In case you have missed out on this important inclusion amongst all the humdrum surrounding Google’s new sender guidelines, ARC or Authenticated Received Chain is now a part of their latest requirements starting February 2024.
ARC secures email authentication information in situations where an email passes through multiple servers – thereby working as an additional layer of protection.
Google ARC – Staying One Step Ahead of SPF and DKIM
SPF and DKIM email authentication protocols are effective measures in ensuring that messages sent from your domain are verified before they reach your client’s inbox, However, they are not perfect.
SPF is ineffective during email forwarding
SPF verifies email messages against an authorized list of IP addresses. During email forwarding, the email passes through an intermediate server whose IP may not be included in the sender’s SPF list. This leads to unwanted SPF failures even for legitimate emails.
DKIM isn’t always the saviour
DKIM adds digital signatures to your emails which can be encrypted using a public key to verify the source and authenticity of the message. To do so, DKIM uses a hash value that is generated using the email header and body. However, during email forwarding scenarios, additional elements like custom footers or extended subject lines can be added to the email – invalidating DKIM.
Google Recommends Adding ARC Headers to Outgoing Emails
Email headers and message content get altered during email forwarding, due to which SPF and DKIM fail for the email as a result of unsuccessful verification. When the forwarding MTA applies ARC for the email, three additional ARC headers are applied to the email as well as the SPF and DKIM authentication data of the original message. The three new headers are as follows:
- AAR(ARC-Authentication-Results)
- AS(ARC-Seal)
- AMS(ARC-Message-Signature)
During the DMARC check, the protocol takes into consideration the ARC headers referring to the authentication information of the original message to verify the legitimacy of the message – overriding the changes made by any intermediary server. In case the forwarded message is legitimate, DMARC passes for it.
The Need for Authenticated Received Chain
ARC steps up in situations where SPF and DKIM fall short by preserving email authentication header information for the original message, despite it passing through intermediary servers. This helps:
When Should Google Senders Implement ARC?
Google senders must implement ARC if:
- They regularly or frequently forward emails
- They use mailing lists
- They use inbound gateways
Google explains that they have opted to include ARC as a part of their latest sender guidelines as ARC headers would be able to identify messages as “forwarded” instead of unauthorized, as well as recognize the original forwarding address or domain.
On top of ARC, google’s email authentication requirements go into great detail about various other measures that general as well as bulk senders need to implement before February 2024 to comply with the latest mandates as a responsible approach toward ensuring a less spammy inbox for Gmail users.
PowerDMARC helps organizations comply with Google and Yahoo’s sender guidelines through effortless DMARC, SPF, DKIM, and ARC implementation. Sign up to achieve compliance today!
- Travel Cybersecurity Threats and How to Stay Protected - December 18, 2024
- Cybersecurity Best Practices for Digital Nomads in Japan - December 17, 2024
- NCSC Mail Check Changes & Their Impact on UK Public Sector Email Security - December 13, 2024