ARC-Message-Signature
Learn how the ARC-Message-Signature preserves authentication through forwarding and how DMARCeye analyzes ARC headers to maintain message integrity.
What is an ARC-Message-Signature?
The ARC-Message-Signature is a cryptographic header used in the Authenticated Received Chain (ARC) framework to preserve authentication results when an email passes through intermediaries such as mailing lists or forwarders. Similar to DKIM, it uses digital signatures to verify that message content remains unaltered. However, its primary role is to maintain the original authentication results so that recipient servers can trust forwarded messages.
ARC solves one of the biggest challenges in email authentication: legitimate forwarding often breaks SPF or DKIM alignment, causing DMARC failures. The ARC-Message-Signature ensures that these authentication results can be validated even after forwarding.
How the ARC-Message-Signature Works
Each forwarding hop adds its own ARC set of headers:
ARC-Authentication-Results- Records SPF, DKIM, and DMARC verification outcomesARC-Message-Signature- Signs the message and authentication results for integrityARC-Seal- Signs all previous ARC sets to preserve the chain of custody
Example ARC-Message-Signature header:
ARC-Message-Signature: i=1; a=rsa-sha256; d=example.com; s=arcselector; bh=abc123...; b=def456...Here:
i=- Indicates the instance number (hop count)d=- Domain that generated the signatures=- Selector used to find the public key in DNSbh=andb=- Contain the message and signature hashes
Benefits of ARC-Message-Signature
ARC allows intermediary systems to forward authenticated mail without breaking the trust chain. This is especially valuable for mailing lists, forwarding services, and ticketing systems that alter message routing but not content. With ARC, receiving servers can decide whether to honor previous authentication results even if SPF or DKIM checks fail at final delivery.
ARC-Message-Signature and DMARCeye
DMARCeye validates and interprets ARC-Message-Signature data in its authentication analytics. By reviewing ARC headers across forwarded messages, the platform helps organizations identify whether legitimate mail flows are being disrupted by forwarding and whether ARC is implemented correctly.
Through its detailed reporting, DMARCeye ensures that complex mail paths — including forwarding services and list processors — maintain authentication integrity and deliver legitimate messages without rejection.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.