My goal is to skip emails only when either SPF or DKIM is correct (or both of them). And the answer to this is DMARC. But what if some sender does not have it?
For example: sender №1 with SPF, DKIM and DMARC, sender №2 with SPF, DKIM and without DMARC.
Mail from sender №1:
... (some antispam techniques) ...
1) FortiMail checks DMARC for the domain and finds it.
2) After this, FortiMail looks at SPF and DKIM and allows the email only if either SPF or DKIM is correct (or both of them).
... (some antispam techniques) ...
Mail from sender №2:
... (some antispam techniques) ...
1) FortiMail checks DMARC for the domain and can't find anything because it's not published.
2) FortiMail checks SPF and DKIM anyway, and allows the email only if either SPF or DKIM is correct (or both of them).
... (some antispam techniques) ...
How can I configure policies to achieve this result?
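The rule described in the question above, written out as an added example (not part of the original post and not FortiMail configuration): a Python check over `Authentication-Results` headers (RFC 8601) that accepts when SPF or DKIM passed, whether or not DMARC is published. The authserv-id `mx.example.net`, the sample headers and the function names are constructed for illustration.

```python
import re

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumption: the id your own gateway stamps

# Constructed sample headers: sender 1 publishes DMARC, sender 2 does not.
SENDER_1 = ("mx.example.net; spf=fail smtp.mailfrom=sender1.example; "
            "dkim=pass header.d=sender1.example; dmarc=pass header.from=sender1.example")
SENDER_2 = ("mx.example.net; spf=pass smtp.mailfrom=sender2.example; "
            "dkim=fail (body hash mismatch) header.d=sender2.example; "
            "dmarc=none header.from=sender2.example")
SENDER_3 = "mx.example.net; spf=softfail smtp.mailfrom=s3.example; dkim=fail; dmarc=none"
SPOOFED = "other.example; spf=pass smtp.mailfrom=sender1.example; dkim=pass"

def parse_auth_results(value):
    """Return (authserv_id, {"spf": [...], "dkim": [...], "dmarc": [...]})."""
    prev = None
    while prev != value:  # strip comments, including nested ones
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    clauses = [c.strip() for c in value.split(";")]
    authserv_id = clauses[0].split()[0].lower() if clauses[0] else ""
    results = {"spf": [], "dkim": [], "dmarc": []}
    for clause in clauses[1:]:
        m = re.match(r"(spf|dkim|dmarc)\s*=\s*([a-z]+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()].append(m.group(2).lower())
    return authserv_id, results

def decide(value, trusted_id=TRUSTED_AUTHSERV_ID):
    """Accept when SPF or at least one DKIM signature passed, with or without DMARC."""
    authserv_id, r = parse_auth_results(value)
    if authserv_id != trusted_id:
        # A header stamped by another host may have been written by the sender.
        return ("reject", "results not stamped by our gateway")
    # This is the rule as asked in the post: no identifier alignment is checked.
    passed = [m for m in ("spf", "dkim") if "pass" in r[m]]
    # dmarc=none means no DMARC record was published for the domain.
    dmarc = "published" if any(x != "none" for x in r["dmarc"]) else "not published"
    if passed:
        return ("accept", f"{'+'.join(passed)} pass, DMARC {dmarc}")
    return ("reject", f"neither SPF nor DKIM passed, DMARC {dmarc}")

if __name__ == "__main__":
    for name, hdr in [("sender 1", SENDER_1), ("sender 2", SENDER_2),
                      ("sender 3", SENDER_3), ("spoofed", SPOOFED)]:
        print(name, decide(hdr))
```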
I don't know a way to do that in FML, however I think we can avoid this problem if simply we don't accept a mail from a source that failed the SPF check, just because this mail is 100% illegitimate.
Yes you are right. But the fact is that many senders have the correct DKIM and "bad" SPF. I've seen this many times.
It would be nice if this worked in FML the same way as in Gmail SMTP servers. Gmail SMTP servers accept the email only if the sender has correct SPF, or DKIM, or both. And it doesn't matter what is in your DMARC.
Created on 05-15-2024 08:44 AM Edited on 05-15-2024 08:45 AM
If a sender has a bad SPF by mistake then he has a big deliverability problem and should resolve it very quickly, and I don't think all his recipients will agree to make an exception for him.
But in case this happens and you know that the sending IP is legitimate, then you can allow it via safelist. Or you can also create an IP policy specially for this IP and use an AS profile that doesn't check SPF.
Hope it helps