FortiMail
alya (Staff)
Article Id 414317
Description This article describes how to configure FortiMail to perform DMARC alignment scanning (i.e. checking SPF and DKIM alignment with respect to the Header-From domain) and how to interpret the resulting logs (e.g. 'DMARC SPF alignment check failed …', 'DKIM header aligned …').
Scope FortiMail v7.0 and above.
Solution

Background: What is a DMARC Alignment Scan?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) requires not only that SPF or DKIM pass, but also that the authenticated domain is aligned with the domain in the From: header (RFC 5322).

  • SPF alignment: The domain in the SMTP envelope 'MailFrom' (RFC 5321) must match the Header-From domain exactly (strict mode) or be a subdomain of the same organizational domain (relaxed mode).
  • DKIM alignment: The DKIM signing domain (d= tag) must match the Header-From domain exactly (strict mode) or be a subdomain of the same organizational domain (relaxed mode).

A 'DMARC alignment scan' refers to the process by which FortiMail applies these alignment checks and logs and acts upon the results.

Configuration Steps:

Below are steps to enable DMARC alignment scanning in FortiMail.

  1. Enable DMARC Checking in Antispam Profile:

config antispam profile
    edit <profile_name>
        set dmarc-checking enable
    next
end

This ensures FortiMail evaluates SPF and DKIM and applies the alignment logic to incoming email.

  2. Configure Sender Alignment Behavior:

Depending on version, configure which alignment checks to enforce (e.g. header vs envelope, header vs reply-to). For example (in 7.x):

config antispam profile
    edit <profile>
        set sender-alignment header-envelope reply-to
    next
end

  3. Set DMARC Failure Action Preference:

By default, FortiMail may follow the p= policy published in DNS, or FortiMail can override it to use the profile-defined action:

config antispam settings
    set dmarc-failure-action use-profile-action
end

This forces FortiMail to enforce the action defined in the antispam profile whenever DMARC alignment fails.

In newer GUI versions, this setting might be under Security -> Options -> Preference or within the Antispam profile's DMARC section.

Example Log Messages & Interpretation:

Once the DMARC alignment scan is active, the DMARC log messages in FortiMail look like the following:

  • DMARC: DKIM header aligned, DKIM signature valid d=example.com s=default headerFrom=example.com
    • The DKIM signature passed and the signing domain is aligned with the Header-From domain.
  • DMARC SPF alignment check failed. mailFrom=example.com headerFrom=abc.com
    • The SPF check itself may have passed (or failed), but the MailFrom (envelope) domain is not aligned with the Header-From domain, so SPF alignment fails.
  • DMARC: DKIM header not aligned …
    • The DKIM signing domain (d=) does not match the Header-From domain, or a subdomain of it in relaxed mode.

These logs help trace which component (SPF or DKIM) failed alignment, which aids in troubleshooting SPF records, DKIM configurations, or envelope rewriting.
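To make the alignment rules from the background section and the log messages above concrete, here is an added Python example (not FortiMail code) that evaluates SPF and DKIM identifier alignment in strict and relaxed mode and classifies log lines in the format shown above. It assumes the field names (mailFrom=, headerFrom=, d=) exactly as in the sample messages, and it approximates the organizational domain by the last two labels instead of consulting the Public Suffix List.

```python
import re

def org_domain(domain: str) -> str:
    # Approximates the organizational domain with the last two labels.
    # Real evaluators consult the Public Suffix List (e.g. "co.uk");
    # this shortcut is a simplification for the example.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, header_from: str, mode: str = "relaxed") -> bool:
    # Strict alignment needs an exact match; relaxed accepts a subdomain
    # of the same organizational domain.
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "strict" else org_domain(a) == org_domain(h)

def evaluate_dmarc(header_from, mail_from, spf_pass, dkim_domain, dkim_valid,
                   aspf="r", adkim="r"):
    # DMARC passes when either identifier passes AND aligns: SPF on the
    # envelope MailFrom, DKIM on the signing domain (d= tag).
    spf_mode = "strict" if aspf == "s" else "relaxed"
    dkim_mode = "strict" if adkim == "s" else "relaxed"
    spf_ok = bool(spf_pass) and aligned(mail_from, header_from, spf_mode)
    dkim_ok = bool(dkim_valid and dkim_domain) and aligned(dkim_domain, header_from, dkim_mode)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Patterns for the three log messages shown above; the capture groups pull
# the domains out so the failing identifier can be reported.
LOG_PATTERNS = [
    ("dkim_aligned", re.compile(
        r"DMARC: DKIM header aligned.*?d=(?P<d>\S+).*?headerFrom=(?P<header_from>\S+)")),
    ("spf_not_aligned", re.compile(
        r"DMARC SPF alignment check failed\. mailFrom=(?P<mail_from>\S+) headerFrom=(?P<header_from>\S+)")),
    ("dkim_not_aligned", re.compile(r"DMARC: DKIM header not aligned")),
]

def classify_log(line: str):
    # Returns (verdict, captured domains) for a FortiMail-style DMARC log line.
    for name, pattern in LOG_PATTERNS:
        m = pattern.search(line)
        if m:
            return name, m.groupdict()
    return "other", {}

# Constructed sample lines in the format the article shows (not real captures).
SAMPLE_LOGS = [
    "DMARC: DKIM header aligned, DKIM signature valid d=example.com s=default headerFrom=example.com",
    "DMARC SPF alignment check failed. mailFrom=example.com headerFrom=abc.com",
]
```

Running classify_log over SAMPLE_LOGS reports which identifier failed and the domains involved, which is the same triage the log lines support by hand.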