diff xml/dnsbl.in @ 458:6c1c2bd9fb54 stable-6-0-73

ignore dnswl entries if the sender is <>
author Carl Byington <carl@five-ten-sg.com>
date Tue, 18 Sep 2018 09:49:21 -0700
parents f2bc221240e8
children f3f1ece619ba
--- a/xml/dnsbl.in	Wed Jun 06 07:33:44 2018 -0700
+++ b/xml/dnsbl.in	Tue Sep 18 09:49:21 2018 -0700
@@ -25,7 +25,7 @@
 
     <refentry id="@PACKAGE@.1">
         <refentryinfo>
-            <date>2018-06-04</date>
+            <date>2018-09-18</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -391,11 +391,10 @@
                 </para></listitem>
                 <listitem><para>
                     If the answer is white, the mail is not from localhost,
-                    and the envelope from domain name is
-                    listed in the current (or parents) filtering contexts dkim_from with
-                    "required_signed" or "unsigned_black", we downgrade this white answer to unknown.
-                    If the answer is still white, mail to this recipient is accepted and the dns
-                    lists are not checked.
+                    and the envelope from domain name is listed in the current (or parents)
+                    filtering contexts dkim_from with "required_signed" or "unsigned_black",
+                    we downgrade this white answer to unknown. If the answer is still white,
+                    mail to this recipient is accepted and the dns lists are not checked.
                 </para></listitem>
                 <listitem><para>
                     If the answer is unknown, we don't reject yet, but the dns lists will be
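Review bot: The re-wrapped sentence still spells the dkim_from keyword as "required_signed", while the sample dkim_from entries later in this same file use `require_signed` (the paypal.com lines). If `require_signed` is the spelling the parser accepts, an administrator copying the keyword from this paragraph would end up with an entry that is rejected or ignored. The prose should then read `filtering contexts dkim_from with "require_signed" or "unsigned_black",`. The enclosing list starts and ends outside the hunk.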
@@ -413,7 +412,8 @@
                     expression.
                 </para></listitem>
                 <listitem><para>
-                    If the mail has not been accepted or rejected yet, the dns white lists
+                    If the mail has not been accepted or rejected yet, and the envelope from
+                    email address is not empty, the dns white lists
                     specified in the filtering context are checked and the mail is accepted
                     if any list has an A record for the standard dns based lookup scheme
                     (reversed octets of the client followed by the dns suffix) with a final
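Review bot: The added condition "the envelope from email address is not empty" is looser than the commit title, which names the sender `<>`. Naming the null reverse-path explicitly avoids any reading that a malformed or whitespace-only address is meant, for example `and the envelope from is not the null sender (&lt;&gt;), the dns white lists`. One further sentence could state the consequence: bounce-style mail is no longer accepted on a dnswl hit alone and, presumably, continues to the later checks. The list item continues outside the hunk, so that may already be covered there.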
@@ -458,6 +458,7 @@
             <para>
                 For each recipient that was accepted, we search for an autowhite entry
                 starting in the reply filtering context. If an autowhite entry is found,
+                and the local part of the recipient address is shorter than 35 characters,
                 we add the recipient to that auto whitelist file. This will prevent reply
                 messages from being blocked by the dnsbl or content filtering.
             </para>
@@ -494,6 +495,7 @@
                 If any of the message signers are in that list, or if
                 the source ip address passes a strong spf check for the header from
                 domain, processing continues. Otherwise, the message is rejected.
+                This is very close to enforcing DMARC for the header from domain.
             </para>
             <para>
                 If any of the message signers are blacklisted, the message is rejected.
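Review bot: The added sentence "This is very close to enforcing DMARC for the header from domain" does not say where the check departs from DMARC, which is what a reader deciding whether to rely on it needs to know. As this paragraph describes it, the decision uses a locally configured signer list and an SPF check made for the header from domain. DMARC instead evaluates SPF on the envelope sender with alignment to the header from domain, and takes its policy from the domain's published record. Consider following the sentence with something like `It differs from DMARC in that the signer list is configured locally and the domain's published DMARC policy is not consulted.`, adjusted to what the implementation actually does.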
@@ -785,7 +787,7 @@
 
     <refentry id="@PACKAGE@.conf.5">
         <refentryinfo>
-            <date>2018-06-04</date>
+            <date>2018-09-18</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -963,6 +965,13 @@
         };
         dkim_from {
             #
+            # dmarc enforcement
+            aim.com             unsigned_black  "aim.com,mx.aim.com";
+            aol.com             unsigned_black  "aol.com,mx.aol.com";
+            yahoo.co.uk         unsigned_black  yahoo.co.uk;
+            yahoo.com           unsigned_black  yahoo.com;
+            yahoo.in            unsigned_black  yahoo.in;
+            #
             # white/blacklisting based on presence of valid signatures
             credit.paypal.com   require_signed  credit.paypal.com;
             paypal.com          require_signed  paypal.com;