Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Boris_Tolshew
New Contributor

How to force implementation of a DMARC in FortiMail

My goal is to skip emails only when either SPF or DKIM is correct (or both of whem). And the answer to this is DMARC. But what if some sender does not have it?

 

For example: sender №1 with SPF, DKIM and DMARC, sender №2 with SPF, DKIM and without DMARC.

 

Mail from sender №1:

... (some antispam techniques) ...

1) FortiMail checks DMARC for domain and find it.

2) After this FortiMail look into SPF with DKIM and allow email only if either SPF or DKIM is correct (or both of whem).

... (some antispam techniques) ...

 

Mail from sender №2:

... (some antispam techniques) ...

1) FortiMail checks DMARC for domain and can't find anything because it's not published.

2) FortiMail anyway checks SPF and DKIM, and allow email only if either SPF or DKIM is correct (or both of whem).

... (some antispam techniques) ...

 

How can I configure policies to achieve this result?

1 Solution
AEK
SuperUser
SuperUser

I don't know a way to do that in FML, however I think we can avoid this problem if simply we don't accept a mail from a source that failed the SPF check, just because this mail is 100% illegitimate.

AEK

View solution in original post

AEK
3 REPLIES 3
AEK
SuperUser
SuperUser

I don't know a way to do that in FML, however I think we can avoid this problem if simply we don't accept a mail from a source that failed the SPF check, just because this mail is 100% illegitimate.

AEK
AEK
Boris_Tolshew

Yes you are right. But the fact is that many senders have the correct DKIM and "bad" SPF. I've seen this many times. 

It would be nice if this worked in FML the same way as in gmail SMTP servers. Gmail SMTP servers accept the email only if the sender has the correct OR SPF, OR DKIM, OR both. And it doesn't matter what is in your DMARC

AEK

If a sender has a bad SFP by mistake then he has a big delivrability problem and should resolve it very quickly, and I don't think all his recipient will agree to make an exception for him.

But in case this happens and you know that the sending IP is legitimate, then you can allow it via safelist. Or you can also create an IP policy specially for this IP and use an AS profile that doesn't check SPF.

Hope it helps

AEK
AEK
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors