I ran into this issue on our FortiMail and wanted to let you know:
We found a mail going out of the FML that should have been quarantined due to a failing DMARC check.
However, the mail went through to the user without any filtering. The log only states the failing DMARC check but no action and no further checks/filters, while there are more checks/filters in the recipient policy, and the antispam profile in the policy does specify the action to quarantine it upon a failing DMARC check.
I opened a ticket with TAC on this and they sent me to the right path:
The reason is a new option which was first introduced in 7.4.0. Since 7.4.0 there is a DMARC generic action option in security=>options=>antispam. By factory default this is set to not perform any action.
This leads to the FML still detecting a failed DMARC check but ignoring any specified action. However, due to the failing DMARC check it still skips the rest of the checks/filters and lets the mail out completely unfiltered!
This option was never mentioned in 7.4.0's release notes as a new option, and even the admin guide only describes where it is in the menu (under security=>Preferences) but has no further references to it.
Unfortunately it renders your DMARC check rather useless and creates a security risk because mails go out unfiltered.
So I recommend that everyone check their FortiMail and reset that option to perform the specified action!
I am still on this with TAC also.
Cheers
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks for sharing, sw2090.
Do you confirm this behavior is the same with 7.4.5 (highest patch)? Or does it affect only 7.4.0?
If I understand correctly, the default DMARC config cancels all checks and delivers the mail, right? So this is obviously a bug, because all other checks should be applied even if DMARC or any other check fails. However, I can't find such a bug in the release notes of any 7.5.x version.
Yes, I confirm that!
It was introduced with 7.4.0, I guess, since the admin guide of the last 7.2 does not mention it at all.
I would predict it also exists in 7.6, but since we are on 7.4 I cannot confirm this.
And yes, you understand that correctly. However, I am not sure if that is a bug. If there is an action to perform which is to defer or quarantine the mail, then the cancellation of anything further would probably be correct. However, it should not if there is no action being performed. I think the bug is that it ignores the action in the first case so nothing is done, but on processing the mail it still "sees" the action in the profile and thinks the mail went to quarantine, so it doesn't need further checks/filtering right now.
I've asked TAC about this anyway, but they haven't replied yet.
Hi sw
Any update from TAC? Curious to know.
hi AEK,
Not yet, unfortunately. As said, the workaround/fix is to set that mentioned option from the factory default to "action", so the FML will perform the action specified in the antispam profile.
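A small model of the behaviour described in this thread, added here as an illustration and not FortiMail code (the real pipeline is not public): the global setting is modelled as `dmarc_generic_action`, the antispam profile's DMARC-failure action as `profile_action`, and `content_filter`, `audit` and `demo` are assumed names for the sake of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Mail:
    sender_domain: str
    dmarc_pass: bool
    body: str
    log: list = field(default_factory=list)


def scan(mail, dmarc_generic_action, profile_action, extra_filters):
    """Return the disposition: 'quarantine', 'reject' or 'deliver'.

    dmarc_generic_action models the global setting discussed in the
    thread ('none' is the 7.4.x factory default); profile_action is the
    DMARC-failure action configured in the antispam profile.
    """
    if not mail.dmarc_pass:
        mail.log.append("dmarc: fail")
        if dmarc_generic_action == "perform_profile_action":
            mail.log.append(f"dmarc: profile action {profile_action}")
            return profile_action
        # Factory default: failure is logged, the profile action is ignored,
        # and (as reported in the thread) the remaining filters never run.
        mail.log.append("dmarc: failure action setting = none, no action")
        return "deliver"
    for name, check in extra_filters:
        if check(mail):
            mail.log.append(f"{name}: matched, quarantine")
            return "quarantine"
    return "deliver"


def content_filter(mail):
    """Stand-in for the later recipient-policy checks (constructed)."""
    return "invoice attached" in mail.body.lower()


FILTERS = [("content", content_filter)]


def audit(dmarc_generic_action, profile_action):
    """Flag the misconfiguration: profile wants an action, global says none."""
    return dmarc_generic_action == "none" and profile_action != "none"


def demo(generic_setting):
    # Constructed sample: spoofed sender that fails DMARC and would also
    # trip the content filter if that filter were ever reached.
    mail = Mail("example.com", dmarc_pass=False, body="Invoice attached, pay now")
    return scan(mail, generic_setting, "quarantine", FILTERS), mail.log
```

With the default setting `demo("none")` delivers the mail with only the two DMARC log lines, while `demo("perform_profile_action")` quarantines it; `audit` returns True for the combination the thread warns about.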
Here is a screenshot that shows it:
OK, TAC have replied now:
They say that they themselves were also confused when they first noticed this option.
They also say it is mentioned in the cross search log. That's true, but the log only speaks of a "system or domain level DMARC failure action setting".
They also say it has been removed again from 7.6.4 on.
They did not say anything about mails not getting further filtered in this case...
That's strange; when I check the release notes of 7.6.4 I don't find a mention of any DMARC change.
Anyway thanks again for sharing, it will certainly be useful for my future FML integrations.
Yeah, same as with the introduction of this in 7.4.0: no mention in the release notes.
According to TAC it has been removed again with 7.6.4, and again no mention in the release notes...