If you cannot or do not want to install opendmarc, here is a method I
have tested. It uses Exim's built-in DNS lookup to get the DMARC policy
and can easily be extended to get other aspects, such as DMARC
reporting, etc.

Once you have the DMARC policy, you can then use it AFTER looking up SPF
and DKIM to enable an action according to the DMARC policy.

The RFC states that BOTH SPF AND DKIM must fail (if both exist) to
enforce the DMARC policy. If EITHER SPF or DKIM passes and DMARC exists,
the mail must be accepted.

This gets added to your acl_smtp_rcpt section:
  # Get DMARC policy.
  # NB: RFC 7489 keys DMARC on the RFC5322.From header domain, which is not
  # available until DATA. At RCPT time only the envelope (MAIL FROM) domain
  # is known, so that is what is looked up here.
  warn
    set acl_m_dmarc_txt   = ''
    set acl_m_dmarcpolicy = ''
    set acl_m_dmarcvalid  = 0

  # dnsdb yields an empty string when no _dmarc TXT record exists, so the
  # variables above stay at their defaults for domains without DMARC.
  warn
    set acl_m_dmarc_txt   = ${lookup dnsdb{txt=_dmarc.$sender_address_domain}}

  # Validate: a DMARC record must start with the v=DMARC1 tag.
  warn
    condition = ${if match{$acl_m_dmarc_txt}{\N^\s*v=DMARC1\s*(;|$)\N}}
    set acl_m_dmarcvalid = 1

  # Extract the p= tag. The tag is only matched at the start of the record
  # or directly after a ';' so that the subdomain policy tag 'sp=none' is
  # not mistaken for 'p=none' (an unanchored 'p=none' match would do that).
  warn
    condition = ${if ={$acl_m_dmarcvalid}{1}}
    condition = ${if match{$acl_m_dmarc_txt}{\N(?i)(^|;)\s*p\s*=\s*reject\s*(;|$)\N}}
    set acl_m_dmarcpolicy = reject
  warn
    condition = ${if ={$acl_m_dmarcvalid}{1}}
    condition = ${if match{$acl_m_dmarc_txt}{\N(?i)(^|;)\s*p\s*=\s*quarantine\s*(;|$)\N}}
    set acl_m_dmarcpolicy = quarantine
  warn
    condition = ${if ={$acl_m_dmarcvalid}{1}}
    condition = ${if match{$acl_m_dmarc_txt}{\N(?i)(^|;)\s*p\s*=\s*none\s*(;|$)\N}}
    set acl_m_dmarcpolicy = none
--
Evan Booyens
Platform Engineer
xneelo (Pty) Ltd
SA Contact Centre: 0861 0861 08
International: +27 21 970 2000
<https://xneelo.co.za>
Disclaimer: xneelo.co.za/email-disclaimer
<https://xneelo.co.za/email-disclaimer>
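The enforcement step the message above leaves to the reader, as an added example that is not Evan's configuration and not part of Exim's shipped config. It assumes Exim is built with SPF and DKIM verification support, that the RCPT ACL above has already set acl_m_dmarcpolicy, and it introduces its own (hypothetical) names: acl_m_spf_pass, acl_m_dkim_aligned, acl_m_spf_aligned, acl_m_from_domain, acl_m_dmarc_pass and the ACLs acl_check_dkim / acl_check_data. Alignment is checked in strict mode only (signing domain or envelope domain must equal the From: domain); relaxed alignment needs a public suffix list, which plain Exim expansions cannot provide. Note that acl_m_dmarcpolicy was looked up for the envelope domain, so for senders whose envelope and From: domains differ the policy applied is that of the envelope domain.

```exim
# --- main section ---
# acl_smtp_rcpt = acl_check_rcpt   (already present; contains the DMARC lookup)
acl_smtp_dkim = acl_check_dkim
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # ... DMARC policy lookup from the message above goes here ...

  # Record the SPF verdict for the envelope sender so DATA can use it.
  # acl_m_ variables set here persist until the message is received.
  warn
    set acl_m_spf_pass     = 0
    set acl_m_dkim_aligned = 0
  warn
    spf = pass
    set acl_m_spf_pass = 1

  accept

acl_check_dkim:
  # Runs once per DKIM signature after the body has been received, so the
  # From: header is available here. Domains are lowercased before comparing.
  warn
    set acl_m_from_domain = ${lc:${domain:${address:$h_from:}}}
  # Strict alignment: a verified signature whose d= equals the From: domain.
  warn
    condition = ${if eq{$dkim_verify_status}{pass}}
    condition = ${if eq{${lc:$dkim_cur_signer}}{$acl_m_from_domain}}
    set acl_m_dkim_aligned = 1
  accept

acl_check_data:
  # SPF alignment: envelope sender domain must equal the From: domain.
  warn
    set acl_m_from_domain = ${lc:${domain:${address:$h_from:}}}
    set acl_m_spf_aligned = 0
  warn
    condition = ${if ={$acl_m_spf_pass}{1}}
    condition = ${if eq{${lc:$sender_address_domain}}{$acl_m_from_domain}}
    set acl_m_spf_aligned = 1

  # DMARC passes if EITHER aligned identifier passes; act only when both fail.
  warn
    set acl_m_dmarc_pass = ${if or{{={$acl_m_spf_aligned}{1}}{={$acl_m_dkim_aligned}{1}}}{1}{0}}

  # p=reject: refuse the message at the end of DATA.
  deny
    condition = ${if eq{$acl_m_dmarcpolicy}{reject}}
    condition = ${if ={$acl_m_dmarc_pass}{0}}
    message   = Rejected by DMARC policy of $sender_address_domain: \
                neither SPF nor DKIM passed in alignment with $acl_m_from_domain

  # p=quarantine: accept but tag the message for downstream filtering.
  warn
    condition  = ${if eq{$acl_m_dmarcpolicy}{quarantine}}
    condition  = ${if ={$acl_m_dmarc_pass}{0}}
    add_header = X-DMARC-Result: fail (policy=quarantine; from=$acl_m_from_domain)

  # p=none (or no record): record the verdict only.
  warn
    condition  = ${if ={$acl_m_dmarc_pass}{1}}
    add_header = X-DMARC-Result: pass (policy=$acl_m_dmarcpolicy; from=$acl_m_from_domain)

  accept
```

The final accept is a placeholder for whatever else your DATA ACL already does; the deny and the two warn statements can be dropped into an existing acl_check_data ahead of it. Keep a log of rejections for a while before switching from the quarantine header to deny, since senders with p=reject and a missing DKIM signature on forwarded mail will be refused.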