Jeff_Roback
New Member
May 22, 2018
Question

SPF Validation is skipped for safelist members

  • May 22, 2018
  • 2 replies
  • 17634 views

Not sure if others knew this, but it came as a big surprise to me. When you add an address to the safe list, it's essentially telling the FortiMail to bypass SPF checking. Yes, in retrospect I should have realized this because SPF is one of the antispam checks which are ignored for safe lists.

But this seems like a terrible idea to me because we're telling the system to skip over all antispam protection based upon the sender... and we're not checking to see if the person sending is who they say they are. Essentially, we're doing Authorization without Authentication. It seems like SPF checks should be MORE important for people in the safe list, not less.

This seems like a really big deal to me... because knowing that a company is going to mark its most common business partners as trusted, you can then confidently spoof mail from that domain without having to worry about SPF checks. I can see that we'd need a way to override the SPF check for certain business partners that just can't get the SPF thing right, but these would be the exception.

I know that we can do an SPF check at the Session level, but when it fails there it only increases the reputation score; we don't have the option to set a specific action here, so we can't count on this being effective.

It really seems like there should be a setting for an action to apply under SPF in the session profile, or the SPF check should be moved (or added) to the content section so that having a domain on the safe list doesn't remove the ability to enforce an SPF check for that domain.

    2 replies

    emnoc
    New Member
    May 22, 2018

    You should review the check sequence for the FML to understand what is and is not checked.

    Example:

    http://help.fortinet.com/fmail/5-3-6/admin/index.html#page/FortiMail_Online_Help/overview_01_24.html

    Jeff_Roback
    New Member
    May 22, 2018

    Yes, I've read that in detail. Also the 5.4 admin guide and the 5.4 command line guide. I do understand what the device is doing... and that it's documented. I'm just questioning the logic of it; it seems like an unintended design decision.

    emnoc
    New Member
    May 22, 2018

    Find the FML product manager (he posts here a lot) and bring it up, but SPF for a trusted domain is probably not a requirement since the purpose of a trusted sender is "trust" and SPF is a mail-sender authentication process.

    nagarajs_FTNT
    Staff
    May 31, 2024

    The behavior has changed from version 7.x onwards. There is a command to enforce the SPF, DKIM, and DMARC checks even when the sender is in the safelist:

    config antispam settings
        set safelist-bypass-sender-auth {enable | disable}
    end

    Enable: bypass the sender authentication mechanisms (SPF/DMARC/DKIM) for safelisted senders.
    When disabled, if the scan result of SPF, DKIM, or DMARC is a failure and the sender is safelisted, the SPF, DKIM, or DMARC result takes precedence over the safelist.

    Technical Tip: How to perform SPF, DKIM, and DMARC Antispam checks even if the sender is included in a safe list
    https://community.fortinet.com/t5/FortiMail/Technical-Tip-How-to-perform-SPF-DKIM-and-DMARC-Antispam-checks/ta-p/301539

    Thanks,

    Nagaraj
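The following is an added example, not code from the thread or from FortiMail. It illustrates two things discussed above: the "authorization without authentication" problem in the original post, and the precedence that Nagaraj's reply describes for the safelist-bypass-sender-auth setting. It contains a minimal SPF evaluator (ip4/ip6 mechanisms and the "all" terminator only, as in RFC 7208; a, mx and include are not implemented) and a small policy model whose bypass_sender_auth flag stands in for the FortiMail setting. The SPF records, domain names, IP addresses and the verdict strings are all constructed for the example; the policy function is a model of the described behaviour, not FortiMail's actual check sequence.

```python
"""Added example: toy SPF evaluation plus a model of safelist vs. sender-auth precedence."""
import ipaddress

# Constructed sample data: SPF records two partner domains might publish in DNS.
SPF_RECORDS = {
    "partner.example": "v=spf1 ip4:203.0.113.0/24 -all",       # hard fail for anything else
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",      # soft fail for anything else
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns one of 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    Only ip4:, ip6: and the 'all' terminator are handled; other mechanisms
    (a, mx, include, exists) are skipped, which is a simplification.
    """
    record = records.get(domain)
    if record is None:
        return "none"                       # no SPF record published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not a valid SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # RFC 7208: default qualifier is '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            matched = True
        elif name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            continue                        # unsupported mechanism in this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                        # no mechanism matched and no 'all' present


def antispam_verdict(sender_domain, client_ip, safelist, bypass_sender_auth):
    """Model of the precedence described in the thread (assumption: not FortiMail code).

    bypass_sender_auth mirrors 'safelist-bypass-sender-auth':
      enabled  -> a safelisted sender is delivered regardless of the SPF result
      disabled -> an SPF failure wins over the safelist entry
    Returns (action, reason) where action is 'deliver', 'reject' or 'scan'
    ('scan' meaning: continue with the remaining antispam checks).
    """
    spf = spf_check(sender_domain, client_ip)
    safelisted = sender_domain in safelist
    if safelisted and bypass_sender_auth:
        # The situation the original post objects to: trust without authentication.
        return ("deliver", f"safelisted; SPF result '{spf}' ignored")
    if spf == "fail":
        return ("reject", "SPF hard fail takes precedence over safelist" if safelisted
                else "SPF hard fail")
    if safelisted:
        return ("deliver", f"safelisted and SPF result '{spf}' is not a failure")
    return ("scan", f"not safelisted; SPF result '{spf}', continue antispam checks")


if __name__ == "__main__":
    safelist = {"partner.example"}
    spoof_ip = "192.0.2.5"          # an IP partner.example does not authorize
    for bypass in (True, False):
        action, why = antispam_verdict("partner.example", spoof_ip, safelist, bypass)
        print(f"bypass_sender_auth={bypass}: {action} ({why})")
```

Running the block shows the difference the setting makes: with bypass enabled, mail from an unauthorized IP claiming to be partner.example is delivered even though its SPF result is a hard fail; with bypass disabled, the same message is rejected, while genuine mail from 203.0.113.0/24 still benefits from the safelist.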