders that are used in business email compromise (BEC), ransomware, and other phishing attacks.
Authenticated Received Chain (ARC) can help minimize authentication failures from such modifications. ARC retains the original email authentication details from the service that altered the message. In Microsoft 365, you can configure your system to trust the modifying service and use that retained information during email authentication checks.
A Microsoft 365 organization needs to identify trusted ARC sealers only when messages delivered to Microsoft 365 recipients are regularly affected in the following ways.
- The intermediary service modifies the message header or email content.
- The message modifications cause authentication to fail for other reasons (for example, by removing attachments).
Basically, ARC helps reduce inbound email authentication failures from message modification by legitimate email services.
As the modern email landscape grows more complex, ensuring the authenticity and security of messages has become crucial. Various email services, including legitimate ones, often modify messages during transit, leading to failures in standard email authentication protocols like SPF, DKIM, and DMARC. To address these challenges, Authenticated Received Chain (ARC) offers a solution that preserves and verifies the original authentication information, ensuring more reliable email processing. In this article, we’ll explore what ARC is, how it works, and how you can configure it in Microsoft 365 to improve email security.
Why Email Authentication Fails?
Before diving into ARC, let’s understand why email authentication might fail.
- SPF (Sender Policy Framework): SPF verifies that the sending mail server’s IP address is authorized to send on behalf of the domain. When messages are modified or relayed through intermediary services, the IP address might change, causing SPF to fail.
- DKIM (DomainKeys Identified Mail): DKIM uses a digital signature linked to the email's content. Any modification to the email—such as changes made by security gateways or mailing lists—can break the DKIM signature, leading to authentication failure.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC ties together SPF and DKIM results to determine the authenticity of the email. If both SPF and DKIM fail, DMARC also fails, leading to the email potentially being rejected or flagged as suspicious.
However, many legitimate services, like mailing list processors, email forwarding systems, or security filters, alter the message in transit. These modifications are typically harmless but can inadvertently lead to these authentication failures.
What is an Authenticated Received Chain (ARC)?
Authenticated Received Chain (ARC) is an email authentication protocol designed to help mitigate failures caused by message modification during delivery. Unlike SPF, DKIM, and DMARC, which operate under strict rules about message integrity, ARC aims to provide additional flexibility without compromising security.
ARC works by preserving the original authentication results even if the message is altered by trusted intermediaries. It adds a series of headers to the email that includes the authentication status at each point of modification. This chain of information can then be used to validate the message’s authenticity, even after changes, such as adding a mailing list footer or passing through a forwarding service.
How does ARC Work?
When a message passes through an intermediary email service that modifies the message (like an email filter, mailing list, or forwarding service), ARC captures the original SPF, DKIM, and DMARC authentication results. The intermediary service then attaches ARC headers to the message, which includes the original authentication results and signs the message with a cryptographic signature.
The receiving email system, such as Microsoft 365, can then examine these ARC headers. If the intermediary is trusted, Microsoft 365 can use the original authentication results for its validation process, rather than relying on the post-modification state, which would likely fail.
Benefits of ARC
- Reduced False Positives: By preserving the original authentication results, ARC helps reduce the number of legitimate messages flagged as suspicious or rejected because of modifications by intermediary services.
- Improved Email Deliverability: Legitimate emails that might otherwise be caught in spam filters due to broken SPF or DKIM signatures can be successfully delivered.
- Better Security Insights: ARC provides a transparent chain of custody for email messages, giving receiving organizations a clearer picture of how the message has been processed along the way.
- Trust-Based Framework: ARC works on the assumption that certain intermediary services are trusted by the receiving organization. It allows these services to vouch for the authenticity of the original message.
To Configure
Goto Microsoft Defender Portal à Email & Collaboration à Policies & rules à Threat Policies à Email Authentication settings.
![Microsoft Defender]()
Before ARC Seal applies.
![ARC seal]()
After the ARC Seal is applied.
![DNS]()