How to configure Authenticated Received Chain (ARC) Inbound

Updated 6 months ago by admin

Authenticated Received Chain (ARC) is an authentication system designed to allow an intermediate mail server forwarding service to sign an email's original SPF and DKIM authentication results.

To configure ARC you need to follow a 2-step process:

  1. Configure an Email Security Message Rule
  2. Configure Microsoft 365 to allow the Email Security service ARC seal domain

Configure an Email Security Message Rule

  1. Login to the Dashboard and navigate to Products -> Email Security -> Message Rules
  2. Click + to create a new Message Rule
  3. Enter a sensible name for the Rule e.g. "Inbound ARC Verification", and click +
  4. Add a Direction Condition, with the logic set to Matches: Inbound
  5. Add a DMARC Verification Required Action, with the value set to Matches: DKIM Pass or SPF Pass
  6. Add an ARC Signing Action
  7. Do not add any Final Actions
  8. Make sure that the Active checkbox is enabled, so that the new rule will start working straight away
  9. Click Save
  10. Drag the new rule to a sensible position in your Message Rules list. If your Service Provider has set up your account with a set of default rules, positioning this new rule just above the Deliver Inbound rule is recommended. Please contact your Service Provider if further assistance is required

The rule should look like this example:

Configure Microsoft 365 to allow the ARC seal domain

 For all regions of the Email Security service the entry scanscope.net is required.

  1. In the Microsoft Defender portal, navigate to Email & Collaboration -> Policies & Rules -> Threat Policies -> Email Authentication Settings in the Rules section -> ARC. Alternatively, you can open the Email Authentication Settings page
  2. On the Email Authentication Settings page, verify that the ARC tab is selected, and then click + Add. If Trusted sealers are already listed on the ARC tab, select Edit
  3. In the Add trusted ARC sealers panel that opens, enter the trusted signing domain in the box scanscope.net

For more information on adding the ARC seal entry in Microsoft 365 please see:https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-arc-configure?view=o365-worldwide#validate-a-trusted-arc-sealer (external link)


How did we do?