I gather you have completed your program already, but I had this in the works and it might be useful for people doing similar things.
Lindsay Haisley writes:
Is there any reason to pull in a more recent MM 2 and use the DMARC detection code therein? Speed is important here since this is simply a turnaround on a single email, not dependent on any list variables. I'm reluctant to burden every redirection turnaround with an HTTP look-up.
You may want to consider improving performance by caching DNS results by domain. This should take a reasonable amount of space as long as you do this check after spam elimination. If expiries are fixed you will need to have a reasonably short expiry on negative (p=none) results (fails nasty -- bounces from receivers), but could have a pretty long one on positive results. You could also get the actual TTL out of the DNS reply for more accurate expiry.
Of course the effectiveness of caching depends heavily on the actual pattern of mail received at the domains in question.
You don't need to burden each redirection with an HTTP lookup. There's only one publicsuffix list, which you can download occasionally. I would guess once a day would be more than enough and no burden at all; you could even do it asynchronously in a cron job.
if from_domain publishes bad DMARC:
    if Reply-To does not exist:
        copy From header to Reply-To
    Replace From with "On behalf of old_From" <postmaster@fmp.com>
Feed headers and body to Courier's sendmail clone
My take on it is that this should work OK.
I think you should consider adding an else to the inner if:
    else:
        append From to Reply-To
as Mailman does. Otherwise the user has to copy/paste the address if they really want to reply to the author rather than the Reply-To for some reason, and it may not be present at all if you follow Mark's advice to not copy it to the display name in From.
I'm with Mark on everything else. I don't think the probability you need to deal with organizational domains is that high, but the costs are potentially high (collateral damage = disabled or unsubscribed users).
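The pieces discussed in this thread, put together as an added example (this is not Lindsay's script, nor Mailman's DMARC code): a per-domain cache of DMARC policy lookups that honours the DNS TTL but caps negative results at a short expiry, and the From/Reply-To rewrite from the pseudocode above with the suggested else branch. The DNS answers are a constructed in-memory table so the block runs offline; a real deployment would query `_dmarc.<domain>` TXT with a resolver library. The postmaster address, the TTL caps, and the choice to put only the sender's display name (or local part) in the rewritten From, rather than the full address, are assumptions.

```python
"""Added example: DMARC policy cache plus From/Reply-To munging for a
redirection turnaround.  Not code from the original thread or from Mailman."""
import email
import time
from email.utils import formataddr, getaddresses, parseaddr

# Constructed stand-in for DNS: domain -> (TXT record at _dmarc.<domain>, TTL)
FAKE_DNS = {
    "strict.example": ("v=DMARC1; p=reject; rua=mailto:d@strict.example", 3600),
    "quarantine.example": ("v=DMARC1; p=quarantine", 1800),
    "lax.example": ("v=DMARC1; p=none", 300),
}
NEGATIVE_TTL = 300        # assumption: short expiry for "no policy" results
POSITIVE_TTL_MAX = 86400  # assumption: cap on how long a bad-policy hit lives

def lookup_dmarc_txt(domain):
    """Stand-in for a TXT query of _dmarc.<domain>; (None, ttl) on NXDOMAIN."""
    return FAKE_DNS.get(domain.lower(), (None, NEGATIVE_TTL))

def parse_dmarc_policy(txt):
    """Return the p= tag of a DMARC TXT record, or None if absent/not DMARC."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

class DmarcCache:
    """Caches whether a domain publishes p=reject/p=quarantine, keyed by domain.
    Expiry comes from the DNS TTL, capped short for negative results."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}   # domain -> (is_bad, expires_at)
        self.lookups = 0     # number of real (non-cached) lookups performed

    def is_bad(self, domain):
        domain = domain.lower()
        now = self._clock()
        hit = self._entries.get(domain)
        if hit and hit[1] > now:
            return hit[0]
        self.lookups += 1
        txt, ttl = lookup_dmarc_txt(domain)
        bad = parse_dmarc_policy(txt) in ("reject", "quarantine")
        ttl = min(ttl, POSITIVE_TTL_MAX if bad else NEGATIVE_TTL)
        self._entries[domain] = (bad, now + ttl)
        return bad

def munge_for_dmarc(msg, cache, postmaster="postmaster@fmp.com"):
    """Rewrite From/Reply-To in place when the From domain's DMARC policy would
    make receivers reject the forwarded copy.  Returns True if rewritten."""
    old_from = msg["From"]
    name, addr = parseaddr(old_from or "")
    if "@" not in addr or not cache.is_bad(addr.rpartition("@")[2]):
        return False
    if msg.get("Reply-To") is None:
        msg["Reply-To"] = old_from                      # copy From to Reply-To
    else:                                               # the suggested else:
        existing = getaddresses(msg.get_all("Reply-To"))  # append From to it
        del msg["Reply-To"]
        msg["Reply-To"] = ", ".join(formataddr(p) for p in existing + [(name, addr)])
    del msg["From"]
    # Assumption: display name only, never the raw address, in the new From
    who = name or addr.partition("@")[0]
    msg["From"] = formataddr(("On behalf of " + who, postmaster))
    return True

def process(raw, cache=None, postmaster="postmaster@fmp.com"):
    """Parse a raw message, apply the rewrite, and report the result headers.
    The caller would then hand msg.as_string() to the local sendmail binary."""
    msg = email.message_from_string(raw)
    rewritten = munge_for_dmarc(msg, cache or DmarcCache(), postmaster)
    return {"rewritten": rewritten, "From": msg["From"],
            "Reply-To": msg.get("Reply-To"), "message": msg.as_string()}

# Constructed sample messages
SAMPLE_STRICT = ("From: Alice Example <alice@strict.example>\n"
                 "To: list@fmp.com\nSubject: hi\n\nbody\n")
SAMPLE_STRICT_REPLY_TO = ("From: Alice Example <alice@strict.example>\n"
                          "Reply-To: Bob <bob@other.example>\n"
                          "To: list@fmp.com\nSubject: hi\n\nbody\n")
SAMPLE_LAX = "From: Carol <carol@lax.example>\nTo: list@fmp.com\n\nbody\n"
```

The cache counts real lookups so the TTL behaviour can be checked with an injected clock; in production the clock default is `time.time` and the stand-in table would be replaced by a real `_dmarc.<domain>` TXT query, with the publicsuffix list left out entirely, as the thread concludes it is not worth the risk for this use.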