Trusted ARC signers

What is the purpose of Authenticated Received Chain (ARC)?

SPF, DKIM and DMARC are important mechanisms in the fight against spam and phishing:

SPF defines the IP addresses and names of the allowed senders for its SMTP domain.
DKIM signs emails and thus protects them against alteration and forgery.
DMARC determines how strictly the receiver should implement the settings made by SPF and DKIM.

Problems can always occur when emails are redirected or forwarded. This often happens, for example, with mailing lists or when applying automatic signatures or email disclaimers.

ARC stores the results of the email authentication performed by SPF, DKIM and DMARC of all servers involved. (Deliberate) modifications of the email thus no longer lead to errors. Each intermediate station that verifies an email with regard to SPF, DKIM and DMARC and adapts the header of the email accordingly also signs its own results with an ARC entry. If the email is sent to the next server via redirection or forwarding, this server must also verify all ARC information of the intermediate stations according to the RFC. This is how the so-called Chain of Custody is created.

When is ARC applied?

NoSpamProxy applies ARC as part of the reputation check by default.

NOTE: If one or more DMARC-type checks, i.e. SPF, DKIM or DMARC fail, this result is overwritten by an intact ARC control chain. In such a case, no penalty points are awarded, which would increase the Spam Confidence Level (SCL).

Configuring trusted ARC signers

Using a list of signers curated by NoSpamProxy

Go to People and Identities > Email authentication > Trusted ARC signers > Curated signer list.
Click Modify.
Check the box Automatically download and use the list.
Click Save and close.

Using additional ARC signers

Go to Identities > Email authentication > Trusted ARC signers > Additional ARC signers.
Click Add.
Enter one or more domains into the input field and click Add.
Click Save and close.