FortiGate
spoojary
Staff
Article Id 245829
Description This article describes how to configure an email filter profile on a FortiGate to detect, tag, and manage spam across different email protocols such as IMAP, POP3, and SMTP, and how to troubleshoot FortiGuard spam filtering options (IP address check, URL check, etc.) that are not saved even when OK is pressed.
Scope FortiGate, v7.4.3, v7.2.4.
Solution

Initial Configuration:

In certain scenarios, enabling and configuring email filtering on FortiGate helps manage spam effectively and adds another layer of security to email communication. The steps below illustrate how to configure the email filter profile and utilize features like FortiGuard spam filtering and local spam filtering.

 

Enable Email Filtering Feature:

To ensure all required features are visible:

  1. Go to System -> Feature Visibility.
  2. Enable Email Filter and Email Collection.

 


Create Email Filtering:

  1. Navigate to Security Profiles -> Email Filter.
  2. Select Create New to create a new email filter profile.
  3. Name the profile (e.g., Block_Spam) and enable Spam Detection and Filtering.

 


Configure Spam Detection by Protocol:

  1. For each protocol (IMAP, POP3, SMTP):
    • Set Spam Action to 'Tag'. This will add a spam tag to detected emails.
    • Set Tag Location to "subject" to append a tag to the email subject line.
    • Set the Tag Format (e.g., FortiGate_Tag) for consistency.

 

Enable FortiGuard Spam Filtering:

  1. Enable the following options to leverage FortiGuard's advanced spam detection:

    • IP Address Check: Identifies spam sources by IP reputation.
    • URL Check: Analyzes URLs in email content against a spam database.
    • Detect Phishing URLs in Email: Detects potential phishing links.
  2. Optionally, enable additional features:

    • Email Checksum Check: Detects duplicate or template-based spam emails (default is off).
    • Spam Submission: Allows users to submit emails for spam analysis. 

 


Configure Local Spam Filtering:

  1. Enable the Block/Allow List option to add custom filtering rules.
  2. To create a rule:
    • Set the Type to 'Subject'.
    • Choose the Pattern Type (e.g., Wildcard or Regular Expression).
    • Enter a Pattern (e.g., Bonus Offer) to match.
    • Select the Action (Mark as Spam, Mark as Clear, or Mark as Reject).
  3. Enable the Status toggle for the rule to take effect.

 

Optional Enhancements:

  • Enable HELO DNS Lookup or Return Email DNS Check for stricter validation of email headers.
  • Add specific patterns or domains to the Block/Allow List to handle known spam or trusted sources.

 


The Block/Allow List is checked after the HELO DNS lookup. To have local email filtering take precedence over the HELO DNS lookup, enable local-override in the email filter profile. Only SMTP offers the local-override option; IMAP, POP3, and Gmail do not. Protocols other than SMTP may offer only the tag action.

 

Save and Apply to the Firewall Policy:

  1. Once the configuration is complete, select OK to save the profile.
  2. Apply the email filter profile to relevant firewall policies under Policy & Objects -> Firewall Policy. 

 


The configured email filter will tag and manage spam effectively, reducing risks from phishing or spam campaigns.

 

Troubleshooting:

In this scenario, the user is running v7.2.3 and wants to add an Email Filter to the policy.

When the user enables options such as 'URL check' and 'IP address check' in the FortiGuard spam filtering section and selects OK, the settings are not saved.

The Feature set option is visible at the top of the GUI. Change it to proxy-based, then enable the options and save again. On returning to the email filter, the options are now saved.

 


In FortiOS v7.2.4, those options are not visible in the GUI.

 


In this case, change the feature set from the CLI:

config emailfilter profile
    edit default
        set feature-set proxy
    next
end

 

After changing it from the CLI, it is possible to enable those options and save them.

 

If necessary, change the inspection mode of the firewall policy to proxy so that the email filter security profile just created is visible.

 

config firewall policy
    edit x
        set inspection-mode proxy
    next
end

 

To enable Anti-Spam/Email Filter logs, follow this KB article: Technical Tip: How to enable email and spam filter logs

 

Once configured, the logs can be viewed from Log & Reports -> Security Events -> Anti-Spam. 

Sample Log:


date=2025-03-21 time=23:41:39 eventtime=1742557299240425227 tz="+1200" logid="0520020510" type="utm" subtype="emailfilter" eventtype="webmail" level="information" vd="root" policyid=12 poluuid="445e34b2-e0b3-51ef-92fc-7c262248520f" policytype="policy" sessionid=2573176 srcip=10.0.6.84 srcport=53780 srccountry="Reserved" srcintf="port3" srcintfrole="undefined" srcuuid="fd7fc41e-dd4e-51ef-7e15-76987eca007a" dstip=142.251.36.69 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="fd7fc41e-dd4e-51ef-7e15-76987eca007a" proto=6 service="HTTPS" action="log-only" webmailprovider="gmail" from="demented***bd@gmail.com" to="n***devan*@gmail.com" direction="outgoing" msg="general email log" subject="test" size="6412" attachment="no"
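
To confirm from exported logs that the profile is acting on mail, the key=value format of the sample above can be parsed and the email filter events counted by action. This is an added example, not Fortinet code: the function names are hypothetical, the first input is an abridged copy of the sample line, and the other two lines (including the smtp and tagged values) are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# key=value pairs: a value is either double-quoted (may hold spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Abridged copy of the sample log line shown above.
SAMPLE = (
    'date=2025-03-21 time=23:41:39 eventtime=1742557299240425227 tz="+1200" '
    'logid="0520020510" type="utm" subtype="emailfilter" eventtype="webmail" '
    'policyid=12 srcip=10.0.6.84 dstcountry="United States" service="HTTPS" '
    'action="log-only" webmailprovider="gmail" direction="outgoing" '
    'msg="general email log" subject="test" size="6412" attachment="no"'
)
# Constructed lines for illustration; the smtp/tagged values are assumptions.
CONSTRUCTED = [
    'date=2025-03-21 time=23:45:02 tz="+1200" type="utm" subtype="emailfilter" '
    'eventtype="smtp" policyid=12 action="tagged" subject="Bonus Offer"',
    'date=2025-03-21 time=23:45:09 tz="+1200" type="traffic" subtype="forward" '
    'policyid=12 action="accept"',
]

def parse_log(line):
    """Split one log line into a dict of field name -> string value."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def event_time(fields):
    """Turn eventtime (nanoseconds since the epoch) into local time via the tz field."""
    tz = fields["tz"]  # for example "+1200"
    sign = -1 if tz.startswith("-") else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return datetime.fromtimestamp(int(fields["eventtime"]) // 10**9, timezone(offset))

def emailfilter_summary(lines):
    """Count email filter events by (eventtype, action), ignoring other log types."""
    counts = Counter()
    for fields in map(parse_log, lines):
        if fields.get("type") == "utm" and fields.get("subtype") == "emailfilter":
            counts[(fields.get("eventtype"), fields.get("action"))] += 1
    return counts

if __name__ == "__main__":
    print(event_time(parse_log(SAMPLE)).isoformat())
    for (eventtype, action), n in emailfilter_summary([SAMPLE, *CONSTRUCTED]).items():
        print(f"{eventtype:8} {action:10} {n}")
```
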

 

Related articles:

Technical Tip: Mark as Spam and discard SPAM Email of a specific domain using AntiSpam profile and R...

Technical Tip: 'Mark as Reject' not available in Anti-Spam Block/Allow List Entry