Paubox blog: HIPAA compliant email made easy

Improving email security with Authenticated Received Chain (ARC)

Written by Caitlin Anthoney | May 23, 2024

ARC preserves a verifiable record of earlier authentication results, so legitimate emails can still be delivered reliably even when they pass through intermediaries, such as mailing lists and forwarding services, that alter the message. Because receivers no longer have to relax DMARC enforcement to tolerate forwarded mail, ARC also helps keep anti-phishing controls strict, providing better protection for both senders and recipients.

 

Phishing and email authentication

According to Help Net Security, the United States is considered one of the top countries targeted by phishing scams. Furthermore, “Phishing remains a persistent and often underestimated threat within the cybersecurity landscape, growing more sophisticated as threat actors harness cutting-edge advancements in generative AI and manipulate trusted platforms to intensify attacks,” explains Zscaler’s Chief Security Officer, Deepen Desai.

So, as phishing attacks rise, senders and receivers must rely on email authentication to protect themselves. More specifically, protocols like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) help validate incoming mail: SPF checks that the sending server’s IP address is authorized by the envelope sender’s domain, and DKIM checks a cryptographic signature showing that the signed headers and body were not altered in transit. However, these protocols are insufficient on their own.

 

Email authentication and DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) was developed about a decade ago (published as RFC 7489 in 2015) to add a policy and reporting layer on top of SPF and DKIM. It allows domain owners to specify how receiving email servers should handle messages that fail DMARC, that is, messages for which neither SPF nor DKIM passes with a domain aligned to the visible From address, and where to send reports about those results.

However, DMARC assumes the message reaches the recipient essentially as the sender authenticated it, which is often not the case. Intermediaries like mailing lists or forwarding services alter legitimate messages (adding a subject tag or footer, or relaying from their own servers), which breaks the DKIM signature and SPF alignment. The legitimate email then fails DMARC, is treated as if it were spoofed, and is quarantined or rejected.

 

Authenticated Received Chain (ARC) as a solution

Published by the IETF in 2019 as RFC 8617, ARC helps ensure that legitimate emails are not falsely flagged as spam or rejected due to changes made during their journey from the sender to the recipient. More specifically, ARC is an email authentication protocol designed to preserve the results of SPF, DKIM, and DMARC checks as intermediate servers forward or relay an email.

Validity explains ARC ultimately “helps preserve email authentication results and verifies the identity of email intermediaries that forward a message on to its final destination.” 

So, each time an email passes through an ARC-participating intermediary, that server adds a numbered set of three headers (the instance tag i= increases by one at every hop), creating a verifiable chain of trust:

  • ARC-Authentication-Results: a copy of the authentication results (SPF, DKIM, DMARC) the intermediary observed when it received the message.
  • ARC-Message-Signature: a DKIM-style signature over the message body and selected headers as the intermediary sends the message on, so the next hop can tell whether it changed after this point.
  • ARC-Seal: a signature over the ARC headers of this hop and every earlier hop, carrying a cv= tag that records whether the chain validated so far; this binds each intermediary’s contribution to the chain.

ARC thus forms a chain of signatures that the recipient’s server can verify to establish where the message has been and what authentication results it had along the way, even if changes were made during transit. So, if an email fails DMARC, the recipient’s server can check the ARC chain: if every seal validates and the sealing domains are ones it trusts, it may still accept the email based on the results recorded at the first hop. That trust decision is local to the receiver. Anyone can add ARC headers to a message, so only chains sealed by known, reputable intermediaries should be allowed to override a DMARC policy.
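The following is an added, self-contained example (not Paubox’s code and not the RFC 8617 reference implementation) that models the whole exchange just described: a mailing list and then a forwarder each add an ARC set, and the final receiver validates the chain and applies the local policy above when DMARC has failed. HMAC-SHA256 with a hard-coded key table stands in for the DKIM-style RSA signatures and DNS key lookups of real ARC, hex digests stand in for base64, and all domain names, keys and the sample message are constructed for illustration.

```python
"""Toy model of an ARC chain (RFC 8617, simplified). HMAC-SHA256 with a local key
table stands in for the DKIM-style RSA signatures and DNS key lookup of real ARC;
hex digests stand in for base64. All names and keys below are constructed."""
import hashlib
import hmac

ARC_NAMES = ("arc-authentication-results", "arc-message-signature", "arc-seal")

# Constructed stand-in for the sealers' DNS key records: (domain, selector) -> key
KEYS = {
    ("list.example.org", "arc1"): b"list-secret",
    ("forwarder.example.net", "fwd"): b"forwarder-secret",
}

def _mac(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def _tags(value):
    """Parse a 'k=v; k=v' tag list; AAR tokens without '=' are skipped."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def _arc_sets(headers):
    """Group the ARC headers by instance number: i -> {name: (value, tags)}."""
    sets = {}
    for name, value in headers:
        if name.lower() in ARC_NAMES:
            tags = _tags(value)
            sets.setdefault(int(tags["i"]), {})[name.lower()] = (value, tags)
    return sets

def _unsigned(value):
    """Blank the b= tag (always last) so a signature can cover its own header."""
    return value.rsplit("b=", 1)[0] + "b="

def _ams_data(headers, ams_value):
    """AMS covers the headers listed in h= plus itself; ARC-Seal headers are excluded."""
    names = _tags(ams_value)["h"].split(":")
    lines = [f"{n.lower()}:{' '.join(v.split())}" for n, v in headers if n.lower() in names]
    return "\n".join(lines + ["arc-message-signature:" + _unsigned(ams_value)])

def _seal_data(sets, i):
    """AS of instance i covers every ARC header of instances 1..i, oldest first."""
    parts = []
    for k in range(1, i + 1):
        for name in ARC_NAMES:
            value = sets[k][name][0]
            if k == i and name == "arc-seal":
                value = _unsigned(value)
            parts.append(f"{name}:{value}")
    return "\n".join(parts)

def validate_chain(headers, body):
    """Receiver-side chain validation. Returns ('none'|'pass'|'fail', reason)."""
    sets = _arc_sets(headers)
    n = len(sets)
    if n == 0:
        return "none", "no ARC sets"
    if sorted(sets) != list(range(1, n + 1)) or any(set(s) != set(ARC_NAMES) for s in sets.values()):
        return "fail", "ARC sets missing, duplicated or incomplete"
    # 1. The newest AMS must match the message exactly as it arrived here.
    ams_value, ams = sets[n]["arc-message-signature"]
    key = KEYS.get((ams["d"], ams["s"]))
    if key is None or ams["bh"] != hashlib.sha256(body.encode()).hexdigest():
        return "fail", f"AMS i={n}: unknown key or body hash mismatch"
    if not hmac.compare_digest(ams["b"], _mac(key, _ams_data(headers, ams_value))):
        return "fail", f"AMS i={n}: header signature mismatch"
    # 2. Every seal must verify, with cv=none at i=1 and cv=pass at every later hop.
    for i in range(1, n + 1):
        seal_tags = sets[i]["arc-seal"][1]
        key = KEYS.get((seal_tags["d"], seal_tags["s"]))
        if seal_tags["cv"] != ("none" if i == 1 else "pass"):
            return "fail", f"AS i={i}: cv={seal_tags['cv']}"
        if key is None or not hmac.compare_digest(seal_tags["b"], _mac(key, _seal_data(sets, i))):
            return "fail", f"AS i={i}: seal signature mismatch"
    return "pass", f"{n} set(s), last sealed by {sets[n]['arc-seal'][1]['d']}"

def seal(headers, body, domain, selector, auth_results):
    """Add one ARC set (AAR, AMS, AS), as an intermediary does just before relaying."""
    i = len(_arc_sets(headers)) + 1
    cv = "none" if i == 1 else validate_chain(headers, body)[0]
    key = KEYS[(domain, selector)]
    aar = f"i={i}; {auth_results}"
    bh = hashlib.sha256(body.encode()).hexdigest()
    ams = f"i={i}; a=hmac-sha256; d={domain}; s={selector}; h=from:to:subject; bh={bh}; b="
    ams += _mac(key, _ams_data(headers, ams))
    seal_hdr = f"i={i}; a=hmac-sha256; cv={cv}; d={domain}; s={selector}; b="
    new = [("ARC-Seal", seal_hdr), ("ARC-Message-Signature", ams),
           ("ARC-Authentication-Results", aar)] + headers
    new[0] = ("ARC-Seal", seal_hdr + _mac(key, _seal_data(_arc_sets(new), i)))
    return new

def deliver_decision(headers, body, dmarc_result, trusted_sealers):
    """Local policy: enforce DMARC unless a valid chain from a trusted sealer vouches for the message."""
    if dmarc_result == "pass":
        return "accept", "DMARC pass"
    arc, reason = validate_chain(headers, body)
    if arc != "pass":
        return "reject", f"DMARC fail; ARC {arc} ({reason})"
    sets = _arc_sets(headers)
    sealer = sets[len(sets)]["arc-seal"][1]["d"]
    if sealer not in trusted_sealers:  # anyone can add ARC headers; trust is a local decision
        return "reject", f"DMARC fail; ARC pass but sealer {sealer} is not trusted"
    if "dmarc=pass" not in sets[1]["arc-authentication-results"][0]:
        return "reject", "DMARC fail; first ARC hop did not see dmarc=pass either"
    return "accept", f"DMARC overridden by ARC chain sealed by {sealer}"

def demo():
    """Constructed scenario: clinic -> mailing list (rewrites the message) -> forwarder -> receiver."""
    headers = [("From", "Dr. Lee <lee@clinic.example>"), ("To", "staff@list.example.org"),
               ("Subject", "Appointment reminder"),
               ("DKIM-Signature", "v=1; d=clinic.example; s=mail; b=ORIGINAL-SIGNATURE-PLACEHOLDER")]
    body = "Your appointment is confirmed for Monday.\n"
    # Hop 1: the list authenticates the original, then adds a subject tag and a footer.
    seen = ("list.example.org; spf=pass smtp.mailfrom=clinic.example; "
            "dkim=pass header.d=clinic.example; dmarc=pass header.from=clinic.example")
    headers = [(n, "[staff] " + v if n == "Subject" else v) for n, v in headers]
    body += "--\nstaff list footer\n"
    headers = seal(headers, body, "list.example.org", "arc1", seen)
    # Hop 2: a forwarder now sees the clinic's DKIM broken and SPF failing; it seals with cv=pass.
    headers = seal(headers, body, "forwarder.example.net", "fwd",
                   "forwarder.example.net; spf=fail; dkim=fail header.d=clinic.example; dmarc=fail")
    trusted = {"forwarder.example.net"}
    return {
        "arc": validate_chain(headers, body)[0],
        "forwarded": deliver_decision(headers, body, "fail", trusted)[0],
        "untrusted_sealer": deliver_decision(headers, body, "fail", {"other.example"})[0],
        "tampered_after_seal": deliver_decision(headers, body + "Call 555-0100\n", "fail", trusted)[0],
    }
```

Running `demo()` returns `pass` for the chain and `accept` for the forwarded message, but `reject` when the last sealer is not on the receiver’s trusted list and `reject` again when the body is altered after the final seal, which is exactly the distinction the headers above are designed to make. Note that only the most recent ARC-Message-Signature is checked against the message as received, while every ARC-Seal is checked, mirroring the validation order in RFC 8617.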

 

Benefits of ARC in HIPAA compliant emails

Improves email deliverability: While not all HIPAA compliant platforms use ARC, Paubox uses ARC to strengthen its security measures, preventing legitimate emails from being incorrectly flagged as spam and allowing domain owners to publish stricter DMARC policies without sacrificing deliverability.

Increases email security: Secure platforms, like Paubox, use ARC alongside SPF, DKIM, and DMARC so that strict DMARC enforcement, which blocks spoofing and phishing attempts, does not have to be relaxed to accommodate forwarded mail, ultimately protecting sensitive health information and supporting HIPAA compliance.

Helps email troubleshooting: ARC records each ARC-participating intermediary an email passed through, along with the authentication results seen at each hop, helping diagnose delivery issues and demonstrating the integrity of HIPAA compliant emails.

 

FAQs

What are HIPAA compliant emails?

HIPAA compliant emails ensure the secure transmission of protected health information (PHI) by implementing encryption, access controls, authentication, and other security measures.

Go deeper: HIPAA Compliant Email: The Definitive Guide

 

Is ARC required for HIPAA compliance?

While ARC can improve email security in HIPAA compliant environments, like healthcare organizations, it is not explicitly required by HIPAA regulations. However, it is recommended as part of a comprehensive security strategy like the advanced security practices Paubox uses.

 

Can ARC be used as a standalone security measure for HIPAA compliance?

No. ARC does not authenticate the original sender by itself; it only preserves and relays the results of SPF, DKIM, and DMARC checks. It is therefore always used together with those methods to provide comprehensive security for HIPAA compliant emails.