--- title: "Learn to configure trusted ARC sealers | DuoCircle" description: "Learn to configure trusted ARC sealers." image: "https://www.duocircle.com/images/og-default.png" canonical: "https://www.duocircle.com/blog/email-security/learn-to-configure-trusted-arc-sealers/" --- Quick Answer ARC (Authenticated Received Chain, RFC 8617) preserves SPF, DKIM, and DMARC results across intermediaries that legitimately modify messages, like email gateways adding footers or rewriting URLs, mailing lists, and forwarders. Each handler adds three headers: ARC-Authentication-Results (AAR) capturing the SPF/DKIM/DMARC verdict at that hop, ARC-Message-Signature (AMS) signing body and headers, and ARC-Seal (AS) signing the previous ARC sets. The final receiver validates seal integrity, intermediary trust, and consistency across hops. To add a trusted ARC sealer in Microsoft 365: in the Defender portal go to Email & Collaboration > Policies & Rules > Threat policies > Email Authentication Settings > ARC, click Add (or Edit if sealers exist), and enter the intermediary's domain. Use trusted sealers only when DMARC is failing for messages legitimately modified in transit by a known service. Learn to configure trusted ARC sealers Your browser does not support the audio element. [ Download episode](https://media.mailhop.org/duocircle/images/2024/07/Learn-to-configure-trusted-ARC-sealers.mp3) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Femail-security%2Flearn-to-configure-trusted-arc-sealers%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Learn%20to%20configure%20trusted%20ARC%20sealers&url=undefined%2Fblog%2Femail-security%2Flearn-to-configure-trusted-arc-sealers%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Femail-security%2Flearn-to-configure-trusted-arc-sealers%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Femail-security%2Flearn-to-configure-trusted-arc-sealers%2F&title=Learn%20to%20configure%20trusted%20ARC%20sealers "Share on Reddit") [ ](mailto:?subject=Learn%20to%20configure%20trusted%20ARC%20sealers&body=Check out this article: undefined%2Fblog%2Femail-security%2Flearn-to-configure-trusted-arc-sealers%2F "Share via Email") ![email security](https://media.mailhop.org/duocircle/images/2024/07/anti-phishing-software-3.jpg) [Email authentication](/resources/email-authentication) has become a **non-negotiable standard** for companies and governments, as it prevents phishing, spoofing, [ransomware](https://thehackernews.com/2024/07/new-hardbit-ransomware-40-uses.html), and other [email-based cyberattacks](https://www.cybersecuritydive.com/news/hpe-cyberattack-email-stolen/705615/). Email authentication protocols also raise alerts for modified email contents as these changes indicate **tampering done by threat actors**. While most alterations are malicious, **some are legitimate**, too. There are some genuine email service providers that modify messages before they are placed in your Microsoft email inbox. These modifications trigger SPF, DKIM, and [DMARC](/email/dmarc) to fail for legitimate emails as well. _[DKIM](/resources/what-is-dkim) behaves as a robust [email security](/) protocol when dealing with **uncomplexed relay situation**s, but it fails when an intermediate server modifies the message in transit._ Typical violations of DKIM include legitimate processes, such as an [email gateway](/content/email-gateway) adding a footer or rewriting URLs. When these modifications are part of a legitimate business process, using an [Authenticated Received Chain (ARC)](/email-security/how-does-arc-subside-shortcomings-of-spf-dkim-dmarc/) is important. ARC helps **preserve authentication results** across intermediaries. ARC resolves these issues and helps **minimize email authentication failures** for legitimately modified incoming emails. It works by preserving the original email authentication information at the email service, which also helps determine if alterations made to an email are safe or suspicious. ## How does ARC work? Here’s a simple breakdown of how ARC works to ensure the authenticity of email modifications by **maintaining a chain** of [cryptographic signatures](https://learn.microsoft.com/en-us/dotnet/standard/security/cryptographic-signatures). ### ARC Seal Creation Each **email handler** (like forwarding services) adds an ARC header set, which includes: 1. **ARC-Authentication-Results (AAR):** Shows the email’s **authentication status** (e.g., [SPF](/content/spf-record-check), DKIM, DMARC) at that point. 