I've set up DKIM on Exim with the domain set like:
DKIM_DOMAIN = ${sender_address_domain}
However, the domain is always set to the same domain (my primary domain), which causes DMARC validation to fail, because of alignment, when sending emails for other domains (I host several websites).
From reading the documentation, I think the sender_address_domain is the envelope address and not the From field. How can I change the envelope address so that it matches the From field of a given email (I assume this will also allow SPF alignment to be correct)?
Also, for security, is it possible to have a whitelist of allowable domains, so Exim refuses to send emails that have another domain in the From field?
Best Answer
Add the rewrite rule to the Exim4 configuration:
The rule rewrites the Envelope-from header to match the From header, allowing DMARC alignment to work correctly. Recommendation is to append it to the end of the section to avoid conflicts with current rules.
You can find this configuration in the file
/etc/exim4/conf.d/rewrite/10_from_rewriteor in the section calledrewrite/31_exim4-config_rewritingof the file/etc/exim4/exim4.conf.template(for Debian). It depends on the type of your configuration – called single monolithic or split Exim4 config file with possible need to run the commandupdate-exim4.conf.Restart Exim after reconfiguration using
systemctl restart Exim4.The rule explanation:
*of the*@+local_domains= for all "local_parts" e.g. users.+local_domains= for all domains served by Exim4 server (defined indc_other_hostnamesanddc_readhostvariables) and not by other domains (redirection attempts etc.).${local_part}@${domain}composes RFC2822 compliant e-mail address from From field. Variables are described in exim4 documentation – string expansions. You can use just "$header_from:", but addresses in a form as "John Doe <john.doe@example.net>" will fail and get recorded to paniclog because of the "John Doe" part.F= target field of rewrite operation is the Envelope-from. see exim4 documentation – address rewriting.