Fixing the "Received-SPF: none" email header in Debian Exim

Update the Exim SPF macro

The section on SPF in spec.txt.gz that comes with Debian's exim4-base (version 4.92-8+deb10u4), is a little out of date. It refers to which stopped working sometime last year.

If your Exim SPF section refers to, perhaps it also tells you to use the now obsolete libmail-spf-query-perl. Use spf-tools-perl, instead. This change was introduced a while ago, ahem, in January 2011.

If, like me, you did not update the SPF macro at all, then the warn part of it will likely not work correctly. This results in a header like this:

Received-SPF: none

to all of the email coming in, somewhere close to the body text.

A week ago, I thought I had it sorted and posted my solution to the Debian Exim mailing list. Andreas, the kind Debian Exim maintainer pointed out that I probably just never had applied the new default SPF macro to my template file. Indeed I had not.

While you're here: you can also add ":at_start:" to the message, to move the header up. And you can add a few details to the header, like the sender's IP address, envelope-from and helo. The end result will be something like this, as one of the first mail headers:

Received-SPF: pass

Here is my current SPF macro:

    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
              Please see check your setup;identity=${if def:sender_address_domain \
    log_message = SPF check failed.
    !acl = acl_local_deny_exceptions
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                   ${quote:$sender_host_address} --identity \
                   ${if def:sender_address_domain \
                       {--scope mfrom  --identity ${quote:$sender_address}}\
                       {--scope helo --identity ${quote:$sender_helo_name}}}}\
                   {no}{${if eq {$runrc}{1}{yes}{no}}}}

    message = Temporary DNS error while checking SPF record.  Try again later.
    !acl = acl_local_deny_exceptions
    condition = ${if eq {$runrc}{5}{yes}{no}}

    condition = ${if <={$runrc}{6}{yes}{no}}
    add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
                                {${if eq {$runrc}{2}{softfail}\
                                 {${if eq {$runrc}{3}{neutral}\
                                  {${if eq {$runrc}{4}{permerror}\
                                   {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
                                } client-ip=$sender_host_address; \
                                ${if def:sender_address_domain \
                                   {envelope-from=${sender_address}; }{}}\

    log_message = Unexpected error in SPF check.
    condition = ${if >{$runrc}{6}{yes}{no}}
Gijs Hillenius
Context for Digital Government

Policy specialist on open source in public services, knowlegde transfer expert