For a client we've implemented the DKIM plugin and use it only for inbound DMARC/DKIM/SPF validation.
The issue:
1. a mail is sent from sender.com to domain.com.
2. the mail is forwarded to recipient.com (in this domain, on this server, we use the plugin)
3. DMARC p=reject for sender.com
The result:
09:25:45.069 start to dmarc check based on spf and dkim result ...
09:25:45.069 SmtpMailFromOrHeloDomain someone@domain.com
09:25:45.069 HeaderMailFrom someone@sender.com
09:25:45.069 query dmarc text from _dmarc.sender.com
09:25:45.069 v=DMARC1; p=reject; rf=afrf; pct=100; ri=86400
09:25:45.069 SPF Result: pass
09:25:45.069 DKIM Result: fail
09:25:45.069 evaluate alignment by v=DMARC1; p=reject; rf=afrf; pct=100; ri=86400
09:25:45.069 SPF Alignment Result: fail
09:25:45.069 DKIM Alignment Result: fail
09:25:45.069 DMARC Result: fail
So far so good: the HeaderMailFrom is preserved in the forward but the SmtpMailFromOrHeloDomain is changed to
someone@domain.com and this causes DKIM to fail, which in turn causes DMARC to fail.
I understand this, but I also want to fix this. I've tried to add the sender's IP (in this case all messagelabs IP addresses) to the trustedIPAddresses and ignoredGatewayIPAddressesForSpfCheck. The SPF should work, but the trustedIPAddresses seem to get ignored.
The result:
Detect if message should be rejected by SPF result.
Detect if message should be rejected by DKIM result.
Detect if message should be rejected by DMARC result.
Dmarc result is fail, dmarc record is: v=DMARC1; p=reject; rf=afrf; pct=100; ri=86400
Check if sender or signer domain is in ignoreDomains list.
Check ignore item: domain.com
Reject message based on spfResultToReject/dkimResultToReject/dmarcResultToReject.
So the message is rejected, even though the IP address of the sending server was mentioned in the trustedIPAddresses.
I could add domain.com to the ignoreDomains list, but I'm wondering if something else is wrong in my approach?
Thanks!
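The alignment logic visible in the log above, replayed as an added example (this is a constructed model written for this thread, not the plugin's code). It takes the SPF and DKIM authentication results, checks identifier alignment of the SMTP MAIL FROM domain and the DKIM signing domain against the header From domain, and derives the DMARC result and the final disposition. The sample message values (sender.com, domain.com, the `p=reject` record) are taken from the post; the `ignoreDomains` semantics are assumed from the log wording ("sender or signer domain"), and the organizational-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
"""Constructed DMARC alignment model (added example, not the plugin's code)."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; a real verifier uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, header_from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) accepts the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == header_from_domain.lower()
    return org_domain(identifier_domain) == org_domain(header_from_domain)


def parse_dmarc_record(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


@dataclass
class Message:
    header_from_domain: str     # RFC5322.From, preserved by the forwarder
    smtp_mail_from_domain: str  # RFC5321.MailFrom, rewritten by the forwarder
    spf_result: str             # SPF verdict for the connecting server
    dkim_result: str            # DKIM verification verdict
    dkim_signing_domain: str    # d= tag of the signature that was verified


def evaluate_dmarc(msg: Message, record: str) -> dict:
    """Combine authentication results with alignment, as the log does:
    DMARC passes only if at least one *aligned* mechanism passes."""
    tags = parse_dmarc_record(record)
    spf_aligned = msg.spf_result == "pass" and aligned(
        msg.smtp_mail_from_domain, msg.header_from_domain, tags.get("aspf", "r"))
    dkim_aligned = msg.dkim_result == "pass" and aligned(
        msg.dkim_signing_domain, msg.header_from_domain, tags.get("adkim", "r"))
    return {
        "spf_alignment": "pass" if spf_aligned else "fail",
        "dkim_alignment": "pass" if dkim_aligned else "fail",
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "policy": tags.get("p", "none"),
    }


def disposition(evaluation: dict, msg: Message, ignore_domains=()) -> str:
    """Final decision modelled on the log: a DMARC fail under p=reject is
    rejected unless the sender (header From) or signer domain is on the
    ignoreDomains list. The exact plugin semantics are an assumption here."""
    if evaluation["dmarc"] == "pass":
        return "accept"
    if {msg.header_from_domain, msg.dkim_signing_domain} & set(ignore_domains):
        return "accept (ignoreDomains)"
    return "reject" if evaluation["policy"] == "reject" else "accept"


# Constructed replay of the scenario in the post: SPF passes for the
# forwarder (domain.com) but does not align with the From domain (sender.com),
# and the DKIM signature did not survive forwarding.
RECORD = "v=DMARC1; p=reject; rf=afrf; pct=100; ri=86400"
FORWARDED = Message("sender.com", "domain.com", "pass", "fail", "sender.com")

# Same forward, but with the original DKIM signature still verifying.
FORWARDED_DKIM_INTACT = Message("sender.com", "domain.com", "pass", "pass", "sender.com")


if __name__ == "__main__":
    for label, msg in (("as logged", FORWARDED), ("DKIM intact", FORWARDED_DKIM_INTACT)):
        ev = evaluate_dmarc(msg, RECORD)
        print(label, ev, "->", disposition(ev, msg))
```

Running it shows why a whitelisted relay IP does not help: SPF already passes for the forwarder, but the pass belongs to domain.com and cannot align with sender.com, and with the signature broken nothing aligned remains. The second case shows the same forward passing once the DKIM signature verifies, which is the property to preserve on the forwarding hop.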