Everything you need to set up ARC-Relay, configure DNS, and start forwarding with full DMARC compliance.
Sign up free — no credit card required. Takes 15 seconds.
We give you the exact MX and TXT records. Copy-paste into your registrar.
All mail to your domain is ARC-sealed and forwarded to your inbox. Done.
Log in to your dashboard and click Domains in the sidebar.
Type the bare domain (e.g. example.com) and click Add Domain. Don't include www. or http://.
You'll see an MX record and a TXT verification record. Add both to your domain's DNS. See DNS Configuration below for details.
We'll check your DNS records. Once both MX and TXT are found, your domain status turns to Verified and forwarding begins immediately.
Add these records at your domain registrar or DNS host. The exact values are always shown in your dashboard — these are the general templates.
If you have existing MX records (e.g. from Google Workspace or Microsoft 365), remove them first — you can only have one mail destination. ARC-Relay will forward everything to your real inbox.
@, Mail server: mx.arc-relay.com, Priority: 10@, Content: your verification tokenDNS propagation: usually instant on Cloudflare.
mx.arc-relay.com priority 10@ and your verification tokenDNS propagation: 1–5 minutes.
@, Points to: mx.arc-relay.com, Priority: 10@, TXT Value: your verification tokenDNS propagation: up to 10 minutes.
The process is the same everywhere:
10 mx.arc-relay.comIf you're stuck, email [email protected] with a screenshot and we'll help.
After adding your DNS records, click the Verify button on your domain card. We check for two things:
mx.arc-relay.comWe do a DNS lookup for your domain's MX records and confirm ours is present.
We look for the unique arcrelay-verify=... string in your domain's TXT records.
When someone sends an email to [email protected], here's what happens:
DNS returns mx.arc-relay.com, so the email is delivered to our server.
We check SPF, DKIM, and DMARC on the original message and record the results.
Three headers are added: ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal. These cryptographically vouch for the original auth results.
If enabled, we add a DKIM-Signature header signed with your domain's private key. This gives the forwarded message full domain-level authentication on top of ARC.
The envelope sender becomes [email protected]. This fixes SPF because the receiving server checks SPF against our domain. The visible "From" header stays unchanged.
Gmail, Outlook, ProtonMail, or Yahoo sees a valid ARC chain + passing SPF — the email lands in your inbox, not spam.
ARC (Authenticated Received Chain) is defined in RFC 8617. It solves a fundamental problem: when email is forwarded, the original DKIM signature usually breaks because headers get modified in transit.
ARC works by having each intermediary server in the forwarding chain sign a set of headers that attest to the authentication results it observed before the message was modified. If a downstream receiver trusts the ARC sealer, it can accept the message even though the original DKIM no longer validates.
Major providers that evaluate ARC seals: Gmail, Microsoft 365, Yahoo Mail, ProtonMail, Fastmail, Zoho.
SRS (Sender Rewriting Scheme) rewrites the envelope sender so that SPF checks pass at the final destination. Without SRS, forwarded email fails SPF because ARC-Relay's IP address isn't listed in the original sender's SPF record.
The visible From: header in the email is never modified — the recipient still sees the email as coming from the original sender. SRS only affects the invisible envelope sender used for SPF checks and bounce routing.
All plans preserve the original DKIM signature and use ARC sealing to prove it passed at origin. This is usually enough for inbox delivery.
Pro and Business plans can optionally enable per-domain DKIM signing. This adds a DKIM-Signature header signed with your domain's own RSA key, giving the forwarded message full domain-level authentication.
How to enable:
arcdkim._domainkey.yourdomain.com)ARC-Relay operates as a catch-all forwarder by default. This means:
[email protected] is forwarded to your inbox
support@, sales@, yourname@ — they all arrive in one place
All forwarded mail goes to the email address you signed up with. This is the address shown on your account settings page.
Get a 0–100 score and letter grade (A+ to F) for any domain's email authentication setup. The health score checks DMARC, SPF, MX, and DKIM records and returns actionable recommendations.
SVG Badge: Embed a live health badge in your README — https://arc-relay.com/api/tools/health/YOUR-DOMAIN/badge
Try it free on the Email Health Tool page.
Generate API keys from the Settings page. Keys use the prefix ar_live_ and are hashed (SHA-256) at rest — we only show the full key once at creation time.
Name your key (e.g. "CI pipeline") and click Create.
It won't be shown again. Store it in your CI secrets or password manager.
Authorization headerAuthorization: Bearer ar_live_...
Set up automated monitoring for your domains' DNS records. ARC-Relay periodically checks DMARC, SPF, MX, and DKIM and emails you when something changes or breaks.
Click the Monitor button on any verified domain.
Defaults to your account email. We'll send alerts here when scores drop.
Alerts include the old vs new score and specific records that changed. Weekly email digests (Monday 9 AM UTC) summarize all your monitored domains.
Get real-time HTTP callbacks when email events occur. Useful for alerting, analytics pipelines, or triggering workflows in external systems.
Events: email.forwarded, email.bounced, email.blocked
Retries: Failed deliveries are retried up to 3 times with exponential backoff. Endpoints are disabled after repeated failures.
Manage webhooks from Settings → Webhooks in your dashboard. Up to 10 endpoints per account.
Monitor your domain's email health in CI/CD. The action calls the health score API and fails the build if the score drops below your threshold.
Outputs: score, grade, result (full JSON). Supports single domain or bulk checks with an API key.
One-click email health monitoring for WordPress sites. Dashboard widget, settings page with DNS setup guide, and an embeddable shortcode badge.
[arc-relay-score] embeds a live badgeInstall by uploading the arc-relay-email-auth folder to /wp-content/plugins/ and activating. No API key required for basic health checks.
ARC-Relay includes a built-in MCP (Model Context Protocol) server with 28 tools that AI agents can call directly. Agents can manage domains, check health scores, read logs, configure DNS monitoring, and more.
Any page that serves HTML also supports Accept: text/markdown content negotiation — AI agents get clean markdown instead of HTML.
@, others want the field left blank. Don't enter your full domain name (e.g. don't put example.com in the Name field — that would create example.com.example.com).v=DMARC1; p=none record helps.dig MX yourdomain.com or check MXToolbox. You should see mx.arc-relay.com only.| Feature | Free | Pro ($9/mo) | Business ($29/mo) | Enterprise |
|---|---|---|---|---|
| Domains | 3 | 50 | Unlimited | Unlimited |
| Forwards per month | 500 | 10,000 | Unlimited | Unlimited |
| Aliases per domain | 5 | 50 | Unlimited | Unlimited |
| ARC sealing + SRS | ||||
| Per-domain DKIM signing | ||||
| DNS monitoring | 24h checks | 6h checks | 6h checks | |
| API quota (monthly) | 100 | 5,000 | 50,000 | Unlimited |
| Log retention | 7 days | 30 days | 90 days | 90 days |
| Webhook notifications | ||||
| Weekly email digest | ||||
| Support | Community | Priority email | Dedicated | Dedicated + SLA |
Limits reset on the 1st of each month. When a limit is hit, we reject with a temporary error — the sender's server retries automatically. No email is lost. See pricing.
ARC-Relay is a pass-through relay. We process emails in memory, add ARC headers, and forward them immediately. We do not store, read, or index email content.
All connections use TLS (STARTTLS for SMTP, HTTPS for the dashboard). Your emails are encrypted between every hop.
We log sender address, recipient address, domain, and delivery status for your Live Logs and Analytics. This metadata is tied to your account and not shared with third parties. We do not log email subjects or body content.
You can delete your account from the Settings page at any time. This permanently removes all your data — domains, logs, and account info. This action is irreversible.