2. **ARC-Message-Signature (AMS)**: A digital signature covering the email body and headers. 3. **ARC-Seal (AS)**: _A signature that covers all previous [ARC header](https://blog.mystrika.com/arc/) sets, including AMS and AAR_. [![email sending](https://media.mailhop.org/duocircle/images/2024/07/email-smtp-service-0808.jpg)](https://media.mailhop.org/duocircle/images/2024/07/email-smtp-service-0808.jpg) ### Validation of ARC Chains When the email arrives at its final destination, the recipient’s email service checks the [ARC chain](https://www.theregister.com/2023/02/19/forwarding%5Femail%5Fsecurity/) by verifying: 1. **ARC-Seal integrity**: Ensures **no tampering occurred** after the seal was applied. 2. **Legitimacy of intermediaries**: Confirms the domains in the ARC-Seal are recognized and trusted. 3. **Consistency of authentication results**: Compares AAR results at different stages for discrepancies. ### Decision Making _If all ARC-Seals are intact and from trusted domains, the modifications are **likely legitimate**._ If there are broken seals, [untrusted signatures](https://mailsignature.org/apple-mail-untrusted-signature-what-does-it-mean/), or inconsistent results, the modifications might be suspicious and possibly from a [threat actor](https://thehackernews.com/2024/03/hackers-target-indian-defense-and.html). ## When to use trusted ARC sealers? If you are a **Microsoft 365 suite user**, you need to identify trusted ARC sealers only if the emails delivered to [Microsoft 365](/dmarc/how-microsoft-365-manage-inbound-email-dont-pass-dmarc-checks/) recipients are frequently experiencing the following- - Getting modified by intermediary services. - Messages are failing email authentication checks because of modifications, such as changes made to the headers and footers or [removal of attachments](https://www.bleepingcomputer.com/news/security/major-us-energy-org-targeted-in-qr-code-phishing-attack/). After you add a trusted ARC sealer to your [Defender portal](https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender-portal), Microsoft 365 validates the message’s authenticity using the original authentication information packed by the **ARC sealer**. ## Adding trusted ARC sealers using the Microsoft Defender portal 1. In the Microsoft Defender portal at , navigate to: - **Email & Collaboration > Policies & Rules > Threat policies > Email Authentication Settings** in the Rules section > **ARC**. - Alternatively, go directly to the Email authentication settings page using . 2\. Next, you will come across the **Email authentication settings** page, where you have to verify that the **ARC** tab is selected. If yes, click **Add**. **Tip:** If Trusted sealers are already listed on the ARC tab, click **Edit**. 3\. In the **Add trusted ARC sealers** flyout that opens, add the trusted signing domain to the given space. - The **domain name must match** the domain shown in the [d](https://www.ietf.org/archive/id/draft-chuang-replay-resistant-arc-06.html) [value in the ARC-Seal](https://www.ietf.org/archive/id/draft-chuang-replay-resistant-arc-06.html) and ARC-Message-Signature headers in affected messages. - Use the following methods to view the message header: - View [internet message headers in Outlook](https://support.microsoft.com/en-us/office/view-internet-message-headers-in-outlook-cd039382-dc6e-4264-ac74-c048563d212c). - Use the **Message Header Analyzer** at . _**Repeat this step** as many times as necessary. To remove an existing entry, click the x next to the entry._ 4\. When you’re finished in the **Add trusted ARC sealers** flyout, click **Save**. [![authenticity of email](https://media.mailhop.org/duocircle/images/2024/07/SPF-record-checker.jpg)](https://media.mailhop.org/duocircle/images/2024/07/SPF-record-checker.jpg) ## Adding trusted ARC sealers using the Exchange Online PowerShell If you’d prefer to use PowerShell to **view, add, or remove** trusted ARC sealers, connect to [Exchange Online PowerShell](https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell?view=exchange-ps) and