How does ARC subside the shortcomings of SPF, DKIM, and DMARC?
Email authentication protocols like the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are considered to be robust mechanisms to protect against cybersecurity threats such as spoofing and phishing. This is when you are sending emails from your domain, but when it comes to forwarding emails, these protocols fall short.
So, does this mean your forwarded emails are not secure enough? Not really! But this is what the recipient’s mail server would think of them and push them into the spam folder or reject their entry altogether. Thanks to Authenticated Received Chain (ARC), you can now ensure that your forwarded emails land in the intended recipients’ inboxes and no one tampers with them in transit.
In this article, we will examine how ARC works as an extension of authentication protocols SPF, DKIM, and DMARC and how it compensates for their shortcomings.
What is the Authenticated Received Chain (ARC)?
Just like SPF, DKIM, and DMARC, ARC is an authentication standard that works to enhance the trustworthiness and security of email communications.
What sets ARC apart is its ability to preserve the results of email authentication checks across multiple hops, making it especially useful for emails that are forwarded or passed through intermediate servers.
This standard was devised in 2016 to retain the integrity of the emails (verified through SPF and DKIM checks) that pass from one server to another while being forwarded.
When an email passes through an intermediary mail server like a mailing list, the SPF and DKIM checks that happened in previous stages are deemed redundant. This prevents the mail from reaching its destination— the receiver’s inbox.
To overcome this, you can deploy ARC. It considers all of the previous authentication results as the email travels through different servers and lets the server of the final recipient check whether the email has been altered along the way by threat actors or forwarded unscathed.
What are the gaps left by SPF, DKIM, and DMARC?
As you send emails from your domain that is authenticated with SPF, DKIM, and DMARC, these protocols work well to verify the sender’s legitimacy and protect against spoofing and phishing.
However, when the email is forwarded, the real challenge begins! At this stage, the forwarding server adds a new ‘Received’ header to the email, which is usually not covered by SPF and DKIM. This prompts the recipient’s mail server to mark the email as illegitimate.
Additionally, when you send an email through a mailing list, you might encounter a similar problem. This happens because, during its time in transit, the mail undergoes various modifications, such as having the mailing list name added to the subject line or adding an ‘unsubscribe’ button or disclaimer at the end. While there’s nothing wrong with these changes, they might appear as red flags to the receiving server, leading to DKIM failure and giving an impression of a spoofed email. Since the forwarding or mailing list mail servers use a different IP address altogether, which is not listed in the SPF record, it causes SPF authentication to fail and the email to be marked as spam.
Since the email doesn’t pass through SPF and DKIM checks, it fails DMARC authentication by default.
How does ARC work to fill these gaps?
Now that you know, ARC addresses the loopholes in the existing email authentication protocols by ensuring that the integrity and authenticity of an email are preserved as it passes through multiple intermediary servers. Let us take you through the process of what goes behind the scenes of ARC implementation and successful authentication:
Initial signing
Since ARC is essentially an extension of SPF and DKIM, the first step for efficient ARC implementation is verifying that the original email is authenticated. The sending server performs the initial authentication through DKIM signing to establish that the email content has not been tampered with. This ensures that the email is authentic at the start of an ARC process.
Handling by intermediary servers
When the email arrives at an intermediary server, this server adds a ‘Received’ header to the email. However, this can cause issues with the initial DKIM signature because these changes can make the email look suspicious to the recipient’s server.
Adding ARC headers
To address the above-mentioned issue and ensure the authenticity of the email, the server performs authentication checks to verify if the email passes SPF, DKIM, and DMARC. After this, it adds an ARC-Authentication-Results (AAR) header to log the results of these checks. The server then creates a digital signature, known as an ARC-Message-Signature (AMS), which confirms that both the email content and the AAR header have not been tampered with. Finally, the server adds a signature to the entire message, including previous ARC headers, creating an ARC-Seal (AS) that continues the chain of trust indefinitely.
Image sourced from slideshare.net
Chain process
In case the email is further forwarded, the next intermediary server repeats the process and adds its own ARC headers and signatures. This creates a linear chain of events of sorts, which can be traced back to verify each server that handled the email. By doing so, ARC ensures that legitimate emails are correctly identified and delivered to the recipient’s inbox despite the complications introduced by forwarding.
Final verification
When the email reaches the final recipient after passing through multiple servers, the receiving server performs the usual authentication checks. If any one of the checks – SPF, DKIM, or DMARC – fails, the server looks for ARC. It then cross-checks the ARC signatures to confirm that the email has not been tampered with while being forwarded.
Should you bother implementing ARC?
If you know that emails sent by you are frequently forwarded by the original recipients or you rely on mailing lists for your communication, you should have ARC set up. As we have established so far, ARC helps ensure that your legitimate forwarded emails are not outrightly flagged as spam or rejected by the recipient’s mail servers.
In doing this, ARC ensures that your emails maintain their integrity and authenticity by retaining the authentication result across multiple hops, even when those emails go through intermediate servers that add headers or other changes.
Apart from this, there are other benefits of configuring ARC that you shouldn’t miss out on. Let us take a look at some of them:
Enhanced email deliverability
Email forwarding often leads to DMARC failures, which means your email fails to reach the recipient’s inbox. But with ARC, you do not have to worry about it, as it ensures that your genuine emails do pass through the forwarding servers without being marked as spam or rejected by incorporating headers that record and verify authentication results at each stage of the email’s journey. This ultimately increases the chances of your emails reaching the intended recipients.
Improved security
While adding headers at each step of the journey, ARC cross-checks whether the email has been tampered with or modified during transit. If such discrepancies come to the surface, they are considered a sign of a potential phishing attempt and require immediate attention. This continuous verification improves the overall security of the communication.
Lesser false positives
There’s always a possibility of legitimate emails being wrongly identified as spam, especially when they pass through forwarding servers or intermediary services. But with ARC, this is much less likely to happen as the ones that undergo modifications or appear to come from a different source can still be verified by ARC headers. As a result, the number of false positives significantly comes down, and none of the important communications are missed.
Improved reporting
An important aspect of implementing ARC is the enhanced visibility it provides into the email’s journey through various forwarding servers. Once you get a peek into the path that the email takes, you can see how it was handled by each intermediary server. Not to mention, you can leverage this information to identify and troubleshoot any email delivery issues.
All-round protection
ARC is built upon SPF, DKIM, and DMARC, ensuring the most comprehensive and up-to-date email security. With all the forces coming together, you can expect robust and multi-layered defense against email-based threats.
By operating on the foundation laid by the existing authentication protocols, ARC ensures that your emails remain secure and trustworthy from the moment they are sent until they reach the final recipient, providing all-around protection for your email communications.
Having said this, it is important to understand that ARC only solves the problem of false positives regarding legitimate emails being forwarded or sent via mailing lists; it does not provide end-to-end encryption for emails.
Want to know more about the Authenticated Received Chain or get started with email authentication standards? DuoCircle is here to help you with everything! We will take care of everything, from enhancing your email security posture to protecting your brand from spoofing and phishing attacks and ensuring that your legitimate emails reach their intended recipients without being wrongly flagged as spam. Book a demo with us today!