20 files changed, 230 insertions, 11 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index bb7e2cf97..675b0f146 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9137,6 +9137,31 @@ the expansion result is an empty string.
 If the ACL returns defer the result is a forced-fail.  Otherwise the expansion fails.
 
 
+.new
+.vitem "&*${authresults{*&<&'authserv-id&>&*}}*&"
+.cindex authentication "results header"
+.cindex headers "authentication-results:"
+This item returns a string suitable for insertion as an
+&'Authentication-Results"'&
+header line.
+The given <&'authserv-id'&> is included in the result; typically this
+will ba a domain name identifying the system performing the authentications.
+Methods that may be present in the result include:
+.code
+none
+iprev
+auth
+spf
+dkim
+.endd
+
+Example use (as an ACL modifier):
+.code
+      add_header = :at_start:${authresults {$primary_hostname}}
+.endd
+.wen
+
+
 .vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
        {*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
 .cindex "expansion" "extracting certificate fields"
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 180f4b8a7..37f53bf89 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -41,6 +41,9 @@ Version 4.91
 
 11. "exim -bP macro <name>" returns caller-usable status.
 
+12. Expansion item ${authresults {<machine>}} for creating an
+    Authentication-Results: header.
+
 
 Version 4.90
 ------------
diff --git a/src/src/dkim.c b/src/src/dkim.c
index 423aad49c..571586130 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -151,6 +151,12 @@ uschar * s;
 
 if (!sig) return;
 
+if (  dkim_verify_status
+   && (  dkim_verify_status != dkim_exim_expand_query(DKIM_VERIFY_STATUS)
+      || dkim_verify_reason != dkim_exim_expand_query(DKIM_VERIFY_REASON)
+   )  )
+  sig->verify_status |= PDKIM_VERIFY_POLICY;
+
 if (  !dkim_verify_overall
    && dkim_verify_status
       ? Ustrcmp(dkim_verify_status, US"pass") == 0
@@ -166,9 +172,9 @@ logmsg = string_append(logmsg, 2, "d=", s);
 if (!(s = sig->selector)) s = US"<UNSET>";
 logmsg = string_append(logmsg, 2, " s=", s);
 logmsg = string_append(logmsg, 7,
-" c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-"/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
-" a=", dkim_sig_to_a_tag(sig),
+  " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+  "/",   sig->canon_body    == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+  " a=", dkim_sig_to_a_tag(sig),
 string_sprintf(" b=" SIZE_T_FMT,
 		(int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
 if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
@@ -179,10 +185,10 @@ if (sig->expires > 0) logmsg = string_cat(logmsg,
 if (sig->bodylength > -1) logmsg = string_cat(logmsg,
 			      string_sprintf(" l=%lu", sig->bodylength));
 
-if (  !dkim_verify_status
-   || (  dkim_verify_status == dkim_exim_expand_query(DKIM_VERIFY_STATUS)
-      && dkim_verify_reason == dkim_exim_expand_query(DKIM_VERIFY_REASON)
-   )  )
+if (sig->verify_status & PDKIM_VERIFY_POLICY)
+  logmsg = string_append(logmsg, 5,
+	    US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
+else
   switch (sig->verify_status)
     {
     case PDKIM_VERIFY_NONE:
@@ -233,7 +239,7 @@ if (  !dkim_verify_status
 	  logmsg = string_cat(logmsg,
 		US"signature did not verify "
 		"(headers probably modified in transit)]");
-	break;
+	  break;
 
 	default:
 	  logmsg = string_cat(logmsg, US"unspecified reason]");
@@ -244,9 +250,6 @@ if (  !dkim_verify_status
       logmsg = string_cat(logmsg, US" [verification succeeded]");
       break;
     }
-else
-  logmsg = string_append(logmsg, 5,
-	    US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
 
 log_write(0, LOG_MAIN, "%s", string_from_gstring(logmsg));
 return;
@@ -771,5 +774,72 @@ expand_bad:
   goto bad;
 }
 
