I'm encountering a strange problem with a FortiMail unit and an environment with both on-premise and in-cloud mailboxes.
The problem regards the incoming email flow.
When an email is sent to a mailbox on premise (hosted on the local Exchange Server), no problem.
When an email is sent to an in-cloud mailbox, I have 2 steps involved:
This happens with the message:
SPF=FAIL: (envelope from firstname.lastname@example.org) indicates that MTA (126.96.36.199) is not permitted to send email for sender.com
From what I understand, my public IP address is not from the ones allowed to send email as @sender.com (and this is correct).
The question is: how could I avoid performing the SPF check only in these cases?
I'd like to disable SPF check from mail sent from my internal Exchange Server and the in-cloud domain but I don't think this could be done.
Simple. If the FML is handling the mail, then write a policy allowing the internal mailserver to send, "with an AS policy" that has no SPF check.
Policy > Policies
You should be able to order that policy to avoid AS policy issues (thresholds, sessions, AS rating, etc.). Just be sure that you can send mail for that domain and have a correct TXT or SPF DNS RR.
Not so simple, since I should create a policy with an IP as a source (the internal Exchange Server) and a domain as destination.
But the policies are IP ---> IP or sender --> recipient