I think a DLP rule is also a good way to check env-From and header-From;
you can choose "Sender matches regex" for env-From, and "Header matches
regex" for header-From.

FortiMail will check message/rfc822 content-type attachments, which cannot
be disabled. The best way to detect a forged header-From is to use the
Impersonation Analysis feature; you can let TAC guide you through
configuring the feature.

Hi Jeff, I checked your email sample. It's the email attachment in the bounce
email that triggers the regex header search. The attachment is an email, so
its header is checked.
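
An added illustration, not part of the thread and not FortiMail code or configuration: a small Python model of why a header-From regex can fire on a bounce whose own envelope sender and top-level From do not match, because the attached message/rfc822 part carries the original message's headers. The addresses, the regex, the sample bounce and the function names are constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample: a bounce (DSN) that attaches the original message.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: jeff@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the recipient failed.

--b1
Content-Type: message/rfc822

From: ceo@example.com
To: nobody@example.org
Subject: original message

body
--b1--
"""
ENV_FROM = "<>"                  # bounces use the null envelope sender
PATTERN = r"@example\.com$"      # hypothetical rule: own domain in From

def from_headers(msg, depth=0):
    """Return (depth, From value) for msg and every message nested inside it."""
    hits = [(depth, msg["From"])] if msg["From"] is not None else []
    if msg.is_multipart():       # also true for a parsed message/rfc822 part
        for part in msg.get_payload():
            hits.extend(from_headers(part, depth + 1))
    return hits

def check(env_from, raw, pattern):
    """Evaluate the regex against env-From, top-level From and attached Froms."""
    rx = re.compile(pattern, re.IGNORECASE)
    found = from_headers(message_from_string(raw))
    return {
        "env_from": bool(rx.search(env_from)),
        "header_from": any(rx.search(v) for d, v in found if d == 0),
        "attached": [(d, v) for d, v in found if d > 0 and rx.search(v)],
    }

if __name__ == "__main__":
    print(check(ENV_FROM, BOUNCE, PATTERN))
```

When a header rule fires on a bounce, comparing the top-level result with the attached result this way shows whether the match came from the bounce itself or from the message it returns.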