+
+
+
+gstring *
+authres_dkim(gstring * g)
+{
+pdkim_signature * sig;
+
+for (sig = dkim_signatures; sig; sig = sig->next)
+  {
+  g = string_catn(g, US";\\n\\tdkim=", 10);
+
+  if (sig->verify_status & PDKIM_VERIFY_POLICY)
+    g = string_append(g, 5,
+      US"policy (", dkim_verify_status, US" - ", dkim_verify_reason, US")");
+  else switch(sig->verify_status)
+    {
+    case PDKIM_VERIFY_NONE:    g = string_cat(g, US"none"); break;
+    case PDKIM_VERIFY_INVALID:
+      switch (sig->verify_ext_status)
+	{
+	case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
+          g = string_cat(g, US"tmperror (pubkey unavailable)"); break;
+        case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
+          g = string_cat(g, US"permerror (overlong public key record)"); break;
+        case PDKIM_VERIFY_INVALID_PUBKEY_DNSRECORD:
+        case PDKIM_VERIFY_INVALID_PUBKEY_IMPORT:
+          g = string_cat(g, US"neutral (syntax error in public key record)");
+          break;
+        case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
+          g = string_cat(g, US"neutral (signature tag missing or invalid)");
+          break;
+        case PDKIM_VERIFY_INVALID_DKIM_VERSION:
+          g = string_cat(g, US"neutral (unsupported DKIM version)");
+          break;
+        default:
+          g = string_cat(g, US"permerror (unspecified problem)"); break;
+	}
+      break;
+    case PDKIM_VERIFY_FAIL:
+      switch (sig->verify_ext_status)
+	{
+	case PDKIM_VERIFY_FAIL_BODY:
+          g = string_cat(g,
+	    US"fail (body hash mismatch; body probably modified in transit)");
+	  break;
+        case PDKIM_VERIFY_FAIL_MESSAGE:
+          g = string_cat(g,
+	    US"fail (signature did not verify; headers probably modified in transit)");
+	  break;
+        default:
+          g = string_cat(g, US"fail (unspecified reason)");
+	  break;
+	}
+      break;
+    case PDKIM_VERIFY_PASS:    g = string_cat(g, US"pass"); break;
+    default:                   g = string_cat(g, US"permerror"); break;
+    }
+  if (sig->domain)   g = string_append(g, 2, US" header.d=", sig->domain);
+  if (sig->identity) g = string_append(g, 2, US" header.i=", sig->identity);
+  if (sig->selector) g = string_append(g, 2, US" header.s=", sig->selector);
+  g = string_append(g, 2, US" header.a=", dkim_sig_to_a_tag(sig));
+  }
+return g;
+}
+
+
 # endif	/*!MACRO_PREDEF*/
 #endif	/*!DISABLE_DKIM*/
diff --git a/src/src/expand.c b/src/src/expand.c
index c7ebf9870..44e8e1ba0 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -103,6 +103,7 @@ alphabetical order. */
 
 static uschar *item_table[] = {
   US"acl",
+  US"authresults",
   US"certextract",
   US"dlfunc",
   US"env",
@@ -133,6 +134,7 @@ static uschar *item_table[] = {
 
 enum {
   EITEM_ACL,
+  EITEM_AUTHRESULTS,
   EITEM_CERTEXTRACT,
   EITEM_DLFUNC,
   EITEM_ENV,
@@ -1656,6 +1658,24 @@ return yield;
 
 
 
+/* Append an "iprev" element to an Autherntication-Results: header
+if we have attempted to get the calling host's name.
+*/
+
+static gstring *
+authres_iprev(gstring * g)
+{
+if (sender_host_name)
+  return string_append(g, 3, US";\\n\\tiprev=pass (", sender_host_name, US")");
+if (host_lookup_deferred)
+  return string_catn(g, US";\\n\\tiprev=temperror", 21);
+if (host_lookup_failed)
+  return string_catn(g, US";\\n\\tiprev=fail", 15);
+return g;
+}
+
+
+
 /*************************************************
 *               Return list of recipients        *
 *************************************************/
@@ -4100,6 +4120,34 @@ while (*s != 0)
 	}
       }
 
