On 2018-07-07 at 18:56 +0100, Julian Bradfield via Exim-users wrote:
> Is there a way to detect, in the Exim configuration file, whether a
> sender domain has a DMARC record?

Use a `dnsdb` lookup, look for the DMARC DNS record. The rest of your mail leads me to suggest a better approach, but to first answer the question as asked:

    ${lookup dnsdb{txt=_dmarc.$sender_address_domain}{yes}{no}}

> I suppose I should explain the reason, in case there's a better way:
> one of my users forwards her email to gmail (which I do via formail in
> her .procmailrc). Unfortunately, she gets mail from domains with a
> DMARC reject policy - so when I'm forwarding a DKIM-signed message, I
> munge it to come from us (using the percent hack, for old times' sake
> - yes, the acceptance of incoming percent-hacked addresses for relaying is
> tightly tied down:), and strip the signature.
>
> Unfortunately again, one of the domains sometimes sends unsigned
> messages. When they go directly to people, the From: address will
> authenticate against SPF, so will still pass; but since they're not
> signed, I don't detect and munge them, and of course they don't pass
> when relayed from me. I would prefer to avoid munging *all* her
> relayed mail, but could cope with munging all mail relayed from a
> DMARC protected domain.

Build Exim from source, either from git on the exim-4_91+fixes branch or apply the patches from that branch to 4.91 (beware the extra src/ in the hierarchy for the git repo as compared to release tarballs). Jeremy would probably appreciate more testing and feedback. :)

It's slightly intricate to configure and probably worth putting inside ".ifdef _HAVE_ARC" guards inside your Exim configuration file, so that if you have to build without it you still have a mostly-working config. It will require you to be doing both SPF and DMARC validation already.

But ARC is the way that you can try to chain forward in delivery to folks like Gmail, saying "I received it from these folks and this is the result of the validations _I_ did, please accept this as a good-faith forwarding without penalizing other mail" and if you send enough mail, Gmail might score your system to have a reputation such that it believes your claims, and so if it sees that SPF passed for _you_ then it will accept that.

There's a fair chunk more to ARC. It's all about chains of headers, redoing the Received: header system with a parallel set of cryptographically signed headers which integrate more detailed provenance claims. If you're forwarding email to systems outside your own administrative control, then ARC needs to be on your radar, if not deployed already.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
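The `dnsdb` check above only says whether a `_dmarc` TXT record exists; what Julian actually cares about is whether its policy is `p=reject` or `p=quarantine`. This added example (my own illustration, not code from the post or from Exim) parses the TXT answer the way a receiver would, using a constructed in-memory zone in place of real DNS and ignoring the organizational-domain fallback that real DMARC evaluation performs for subdomains.

```python
# Constructed stand-in for DNS: each value is what ${lookup dnsdb{txt=NAME}}
# hands back, i.e. all TXT strings for the name, newline-separated.
SAMPLE_ZONE = {
    "_dmarc.reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "_dmarc.quarantine.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "_dmarc.none.example": "v=DMARC1; p=none",
    # an unrelated TXT record sits on the same name, ahead of the real one
    "_dmarc.noise.example": "site-verification=abc123\nv=DMARC1; p=reject",
    # not a DMARC record at all: the mandatory leading v=DMARC1 is missing
    "_dmarc.broken.example": "p=reject",
}


def lookup_txt(name):
    """Stand-in for the dnsdb txt= lookup; None means no such TXT record."""
    return SAMPLE_ZONE.get(name.lower())


def parse_dmarc(txt):
    """Return the tag=value dict of the first usable DMARC record in a TXT
    answer, or None. RFC 7489 requires v=DMARC1 as the first tag plus a
    p= tag; any other TXT string on the name is ignored, as a receiver does."""
    for record in txt.splitlines():
        tags, first_key = {}, None
        for part in record.split(";"):
            if "=" not in part:
                continue
            key, value = (s.strip() for s in part.split("=", 1))
            first_key = first_key if first_key is not None else key
            tags[key] = value
        if first_key == "v" and tags.get("v") == "DMARC1" and "p" in tags:
            return tags
    return None


def dmarc_policy(domain):
    """The published p= policy ('none', 'quarantine' or 'reject'), or None
    when _dmarc.<domain> carries no valid DMARC record."""
    txt = lookup_txt("_dmarc." + domain)
    tags = parse_dmarc(txt) if txt is not None else None
    return tags["p"].lower() if tags else None


def forwarding_needs_care(domain):
    """True when an unsigned message From: this domain, relayed onward, would
    fail DMARC at the final receiver and be quarantined or rejected there."""
    return dmarc_policy(domain) in ("reject", "quarantine")
```

Swapping `lookup_txt` for a real resolver call (and adding the organizational-domain fallback) turns this into the policy-aware test the post asks for; in Exim itself the same decision can be expressed with `${lookup dnsdb{...}}` feeding a `${if match ...}` on `p=reject` or `p=quarantine`.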