--- exim4-4.97.orig/src/dkim.c	2023-11-04 12:55:49.000000000 +0000
+++ exim4-4.97/src/dkim.c	2024-11-19 13:21:20.778244378 +0000
@@ -343,7 +343,8 @@
   if (sig->identity) g = string_append_listele(g, ':', sig->identity);
   }
 
-if (g) dkim_signers = g->s;
+gstring_release_unused(g);
+dkim_signers = string_from_gstring(g);
 
 out:
 store_pool = dkim_verify_oldpool;
@@ -358,7 +359,8 @@
 {
 int rc;
 DEBUG(D_receive)
-  debug_printf("calling acl_smtp_dkim for dkim_cur_signer='%s'\n", id);
+  debug_printf("calling acl_smtp_dkim for identity '%s' domain '%s' sel '%s'\n",
+             id, dkim_signing_domain, dkim_signing_selector);
 
 rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim, user_msgptr, log_msgptr);
 dkim_exim_verify_log_sig(dkim_cur_sig);
@@ -369,6 +371,7 @@
 
 
 /* For the given identity, run the DKIM ACL once for each matching signature.
+If none match, run it once.
 
 Arguments
  id		Identity to look for in dkim signatures
@@ -425,7 +428,8 @@
     dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
     dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
 
-    if ((rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK)
+    if (  (rc = dkim_acl_call(id, res_ptr, user_msgptr, log_msgptr)) != OK
+       || dkim_verify_minimal && Ustrcmp(dkim_verify_status, "pass") == 0)
       return rc;
     }
 
--- exim4-4.97.orig/src/pdkim/pdkim.c	2023-11-04 12:55:49.000000000 +0000
+++ exim4-4.97/src/pdkim/pdkim.c	2024-11-19 13:23:34.602957917 +0000
@@ -468,15 +468,12 @@
 static pdkim_signature *
 pdkim_parse_sig_header(pdkim_ctx * ctx, uschar * raw_hdr)
 {
-pdkim_signature * sig;
-uschar *q;
-gstring * cur_tag = NULL;
-gstring * cur_val = NULL;
-BOOL past_hname = FALSE;
-BOOL in_b_val = FALSE;
+pdkim_signature * sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
+uschar * q;
+gstring * cur_tag = NULL, * cur_val = NULL;
+BOOL past_hname = FALSE, in_b_val = FALSE;
 int where = PDKIM_HDR_LIMBO;
 
-sig = store_get(sizeof(pdkim_signature), GET_UNTAINTED);
 memset(sig, 0, sizeof(pdkim_signature));
 sig->bodylength = -1;
 
@@ -1885,11 +1882,9 @@
       {
       sig->verify_status = PDKIM_VERIFY_PASS;
       verify_pass = TRUE;
-      if (dkim_verify_minimal) break;
       }
 
 NEXT_VERIFY:
-
     DEBUG(D_acl)
       {
       debug_printf("DKIM [%s] %s signature status: %s",
@@ -1901,6 +1896,9 @@
       else
 	debug_printf("\n");
       }
+    if (  verify_pass && dkim_verify_minimal
+       && !(acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers))
+      break;
     }
   }
 
--- exim4-4.97.orig/src/receive.c	2024-11-19 13:40:00.000000000 +0000
+++ exim4-4.97/src/receive.c	2024-11-19 13:29:55.972992228 +0000
@@ -3518,12 +3518,10 @@
         {
         uschar * dkim_verify_signers_expanded =
           expand_string(dkim_verify_signers);
-	gstring * results = NULL;
-	int signer_sep = 0;
+        gstring * results = NULL, * seen_items = NULL;
+        int signer_sep = 0, old_pool = store_pool;
 	const uschar * ptr;
 	uschar * item;
-	gstring * seen_items = NULL;
-	int old_pool = store_pool;
 
 	store_pool = POOL_PERM;   /* Allow created variables to live to data ACL */
 
@@ -3577,6 +3575,9 @@
 	    cancel_cutthrough_connection(TRUE, US"dkim acl not ok");
 	    break;
 	    }
+	  else
+		  if (dkim_verify_minimal && Ustrcmp(dkim_verify_status, "pass") == 0)
+		             break;
 	  }
 	dkim_verify_status = string_from_gstring(results);
 	store_pool = old_pool;
--- exim4-4.97.orig/src/smtp_in.c	2024-11-19 13:40:00.000000000 +0000
+++ exim4-4.97/src/smtp_in.c	2024-11-19 13:25:31.555581625 +0000
@@ -1678,7 +1678,6 @@
 #ifndef DISABLE_DKIM
 dkim_cur_signer = dkim_signers =
 dkim_signing_domain = dkim_signing_selector = dkim_signatures = NULL;
-dkim_cur_signer = dkim_signers = dkim_signing_domain = dkim_signing_selector = NULL;
 f.dkim_disable_verify = FALSE;
 dkim_collect_input = 0;
 dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL;