Configure Authenticated Received Chain (ARC) Inbound

Authenticated Received Chain (ARC) is an authentication system that allows an intermediate mail server, such as a forwarding service, to sign an email's original SPF and DKIM authentication results.

To configure ARC, follow these steps:

  1. Go to the Message Rules page.

  2. Create a rule with the following settings:

    | Rule component | Component type | Match type | Condition value |
    | --- | --- | --- | --- |
    | Condition | Direction | Matches | Inbound |
    | Action | DMARC Verification Required | Matches | DKIM Pass or SPF Pass |
    | Action | ARC Signing | N/A | N/A |

  3. Drag the new rule to a sensible position in your Message Rules list.

    Tip

    If your Service Provider has set up your account with a set of default rules, positioning this new rule just above the Deliver Inbound rule is recommended. Please contact your Service Provider if further assistance is required.

  4. Configure Microsoft 365 to allow the ARC seal domain:

    Note

    For all regions of the Email Security service, the entry scanscope.net is required.

    1. Log in to the Microsoft Defender portal.

    2. Click Email & Collaboration > Policies & Rules in the menu on the right side of the screen.

      The Policies & rules page is displayed.

    3. Click Threat Policies.

      The Threat policies page is displayed.

    4. Under Rules, click Email Authentication Settings.

      The Email Authentication Settings page is displayed.

    5. Make sure the ARC tab is selected, and then click + Add.

      Note

      If Trusted sealers are already listed on the ARC tab, select Edit.

      The Add trusted ARC sealers panel opens.

    6. Type in scanscope.net and click Save.

      For more information on adding the ARC seal entry in Microsoft 365, please see this Microsoft KB article.
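
To confirm that delivered mail actually carries a seal from the domain trusted in step 4, the headers of a received message can be checked offline. The following is an added example, not code from the Email Security service or Microsoft: it checks only the ARC chain structure from RFC 8617 (complete sets, contiguous `i=` values, expected `cv=` values, a seal with `d=scanscope.net`) and verifies no signatures. The function names and the sample message, including its selector and authserv-id, are constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_SEALER = "scanscope.net"  # ARC seal domain named on this page
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed sample: signatures, selector and authserv-id are placeholders.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none;
 d=scanscope.net; s=sel1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=scanscope.net; s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; relay.example.net;
 spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: alice@example.org
To: bob@example.com
Subject: constructed test

body
"""

def tags(value):
    """Parse a 'k=v; k=v' tag list, dropping folding whitespace."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().lower()] = re.sub(r"\s+", "", val)
    return out

def check_arc(raw, trusted=TRUSTED_SEALER):
    """Structural check only: no signature is verified. Returns (ok, reason)."""
    msg = message_from_string(raw)
    sets = {}  # instance number -> {header name: parsed tags}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            i = tags(value).get("i", "")
            if not i.isdigit() or int(i) < 1:
                return False, f"{name} without a valid i= tag"
            sets.setdefault(int(i), {})[name] = tags(value)
    for i in range(1, max(sets, default=0) + 1):
        if len(sets.get(i, {})) != 3:
            return False, f"ARC set i={i} is incomplete"
        want = "none" if i == 1 else "pass"  # first hop has no prior chain
        if sets[i]["ARC-Seal"].get("cv") != want:
            return False, f"ARC-Seal i={i}: cv is not {want}"
    sealed = [i for i in sorted(sets) if sets[i]["ARC-Seal"].get("d", "").lower() == trusted]
    if not sealed:
        return False, f"no ARC-Seal with d={trusted}"
    return True, f"{trusted} sealed instance(s) {sealed}"
```

Run `check_arc()` on the raw source of a message as it arrives in the mailbox; Microsoft 365 may add its own ARC set after the `scanscope.net` one, which is why the check looks for the trusted sealer anywhere in the chain.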