ARC-Authentication-Results

Learn what the ARC-Authentication-Results header records, how it preserves SPF, DKIM, and DMARC results, and how DMARCeye validates authentication chains.

Jack Zagorski

Oct 6, 2025

What is ARC-Authentication-Results?

The ARC-Authentication-Results header is part of the Authenticated Received Chain (ARC) framework, designed to preserve email authentication results as a message passes through intermediaries such as mailing lists, forwarders, or gateways. It records the results of SPF, DKIM, and DMARC checks at each hop, ensuring that downstream systems can verify the message’s authentication history.

ARC was developed to solve a long-standing problem in email authentication: when messages are legitimately forwarded, they often fail DMARC alignment because headers or sending IPs change. The ARC-Authentication-Results header ensures that a receiving server can see what the authentication results were when the message first arrived.

How ARC-Authentication-Results Works

When a message passes through an intermediary mail server that supports ARC, the server adds three headers:

ARC-Seal - Verifies the integrity of the ARC chain
ARC-Message-Signature - Signs the message content
ARC-Authentication-Results - Records authentication results such as SPF, DKIM, and DMARC

Example ARC-Authentication-Results header:

ARC-Authentication-Results: i=1; mx.example.net; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com;

The “i=1” indicates the position in the chain (first hop), while each authentication result is clearly listed. When the next server receives the message, it can validate the chain and confirm that no data was altered in transit.

Benefits of ARC

Preserves authentication results across forwarding and mailing lists
Prevents false DMARC rejections
Improves trust in intermediary relays and gateways
Provides visibility into message handling across systems