Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wee-Lamm
New Contributor

Amazon message failing Sender-Alignment

Fortimail Cloud: Firmware version v7.2.4(GA-Maturity), build401, 2023.05.17

We are seeing Sender-Alignment failure for messages sent as
Header From: <hostname>@sns.amazonaws.com
From: amazonses.com
These messages are passing SPF and DKIM.
Obfuscated failure message from Fortimail console:
Sender Alignment: ( From value: Sender <username@sns.amazonaws.com>) does not align with authorization domain amazonses.com

Adding <hostname>@sns.amazonaws.com to 'Policy\Recipient Policy\Sender-Alignment-Safelist' fails to allow the messages to bypass Sender-Alignment check. I believe this is because the Sender-Alignment check is looking at the From address and not the Header From.  

Excluding the amazonses.com sender is undesirable as it would allow any message from that mail domain to avoid Sender-Alignment check.

How can we bypass Sender-Alignment check on messages based on the Header From value of <hostname>@sns.amazonaws.com?




2 REPLIES 2
Stephen_G
Moderator
Moderator

Hi Wee-Lamm,

 

Thanks for using Fortinet Community Forums!

 

This query seems similar to yours. The solution given may help you.

 

Alternatively, this document may have relevant information, under 'Bypass Safelist for SPF/DKIM/DMARC'.

 

If none of these help, please let us know. We'll be happy to get you in touch with an expert.

 

Kind regards,

Stephen - Fortinet Community Team
Wee-Lamm

Thank you other Stephen, though mine is a V. :)

This is generally what we have been doing these last couple of months but we are slowly accumulating a lot of exceptions to compensate for Sender-Alignment failures when DKIM has passed.  That is, in many instances, though the message has passed DKIM, it is still being flagged as Sender-Alignment.

Is there a way to lower the weighting precedence of Sender-Alignment or to globally have the check occur after DKIM and SPF?  Simply, if the message passes DKIM we don't want Sender-Alignment to over-rule DKIM, noting all other checks will still occur.

Steven.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors