Docs: clarify DKIM verification

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b1cc46862743cda0f8fc56ebf931a7655d6b5ad2..173d69222845a1f24b748e89f57c404b739cc70f 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39037,7 +39037,7 @@ tag value.  Note that Exim does not check the value.
 This option sets the canonicalization method used when signing a message.
 The DKIM RFC currently supports two methods: "simple" and "relaxed".
 The option defaults to "relaxed" when unset. Note: the current implementation
 This option sets the canonicalization method used when signing a message.
 The DKIM RFC currently supports two methods: "simple" and "relaxed".
 The option defaults to "relaxed" when unset. Note: the current implementation

-only supports using the same canonicalization method for both headers and body.
+only supports signing with the same canonicalization method for both headers and body.

 
 .option dkim_strict smtp string&!! unset
 This  option  defines  how  Exim  behaves  when  signing a message that
 
 .option dkim_strict smtp string&!! unset
 This  option  defines  how  Exim  behaves  when  signing a message that


@@ -39071,22 +39071,28 @@ name will be appended.
 .section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"
 .cindex "DKIM" "verification"
 
 .section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"
 .cindex "DKIM" "verification"
 

-Verification of DKIM signatures in SMTP incoming email is implemented via the
-&%acl_smtp_dkim%& ACL. By default, this ACL is called once for each
+.new
+Verification of DKIM signatures in SMTP incoming email is done for all
+messages for which an ACL control &%dkim_disable_verify%& has not been set.
+.cindex authentication "expansion item"
+Performing verification sets up information used by the
+&$authresults$& expansion item.
+.wen
+
+.new The results of that verification are then made available to the
+&%acl_smtp_dkim%& ACL, &new(which can examine and modify them).
+By default, this ACL is called once for each

 syntactically(!) correct signature in the incoming message.
 A missing ACL definition defaults to accept.
 If any ACL call does not accept, the message is not accepted.
 If a cutthrough delivery was in progress for the message, that is
 summarily dropped (having wasted the transmission effort).
 
 syntactically(!) correct signature in the incoming message.
 A missing ACL definition defaults to accept.
 If any ACL call does not accept, the message is not accepted.
 If a cutthrough delivery was in progress for the message, that is
 summarily dropped (having wasted the transmission effort).
 

-To evaluate the signature in the ACL a large number of expansion variables
+To evaluate the &new(verification result) in the ACL
+a large number of expansion variables

 containing the signature status and its details are set up during the
 runtime of the ACL.
 
 containing the signature status and its details are set up during the
 runtime of the ACL.
 

-.cindex authentication "expansion item"
-Performing verification sets up information used by the
-&$authresults$& expansion item.
-

 Calling the ACL only for existing signatures is not sufficient to build
 more advanced policies. For that reason, the global option
 &%dkim_verify_signers%&, and a global expansion variable
 Calling the ACL only for existing signatures is not sufficient to build
 more advanced policies. For that reason, the global option
 &%dkim_verify_signers%&, and a global expansion variable