run the following commands: ### View existing trusted ARC sealers `Get-ArcConfig` _If no trusted ARC sealers are configured, the command returns no results._ ### Add or Remove Trusted ARC Sealers Use the following command to use new ARC sealers in place of the existing ones- `Set-ArcConfig -Identity [TenantId\]Default -ArcTrustedSealers "Domain1","Domain2",..."DomainN"` The [TenantId\\ value](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id) isn’t required in your own organization, **only in delegated organizations**. It’s a GUID visible in many admin portal URLs in Microsoft 365 (the tid= value), for example, a32d39e2-3702-4ff5-9628-31358774c091. This example configures “cohovineyard.com” and “tailspintoys.com” as the only trusted ARC sealers in the organization: `Set-ArcConfig -Identity Default -ArcTrustedSealers "cohovineyard.com","tailspintoys.com"` To keep existing ARC sealers, make sure to list them along with any new ones you want to add. For more detailed operations, such as adding or removing ARC sealers without affecting other entries, refer to the **Examples section** in the [Set-ArcConfig documentation](https://learn.microsoft.com/en-us/powershell/module/exchange/set-arcconfig?view=exchange-ps). ## Topics email securityUpdates ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) Brad Slavin General Manager General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio. ## Secure your email infrastructure Protect, authenticate, and deliver. Contact our team to find the right solution. [Contact Sales](/contact/) [Explore Products](/products/) ## Related Articles [ Email Security 7m 10 Crucial Tips that Will Help You Avoid Spam Filters and Send Better Emails Feb 14, 2023 ](/blog/email-security/10-crucial-tips-that-will-help-you-avoid-spam-filters-and-send-better-emails/)[ Email Security 6m 5 Reasons Why Your Website Needs an SPF Record Flattener? Sep 26, 2023 ](/blog/email-security/5-reasons-why-your-website-needs-an-spf-record-flattener/)[ Email Security 8m Best Practices to Follow When Implementing SPF, DKIM, and DMARC Mar 19, 2024 ](/blog/email-security/best-practices-to-follow-when-implementing-spf-dkim-and-dmarc/)[ Email Security 3m Best Ways to Secure Emails in 2024 Apr 26, 2024 ](/blog/email-security/best-ways-to-secure-emails-in-2024/) ```json {"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Learn to configure trusted ARC sealers","description":"Learn to configure trusted ARC sealers.","url":"https://www.duocircle.com/blog/email-security/learn-to-configure-trusted-arc-sealers/","datePublished":"2024-07-16T14:52:17.000Z","dateModified":"2025-04-28T15:43:17.000Z","dateCreated":"2024-07-16T14:52:17.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/learn-to-configure-trusted-arc-sealers/"},"articleSection":"email-security","keywords":"email security, Updates","wordCount":821,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/07/anti-phishing-software-3.jpg","caption":"email security","width":900,"height":535},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"Email Security"},{"@type":"ListItem","position":3,"name":"Learn to configure trusted ARC sealers","item":"https://www.duocircle.com/blog/email-security/learn-to-configure-trusted-arc-sealers/"}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"Email Security","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"Learn to configure trusted ARC sealers","item":"https://www.duocircle.com/blog/email-security/learn-to-configure-trusted-arc-sealers/"}]} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"Learn to configure trusted ARC sealers","description":"Learn to configure trusted ARC sealers.","url":"https://www.duocircle.com/blog/email-security/learn-to-configure-trusted-arc-sealers/","datePublished":"2024-07-16T14:52:17.000Z","dateModified":"2025-04-28T15:43:17.000Z","dateCreated":"2024-07-16T14:52:17.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/learn-to-configure-trusted-arc-sealers/"},"articleSection":"email-security","keywords":"email security, Updates","wordCount":821,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/07/anti-phishing-software-3.jpg","caption":"email security","width":900,"height":535},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ```