Status of ARC
If you are a mailbox provider or mailing list operator, it is time to begin planning your ARC implementation.
The Authenticated Received Chain, or ARC, was adopted as an official work item of the IETF DMARC Working Group in June 2016, and the specification was last updated in October 2018. (Or check for more recent activity at this IETF page.)
Google has deployed ARC in their email services, code libraries and a test suite are freely available, one commercial MTA already includes ARC support, and patches for popular mailing list managers (MLMs) have been released (mid-2018). Links to these items are available on our Resources page.
What is ARC?
When an email sender or Internet domain owner uses email authentication to make it easier to detect fraudsters sending messages that impersonate their domain, some services like mailing lists or account forwarding may cause legitimate messages to not pass those mechanisms, and such messages might not be delivered. These services may be referred to as intermediaries because they receive a message, potentially make some changes to it, and then send it on to one or more other destinations. This kind of email traffic may be referred to as an indirect mailflow.
ARC preserves email authentication results across subsequent intermediaries (“hops”) that may modify the message, and thus would cause email authentication measures to fail to verify when that message reaches its final destination. But if an ARC chain were present and validated, a receiver who would otherwise discard the messages might choose to evaluate the ARC results and make an exception, allowing legitimate messages from these indirect mailflows to be delivered.
Between October 2015 and February 2017, the ARC protocol benefited from community review and input while several parties planned and then developed implementations. A number of interoperability events were held so that these implementations could be tested against each other. The IETF DMARC Working Group spent the better part of two years reviewing the specification in detail, and the document passed through Working Group Last Call in August of 2018. As of this writing (October 2018), it is awaiting some supporting material for Appendix B before being submitted to the IETF’s RFC Editor for final formatting and publication.
How can I learn more and/or participate?
- You can read the current draft specification for ARC.
- You can read the current draft of the recommended usage document for ARC.
- General questions about ARC should be brought to the arc-discuss list operated by DMARC.org. Feel free to visit the list information and subscription page. Please note that this is a technical forum intended for IT professionals, programmers, network operators, etc. Consumers or end-users should contact their service provider’s help desk for assistance.
- Analysis and development of the protocol should be carried out in the IETF DMARC Working Group. Instructions for subscribing are available on the list information and subscription page. If you join, please take the time to read through the list archives and familiarize yourself with the discussion to date.
- You can also read the original press release that announced the ARC protocol in October 2015
What are the next steps for ARC?
The biggest step is having the RFC Editor assign a number and publish the specification as an IETF RFC. This is expected in the fourth quarter of 2018.
If you are a mailbox provider or intermediary (mailing list operator, message forwarder), you should be planning your ARC implementation now (first half of 2018). Google has added ARC verification and sealing to their email services (Gmail, G Suite, and Google Groups). Several other companies will incorporate ARC into their products and services in the first half 2018.
Patches for the most popular mailing list managers (MLMs) will be available later in 2018. Code libraries and modules are already available for those who need to integrate ARC functions into their systems. The commercial MTA MailerQ incorporates ARC, and the milters authentication_milter and OpenARC can be used to deploy ARC with the Postfix, Oracle Communications Messaging Server, and Sendmail MTAs. Be sure to check our Resources page for a more up-to-date listing.