+    case EITEM_AUTHRESULTS:
+      /* ${authresults {mysystemname}} */
+      {
+      uschar *sub_arg[1];
+
+      switch(read_subs(sub_arg, nelem(sub_arg), 1, &s, skipping, TRUE, name,
+		      &resetok))
+        {
+        case 1: goto EXPAND_FAILED_CURLY;
+        case 2:
+        case 3: goto EXPAND_FAILED;
+        }
+
+      yield = string_append(yield, 3,
+			US"Authentication-Results: ", sub_arg[0], US"; none");
+      yield->ptr -= 6;
+
+      yield = authres_iprev(yield);
+      yield = authres_smtpauth(yield);
+#ifdef SUPPORT_SPF
+      yield = authres_spf(yield);
+#endif
+#ifndef DISABLE_DKIM
+      yield = authres_dkim(yield);
+#endif
+      continue;
+      }
+
     /* Handle conditionals - preserve the values of the numerical expansion
     variables in case they get changed by a regular expression match in the
     condition. If not, they retain their external settings. At the end
diff --git a/src/src/functions.h b/src/src/functions.h
index 6dc3e4973..8a45ae48d 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -104,6 +104,14 @@ extern void    auth_show_supported(FILE *);
 extern uschar *auth_xtextencode(uschar *, int);
 extern int     auth_xtextdecode(uschar *, uschar **);
 
+extern gstring *authres_smtpauth(gstring *);
+#ifdef SUPPORT_SPF
+extern gstring *authres_spf(gstring *);
+#endif
+#ifndef DISABLE_DKIM
+extern gstring *authres_dkim(gstring *);
+#endif
+
 extern uschar *b64encode(uschar *, int);
 extern int     b64decode(const uschar *, uschar **);
 extern int     bdat_getc(unsigned);
diff --git a/src/src/pdkim/pdkim.h b/src/src/pdkim/pdkim.h
index 1a7a0c8d0..775581be7 100644
--- a/src/src/pdkim/pdkim.h
+++ b/src/src/pdkim/pdkim.h
@@ -57,6 +57,7 @@
 #define PDKIM_VERIFY_INVALID   1
 #define PDKIM_VERIFY_FAIL      2
 #define PDKIM_VERIFY_PASS      3
+#define PDKIM_VERIFY_POLICY    BIT(31)
 
 #define PDKIM_VERIFY_FAIL_BODY                    1
 #define PDKIM_VERIFY_FAIL_MESSAGE                 2
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index f54838991..1b7df5c30 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5743,6 +5743,23 @@ while (done <= 0)
 return done - 2;  /* Convert yield values */
 }
 
+
+
+gstring *
+authres_smtpauth(gstring * g)
+{
+if (!sender_host_authenticated)
+  return g;
+
+g = string_append(g, 4, US";\\n\\tauth=pass"
+	" (", sender_host_authenticated, US") smtp.auth=", authenticated_id);
+if (authenticated_sender)
+  g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender);
+return g;
+}
+
+
+
 /* vi: aw ai sw=2
 */
 /* End of smtp_in.c */
diff --git a/src/src/spf.c b/src/src/spf.c
index 9fdc0baec..a2f93b0ce 100644
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -146,4 +146,16 @@ while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
 return FAIL;
 }
 
+
+
+gstring *
+authres_spf(gstring * g)
+{
+if (!spf_result) return g;
+
+return string_append(g, 4, US";\\n\\tspf=", spf_result,
+         US" smtp.mailfrom=", expand_string(US"$sender_address_domain"));
+}
+
+
 #endif
diff --git a/test/confs/3403 b/test/confs/3403
index 813b3b941..79fb73fe1 100644
--- a/test/confs/3403
+++ b/test/confs/3403
@@ -7,6 +7,7 @@ primary_hostname = myhost.test.ex
 # ----- Main settings -----
 
 acl_smtp_rcpt = accept
+acl_smtp_data = accept add_header = :at_start:${authresults {$primary_hostname}}
 
