ARC Explained: How Email Survives Mailing Lists Without Failing DMARC

You set up SPF, DKIM, and a strict DMARC policy. Then a member of your team posts to a mailing list, the list software appends a footer and rewrites the subject, and the message lands in everyone's spam folder — rejected by your own authentication rules. ARC is the standard built to fix exactly this, and it does it in a way that quietly depends on trust.

Modern email authentication rests on three layers that work well together until something in the middle touches the message. SPF checks that the sending server is authorized for the envelope sender's domain. DKIM cryptographically signs selected headers and the body so a recipient can verify nothing was altered. DMARC ties them together and tells receivers what to do when both fail. For a message that travels straight from sender to recipient, this chain is robust. The trouble starts the moment an intermediary stands between them.

Why Forwarders Break Authentication

Mailing lists, forwarding services, and some corporate gateways do not just relay a message — they modify it. A discussion list might prepend [list-name] to the subject, add an unsubscribe footer to the body, or strip an attachment. Each of those edits invalidates the DKIM signature, because the signature covered the exact bytes that just changed.