When an email is forwarded, standard email authentication methods like SPF, DKIM, and DMARC often break because the forwarding server changes the message envelope or headers. This can cause legitimate forwarded messages to be flagged as spam or rejected outright. ARC (Authenticated Received Chain) is an email authentication standard that preserves the original authentication results across forwarding hops. This article explains what ARC headers are, how they work in Outlook, and how you can verify whether a forwarded message is trustworthy.
ARC headers allow each intermediate mail server that handles a forwarded message to add a seal of approval for the authentication results it received. By examining these headers in Outlook, you can determine if the email passed authentication checks before being forwarded. This guide covers the technical background of ARC, step-by-step instructions for viewing ARC headers in Outlook and Outlook on the web, and common issues you may encounter when verifying forwarded mail trust.
Key Takeaways: How to Verify Forwarded Mail Trust with ARC Headers in Outlook
- View message source in Outlook for Windows (File > Properties > Internet Headers): Displays the full ARC header chain for any selected email.
- View message source in Outlook on the web (three dots > View > View message details): Shows ARC headers in a side panel for forwarded messages.
- Check ARC-Authentication-Results and ARC-Seal headers: Confirm that each hop’s authentication result was signed and validated by the next server.
Why ARC Headers Matter for Forwarded Email Trust
Email authentication standards SPF, DKIM, and DMARC verify that a message came from an authorized server for the sender’s domain. However, when a message is forwarded, the forwarding server becomes the new delivery server. This breaks SPF because the IP address of the forwarder does not match the sender’s SPF record. DKIM signatures may also fail if the forwarder modifies the message body or subject line. DMARC policies that reject or quarantine unauthenticated mail then cause forwarded messages to be lost or flagged.
ARC solves this by creating a chain of authentication results. Each server that handles the message adds three ARC headers: ARC-Seal, ARC-Message-Signature, and ARC-Authentication-Results. The ARC-Seal header contains a cryptographic signature that validates the previous server’s authentication results. When the final receiving server checks this chain, it can see that the message passed authentication at earlier hops, even if the final hop does not fully authenticate. Outlook does not automatically display ARC status, but you can inspect the raw headers to verify the chain.
How to View ARC Headers in Outlook for Windows
Outlook for Windows stores the full message source, including ARC headers, in the Internet Headers field. You can access this field through the message properties dialog. This method works for Outlook 2016, 2019, 2021, and Microsoft 365 versions.
- Open the message in its own window
Double-click the email in your inbox or any folder to open it in a separate window. Single-click reading pane view does not expose the properties dialog. - Open the Properties dialog
Click File in the upper-left corner of the message window. Then click the Properties button in the ribbon. The Properties dialog appears with the Internet Headers field at the bottom. - Locate the ARC headers
In the Internet Headers text box, scroll through the header lines. Look for lines that begin with ARC-Seal, ARC-Message-Signature, and ARC-Authentication-Results. Each forwarding hop adds a numbered instance, such as ARC-Seal: i=1 and ARC-Authentication-Results: i=1. The highest number is the most recent hop. - Copy the headers for analysis
Select the entire header text, press Ctrl+C to copy, then paste into a text editor. This allows you to examine the chain more easily and verify the signatures if needed.
What to Look For in the ARC Header Chain
Each ARC-Authentication-Results line shows the authentication method used at that hop (spf, dkim, dmarc) and the result (pass, fail, neutral). Each ARC-Seal line includes a cryptographic signature created by the server that added that hop. The receiving server validates that the ARC-Seal signature matches the ARC-Message-Signature and ARC-Authentication-Results of the previous hop. If any signature in the chain is invalid, the entire ARC chain fails. A valid ARC chain indicates that the message was authenticated at each intermediate server before reaching you.
How to View ARC Headers in Outlook on the Web
Outlook on the web (OWA) provides a message details panel that shows the full internet headers, including ARC headers. This method works in Microsoft 365 and Exchange Online mailboxes.
- Open the message in Outlook on the web
Sign in to your Outlook on the web account and click the email you want to inspect. The message opens in the reading pane or a new window depending on your settings. - Open the message details panel
Click the three-dot menu (More actions) in the toolbar above the message. Select View and then View message details. A side panel opens displaying the full internet headers. - Find the ARC headers
Scroll through the header text in the side panel. Look for the same ARC header lines described in the Outlook for Windows steps. The headers are listed in chronological order from the oldest hop at the top to the newest at the bottom. - Copy and analyze the headers
Click the copy icon in the message details panel to copy the entire header block. Paste it into a text editor for analysis. Check each ARC-Authentication-Results line for pass results and confirm that each ARC-Seal signature is present and properly formatted.
Common Issues When Verifying ARC Headers in Outlook
ARC Headers Are Missing Entirely
If you do not see any ARC headers in the message source, the sending or forwarding servers do not support the ARC standard. This is common for older mail servers or small organizations that have not implemented ARC. In this case, you must rely on other indicators such as the sender’s reputation, the subject line, and the content of the message to assess trust. Outlook does not generate ARC headers; it only displays what the receiving server provides.
ARC Chain Shows a Fail or Invalid Signature
An invalid ARC-Seal signature means that a server in the chain modified the message after the signature was applied, or the signature was generated incorrectly. This can happen when a forwarding server modifies the message body, subject, or headers in a way that breaks the cryptographic seal. A failed ARC chain does not automatically mean the message is malicious, but it reduces the trust level. You should treat such messages with caution, especially if they contain links or attachments.
Outlook Does Not Show ARC Status in the UI
Outlook for Windows and Outlook on the web do not display a visual ARC status indicator like they do for SPF, DKIM, or DMARC results. You must manually inspect the internet headers to see ARC information. This limitation means that most users will not notice ARC failures unless they specifically look for them. Third-party add-ins or email security gateways may provide ARC status visualizations, but these are not built into Outlook.
ARC Header vs DMARC: Key Differences for Forwarded Mail
| Item | ARC Header | DMARC |
|---|---|---|
| Purpose | Preserve authentication results across forwarding hops | Define policy for unauthenticated mail from a domain |
| Applies to | Forwarded messages | All messages claiming to be from a domain |
| Breaks on forward | No — ARC is designed to survive forwarding | Yes — SPF and DKIM often fail after forwarding |
| Visibility in Outlook | Only visible in internet headers | Visible in internet headers and sometimes in email security banners |
| Standard status | RFC 8617 (proposed standard) | RFC 7489 (standard) |
ARC and DMARC serve different roles. DMARC tells receiving servers what to do when authentication fails. ARC tells them that the authentication results were valid before the message was forwarded. When both are used together, a forwarded email that fails DMARC can still be trusted if the ARC chain is intact. Many email security systems now check ARC before applying DMARC policies on forwarded mail.
You can now inspect ARC headers in Outlook for Windows and Outlook on the web to verify the trustworthiness of forwarded emails. Start by checking the ARC-Authentication-Results lines for pass results and confirming that the ARC-Seal signatures form a valid chain. For deeper analysis, copy the headers into an online ARC validator or use a tool like PowerShell’s Get-MessageTrackingLog to trace the full path. Remember that ARC is only as reliable as the servers that sign the chain, so always combine ARC inspection with other security practices such as link scanning and sender verification.