[Exim] How to mark authenticated senders in the header?

Hello,

I wondered how people mark authenticated senders in mail headers.
RFC822 mentions that Sender: should be authenticated, but does not
describe what it means by authenticated. Quite some mails have
X-authenticated-sender:, but you can not know if the user inserted
that field to confuse people or if it is authentic. I feel tempted
to remove such fields on unauthenticated connections and add my own on
authenticated ones, but that might make abuse processing harder, so it
is probably a bad idea. Any comments?

Further, I have a wish for more featureful authenticators. For one,
it would be great if I could have a couple of them. If one fails to
authenticate the user, the next would be tried, so I don't have to squeeze
all lookups into one. Then I would like to set a restriction on which
sender addresses could be passed as authenticated senders via "AUTH=".
If I trust an admin of a remote host to get his authentication model
right, I would allow all senders, but if a single user authenticates
himself, he should only be allowed to specify authenticated senders that
actually belong to him. Something like being able to set an authenticator
variable to a string that is expanded for each "AUTH=" address and must
expand to "true" would be great.

Finally, how about putting the $authenticated_id inside the comment part
of Received: lines, where helo is noted, too?

Michael