ARC Signing settings with two outgoing domains - ORF Forums

@Josh: Hello Josh,

Please note that the ARC signature is not added to outbound emails or emails originating from intranet sources. When enabled, ARC signatures are applied to incoming (external) emails only, which of course includes emails that your mail server may later forward to other external mail addresses.

As of writing this (v6.8.3), you can only use one key-record pair for ARC signing, so I recommend using the DKIM key and DKM public key record that has already been successfully employed. Domain-specific configurations (or "Per-Domain" configurations) are expected to be introduced in the upcoming v6.10 update - ARC Signing included.

If you have further questions, just let me know.

@Josh: Even if ORF is installed on a forwarder, having ARC set in the email— even with a signatory different from the sending/recipient domain—will not cause any problems. A valid ARC signature in the email can only help email delivery and will not lead to blacklisting. ARC signing becomes particularly valuable when you have servers with ORF or other ARC-aware agents downstream in the email delivery chain.

If, at any point down the line, the email fails authentication checks such as SPF/DKIM/DMARC, having already been validated by a trusted signatory and recorded in the ARC-Authentication-Results header, the authentication results can be reused. This, in turn, can save an email from potential rejection or classification as spam.