Re: [exim] detecting DMARC-protected domain

Author: Phil Pennock
Date:  
To: Julian Bradfield
CC: exim-users
Subject: Re: [exim] detecting DMARC-protected domain
On 2018-07-07 at 18:56 +0100, Julian Bradfield via Exim-users wrote:
> Is there a way to detect, in the Exim configuration file, whether a
> sender domain has a DMARC record?


Use a `dnsdb` lookup, look for the DMARC DNS record. The rest of your
mail leads me to suggest a better approach, but to first answer the
question as asked:

    ${lookup dnsdb{txt=_dmarc.$sender_address_domain}{yes}{no}}


> I suppose I should explain the reason, in case there's a better way:
> one of my users forwards her email to gmail (which I do via formail in
> her .procmailrc). Unfortunately, she gets mail from domains with a
> DMARC reject policy - so when I'm forwarding a DKIM-signed message, I
> munge it to come from us (using the percent hack, for old times' sake
> - yes, the acceptance of incoming percent-hacked addresses for relaying is
> tightly tied down:), and strip the signature.
>
> Unfortunately again, one of the domains sometimes sends unsigned
> messages. When they go directly to people, the From: address will
> authenticate against SPF, so will still pass; but since they're not
> signed, I don't detect and munge them, and of course they don't pass
> when relayed from me. I would prefer to avoid munging *all* her
> relayed mail, but could cope with munging all mail relayed from a
> DMARC protected domain.


Build Exim from source, either from git on the exim-4_91+fixes branch or
apply the patches from that branch to 4.91 (beware the extra src/ in the
hierarchy for the git repo as compared to release tarballs).

Jeremy would probably appreciate more testing and feedback. :)

It's slightly intricate to configure and probably worth putting inside
".ifdef _HAVE_ARC" guards inside your Exim configuration file, so that
if you have to build without it you still have a mostly-working config.
It will require you to be doing both SPF and DMARC validation already.
But ARC is the way that you can try to chain forward in delivery to
folks like Gmail, saying "I received it from these folks and this is the
result of the validations _I_ did, please accept this as a good-faith
forwarding without penalizing other mail" and if you send enough mail,
Gmail might score your system to have a reputation such that it believes
your claims, and so if it sees that SPF passed for _you_ then it will
accept that.

There's a fair chunk more to ARC. It's all about chains of headers,
redoing the Received: header system with a parallel set of
cryptographically signed headers which integrate more detailed
provenance claims. If you're forwarding email to systems outside your
own administrative control, then ARC needs to be on your radar, if not
deployed already.

-Phil
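An added example, not from this thread and not Exim code: the `dnsdb` one-liner above checks for a record at `_dmarc.` under the exact sender domain. DMARC policy discovery (RFC 7489, section 6.6.3) goes a step further: if nothing is found there, the receiver looks up `_dmarc.` under the organizational domain, where an `sp=` tag governs subdomains, and more than one DMARC record at a name counts as no policy at all. A forwarder deciding whether to rewrite From: wants that fuller check, so the Python below implements it against a constructed in-memory TXT table. `FAKE_DNS_TXT`, the tiny `PUBLIC_SUFFIXES` stand-in for the Public Suffix List, and all function names are my assumptions, not anything from Exim or the thread.

```python
"""DMARC policy discovery with organizational-domain fallback.

Added example for the exim-users thread; not Exim code. DNS is replaced
by a constructed in-memory table so the module runs offline.
"""

# Constructed stand-in for DNS TXT answers (assumption: real code queries DNS).
FAKE_DNS_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    "_dmarc.example.net": ["v=DMARC1; p=none"],
    "_dmarc.other.example": ["v=spf1 -all"],  # TXT present, but not a DMARC record
    "_dmarc.dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: no policy
}

# Constructed stand-in for the Public Suffix List (assumption: only these suffixes exist).
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}

VALID_POLICIES = ("none", "quarantine", "reject")


def organizational_domain(domain):
    """Name one label below the longest matching public suffix, or None
    when the name is itself a public suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels)  # no known suffix: treat the whole name as organizational


def parse_dmarc_record(txt):
    """Tag dict for a syntactically valid DMARC record, else None.
    RFC 7489 requires v=DMARC1, matched exactly, as the first tag; a p= value
    outside the known set is treated here as an invalid record."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    rec = dict(tags)
    if rec.get("p", "").lower() not in VALID_POLICIES:
        return None
    if "sp" in rec and rec["sp"].lower() not in VALID_POLICIES:
        return None
    return rec


def fetch_dmarc(name, dns=FAKE_DNS_TXT):
    """Exactly one valid DMARC record at name -> that record; otherwise None
    (RFC 7489 s6.6.3: multiple DMARC records at a name mean no policy)."""
    records = [r for r in map(parse_dmarc_record, dns.get(name, [])) if r]
    return records[0] if len(records) == 1 else None


def discover_policy(sender_domain, dns=FAKE_DNS_TXT):
    """Return (policy, domain the record was found at), or (None, None)."""
    sender_domain = sender_domain.lower()
    rec = fetch_dmarc("_dmarc." + sender_domain, dns)
    if rec:
        return rec["p"].lower(), sender_domain
    org = organizational_domain(sender_domain)
    if org and org != sender_domain:
        rec = fetch_dmarc("_dmarc." + org, dns)
        if rec:
            # Sender is a subdomain of the record's domain: sp= applies if present, else p=.
            return rec.get("sp", rec["p"]).lower(), org
    return None, None


def should_rewrite_from(sender_domain, dns=FAKE_DNS_TXT):
    """Forwarder decision: rewrite From: only when the policy asks receivers
    to quarantine or reject on failure; p=none requests no action."""
    policy, _ = discover_policy(sender_domain, dns)
    return policy in ("quarantine", "reject")


if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "sub.example.net", "dup.example", "nodmarc.example"):
        print(d, discover_policy(d), should_rewrite_from(d))
```

The `dnsdb` expansion in the message corresponds to a single `fetch_dmarc("_dmarc." + domain)` at the exact name; the organizational-domain step is what it cannot do, because Exim has no Public Suffix List to derive that domain from. In practice that matters for mail sent from a subdomain of a domain whose policy is published only at the organizational level, which the one-liner would report as "no".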