top of page

Microsoft Defender for Office 365with ARC Sealers

Authenticated Received Chain (ARC) is a relatively new email authentication system that was introduced in 2016. Microsoft adopted it in 2019 as part of its Microsoft-sealed ARC signatures. Admins can now create a list of known and trusted ARC sealers by using Microsoft's new tool. The chain of email authentication is strengthened if ARC sealers provide valid and trustworthy signatures during their hop.

Business Email Compromise (BEC) attacks threaten users and organizations and impede the delivery of emails unless emails are authenticated. To address email verification issues and prevent tampering with emails in transit, multiple authentication mechanisms have been employed by industry, including SPF, DKIM, and DMARC. There is, however, a possibility that some legitimate intermediate services could change the content or routing of the email. Such changes can prevent the email from being authenticated.

Microsoft introduced Enhanced Filtering for Connectors, which conserves the original IP address over hops and enables accurate Sender Policy Framework (SPF) checks within Office 365. Following this, Sender Rewriting Scheme (SRS) was added, which even further strengthened this capability. Furthermore, Domain Keys Identified Mail (DKIM) became more popular for the purpose of ensuring emails were not tampered with enroute and facilitating authentication.

The DKIM is more resilient in complex relay cases than in simple ones. However, it can be abused to prevent a message from being sent and received by an end-user. Some examples of violations include when an email gateway adds a disclaimer or changes the URL. An effective way to prevent unauthorized activities is to use an authenticated received chain (ARC). This is done using an intermediary's authentication.

Without ARC Seal:

With Trusted ARC Sealer:

With the release of the new Trusted ARC Sealer, administrators can now perform a variety of tasks and manage their protection stack with ease. Whether they are migrating to Microsoft Defender for Office365 or maintaining complex routing to provide layered defense, the ability to preserve more original authentication results is very important. This allows them to improve the effectiveness of their protection stack.

What is the ARC process?

ARC consists of 3 parts:

  1. ARC Authentication Results – Stores authentication headers.

  2. ARC signature – An encrypted snapshot of message header information and entire message body,

  3. ARC seal – Seals any preceding ARC headers before routing the message to external servers.

Use ARC with O365

Despite the early adoption of the Adaptive Resource Classification (ARC), it is still in its early stages of being used. To help push the envelope and provide a more secure mail experience, Microsoft has started allowing tenants to add the new generation of trusted ARC sealers to their protection stack.

Take these steps to add an intermediary to the trusted list if you're using an intermediary to route your emails to Office 365:

  • Search for any third parties you use in the ARC signature for their ARC signing domain. The Microsoft ARC signature, for example, will have d =

  • In the absence of ARC signatures, email that is routed through intermediaries must be signed by ARC.

  • Microsoft 365 Defender portal > ARC trusted sealers > Add the intermediary’s domain to the ARC trusted sealers list.

bottom of page