Microsoft recently rolled out trusted ARC seals to authorize legitimate indirect email flows and truth be told, it’s an excellent step. Why? Here’s why: 

• Your staple email authentication protocols (DMARC, SPF, and DKIM) fall short when it comes to authenticating emails sent indirectly 
• This can make your legitimate emails fail authentication 
• Subsequently, this leads to email delivery issues 

This is when Microsoft’s trusted ARC seal sweeps in to save the day. By adding ARC signatures to outbound messages, the email source can be easily identified and authorized during sender verification even if its header and content have been altered by a trusted intermediary party.  

View Microsoft’s document here.

Which category of users is the Microsoft Trusted ARC Seal applicable to?

This trusted ARC seal can be deployed by users signed in for the following Microsoft services: 

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

What is a direct email flow? 

This is when an email sent from a source domain directly reaches its recipient’s email server. Unless the communication is intercepted by a malicious third party, the email remains untouched and the message headers are preserved, thereby passing DMARC authentication checks. 

What are indirect mailflows?

This is when an email sent from the source domain is routed through one or more intermediary servers (like in the case of email forwarding). These intermediaries can alter the message by making modifications to the header information and body, making the email fail DMARC.  

Why is the Trusted ARC Seal necessary?

Authentication failures in indirect email flows

Enterprises may often outsource their email marketing campaigns through a third party that routes messages from the owner’s domain to the recipients through an intermediary server(s). This is mainly noticeable during email forwarding or usage of mailing lists. 

The header information for these emails gets altered in the process as it takes up the header information of the respective intermediary. This causes an inconsistency in the Mail from: and return-path headers thereby failing SPF. Intermediaries can also alter the content inside the mail body by adding footers, which will further break DKIM. 

While the latter is a rare occurrence, it does happen. When both SPF and DKIM fail for the messages, DMARC inevitably fails and the message (although legitimate) is perceived as fraudulent. If the sender is on p=reject, these legitimate messages would never be delivered! 

Specifying trusted intermediaries through Microsoft’s trusted ARC seal

Admins who are logged into the Microsoft 365 defender portal can add trusted intermediaries on the admin portal. During sender verification, Microsoft will verify the DMARC ARC signatures of emails that are sent from these trusted ARC sealers and help them pass authentication checks and get delivered safely. 

This is done with respect to how ARC preserves the original authentication information for messages before alterations are made by a middleman, which can be verified by receiving servers.  

Important points to remember while using Trusted ARC Seal

The ARC seal needs to be configured by the admin-trusted intermediaries

If you as the domain admin have a list of trusted intermediaries whom you want to route your emails through, you need to get in touch with them today! Have an open discussion with them, asking them to configure ARC for the respective intermediary domains. 

Upload this list of trusted ARC sealers to your defender portal

Your next step should be logging into your Microsoft defender portal and uploading the list of trusted ARC sealers. Here you can add the domain names of these trusted intermediaries who have enabled ARC on your request. You can do so by heading over to your email authentication settings page on your portal dashboard and clicking on the “Add” button. 

Alternatively, 

You can also add your list of trusted ARC sealers through Exchange Online Powershell by running the following Powershell script mentioned by Microsoft: 

Set-ArcConfig -Identity default -ArcTrustedSealers {followed by the domain names of your intermediaries separated by commas}

How to find the domain name of your Trusted ARC Sealers

To find the domain name of your trusted ARC senders on your Outlook mailbox, follow the steps below: 

• Open the email by double-clicking on it 
• Go to file > Properties 
• The properties window will appear. You can view your message header information in the Internet Headers box
• Here you will find the domain name mentioned in the “d=” tag in the email’s ARC signature. This is the domain of your trusted ARC sealer.

You can also use your email’s header information to validate your trusted ARC seal by fishing for “pass” in your ARC authentication results. 

Is ARC a replacement for DMARC? 

Long story short: No, it’s not. For best results, ARC should be used in conjunction with DMARC, SPF, and DKIM. ARC is an added security measure that helps you prevent your legitimate emails from failing authentication when the email passes through an intermediary server that makes modifications to the header and content. 

To start taking advantage of Microsoft’s Trusted ARC seal, configure DMARC at your organization today. Take a free DMARC trial with PowerDMARC.

Related Articles

• DMARC office365 setup guide
• Microsoft Office 365 DKIM Setup
• Microsoft Office 365 SPF Setup

• About
• Latest Posts

Yunes Tarada

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

Latest posts by Yunes Tarada (see all)

• SPF Softfail Vs Hardfail: What’s the Difference? - April 26, 2024
• FTC Reports Email is a Popular Medium for Impersonation Scams - April 16, 2024
• SubdoMailing and the Rise of Subdomain Phishing - March 18, 2024