diff --git a/libopenarc/arc.c b/libopenarc/arc.c
index 1c6c9ded..781b4448 100644
--- a/libopenarc/arc.c
+++ b/libopenarc/arc.c
@@ -2411,6 +2411,10 @@ arc_parse_header_field(ARC_MESSAGE *msg, u_char *hdr, size_t hlen,
 	while (end > hdr && isascii(*(end - 1)) && isspace(*(end - 1)))
 		end--;
 
+	/* don't allow incredibly large field names */
+	if (end - hdr > ARC_MAXHDRNAMELEN)
+		return ARC_STAT_SYNTAX;
+
 	/* don't allow a field name containing a semicolon */
 	semicolon = memchr(hdr, ';', hlen);
 	if (semicolon != NULL && colon != NULL && semicolon < colon)
@@ -2758,7 +2762,8 @@ arc_eoh(ARC_MESSAGE *msg)
 
 	for (h = msg->arc_hhead; h != NULL; h = h->hdr_next)
 	{
-		char hnbuf[ARC_MAXHEADER + 1];
+		char hnbuf[ARC_MAXHDRNAMELEN + 1];
+		assert(h->hdr_namelen <= ARC_MAXHDRNAMELEN);
 
 		memset(hnbuf, '\0', sizeof hnbuf);
 		strncpy(hnbuf, h->hdr_text, h->hdr_namelen);
diff --git a/libopenarc/arc.h b/libopenarc/arc.h
index 34cf0736..d8107404 100644
--- a/libopenarc/arc.h
+++ b/libopenarc/arc.h
@@ -46,6 +46,8 @@ extern "C" {
 #define ARC_HDRMARGIN		75	/* "standard" header margin */
 #define ARC_MAXHEADER		4096	/* buffer for caching one header */
 #define	ARC_MAXHOSTNAMELEN	256	/* max. FQDN we support */
+#define ARC_MAXLINELEN		1000	/* physical line limit (RFC5321) */
+#define ARC_MAXHDRNAMELEN	(ARC_MAXLINELEN - 3) /* deduct ":" CRLF */
 
 #define	ARC_AR_HDRNAME		"ARC-Authentication-Results"
 #define	ARC_DEFAULT_MINKEYSIZE	1024