FortiMail
adavila
Staff
Article Id 194658

Description


This article describes how to prevent email spoofing by creating two access control policies on FortiMail, in either Gateway Mode or Server Mode.

 

Email spoofing is the creation of email messages with a forged sender address (an existing mailbox or a fictitious one) so that the message appears to come from the mail server's own domain, replacing the real sender's identity.

 

Scope

 

FortiMail.


Solution

 

To prevent email spoofing it is necessary to create two Access Control Policies. The first verifies whether the sender has supplied credentials (user and password); if so, the email is relayed. If not, the email is evaluated by the second policy, which rejects it because no credentials were supplied (not authenticated). The policies required are:
Create a Policy for accounts with credentials (user and password):
  • Sender pattern: Internal
  • Recipient pattern: User Defined (*)
  • Sender IP/netmask: User Defined (0.0.0.0/0)
  • Reverse DNS pattern: *
  • Authentication status: Authenticated
  • TLS profile: --None--
  • Action: RELAY

 

Create a Policy for accounts with no credentials:

  • Sender pattern: Internal
  • Recipient pattern: User Defined (*)
  • Sender IP/netmask: User Defined (0.0.0.0/0)
  • Reverse DNS pattern: *
  • Authentication status: Not Authenticated
  • TLS profile: --None--
  • Action: REJECT
 
The example in the GUI: [screenshots of the two access control policies, the authenticated RELAY policy and the not-authenticated REJECT policy]
The equivalent CLI configuration is as follows:

config policy access-control receive
    edit 1
        set status enable
        set sender-pattern-type internal
        set sender-pattern *
        set recipient-pattern-type default
        set recipient-pattern *
        set sender-ip-type ip-mask
        set sender-ip-mask 0.0.0.0/0
        set reverse-dns-pattern *
        set reverse-dns-pattern-regexp no
        set authenticated authenticated
        unset tls-profile
        set action relay
        unset comment
    next
    edit 2
        set status enable
        set sender-pattern-type internal
        set sender-pattern *
        set recipient-pattern-type default
        set recipient-pattern *
        set sender-ip-type ip-mask
        set sender-ip-mask 0.0.0.0/0
        set reverse-dns-pattern *
        set reverse-dns-pattern-regexp no
        set authenticated not-authenticated
        unset tls-profile
        set action reject
        unset comment
    next
end
 
The policy IDs (1 and 2) are for reference only and should be changed to fit the end customer's configuration.
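The following is an added example (not FortiMail code) that models how the two policies above are evaluated: policies are checked top-down and the first match decides the action. It assumes that the "Internal" sender pattern means the envelope sender's domain is a protected domain (example.com here, a constructed value), and it adds a hypothetical third policy for an internal application server that cannot authenticate, to show that such an exception only works when placed above the REJECT policy.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed sample: the protected domain FortiMail treats as "internal" (assumption).
PROTECTED_DOMAINS = {"example.com"}

# The two policies from the article, as dicts. Access control policies are
# evaluated top-down and the first match applies, so list order is policy order.
POLICIES = [
    {"id": 1, "sender_type": "internal", "sender": "*", "recipient": "*",
     "sender_ip": "0.0.0.0/0", "authenticated": True, "action": "relay"},
    {"id": 2, "sender_type": "internal", "sender": "*", "recipient": "*",
     "sender_ip": "0.0.0.0/0", "authenticated": False, "action": "reject"},
]

# Hypothetical exception for an internal application server that cannot do SMTP AUTH.
APP_SERVER_EXCEPTION = {"id": 3, "sender_type": "internal", "sender": "*",
                        "recipient": "*", "sender_ip": "192.0.2.0/24",
                        "authenticated": False, "action": "relay"}

def is_internal(sender: str) -> bool:
    """'Internal' sender pattern: the envelope sender's domain is a protected domain."""
    return sender.rsplit("@", 1)[-1].lower() in PROTECTED_DOMAINS

def matches(policy, sender, recipient, client_ip, authenticated) -> bool:
    """Check every field of one policy against the attributes of the SMTP session."""
    if policy["sender_type"] == "internal" and not is_internal(sender):
        return False
    if not fnmatchcase(sender.lower(), policy["sender"]):
        return False
    if not fnmatchcase(recipient.lower(), policy["recipient"]):
        return False
    if ip_address(client_ip) not in ip_network(policy["sender_ip"]):
        return False
    return policy["authenticated"] == authenticated

def evaluate(sender, recipient, client_ip, authenticated, policies=POLICIES):
    """Return (policy id, action) of the first matching policy, or (None, 'default')."""
    for policy in policies:
        if matches(policy, sender, recipient, client_ip, authenticated):
            return policy["id"], policy["action"]
    return None, "default"  # nothing matched: FortiMail's default handling applies

if __name__ == "__main__":
    # The unauthenticated app server is rejected when its exception sits below policy 2 ...
    print(evaluate("alerts@example.com", "ops@example.com", "192.0.2.5", False,
                   POLICIES + [APP_SERVER_EXCEPTION]))
    # ... and relayed when the exception is placed above the REJECT policy.
    print(evaluate("alerts@example.com", "ops@example.com", "192.0.2.5", False,
                   POLICIES[:1] + [APP_SERVER_EXCEPTION] + POLICIES[1:]))
```

Because policy 2 rejects every unauthenticated message with an internal sender from any IP, internal systems that relay without credentials must be given a narrower policy placed above it.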

 

Related article:

Troubleshooting Tip: Email users are spammed by DSN for email they did not actually send