What is the name of the domain?
example.com
What is the issue you’re encountering?
Does Google trust Cloudflare ARC?
What are the steps to reproduce the issue?
When an email is forwarded or placed on a mailing list, the “forwarding/rewriting” process invalidates all DMARC data (SPF and DKIM).
ARC was invented to solve that: The forwarding server (Cloudflare Email Routing in this example) verifies the DMARC data, and then signs the message with its own ARC signature that says “I have checked, and the DMARC passed, the email I am forwarding is legitimate, not spoofed”.
Next, the forwarding server (Cloudflare Email Routing) contacts the forwarding target (such as Gmail) and submits the email. Gmail sees that the DMARC/SPF/DKIM are all invalid (since the message was rewritten by Cloudflare Email Routing), but it sees the ARC header which verifies that Cloudflare has verified the original DMARC/SPF/DKIM data.
Finally, it’s up to the recipient server (Gmail): If it trusts the ARC sender, then it will accept its word that the email was legitimate, and will deliver it. If not, it will reject the email that failed DMARC/SPF/DKIM and had an untrusted ARC sender.
So, that’s the technology behind how ARC works.
Then the biggest question becomes:
- Does GOOGLE trust CLOUDFLARE’s ARC signature?
If so, it means the days of missing emails due to Cloudflare Email Routing forwarding are finally over…
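
The recipient-side decision described in the post above, sketched as an added example; it is not part of the original post and is not Google's or Cloudflare's code. The domains, the sample headers, the `evaluate_arc` function and the `trusted_sealers` set are constructed for illustration. It assumes the ARC signatures (`b=` values) were already verified cryptographically elsewhere, and it applies a conservative policy, chosen here as an assumption, that every sealer in the chain must be trusted.

```python
import email

# Constructed sample: headers a forwarder might add (signature values elided, not real).
RAW = """\
ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none; d=forwarder.example; s=sel1; b=ELIDED
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=sel1; h=from:to:subject; bh=ELIDED; b=ELIDED
ARC-Authentication-Results: i=1; mx.forwarder.example; dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example; dmarc=pass header.from=sender.example
From: alice@sender.example
To: bob@recipient.example
Subject: hello

body
"""

def tags(value):
    """Split a 'k=v; k=v' header value into a dict (parts without '=' are skipped)."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k.strip()] = v.strip()
    return out

def evaluate_arc(raw, trusted_sealers):
    """Structural and policy checks on an ARC chain; no signature verification here."""
    msg = email.message_from_string(raw)
    seals = {int(t["i"]): t for t in map(tags, msg.get_all("ARC-Seal", []))}
    aars = {int(t["i"]): t
            for t in map(tags, msg.get_all("ARC-Authentication-Results", []))}
    if not seals:
        return "no-arc"
    n = max(seals)
    # RFC 8617: instances must run 1..n; cv=none on the first seal, cv=pass after it.
    if sorted(seals) != list(range(1, n + 1)) or set(aars) != set(seals):
        return "chain-broken"
    if seals[1].get("cv") != "none" or any(
            seals[i].get("cv") != "pass" for i in range(2, n + 1)):
        return "chain-broken"
    # Policy (assumption): every sealing domain must be on the local trust list.
    if any(seals[i].get("d") not in trusted_sealers for i in seals):
        return "untrusted-sealer"
    # The first hop recorded what it saw before the message was modified.
    dmarc = aars[1].get("dmarc", "").split()[:1]
    return "accept-on-arc" if dmarc == ["pass"] else "original-auth-failed"

if __name__ == "__main__":
    print(evaluate_arc(RAW, {"forwarder.example"}))
```
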