Paste raw email headers to cryptographically verify ARC seals, check chain integrity, and diagnose forwarding authentication issues.
Headers are sent to our server for cryptographic verification against DNS public keys.
ARC (Authenticated Received Chain) is an email authentication protocol defined in RFC 8617 that preserves email authentication results across forwarding hops. When email is forwarded, SPF typically fails because the forwarding server's IP isn't authorized. DKIM may also break if headers are modified.
ARC solves this by adding three headers at each hop: ARC-Seal (cryptographic signature of the chain), ARC-Message-Signature (signature of the message), and ARC-Authentication-Results (authentication results at that hop).
Each ARC instance is numbered (i=1, i=2, etc.) and includes a chain validation result (cv=). The first instance has cv=none, subsequent instances have cv=pass if the previous chain validated correctly.
Major providers (Gmail, Microsoft, Yahoo) recognize and trust ARC chains from reputable sealers. ARC-Relay is a trusted ARC sealer that adds seals automatically to every forwarded email.
cv=none appears on the first instance (i=1) of an ARC chain. It means there was no previous ARC chain to validate. This is normal and expected. Subsequent instances (i=2, i=3, etc.) should have cv=pass, meaning the previous chain links were successfully verified.
ARC validation can fail if a seal's cryptographic signature doesn't match (the message was modified after sealing), if the public key in DNS has changed or been removed, or if the chain is malformed (missing or out-of-order instances). Check that all three ARC headers (ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results) exist for each instance.
Gmail, Microsoft 365, Yahoo, and most major providers recognize ARC chains from trusted sealers. Smaller providers may not check ARC at all, in which case they fall back to standard SPF/DKIM/DMARC checks. ARC support is growing as more providers adopt it.
DKIM signs the original message to prove it hasn't been tampered with. ARC seals the authentication results at each forwarding hop to preserve trust through the chain. DKIM can break when headers are modified by forwarding servers. ARC is specifically designed to survive forwarding by creating a chain of trust from the original authentication results.
Yes, but it requires cryptographic key management and proper implementation of RFC 8617. ARC-Relay handles this automatically — just forward your email through ARC-Relay and it adds proper ARC seals that Gmail, Outlook, and other providers trust.