ARC (Authenticated Received Chain, RFC 8617) lets your gateway seal each message with a cryptographic record of the authentication results it observed (SPF, DKIM, DMARC). When the message is later forwarded — and SPF or DKIM inevitably break — the next hops can still trust your gateway's original verdict by validating the ARC chain.
When a message goes through a forwarder (mailing list, alias, relay, migration gateway), the forwarding hop changes the sending IP and often rewrites parts of the message:
SPF fails at the destination because the forwarder's IP is not in the author domain's SPF record.
DKIM often fails because mailing lists modify the subject or the body.
As a result, DMARC fails and legitimate forwarded mail gets quarantined or rejected.
ARC preserves the authentication verdict computed before forwarding, in a tamper-evident chain that each hop extends.
Forwarded mail survives DMARC: receivers that evaluate ARC (Gmail, Microsoft 365...) can accept mail whose SPF/DKIM broke in transit but whose ARC chain proves it authenticated correctly upstream.
Chain validation: Artica Milter validates any existing ARC chain (cv=pass / cv=fail / cv=none) before adding its own seal, so a forged chain cannot be laundered through your gateway.
Same key infrastructure as DKIM: ARC reuses the /etc/dkimPKs/<domain>/<selector>.pem layout — no separate key tooling.
Fail-open by design: if a key cannot be loaded or sealing fails, the message is delivered unsealed and the error is logged. ARC never blocks your mail flow.