Created on 09-22-2022 10:11 AM Edited on 12-11-2024 03:02 AM By Jean-Philippe_P
Description
This article describes how to successfully perform an SPF check on mail from protected domains when using a private DNS.
Scope
All FortiMail.
Solution
When internal mail flow reaches the FortiMail from an authorized public IP address and the FortiMail performs an SPF check based on the private DNS server, for the SPF check to be successful:
Note: DNS traffic on TCP port 53 should be allowed on the upstream firewall. If the SPF records exceed 512 bytes, DNS queries will use TCP on port 53 instead of UDP.
Verify that the records are published on the private DNS server. This can also be checked through the FortiMail CLI.
Query the configured private DNS for the SPF TXT records:
execute nslookup name domain.com type txt
Compare the previous results with the results from any public DNS server:
execute nslookup name domain.com type txt server 208.91.112.52
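The comparison of the two answers can be scripted once the TXT strings from both lookups are copied out. The following is an added example, not Fortinet code: it checks that each server returns exactly one SPF record, reports terms that differ between the private and public answers, and flags answers large enough to need TCP port 53. The sample TXT values and function names are constructed for illustration, and the size estimate assumes no EDNS0 and compressed answer names.

```python
# Added example: compare SPF TXT answers from a private and a public resolver.
import math

# Constructed sample answers (TXT strings as shown by each nslookup run).
PRIVATE_TXT = ["v=spf1 ip4:192.0.2.10 -all"]
PUBLIC_TXT = ["v=spf1 ip4:192.0.2.10 ip4:198.51.100.25 include:_spf.example.net -all",
              "constructed-verification=abc123"]

def spf_records(txt_answers):
    """TXT strings that are SPF records (RFC 7208: version tag 'v=spf1')."""
    return [t for t in txt_answers if t.lower().split(" ")[0] == "v=spf1"]

def spf_terms(record):
    """Set of terms after the version tag (reports drift, ignores term order)."""
    return set(record.lower().split()[1:])

def udp_response_size(qname, txt_answers):
    """Estimated response size in bytes, assuming no EDNS0 and compressed names."""
    size = 12 + len(qname.strip(".")) + 2 + 4    # header + QNAME + QTYPE/QCLASS
    for t in txt_answers:
        n = len(t.encode())
        rdata = n + max(1, math.ceil(n / 255))   # one length byte per <=255-byte string
        size += 2 + 2 + 2 + 4 + 2 + rdata        # name ptr, type, class, TTL, rdlength
    return size

def compare(qname, private_txt, public_txt):
    """Return a list of findings; an empty list means no difference was found."""
    findings = []
    priv, pub = spf_records(private_txt), spf_records(public_txt)
    for label, recs in (("private", priv), ("public", pub)):
        if len(recs) != 1:  # RFC 7208: several SPF records give permerror
            findings.append(f"{label}: {len(recs)} SPF records (exactly 1 expected)")
    if len(priv) == 1 and len(pub) == 1:
        missing = spf_terms(pub[0]) - spf_terms(priv[0])
        extra = spf_terms(priv[0]) - spf_terms(pub[0])
        if missing:
            findings.append(f"private DNS lacks: {sorted(missing)}")
        if extra:
            findings.append(f"private DNS only: {sorted(extra)}")
    for label, txt in (("private", private_txt), ("public", public_txt)):
        if udp_response_size(qname, txt) > 512:
            findings.append(f"{label}: response > 512 bytes, needs TCP/53")
    return findings

if __name__ == "__main__":
    for line in compare("domain.com", PRIVATE_TXT, PUBLIC_TXT) or ["answers agree"]:
        print(line)
```

A term reported as missing on the private DNS is a sender the public record authorizes but the FortiMail will not, since it evaluates only the private answer.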