[exim] SPF and DKIM error processing when receiving emails

Author: Mark Elkins
Date:  
To: exim-users
Subject: [exim] SPF and DKIM error processing when receiving emails
I've got the following in exim.conf....

acl_check_dkim:
    deny dkim_status = fail
            message = DKIM validation failed: $dkim_verify_status
            log_message = DKIM validation failed: $dkim_verify_status \
                (address=$sender_address, domain=$dkim_cur_signer), \
                signature is bad
    defer dkim_status = invalid
            message = DKIM signature invalid: $dkim_verify_status
            log_message = DKIM signature invalid: $dkim_verify_status \
                (address=$sender_address, domain=$dkim_cur_signer), \
                invalid signature
    # NOTE: dkim_status = none should never happen in this ACL
    accept
            # Add an X-DKIM header to the message
            add_header = :at_start: X-DKIM: DKIM validation passed: \
                (address=$sender_address domain=$dkim_cur_signer), \
                signature is good
            logwrite = DKIM validation passed

This is breaking some of my customers...
How can I soften the blow? - so they can get their incorrectly signed
emails from these broken servers (some of which live in my country's
banking system and are otherwise completely valid)

I've got something similar for SPF....

# SPF Checks
acl_check_mail:

  # SPF validation
  deny spf = fail : softfail
          message = SPF validation failed: \
                  $sender_host_address is not allowed to send mail from \
                  ${if def:sender_address_domain \
                      {$sender_address_domain}{$sender_helo_name}}
          log_message = SPF validation failed\
                  ${if eq{$spf_result}{softfail} { (softfail)}{}}: \
                  $sender_host_address is not allowed to send mail from \
                  ${if def:sender_address_domain \
                      {$sender_address_domain}{$sender_helo_name}}
  deny spf = permerror
          message = SPF validation failed: \
                  syntax error in SPF record(s) for \
                  ${if def:sender_address_domain \
                      {$sender_address_domain}{$sender_helo_name}}
          log_message = SPF validation failed (permerror): \
                  syntax error in SPF record(s) for \
                  ${if def:sender_address_domain \
                      {$sender_address_domain}{$sender_helo_name}}
  defer spf = temperror
          message = temporary error during SPF validation; \
                  please try again later
          log_message = SPF validation failed temporary; deferred
  # Log SPF none/neutral result
  warn spf = none : neutral
          log_message = SPF validation none/neutral

  # Use the lack of reverse DNS to trigger greylisting. Some people
  # even reject for it but that would be a little excessive.

  warn condition = ${if eq{$sender_host_name}{} {1}}
       set acl_m_greylistreasons = Host $sender_host_address \
           lacks reverse DNS\n$acl_m_greylistreasons

  accept
          # Add an SPF-Received header to the message
          add_header = :at_start: $spf_received
          logwrite = SPF validation passed

I think I have to allow this sort of stuff through for now - but would
love it to come through with readable error messages for now - give
people a chance to fix their errors.



--

Mark James ELKINS  -  Posix Systems - (South) Africa
mje@??? Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
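
One way to do what the post asks, as an added example that is not from the original post or from the Exim project: keep rejecting in general, but let a short list of known-broken sender domains through with a readable header and log line. The list name `auth_tolerated`, its file path and the `X-SPF` header name are assumptions; the variables and conditions are standard Exim ones.

```exim
# Main configuration section. Assumption: the list name and file path are
# hypothetical; the file holds one sender domain per line.
domainlist auth_tolerated = /etc/exim/auth_tolerated_domains

acl_check_dkim:
    # Exempted sender domains: accept, but label the failure in a header
    # and in the log so the remote admin can be shown what went wrong.
    accept dkim_status = fail : invalid
            sender_domains = +auth_tolerated
            add_header = :at_start: X-DKIM: DKIM validation FAILED \
                ($dkim_verify_status: $dkim_verify_reason) \
                (address=$sender_address domain=$dkim_cur_signer), \
                accepted under temporary exception
            logwrite = DKIM $dkim_verify_status tolerated: \
                $dkim_verify_reason \
                (address=$sender_address, domain=$dkim_cur_signer)
    # All other senders: the deny/defer/accept statements from the post
    # follow here unchanged.

acl_check_mail:
    # Exempted sender domains: tag and log instead of rejecting.
    warn spf = fail : softfail : permerror
            sender_domains = +auth_tolerated
            add_header = :at_start: X-SPF: SPF validation FAILED \
                ($spf_result) for $sender_address_domain from \
                $sender_host_address, accepted under temporary exception
            log_message = SPF $spf_result tolerated: $sender_host_address \
                for $sender_address_domain
    # Enforcement stays on for every other domain. The same negated
    # condition is also needed on the "deny spf = permerror" statement.
    deny spf = fail : softfail
            !sender_domains = +auth_tolerated
            message = SPF validation failed: \
                $sender_host_address is not allowed to send mail from \
                ${if def:sender_address_domain \
                    {$sender_address_domain}{$sender_helo_name}}
    # The remaining statements from the post (temperror defer, none/neutral
    # warn, reverse-DNS greylisting, final accept) follow here unchanged.
```

Mail claiming a listed domain is no longer protected against spoofing by these checks, so the list is best kept short and entries removed once the sending side is fixed.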