ARC addresses some edge cases that were impeding DMARC adoption (mailing lists, forwarders, and SEGs within enterprises). These account for just 1-2% of global mail volume, but that’s an incredibly large number of messages.


Why ARC is needed

Here’s the problem: When messages pass through mailing lists, email gateways, and other message-modifying filters, they often fail to authenticate. Sender Policy Framework (SPF, RFC 7208) breaks under most forwarding circumstances, and DomainKeys Identified Mail (DKIM, RFC 6376) breaks when messages pass through forwarding services that modify content covered by the DKIM signature.


When a message loses its ability to be authenticated due to forwarding, and a policy is supposed to be applied to messages that fail to authenticate, as with Domain-based Message Authentication, Reporting, & Conformance (DMARC), these legitimate messages are treated as if they have been spoofed.


How ARC helps

ARC solves these problems by providing a means for these forwarding and filtering systems to attest to the authentication status of a message at the time they receive it. These attestations are then signed and bundled with the message as it is forwarded (called “sealing”), creating an ARC Chain as multiple parties participate. Using this chain, validators further along can examine the attestations to verify that the message was properly authenticated when it originated.


It’s as if you were on an international journey with many stops along the way. You present your passport at an airport in Hungary, and the customs officers inspect it and find it to be valid, so they stamp it with a visa showing that they approve your identification. When you get to Germany, the customs officers have never seen your country’s passport before, and they can’t independently verify its authenticity — but they have seen Hungarian visas and can tell that your Hungarian visa is valid. On the strength of the Hungarian endorsement, the German officials decide to approve your identification as valid, so they put their own stamp in the passport.
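The chain described above can be inspected structurally before any signature is verified. The following is an added example, not code from the original page or from any of the libraries listed below; the function names and the sample message are constructed for illustration, and the header names and `cv=` rules are taken from RFC 8617 rather than from this page. It checks only that the chain is well formed (one complete header set per hop, numbered from 1, with the expected chain-validation tags) and returns the first hop's attestation; verifying the seals cryptographically is the job of an ARC library.

```python
import re
from email import message_from_string

# Constructed sample: a message sealed by two hops. Signature values are
# placeholders; this checks chain structure only, not the cryptography.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gateway.example; s=s2; b=AAAA
ARC-Message-Signature: i=2; a=rsa-sha256; d=gateway.example; s=s2; bh=BBBB; b=CCCC
ARC-Authentication-Results: i=2; gateway.example; arc=pass; spf=fail; dkim=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=s1; b=DDDD
ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=s1; bh=EEEE; b=FFFF
ARC-Authentication-Results: i=1; list.example; spf=pass; dkim=pass
From: alice@sender.example
Subject: hello

body
"""

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

def tag(value, name):  # value of a `name=value` tag in a header, or None
    m = re.search(r"(?:^|;)\s*%s\s*=\s*([^;\s]+)" % re.escape(name), value)
    return m.group(1) if m else None

def check_arc_structure(raw):
    """Return (status, detail); on pass, detail is the i=1 attestation."""
    msg = message_from_string(raw)
    sets = {}
    for header in ARC_HEADERS:
        for value in msg.get_all(header, []):
            i = tag(value, "i")
            if i is None or not i.isdigit():
                return "fail", f"{header} lacks a numeric i= tag"
            if header in sets.setdefault(int(i), {}):
                return "fail", f"duplicate {header} at i={i}"
            sets[int(i)][header] = value
    if not sets:
        return "none", "no ARC headers present"
    for i in range(1, max(sets) + 1):
        if len(sets.get(i, {})) != 3:
            return "fail", f"ARC set i={i} is missing or incomplete"
        # Hop 1 has no prior chain (cv=none); later hops must record cv=pass.
        cv = tag(sets[i]["ARC-Seal"], "cv")
        if cv != ("none" if i == 1 else "pass"):
            return "fail", f"unexpected cv={cv} at i={i}"
    return "pass", sets[1]["ARC-Authentication-Results"]

if __name__ == "__main__":
    print(check_arc_structure(SAMPLE))
```

In the sample, SPF and DKIM fail at the second hop, yet the first hop's sealed attestation still records that both passed when the message arrived there.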



Additional Resources

ARC is not merely a protocol. There is a world of community support, and an ARC test suite (https://github.com/Valimail/arc_test_suite) that has proven useful in identifying specific issues and potential bugs to focus on at each interop. There are also numerous mature open source libraries that support ARC:


C: https://github.com/trusteddomainproject/OpenARC

Python: https://launchpad.net/dkimpy

Perl: https://metacpan.org/pod/Mail::DKIM

Mailman: https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/arc_sign.html