FortiGate
tpatel
Staff
Article Id 381850
Description This article describes how to resolve the issue when the user is not getting the activation code of FortiToken through email and sees an 'alert email sending status failed' in system event logs.
Scope FortiGate.
Solution

After the FortiToken activation code is sent by email, the system event log shows the Log Description 'Alert email send status failed' and the user does not receive the activation code.

 


 

Review the email server configuration: 

 

config system email-server
    set server "fortinet-notifications.com"
    set port 465
    set security smtps
end

Make sure the FortiGate can resolve the server FQDN fortinet-notifications.com, test using ping:

 

FGT (root) # execute ping fortinet-notifications.com
PING fortinet-notifications.com (208.91.114.151): 56 data bytes
64 bytes from 208.91.114.151: icmp_seq=0 ttl=49 time=214.5 ms
64 bytes from 208.91.114.151: icmp_seq=1 ttl=49 time=213.2 ms
64 bytes from 208.91.114.151: icmp_seq=2 ttl=49 time=221.2 ms

 

The above shows a working scenario: the FQDN resolves to an IP address and responds to ping. If it does not resolve to an IP address, see the article Technical Tip: DNS issues and commands to use, and/or check the DNS server's reachability.

 

Run the alert email debug together with a packet sniffer on port 465, the port used in the email server configuration.

 

Enable the Email alert debug with output:

diagnose debug reset

diagnose debug enable

diagnose debug console timestamp enable

diagnose debug application alertmail -1

 

Now generate a test email with the following command:

 

   diagnose log alertmail test

 

Sample error shown in the debug output:

 

connecting to 208.91.114.151 port 465   --------> Email server IP address.
failed to connect
session_io_event: creating ssl structure for session 0x95ada40
create_ssl: 0x7f79f9e000
error in SSL_connect (null)
_session_on_destroy
<== send mail failed, m = 0x9574c70 s = 0x95ada40
failed to connect

 

Run the sniffer in another CLI window.

 

diagnose sniffer packet any " host 208.91.114.151 and port 465 " 4 0 l
interfaces=[any]
filters=[ host 208.91.114.151 and port 465 ]
2025-03-13 00:12:27.902250 tunnel out 10.10.10.1.22652 -> 208.91.114.151.465: syn 3808799857
2025-03-13 00:12:29.512246 tunnel out 10.10.10.1.22651 -> 208.91.114.151.465: syn 1821275767
2025-03-13 00:12:29.902249 tunnel out 10.10.10.1.22652 -> 208.91.114.151.465: syn 3808799857

 

The traffic is going over the IPsec tunnel because the IPsec tunnel and the WAN interface are part of the same SD-WAN zone with the same default route. No response to the SYN packets is seen over the IPsec tunnel. To send the traffic out of the WAN interface, specify the source IP in the email server configuration:

 

config system email-server
    set server "fortinet-notifications.com"
    set port 465
    set security smtps
    set source-ip x.x.x.x <----- Specify WAN interface IP address.
end

 

After specifying the source IP in the configuration, check the traffic in the sniffer again: the traffic to the email server now goes over the WAN interface and the TCP 3-way handshake completes.
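
The sniffer check above can be automated. The following Python script is an added example, not part of the original article or any Fortinet tool: it parses sniffer output in the format shown above and reports client ports whose SYN to the email server was never answered, whether the SYN was retransmitted, and whether it left through an interface other than the WAN. The WAN interface name `wan1` is an assumption.

```python
import re
from collections import defaultdict

# Sniffer lines copied from the article's capture (verbosity 4, 'any' interface).
SAMPLE = """\
interfaces=[any]
filters=[ host 208.91.114.151 and port 465 ]
2025-03-13 00:12:27.902250 tunnel out 10.10.10.1.22652 -> 208.91.114.151.465: syn 3808799857
2025-03-13 00:12:29.512246 tunnel out 10.10.10.1.22651 -> 208.91.114.151.465: syn 1821275767
2025-03-13 00:12:29.902249 tunnel out 10.10.10.1.22652 -> 208.91.114.151.465: syn 3808799857
"""

# Layout: date time interface direction src.port -> dst.port: flags
LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?:in|out) "
    r"(?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+): (?P<flags>.+)$"
)

def diagnose(capture, server_ip, server_port, wan_iface):
    """Return one finding per client port whose SYN to the server got no reply."""
    syns = defaultdict(list)  # (client port, interface) -> SYN sequence numbers
    replied = set()           # client ports that received a packet from the server
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines such as 'interfaces=[any]'
        flags = m["flags"].split()
        if (m["dst"], int(m["dport"])) == (server_ip, server_port):
            if flags[0] == "syn" and "ack" not in flags:
                syns[(int(m["sport"]), m["iface"])].append(flags[-1])
        elif (m["src"], int(m["sport"])) == (server_ip, server_port):
            replied.add(int(m["dport"]))
    findings = []
    for (port, iface), seqs in sorted(syns.items()):
        if port not in replied:
            findings.append({
                "client_port": port,
                "egress": iface,
                "retransmitted": len(seqs) != len(set(seqs)),
                "wrong_egress": iface != wan_iface,  # candidate for 'set source-ip'
            })
    return findings

if __name__ == "__main__":
    # 'wan1' is an assumed WAN interface name; substitute the real one.
    for finding in diagnose(SAMPLE, "208.91.114.151", 465, "wan1"):
        print(finding)
```

An empty result means every SYN in the capture received a packet back from the server, which is the state expected once `set source-ip` is in place.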

 

If the 'send mail failed' error still shows in the alert mail debug, run a packet capture (pcap) with the server IP as the destination, check the Client Hello packet in the pcap, and follow the TCP stream as shown in the diagram below.

 

Capturesmtp.PNG

 

The diagram above shows that the public IP is blocklisted by FortiGuard and that the email from this IP has been rejected: the email message was detected as spam. In that case, submit a form to the FortiGuard team to have the IP address checked and whitelisted. The following form can be used for this purpose: https://www.fortiguard.com/faq/antispam/blocklist?

 

Note:

When using an email server other than 'fortinet-notifications.com' (e.g., smtp.gmail.com), the same error can be observed when wrong credentials are supplied. Ensure that the account credentials are up to date. Refer to this article: Technical Tip: How to configure email alerts with Gmail.

 

config system email-server
    set server "smtp.gmail.com"
    set port 587
    set authenticate enable
    set username "test"
    set password xxxxx
    set security starttls
end

 

Related articles:

Technical Tip: Unable to send FortiToken email using custom SMTP server starting v7.4.4 
Troubleshooting Tip: Email alert