MSFT Floats an ARC

As far back as 2015, the group responsible for the Domain-based Message Authentication, Reporting & Conformance specification realized that one implementation was not going to solve the problem of email spoofing.

Larry Loeb, Blogger, Informationweek

October 29, 2019


As far back as 2015, the group responsible for the Domain-based Message Authentication, Reporting & Conformance (DMARC) specification realized that one implementation was not going to solve the problem of email spoofing.

It was apparent that some users (like those working with mailing lists) would be negatively impacted by the changes DMARC brought. Some workarounds were quickly deployed by service providers and those mailing lists. Two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), had a goal to engage the technical community in helping to refine and test the proposed solution with deployers such as Google, Microsoft and Yahoo.

Specifications of the ARC protocol were published in June 2019 by the IETF.

The ARC protocol provides an authenticated "chain of custody" for a message, allowing each entity that handles the message to see what entities handled it before and what the message's authentication assessment was at each step in the handling.

Using ARC, signatures from domains that participate in it can be reliably linked to that domain. Also, intermediaries that alter a message can do so with attribution. This makes it extremely useful for forwarded messages.

Before ARC, modifications performed by intermediaries in email routing, like forwarding rules or automatic signatures, could cause email authentication results to fail by the time the email reached the recipient mailbox.
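To make the chain of custody concrete, here is an added example (not from the original article or from any vendor's code) that reads the three ARC header fields defined in RFC 8617 from a forwarded message, checks that the chain is structurally intact, and reports what each hop recorded. The domains and `PLACEHOLDER` signature values are constructed, and cryptographic verification of the seals is assumed to happen elsewhere.

```python
import email
from collections import defaultdict

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample: a list rewrites the subject, then a second hop forwards it.
SAMPLE = (
    "ARC-Seal: i=2; a=rsa-sha256; d=fwd.example.org; s=arc; cv=pass; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=2; a=rsa-sha256; d=fwd.example.org; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=2; fwd.example.org; spf=fail smtp.mailfrom=sender.example; dkim=fail header.d=sender.example; dmarc=fail header.from=sender.example; arc=pass\n"
    "ARC-Seal: i=1; a=rsa-sha256; d=list.example.net; s=arc; cv=none; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example.net; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Authentication-Results: i=1; list.example.net; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example\n"
    "From: alice@sender.example\nSubject: [list] hello\n\nbody\n"
)

def parse_tags(value):
    """Parse 'k=v; k=v'; the AAR's bare authserv-id has no '=' and is skipped."""
    tags = {}
    for part in " ".join(value.split()).split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags

def arc_chain(raw):
    """Return (structure_ok, hops). Signatures are NOT verified here."""
    msg = email.message_from_string(raw)
    sets = defaultdict(lambda: defaultdict(list))
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            tags = parse_tags(value)
            inst = int(tags["i"]) if tags.get("i", "").isdecimal() else 0
            sets[inst][name].append(tags)
    # Instances must run 1..N with no gaps (RFC 8617 caps N at 50).
    ok = 0 < len(sets) <= 50 and sorted(sets) == list(range(1, len(sets) + 1))
    hops = []
    for i in sorted(sets):
        # Each ARC set needs exactly one of each header field.
        if any(len(sets[i][h]) != 1 for h in ARC_HEADERS):
            ok = False
            continue
        seal, aar = sets[i]["ARC-Seal"][0], sets[i]["ARC-Authentication-Results"][0]
        # The first sealer has no prior chain (cv=none); later ones must record cv=pass.
        ok = ok and seal.get("cv") == ("none" if i == 1 else "pass")
        results = {m: aar[m].split(" ")[0] for m in ("spf", "dkim", "dmarc", "arc") if m in aar}
        hops.append((i, seal.get("d"), seal.get("cv"), results))
    return ok, hops
```

In the sample, SPF, DKIM and DMARC all fail at the second hop because the list changed the message, yet the first hop's sealed record shows they passed on arrival, which is the information a receiver needs when deciding whether to trust a forwarded message.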

MSFT has said that, as of October 2019, it has integrated ARC into its Office 365 product by enabling it on Office 365 mailboxes. They further describe its use as, "All hosted mailboxes in Office 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing detection."

At the outset, MSFT has committed only to using ARC in Office 365. MSFT says in the new roadmap that "Initially ARC will only be utilized to verify authentication results within Office 365, but plan to add support for third party signers in the future."

"More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler," Steven Jones, executive director of DMARC.org, said in 2015.

"With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally."

But actually getting ARC done and implemented has taken a long time. Other major message handlers have added their own handlers and workarounds to deal with messages. However, Gmail and AOL already validate through ARC, so MSFT is playing a bit of catch-up.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