 
 # ----- Authentication -----
diff --git a/test/confs/4500 b/test/confs/4500
index 871e0cd22..a952758ae 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -10,6 +10,7 @@ primary_hostname = myhost.test.ex
 
 acl_smtp_rcpt = accept
 acl_smtp_dkim = check_dkim
+acl_smtp_data = accept logwrite = ${authresults {$primary_hostname}}
 
 log_selector = +dkim_verbose
 
diff --git a/test/confs/4600 b/test/confs/4600
index d93b683d9..2934bf160 100644
--- a/test/confs/4600
+++ b/test/confs/4600
@@ -17,6 +17,7 @@ check_rcpt:
 		logwrite =	spf_header_comment $spf_header_comment
 		logwrite =	spf_smtp_comment   $spf_smtp_comment
 		logwrite =	spf_received       $spf_received
+		logwrite =	${authresults {$primary_hostname}}
 
   accept	hosts =		127.0.0.1
 		spf =		pass : softfail : neutral
@@ -24,11 +25,13 @@ check_rcpt:
 		logwrite =	spf_header_comment $spf_header_comment
 		logwrite =	spf_smtp_comment   $spf_smtp_comment
 		logwrite =	spf_received       $spf_received
+		logwrite =	${authresults {$primary_hostname}}
 
   deny
 		logwrite =	spf_result         $spf_result
 		logwrite =	spf_header_comment $spf_header_comment
 		logwrite =	spf_smtp_comment   $spf_smtp_comment
 		logwrite =	spf_received       $spf_received
+		logwrite =	${authresults {$primary_hostname}}
 
