If you only wish to verify particular domains, then I suggest setting in
the main section:
dkim_verify_signers = gmail.com:ebay.com:ebay.de:paypal.com
With that setting, the DKIM acl will always be called for the listed
domains, but only for those domains.
With that setting, then the dkim acl can be as simple as:
deny message = DKIM check failed
dkim_status = none:invalid:fail
Or, if you want to test everything but have a more stringent test for
the special domains, you could create a list of those domains in the
main section:
must_sign_domains = gmail.com:ebay.com:ebay.de:paypal.com
and also set the option:
dkim_verify_signers = $must_sign_domains : $dkim_signers
With this setting, acl_smtp_dkim will be called for all emails from the
must_pass_dkim_domains list (whether signed or not), PLUS all domains
and identities that have signatures in the message. (ref: exim doc,
chapter 56.2)
The acl could be (among various possibilities):
deny message = DKIM check failed for $dkim_cur_signer
# limit this check to the must sign list
dkim_signers = $must_sign_domains
dkim_status = none:invalid:fail
warn log_message = DKIM check failed for $dkim_cur_signer
# handling of all but the must sign list
!dkim_signers = $must_sign_domains
dkim_status = invalid:fail
