Help
FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
talsayyad
Staff
Staff

Created on ‎02-27-2024 12:09 AM Edited on ‎10-27-2025 06:59 AM By Community Manager

Article Id 301539

Technical Tip: How to perform SPF, DKIM, and DMARC Antispam checks even if the sender is included in a safe list

Description This article describes how to perform SPF, DKIM, and DMARC Antispam checks even if the sender is included in a safe list.
Scope FortiMail.
Solution
  • Execute the commands that would make SPF, DKIM, and DMARC Antispam checks take precedence even if the sender is included in a safe list, as below:


config antispam settings
    set safelist-bypass-sender-auth disable
end


By default, 'safelist-bypass-sender-auth' is set to 'enable', which means that safe-listed senders will bypass all antispam checks.
An example where 'safelist-bypass-sender-auth' is set to 'enable' while the DKIM check fails:


safelist take precedence over dkim check.png

 

An example where 'safelist-bypass-sender-auth' is set to 'disable' while the DKIM check fails:


DKIM check results take precedence.png

 

Note:

If the 'DNS record policy' is enabled under DMARC in the "Antispam profile", FortiMail will look up the published DMARC record of the domain first  (p=none, p=quarantine, p=reject).

 

The FortiMail bypasses the SPF evaluation path in this case; however, the command 'set safelist-bypass-sender-auth disable' is executed, since the DMARC check logic took precedence.

 

image.png

 

 image.png

 

1383
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.