Magic SPF and DKIM support
Could be done.
SPF could be done with an config/spf flag, inside could be another flag "hard fail" to make sure -all is set at the end of the record.
DKIM is a bit trickier. Exim4 needs access to read the private key at signing time, so that means that either private keys need to be copied somewhere as root, and then exim4 granted access to read them, or private keys are world readable. Maybe the keys could be generated when domains are added, and kept somewhere specific, but then only used if a "config/dkim" flag is set.