Fixing the "Received-SPF: none" email header in Debian Exim

18 Jun 2020 2 min read

Update the Exim SPF macro

The section on SPF in spec.txt.gz that comes with Debian's exim4-base (version 4.92-8+deb10u4), is a little out of date. It refers to http://www.openspf.org which stopped working sometime last year.

If your Exim SPF section refers to opensfp.org, perhaps it also tells you to use the now obsolete libmail-spf-query-perl. Use spf-tools-perl, instead. This change was introduced a while ago, ahem, in January 2011.

If, like me, you did not update the SPF macro at all, then the warn part of it will likely not work correctly. This results in a header like this:

Received-SPF: none

to all of the email coming in, somewhere close to the body text.

A week ago, I thought I had it sorted and posted my solution to the Debian Exim mailing list. Andreas, the kind Debian Exim maintainer pointed out that I probably just never had applied the new default SPF macro to my template file. Indeed I had not.

While you're here: you can also add ":at_start:" to the message, to move the header up. And you can add a few details to the header, like the sender's IP address, envelope-from and helo. The end result will be something like this, as one of the first mail headers:

Received-SPF: pass

Here is my current SPF macro:

 .ifdef CHECK_RCPT_SPF
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
              Please see check your setup;identity=${if def:sender_address_domain \
              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
    log_message = SPF check failed.
    !acl = acl_local_deny_exceptions
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                   ${quote:$sender_host_address} --identity \
                   ${if def:sender_address_domain \
                       {--scope mfrom  --identity ${quote:$sender_address}}\
                       {--scope helo --identity ${quote:$sender_helo_name}}}}\
                   {no}{${if eq {$runrc}{1}{yes}{no}}}}

  defer
    message = Temporary DNS error while checking SPF record.  Try again later.
    !acl = acl_local_deny_exceptions
    condition = ${if eq {$runrc}{5}{yes}{no}}

  warn
    condition = ${if <={$runrc}{6}{yes}{no}}
    add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
                                {${if eq {$runrc}{2}{softfail}\
                                 {${if eq {$runrc}{3}{neutral}\
                                  {${if eq {$runrc}{4}{permerror}\
                                   {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
                                } client-ip=$sender_host_address; \
                                ${if def:sender_address_domain \
                                   {envelope-from=${sender_address}; }{}}\
                                helo=$sender_helo_name

  warn
    log_message = Unexpected error in SPF check.
    condition = ${if >{$runrc}{6}{yes}{no}}
  .endif
Avatar
Gijs Hillenius
Context for Digital Government

Policy specialist on open source in public services, knowlegde transfer expert