Technical Tip: How to stop read receipts from inbound email
Description
This article describes how an external email sender can request a read-read receipt in an email, prompting the protected recipient's e-mail client to send a receipt or in the case of some mail clients send it automatically.
Scope
FortiMail.
Solution
When sending back a read-receipt, as this is an SMTP communication, the external recipient can be added to a user safelist if the resource profile option 'Safelist recipients of outbound message' is enabled.
In the GUI:
In the CLI:
FML # config profile resource
FML (resource) # edit Res_Default
FML (Res_Default) # set outbound-safelist
disable disable option
enable enable option
--- current value ---
outbound-safelist: enable
The sender's e-mail client inserts the header 'Disposition-Notification-To:' and, based on this header, the protected user's e-mail client will prompt for a read request or send it automatically.
It is possible to 'disarm' such read-receipt requests so that the protected user's e-mail client will not even know there was a request in the first place, and thus no read-receipt is requested or sent back automatically.
To do that, edit the session profile used for inbound mail: Profile > session and under 'Header Manipulation' > add the header 'Disposition-Notification-To' to be removed.
This way, the read-receipt request does not appear in the protected email clients.
And header:
