Email signing between two domains on same server

Problem Description

A colleague and I both send and receive email using Gmail’s POP3/IMAP send/receive function via my Sympl server. We are using different domains, but both domains are hosted on the same Sympl server.
I’ve noticed that when I send him an email, Exim does not sign the email properly. Therefore, when it is collected by Gmail via POP3, it fails SPF (Gmail thinks it was sent via the Google server) and DKIM (no signature is added).

I have added “include:_spf.google.com” to my domain’s SPF record to avoid the email being considered spam straight away; however, I’d quite like to remove this, as it seems spammers also send email using Google’s servers.

Is there a way to force Exim to add the DKIM signature and for the SPF check to assume the server’s IP address rather than google’s IP address?

When I send emails to other domains or directly to Gmail, SPF and DKIM work perfectly. DMARC reports are all looking good (I recommend liuch/dmarc-srg on GitHub, a PHP parser, viewer and summary report generator for incoming DMARC reports, as a nice simple way to parse the DMARC reports).

Any Error Messages

DMARC reports suggest DKIM and SPF checks fail.

Headers according to google of one example email:

Authentication-Results: mx.google.com;
spf=pass (google.com: domain of trevor@example1.com designates 209.85.208.170 as permitted sender) smtp.mailfrom=trevor@example1.com
Received-SPF: pass (google.com: domain of trevor@example1.com designates 209.85.208.170 as permitted sender) client-ip=209.85.208.170;
Received: by [my server’s IPv6 address] with POP3 id c17mf13043323lfv.5;
Mon, 07 Feb 2022 11:47:28 -0800 (PST)
X-Gmail-Fetch-Info: gary@servername.com 6 servername.com 995 gary@servername.com
Return-path: <trevor@example1.com>
Envelope-to: gary@example2.com
Received: from mail-lj1-f170.google.com ([209.85.208.170]) by servername.com with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <trevor@example1.com>) id 1nH9yW-0004hV-Iq for gary@example2.com; Mon, 07 Feb 2022 19:47:00 +0000
Received: by mail-lj1-f170.google.com with SMTP id o17so21271673ljp.1
for <gary@example2.com>; Mon, 07 Feb 2022 11:47:00 -0800 (PST)
X-Gm-Message-State: AOAM532GI7/cIU/mATn+tB47lU4fpt3A+BHrENKNun1Wn8cxblAI2lJc 0T9TQQTHf6pNBPGmsZYEVlcrie16WxJIr8TrgGI=
X-Received: by 2002:a2e:2c12:: with SMTP id s18mr618646ljs.391.1644263219898; Mon, 07 Feb 2022 11:46:59 -0800 (PST)
MIME-Version: 1.0
From: "Trevor" <trevor@example1.com>
Date: Mon, 7 Feb 2022 19:46:23 +0000
X-Gmail-Original-Message-ID: <CADynOERpc5xL6s-SN==u50D9TwxvUWz0RFQ1kdbusvhx6LWjGg@mail.gmail.com>
Message-ID: <CADynOERpc5xL6s-SN==u50D9TwxvUWz0RFQ1kdbusvhx6LWjGg@mail.gmail.com>
Subject: XXXXXX
To: Gary <gary@example2.com>

Environment

  • Sympl Version: 10.0
  • Sympl Testing Version? No
  • Debian Version: Buster
  • Hardware Type? Virtual
  • Hosted On? Brightbox

That’s sort of expected, at least at the moment, as you don’t typically need to sign mail unless it’s going out somewhere, but the above is a very good example of why it’s useful.

I’ll have a look into what would be required to have Exim treat all mail as external, although it may not be that trivial to do it safely.


Thank you!

although it may not be that trivial to do it safely

Yes - I did a bit of googling and it sounded a bit scary so I decided not to fiddle :)

I bumped into something similar but different to this today - only the one domain involved, Sympl used for outgoing email and DKIM signing (so /srv/<domain>/config/dkim and dkim.key exist), but the email isn’t stored on the Sympl server (though it probably should be, that’s by the by). For almost all emails, this works lovely, but if an email is sent both from and to emails @<domain>, it isn’t DKIM signed even though it is being sent out (as it doesn’t match dnslookup_with_dkim, but matches vhost_no_local_mail). I think in this case I can create a copy of vhost_no_local_mail as vhost_no_local_mail_with_dkim with the extra check/different transport.
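To make the failure mode in the first post's headers checkable on other messages, here is an added diagnostic script (not part of this thread or of Sympl). It walks the Received chain of a message, finds the hop where our own server accepted it, and reports the client IP an SPF check will be evaluated against, whether that hop was authenticated submission, whether the message ever left the server by SMTP (the only path where Exim's DKIM-signing transport runs), and whether it was instead collected by POP3. The sample headers are constructed from the redacted ones quoted above, and the server name `servername.com` is an assumption.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the redacted headers quoted in this thread (Gmail
# submitted via SMTP AUTH, Exim delivered locally, Gmail then fetched via POP3).
SAMPLE = """\
Received: by [2001:db8::1] with POP3 id c17mf13043323lfv.5;
 Mon, 07 Feb 2022 11:47:28 -0800 (PST)
Return-path: <trevor@example1.com>
Envelope-to: gary@example2.com
Received: from mail-lj1-f170.google.com ([209.85.208.170]) by servername.com
 with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <trevor@example1.com>) id 1nH9yW-0004hV-Iq
 for gary@example2.com; Mon, 07 Feb 2022 19:47:00 +0000
From: "Trevor" <trevor@example1.com>
To: Gary <gary@example2.com>
Subject: test

body
"""

# One Received hop: optional "from <helo> ([ip])", then "by <host> with <proto>".
HOP_RE = re.compile(
    r"(?:from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\)\s+)?"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
)

def diagnose(raw, server="servername.com"):
    """Trace a message's hops and report why SPF/DKIM fail after a POP3 fetch."""
    msg = message_from_string(raw, policy=default)
    hops = [m.groupdict() for h in msg.get_all("Received", [])
            if (m := HOP_RE.search(str(h)))]
    hops.reverse()  # headers are newest-first; reverse to walk the real path
    ours = next((i for i, h in enumerate(hops) if h["by"] == server), None)
    if ours is None:
        return {"seen_by_server": False}
    hop, later = hops[ours], hops[ours + 1:]
    return {
        "seen_by_server": True,
        # SPF is evaluated against the client IP of this hop: a Google address.
        "spf_client_ip": hop["ip"],
        # Exim writes "esmtpa"/"esmtpsa" when the client used SMTP AUTH.
        "authenticated_submission": hop["proto"].lower().endswith("a"),
        # DKIM signing happens in an SMTP transport; locally delivered mail is never signed.
        "left_server_by_smtp": any(h["proto"].lower().startswith(("smtp", "esmtp")) for h in later),
        "collected_by_pop3": any(h["proto"].upper() == "POP3" for h in later),
        "dkim_signed": "DKIM-Signature" in msg,
    }
```

Run `diagnose()` over the raw source of a message that Gmail reported as failing DMARC; a result with `authenticated_submission` true, `left_server_by_smtp` false and `collected_by_pop3` true is exactly the local-delivery case discussed in this thread.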