Authenticated Received Chain (ARC) is an email authentication mechanism that helps preserve authentication results across intermediaries. Email authentication mechanisms like SPF, DKIM, and DMARC are used to verify the senders of emails for the safety of mail recipients, but some legitimate services may change the email between sending and receipt. These changes by legitimate services may accidentally cause the message to fail email authentication at subsequent hops.
The ARC trusted sealers feature lets admins add trusted intermediaries in the Microsoft 365 Defender portal. This allows Microsoft to honor ARC signatures from your list of trusted intermediaries, to help authenticate the message. This message is associated with Microsoft 365 Roadmap ID 85684.
Email senders use mechanisms like SPF, DKIM, and DMARC to authenticate emails, but some legitimate intermediate services may change the email, which might cause it to fail authentication at a subsequent hop. Authenticated Received Chain (ARC) is an authentication mechanism that helps preserve authentication results across intermediaries. With this change, admins will be able to add trusted intermediaries in the Microsoft 365 Defender portal so that Microsoft honors their ARC signatures, thereby allowing legitimate messages.
When this will happen
Tenant Trusted ARC Sealer support will begin to roll out in Microsoft 365 Defender in early June and is expected to be completed by early July.
How this will affect your organization
If you have a third-party service in front of Office 365 that modifies the email content and supports ARC, administrators can add that service as a trusted ARC sealer for your tenant. This will help messages pass email authentication checks and prevent them from being treated as spoof due to authentication failures.
As Microsoft is rolling out the new Email Authentication Settings page gradually, the company is also moving DKIM to the DKIM tab in the Email Authentication Settings page.
During the migration, you may see two entries for the DKIM page.
What you need to do to prepare
Identify any third-party services that sit in your organization's mail path before email is delivered to your Office 365 tenant and that also modify content. Check whether each service supports ARC, and add its ARC sealer to your tenant's trusted ARC sealer domains.
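One way to find the sealer domain an intermediary uses is to read the ARC headers of a message it has already handled. The script below is an added example, not Microsoft's code: it lists each ARC set's sealer domain (the `d=` tag of `ARC-Seal`), its chain validation value and the results it recorded, without verifying any signature. The message, domains and the helper name `missing_sealers` are constructed for illustration.

```python
import email
import re

# Constructed sample: headers after one intermediary (hypothetical domain
# filter.example.net) tagged the subject and ARC-sealed the message.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1654761600; cv=none;
 d=filter.example.net; s=arc2022; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=filter.example.net; s=arc2022; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; filter.example.net;
 spf=pass smtp.mailfrom=sender.example.org;
 dkim=pass header.d=sender.example.org; dmarc=pass header.from=sender.example.org
From: alice@sender.example.org
To: bob@recipient.example.com
Subject: [EXTERNAL] Quarterly report

Body rewritten by the intermediary.
"""

def parse_tags(value):
    """Split a 'tag=value; tag=value' header body into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = re.sub(r"\s+", "", v)
    return tags

def arc_sealers(raw_message):
    """Return the ARC sets ordered by instance number (i=)."""
    msg = email.message_from_string(raw_message)
    sets = {}
    for seal in msg.get_all("ARC-Seal", []):
        t = parse_tags(seal)
        sets[int(t["i"])] = {"instance": int(t["i"]), "cv": t.get("cv"),
                             "sealer": t.get("d", "").lower(), "results": {}}
    for aar in msg.get_all("ARC-Authentication-Results", []):
        fields = [f.strip() for f in aar.split(";")]
        i = int(parse_tags(fields[0])["i"])
        for f in fields[2:]:  # fields[1] is the authserv-id
            m = re.match(r"(spf|dkim|dmarc)=(\w+)", f)
            if m and i in sets:
                sets[i]["results"][m.group(1)] = m.group(2)
    return [sets[i] for i in sorted(sets)]

def missing_sealers(raw_message, trusted):
    """Sealer domains seen in the message that are not in the trusted set."""
    return [s["sealer"] for s in arc_sealers(raw_message) if s["sealer"] not in trusted]
```
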
- How Microsoft 365 utilizes Authenticated Received Chain (ARC)
- Make a list of trusted ARC Senders to trust legitimate indirect mailflows
- Improving “Defense in Depth” with Trusted ARC Sealers for Microsoft Defender for Office 365
Published: 09 June 2022
Updated: 09 June 2022
Action required by: 23 June 2022
Platform: Online, US Instances, Web, World tenant