M365 Changelog: Tenant Trusted ARC Sealers for Email Authentication

MC390410 – Authenticated Received Chain (ARC) is an email authentication mechanism that helps preserve authentication results across intermediaries. Email authentication mechanisms like SPF, DKIM, DMARC are used to verify the senders of emails for the safety of mail recipients, but some legitimate services may make changes to the email between the send and receipt. This intervention from legitimate services may accidentally cause the message to fail email authentication at subsequent hops. 

The ARC trusted sealers feature lets admins add trusted intermediaries in the Microsoft 365 Defender portal. This allows Microsoft to honor ARC signatures from your list of trusted intermediaries, to help authenticate the message.

This message is associated with Microsoft 365 Roadmap ID 85684

When this will happen:

Tenant Trusted ARC Sealer support will begin to roll out in Microsoft 365 Defender in early June and is expected to be completed by early July.

How this will affect your organization:

If you have had third-party service before Office 365 that modifies the email content and supports ARC, administrators can add these services as a trusted ARC sealers for your tenant. This will help messages pass email authentication checks and prevent these messages from being treated as spoof due to authentication failures.

As Microsoft is rolling out the new Email Authentication Settings page gradually, the company is also moving DKIM to the DKIM tab in the Email Authentication Settings page.

During the migration, you may see two entries of the DKIM page.

What you need to do to prepare:

Identify any third-parties your organization has located before email is delivered to your Office 365 tenant and also modify content. Check if this service supports ARC and add the ARC sealer to your tenants ARC Sealer trusted domains.

Learn More: 

Additional information