diff --git a/ChangeLog b/ChangeLog
index c2f58b4..17a0a55 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@ UNRELEASED Version 0.8.2
     - Updates for experimental ARC support:
       - Limit to rsa-sha256, rsa-sha1 not used by ARC and multi-signature
         design TBD
+      - Raise error when ARC signing if i= instance limit value of 50 is
+        exceeded
     - Fix DNS lookups to be compatible with EAI addresses in domains and
       selectors (John Levine)
     - Add type Hinting for sign and verify functions (LP: #1782596)
diff --git a/dkim/__init__.py b/dkim/__init__.py
index 9ea29cb..f467d8a 100644
--- a/dkim/__init__.py
+++ b/dkim/__init__.py
@@ -899,6 +899,7 @@ class ARC(DomainSigner):
   def sign(self, selector, domain, privkey, srv_id, include_headers=None,
            timestamp=None, standardize=False):
 
+    INSTANCE_LIMIT = 50 # Maximum allowed i= value
     # check if authres has been imported
     try:
         AuthenticationResultsHeader
@@ -961,6 +962,8 @@ class ARC(DomainSigner):
     instance = 1
     if len(arc_headers_w_instance) != 0:
         instance = max_instance + 1
+    if instance > INSTANCE_LIMIT:
+        raise ParameterError("Maximum instance tag value exceeded")
 
     if instance == 1 and chain_validation_status != CV_None:
         raise ParameterError("No existing chain found on message, cv should be none")