
detecting DMARC-protected domain
Is there a way to detect, in the Exim configuration file, whether a
sender domain has a DMARC record?
As far as Google tells me, the only mention of DMARC in the Exim spec
is the acknowledgement of the OpenDMARC library.

I suppose I should explain the reason, in case there's a better way:
one of my users forwards her email to gmail (which I do via formail in
her .procmailrc). Unfortunately, she gets mail from domains with a
DMARC reject policy - so when I'm forwarding a DKIM-signed message, I
munge it to come from us (using the percent hack, for old times' sake
- yes, the acceptance of incoming percent-hacked addresses for relaying is
tightly tied down:), and strip the signature.

Unfortunately again, one of the domains sometimes sends unsigned
messages. When they go directly to people, the From: address will
authenticate against SPF, so will still pass; but since they're not
signed, I don't detect and munge them, and of course they don't pass
when relayed from me. I would prefer to avoid munging *all* her
relayed mail, but could cope with munging all mail relayed from a
DMARC protected domain.

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: detecting DMARC-protected domain
On 2018-07-07 at 18:56 +0100, Julian Bradfield via Exim-users wrote:
> Is there a way to detect, in the Exim configuration file, whether a
> sender domain has a DMARC record?

Use a `dnsdb` lookup, look for the DMARC DNS record. The rest of your
mail leads me to suggest a better approach, but to first answer the
question as asked:

${lookup dnsdb{txt=_dmarc.$sender_address_domain}{yes}{no}}

> I suppose I should explain the reason, in case there's a better way:
> one of my users forwards her email to gmail (which I do via formail in
> her .procmailrc). Unfortunately, she gets mail from domains with a
> DMARC reject policy - so when I'm forwarding a DKIM-signed message, I
> munge it to come from us (using the percent hack, for old times' sake
> - yes, the acceptance of incoming percent-hacked addresses for relaying is
> tightly tied down:), and strip the signature.
>
> Unfortunately again, one of the domains sometimes sends unsigned
> messages. When they go directly to people, the From: address will
> authenticate against SPF, so will still pass; but since they're not
> signed, I don't detect and munge them, and of course they don't pass
> when relayed from me. I would prefer to avoid munging *all* her
> relayed mail, but could cope with munging all mail relayed from a
> DMARC protected domain.

Build Exim from source, either from git on the exim-4_91+fixes branch or
apply the patches from that branch to 4.91 (beware the extra src/ in the
hierarchy for the git repo as compared to release tarballs).

Jeremy would probably appreciate more testing and feedback. :)

It's slightly intricate to configure and probably worth putting inside
".ifdef _HAVE_ARC" guards inside your Exim configuration file, so that
if you have to build without it you still have a mostly-working config.
It will require you to be doing both SPF and DMARC validation already.
But ARC is the way that you can try to chain forward in delivery to
folks like Gmail, saying "I received it from these folks and this is the
result of the validations _I_ did, please accept this as a good-faith
forwarding without penalizing other mail" and if you send enough mail,
Gmail might score your system to have a reputation such that it believes
your claims, and so if it sees that SPF passed for _you_ then it will
accept that.

There's a fair chunk more to ARC. It's all about chains of headers,
redoing the Received: header system with a parallel set of
cryptographically signed headers which integrate more detailed
provenance claims. If you're forwarding email to systems outside your
own administrative control, then ARC needs to be on your radar, if not
deployed already.

-Phil

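The `dnsdb` lookup in the reply above answers "does `_dmarc.<sender domain>` exist?", which is the question asked. For the forwarding problem, what matters is the policy the record carries, and a sender domain can also be covered by its organizational domain's `sp=` tag even when `_dmarc.<sender domain>` itself is absent. The following is an added example (editor's code, not from the thread or from Exim) that parses constructed DMARC TXT answers and decides whether mail from a domain would need rewriting before onward relay. The `SAMPLE_TXT` dictionary is a stand-in for DNS; the `org_domain` helper uses a deliberately simplified "last two labels" rule in place of the Public Suffix List.

```python
"""Decide whether a forwarded message's sender domain falls under a DMARC
quarantine/reject policy.  Added example for the exim-users thread; not
Exim code.  DNS answers are constructed, and org_domain() is a simplified
stand-in for a Public Suffix List lookup."""
from typing import Dict, List, Optional

# Constructed stand-in for the TXT answers a dnsdb lookup would return
# (DNS name -> list of TXT strings).  None of these are real records.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.example.org": ["v=DMARC1; p=none; sp=quarantine"],
    "_dmarc.example.net": ["not a dmarc record"],  # TXT exists, but no DMARC
}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict; None unless it is a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_record(name: str, txt_answers: Dict[str, List[str]]) -> Optional[dict]:
    """Return the first valid DMARC record published at `name`, if any."""
    for txt in txt_answers.get(name, []):
        record = parse_dmarc(txt)
        if record is not None:
            return record
    return None


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example only; real code should use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_policy(domain: str, txt_answers: Dict[str, List[str]] = SAMPLE_TXT) -> Optional[str]:
    """Return 'none', 'quarantine' or 'reject', or None when no DMARC policy applies.

    Exact-domain record wins and its p= applies.  Otherwise fall back to the
    organizational domain's record, where sp= (if present) governs subdomains
    and p= is the default.  A record lacking p= is treated as p=none."""
    domain = domain.lower().rstrip(".")
    record = dmarc_record(f"_dmarc.{domain}", txt_answers)
    if record is not None:
        return record.get("p", "none").lower()
    org = org_domain(domain)
    if org == domain:
        return None  # already at the organizational domain; nothing to fall back to
    record = dmarc_record(f"_dmarc.{org}", txt_answers)
    if record is None:
        return None
    return record.get("sp", record.get("p", "none")).lower()


def needs_munging(domain: str, txt_answers: Dict[str, List[str]] = SAMPLE_TXT) -> bool:
    """True when relaying unchanged would be refused or quarantined by a DMARC-aware receiver."""
    return dmarc_policy(domain, txt_answers) in ("quarantine", "reject")


if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "example.org",
              "mail.example.org", "example.net", "nodmarc.test"):
        print(f"{d:20s} policy={dmarc_policy(d)!s:11s} munge={needs_munging(d)}")
```

In Exim terms, the exact-domain check is the `${lookup dnsdb{txt=_dmarc.$sender_address_domain}...}` expansion from the reply; covering the organizational-domain case would need a second lookup, and deciding on the policy rather than mere existence would need a `${if match{...}{\N(^|;)\s*s?p\s*=\s*(reject|quarantine)\N}...}` style test on the returned TXT string.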
Re: detecting DMARC-protected domain
On 2018-07-07, Phil Pennock via Exim-users <exim-users@exim.org> wrote:
> On 2018-07-07 at 18:56 +0100, Julian Bradfield via Exim-users wrote:
>> Is there a way to detect, in the Exim configuration file, whether a
>> sender domain has a DMARC record?

> ${lookup dnsdb{txt=_dmarc.$sender_address_domain}{yes}{no}}

Ah, thank you. Of course, I should have known that, but the exim
manual is quite big these days :)

Thank you for the further suggestions about trying out the ARC
experimental feature. Interesting to know about.
However, although I'm signed up to this list at work (I should change
that) I'm actually only the mail admin for my family (plus occasional
hangers-on) mail server, and it sounds like a bit more work than I
want to mess with just now! But maybe I'll get bored during my
upcoming sabbatical :)
