Hi, we are trying to pilot FortiMail with only a few mailboxes from our organisation. We have FortiMail Cloud set up in gateway mode. We have already done the default configuration guide on it, except changing the MX records on our DNS zone file. Doing that would cause the whole domain's users to be routed through FortiMail; our concern with that is that we will exceed our license count. We've only bought 100 licenses to test out on a few users before onboarding our whole user base. As per TAC support, with this setup, we cannot selectively activate licenses for select users via FortiMail. So we have to send mail for only certain users to the FML unit for filtering.
Currently, we have this proposed mail flow:
External mail (from anywhere, e.g. user@foo.com) >> O365 MX >> Mail Flow Rule (checks recipient if part of pilot program) >> FML >> Runs filtering >> user inbox (user@bar.com)
We've already set up the protected domains (bar.com) as per the initial config guide. When sending an external mail to an internal user, we get a bounce-back error (Error: 550 Domain foo.com is not a protected domain). It seems that FML is checking the sender domain against the protected domains list; did I miss some configuration settings?
Below are some of the policies we've set in an attempt to get this working.
Access Control Policy
For anyone else looking, you have to set the connector to use the two MX records for inbound, the one that is supposed to be used on the DNS zone file. For outbound, another connector is needed, this time using the FML cloud hostname.
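As an added example (not from the thread or from Fortinet), the connector and mail flow rule set-up described above expressed in Exchange Online PowerShell. All hostnames, the pilot group and the FML source IP range are placeholders to be replaced with the tenant's own values; the IP-range exception is there so that mail FortiMail hands back after filtering is not routed out to FML a second time.

```powershell
# Added example: route only pilot users through FortiMail Cloud from Exchange
# Online, matching the flow O365 MX -> mail flow rule -> FML -> user inbox.
# Placeholders (assumptions, replace with your tenant's values):
#   - the two FortiMail MX hosts that the DNS zone file would otherwise point to
#   - the FML cloud hostname presented in its TLS certificate
#   - a mail-enabled security group holding the pilot mailboxes
#   - the FML cloud source IP range, used only to prevent a routing loop
Connect-ExchangeOnline

$fmlMxHosts   = @('mx1.fml-cloud.example', 'mx2.fml-cloud.example')  # placeholder
$fmlHostname  = 'tenant.fortimailcloud.example'                        # placeholder
$fmlSourceIps = @('203.0.113.0/24')                                     # placeholder (TEST-NET range)
$pilotGroup   = 'fortimail-pilot@bar.com'                              # placeholder

# 1. Outbound connector O365 -> FML, using the two MX hosts as smart hosts.
#    Scoped to a transport rule so nothing is routed through it unless the
#    rule below says so; non-pilot users (and the license count) are untouched.
New-OutboundConnector -Name 'To-FortiMail-Pilot' `
    -ConnectorType Partner `
    -SmartHosts $fmlMxHosts `
    -TlsSettings CertificateValidation `
    -IsTransportRuleScoped $true `
    -Enabled $true

# 2. Inbound connector FML -> O365: filtered mail coming back is accepted
#    only over TLS from a certificate matching the FML cloud hostname.
New-InboundConnector -Name 'From-FortiMail-Pilot' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $fmlHostname `
    -Enabled $true

# 3. Mail flow rule: only recipients in the pilot group are sent to FML.
#    The exception keeps mail already filtered (connecting from FML's IPs)
#    from going round the loop again.
New-TransportRule -Name 'Route pilot users via FortiMail' `
    -SentToMemberOf $pilotGroup `
    -ExceptIfSenderIpRanges $fmlSourceIps `
    -RouteMessageOutboundConnector 'To-FortiMail-Pilot'

# Check: confirm who is routed and through which connector.
Get-TransportRule 'Route pilot users via FortiMail' |
    Format-List Name, SentToMemberOf, ExceptIfSenderIpRanges, RouteMessageOutboundConnector
```

The FortiMail side of the loop (the protected domain's SMTP server pointing at the O365 FQDN, as mentioned in the replies) is configured in the FML domain settings, not here.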
Issue could be related to the SMTP setting.
I had a similar issue that got resolved by changing the SMTP server in the domain settings from the IP used earlier to the FQDN that is for O365.
Hi,
It looks like you are experiencing an issue with FortiMail checking the sender domain against the protected domain list. Here are some steps you can follow to resolve this issue:
1. Go to "Mail Settings" > "SMTP" > "Protection".
2. Under "Protected Domains", make sure that the domain name you are using for the sender email address (e.g. foo.com) is not listed.
3. Under "Recipient Verification", make sure that "Verify Recipient Domain" is enabled.
4. Go to "Policy & Objects" > "Policy" and create a new policy.
5. Under "Inbound Mail Flow", select "Anti-Spam Profile" and "Anti-Virus Profile".
6. Under "Sender Check", select "Allow if sender domain matches recipient domain".
7. Under "Recipient Check", select "Allow if recipient domain is local".
8. Under "Policy Action", select "Deliver to Local Recipient".
9. Click on "OK" to save the policy.
These steps should allow emails from external senders to be delivered to your internal users without being blocked by the protected domain list.
I hope this helps! Let me know if you have any further questions or if there's anything else I can assist you with.
Copyright 2025 Fortinet, Inc. All Rights Reserved.