Adding ARC (Authenticated Received Chain) Headers in Xeams

ARC (Authenticated Received Chain) is an email authentication protocol designed to preserve the original authentication results (SPF, DKIM, and DMARC) as an email travels through intermediaries like your Xeams server. When Xeams modifies a message, such as adding a footer or a security disclaimer, it can break the original sender's DKIM signature. ARC allows Xeams to cryptographically "vouch" for the message's original validity, creating a chain of trust that major providers like Gmail, Microsoft 365, and Outlook use to verify the email's integrity.

Once configured, Xeams will add the following headers to messages that are processed through Xeams.

ARC-Authentication-Results
ARC-Message-Signature
ARC-Seal

Rationale for Using ARC

Assume you're using Xeams to filter junk before Microsoft Exchange Online. Every email for your domain first comes to Xeams, then, good emails are forwarded to Microsoft.

ARC headers preserve the original authentication results (SPF, DKIM, DMARC) and the sequence of intermediary hops when a message is modified or forwarded by Xeams before it reaches Microsoft Exchange Online. This is beneficial because some features in Xeams can modify the message, which can break SPF and cause DMARC to fail - but ARC records the prior authentication status, and the filter's assessment, so Exchange Online can make a trust-aware decision.

When Exchange Online receives a message with valid ARC seals, it can evaluate the ARC chain to see that a trusted intermediary successfully authenticated the original message and applied filtering actions, allowing Exchange to accept or correctly classify the mail despite SPF/DKIM disruptions. This reduces false positives (legitimate forwarded mail marked as junk), improves deliverability for messages routed through security appliances or third-party filters, and helps maintain consistent DMARC enforcement without requiring senders, filters, or recipients to change SPF/DKIM setup.

Note that some providers, such as Microsoft, require you to configure your account to trust ARC sealers.

Configuration Steps in Xeams

Prerequisites:

  • You must be using the Enterprise Edition of Xeams with at least 20 users.
  • You must have DKIM enabled for the domain you want to use as an ARC sealer.
  • You must be running Xeams in either Firewall or Hybrid mode.

Steps:

  • Log in to your Xeams web interface as the administrator
  • Click Filter Management > DKIM
  • Click the link for ARC Management
  • Select the domain name you wish to use as the ARC sealer. Note that you will only see domains that have DKIM configured.
  • Save

Once done, messages will include three additional headers in outbound emails after being filtered by Xeams.