Quoting Jeremy Harris via Exim-users (exim-users@lists.exim.org):
> Thanks. a5e7a642059e is an initial go; I'd appreciate your
> evaluation. I've not looked into any effect it has on DMARC,
> only that it seems to be doing the right thing for one DKIM test.

Awesome. This does exactly what i would expect, setting
dkim_verify_minimal to true.

| Exim version 4.97-a5e7a64 #1 built 10-Jul-2024 07:34:56

With dkim_verify_minimal set to false, both DKIM sigs get validated.
DMARC passes:

| dkim--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| dkim--pas...@bf02x.hubspotemail.net----bf02x.hubspotemail.net-...@bf02x.hubspotemail.net--
| dkim--pass--lease-a-bike.nl----lease-a-bike.n...@lease-a-bike.nl--
| dkim--pas...@lease-a-bike.nl----lease-a-bike.nl-...@lease-a-bike.nl--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'

With dkim_verify_minimal set to true, the first encountered DKIM sig
gets validated. No further attempts are performed. DMARC passes:

| dkim--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'

With dkim_verify_minimal set to false, and one of the DKIM sigs broken,
the last DKIM signature still validates, DMARC passes:

| dkim--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| dkim--fai...@bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| dkim--pass--lease-a-bike.nl----lease-a-bike.n...@lease-a-bike.nl--
| dkim--pas...@lease-a-bike.nl----lease-a-bike.nl-...@lease-a-bike.nl--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'

With dkim_verify_minimal set to true, and one of the DKIM sigs broken,
the first broken sig is tested invalid, the next one validates, no
further attempts are made, DMARC passes:

| dkim--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| dkim--fai...@bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| dkim--pass--lease-a-bike.nl----lease-a-bike.n...@lease-a-bike.nl--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'

With dkim_verify_minimal set to false, and both DKIM sigs broken, both
are attempted, none succeed, DMARC fails:

| dkim--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| dkim--fai...@bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| dkim--fail--lease-a-bike.nl--bodyhash_mismatch--lease-a-bike.n...@lease-a-bike.nl--
| dkim--fai...@lease-a-bike.nl--bodyhash_mismatch--lease-a-bike.n...@lease-a-bike.nl--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=no enforcement='Reject'

And not unexpected: with dkim_verify_minimal set to true, and both DKIM
sigs broken, both are attempted, none succeed, DMARC fails as well.

As far as i can tell, this is how it should be!

Regards,
-Sander.
--
| With her marriage she got a new name and a dress.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2