tinkpen_FTNT
Staff
Article Id 194238

Description

 

This article describes how SPF checks work on FortiMail.

 

Scope

 

FortiMail all versions.

Solution

 

Note: The SPF record itself indicates how strictly it should be interpreted.

  1. Hardfail.

If an SPF record ends with -all, only mail that comes from one of the sources listed in the record's parameters (IPv4, IPv6, etc.) can be considered legitimate mail from that domain.
This is known as 'hardfail'.


For example, if a TXT lookup (nslookup -type=txt) is performed on Fortinet, the following is displayed:

 

v=spf1 ip4:208.91.113.0/24 mx include:ott-fortimail.com include:fortinet-emea.com include:_spf.salesforce.com -all

 

The -all at the end of the record indicates that only the included DNS records/IP address ranges can send mail on behalf of Fortinet.

  2. Softfail.

Google's SPF record displays:

 

v=spf1 include:_spf.google.com ~all

 

The ~all at the end of the record indicates that while some emails from Google will come from _spf.google.com, other emails from Google can come from parameters not in the SPF record.

By default, FortiMail is set to allow softfails through the device. If there is an SPF check in the logs that allowed an email through because of 'softfail', this means that the domain in question is using ~all at the end of the SPF record.


This is because many domains, such as the example of Google above, use softfail (~all) in their SPF records.
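
The way the trailing qualifier decides the result, as an added example (not FortiMail code and not part of the original article): a small offline evaluator run on the two records quoted above. It goes slightly beyond the text by also mapping the ?all and +all qualifiers from RFC 7208; the function names and the sender address 203.0.113.7 are assumptions, and mechanisms that need DNS (mx, include) are skipped rather than resolved.

```python
import ipaddress

# Qualifier -> result. RFC 7208 names "-" simply "fail"; the article calls it hardfail.
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:                      # modifier such as redirect= or exp=
            continue
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qual, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        name, _, value = body.partition(":")
        terms.append((qual, name.lower(), value))
    return terms


def evaluate(record, sender_ip):
    """Return (result, matched_term, skipped) for sender_ip, left to right.

    Only ip4/ip6/all are evaluated; DNS-dependent mechanisms are listed in
    `skipped`, so the result holds for a sender that matches none of them.
    """
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for qual, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qual], f"{name}:{value}", skipped
        elif name == "all":
            return QUALIFIERS[qual], "all", skipped
        else:
            skipped.append(name)            # a, mx, include, ... need DNS
    return "neutral", None, skipped         # nothing matched and no "all"


# The two records quoted in this article.
FORTINET = ("v=spf1 ip4:208.91.113.0/24 mx include:ott-fortimail.com "
            "include:fortinet-emea.com include:_spf.salesforce.com -all")
GOOGLE = "v=spf1 include:_spf.google.com ~all"

if __name__ == "__main__":
    # 203.0.113.7 is a constructed sender address (documentation range).
    for rec, ip in ((FORTINET, "208.91.113.25"), (FORTINET, "203.0.113.7"),
                    (GOOGLE, "203.0.113.7")):
        print(ip, "->", evaluate(rec, ip)[:2])
```

A softfail result from the second record corresponds to the log entries described above, where FortiMail's default behaviour lets the message through.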

Starting with the firmware version 6.0.3 release, it is possible to specify different actions for different SPF check results on FortiMail. For more details, see the SPF section.

 