 # End
diff --git a/test/log/4500 b/test/log/4500
index 47b81b982..bc4ff5263 100644
--- a/test/log/4500
+++ b/test/log/4500
@@ -3,18 +3,23 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 512
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
+1999-03-02 09:44:33 10HmaY-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=ses header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 512
 1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
+1999-03-02 09:44:33 10HmbA-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=ses_sha1 header.a=rsa-sha1
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmbB-0005vi-00 NOTE: forcing dkim verify fail (was pass)
 1999-03-02 09:44:33 10HmbB-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak]
+1999-03-02 09:44:33 10HmbB-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=policy (fail - hash too weak) header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4501 b/test/log/4501
index 482ba917a..b4f8d3a74 100644
--- a/test/log/4501
+++ b/test/log/4501
@@ -3,7 +3,9 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= pass@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
+1999-03-02 09:44:33 10HmaY-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=fail (body hash mismatch; body probably modified in transit) header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= fail@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4502 b/test/log/4502
index dbbaa7420..b5dcd81c8 100644
--- a/test/log/4502
+++ b/test/log/4502
@@ -3,14 +3,18 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=564CFC9B.1040905@yahoo.com
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaY-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
 1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
 1999-03-02 09:44:33 10HmbA-0005vi-00 PDKIM: d=test.ex s=sel_bad [failed key import]
 1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
+1999-03-02 09:44:33 10HmbA-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=neutral (syntax error in public key record) header.d=test.ex header.s=sel_bad header.a=rsa-sha1
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@yahoo.com
diff --git a/test/log/4503 b/test/log/4503
index 2693a947c..3a502a1fe 100644
--- a/test/log/4503
+++ b/test/log/4503
@@ -4,4 +4,5 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: validation error: Public key signature verification has failed.
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha512 b=1024 [verification failed - signature did not verify (headers probably modified in transit)]
+1999-03-02 09:44:33 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=fail (signature did not verify; headers probably modified in transit) header.d=test.ex header.s=sel header.a=rsa-sha512
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4504 b/test/log/4504
index b67852209..43389c8a2 100644
--- a/test/log/4504
+++ b/test/log/4504
@@ -4,4 +4,5 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: validation error: Public key signature verification has failed.
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel2 c=simple/simple a=rsa-sha512 b=1024 [verification failed - signature did not verify (headers probably modified in transit)]
+1999-03-02 09:44:33 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=fail (signature did not verify; headers probably modified in transit) header.d=test.ex header.s=sel2 header.a=rsa-sha512
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4506 b/test/log/4506
index 62cea9db4..55bad6163 100644
--- a/test/log/4506
+++ b/test/log/4506
@@ -3,23 +3,29 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
+1999-03-02 09:44:33 10HmaY-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=neutral (signature tag missing or invalid) header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [invalid - signature tag missing or invalid]
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=neutral (signature tag missing or invalid) header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
+1999-03-02 09:44:33 10HmbA-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=fail (body hash mismatch; body probably modified in transit) header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: validation error: LONG_LINE
 1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: Error during validation, disabling signature verification: LONG_LINE
+1999-03-02 09:44:33 10HmbB-0005vi-00 Authentication-Results: myhost.test.ex
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 10HmbC-0005vi-00 signer: test.ex bits: 512
 1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
+1999-03-02 09:44:33 10HmbC-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=fail (unspecified reason) header.d=test.ex header.s=ses_sha256 header.a=rsa-sha1
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmbD-0005vi-00 unknown
 1999-03-02 09:44:33 10HmbD-0005vi-00 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmbD-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
+1999-03-02 09:44:33 10HmbD-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=neutral (signature tag missing or invalid) header.d=test.ex header.s=sel header.a=rsa-sha1
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 0
diff --git a/test/log/4600 b/test/log/4600
index 9c07c1791..3eb81ad43 100644
--- a/test/log/4600
+++ b/test/log/4600
@@ -5,8 +5,10 @@
 1999-03-02 09:44:33 spf_header_comment myhost.test.ex: domain of example.com does not designate ip4.ip4.ip4.ip4 as permitted sender
 1999-03-02 09:44:33 spf_smtp_comment   Please see http://www.openspf.org/Why?id=a%40example.com&ip=ip4.ip4.ip4.ip4&receiver=myhost.test.ex : Reason: mechanism
 1999-03-02 09:44:33 spf_received       Received-SPF: fail (myhost.test.ex: domain of example.com does not designate ip4.ip4.ip4.ip4 as permitted sender) client-ip=ip4.ip4.ip4.ip4; envelope-from=a@example.com; helo=testclient;
+1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n\tspf=fail smtp.mailfrom=example.com
 1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F=<a@example.com> rejected RCPT <fred@test.ex>
 1999-03-02 09:44:33 spf_result         pass
 1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed.
 1999-03-02 09:44:33 spf_smtp_comment   
 1999-03-02 09:44:33 spf_received       Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=b@example.com; helo=testclient;
+1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n\tspf=pass smtp.mailfrom=example.com
diff --git a/test/mail/3403.userx b/test/mail/3403.userx
index d8a0676d6..c344d9b70 100644
--- a/test/mail/3403.userx
+++ b/test/mail/3403.userx
@@ -1,4 +1,6 @@
 From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
+Authentication-Results: myhost.test.ex;
+	auth=pass (plain1) smtp.auth=userx
 Received: from CALLER (helo=testing.ex)
 	by myhost.test.ex with local-esmtpa (Exim x.yz)
 	(envelope-from <CALLER@myhost.test.ex>)
diff --git a/test/stderr/4507 b/test/stderr/4507
index 8a4dd6bff..42dd96980 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -23,4 +23,11 @@ LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024
 >>> accept: condition test succeeded in ACL "check_dkim"
 >>> end of ACL "check_dkim": ACCEPT
 LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
+>>> processing "accept"
+>>> check logwrite = Authentication-Results: myhost.test.ex;\n\tdkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+>>>                = Authentication-Results: myhost.test.ex;
+>>> 	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+LOG: 10HmaX-0005vi-00 Authentication-Results: myhost.test.ex;\n	dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+>>> accept: condition test succeeded in inline ACL
+>>> end of inline ACL: ACCEPT
 LOG: 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net