Whether to use IP-based or recipient-based policies
Since there are two types of policies, which type should you use?
You can use either or both.
Exceptions include the following scenarios, which require IP-based policies:
• mail hosting service providers
There is a great number of domains, and it is not feasible to configure them all as protected domains on the FortiMail unit.
• Internet service providers (ISPs)
Mail domains of customers are not known.
• session control
Even if protected domains are known and configured on the FortiMail unit, an IP-based policy must be created in order to apply a session profile. Session profiles are only available in IP-based policies.
• differentiated services based on the network of origin
To apply antispam and antivirus protection based on the IP address of the SMTP client or based on a notion of the internal or external network, rather than the domain in a recipient’s email address, you must use an IP-based policy.
As a general rule, it is simpler to use IP-based policies. Use recipient-based policies only where they are required, such as when the policy must be tailored for a specific email address.
For example, if your company is an ISP, you can use recipient-based policies to apply antispam and antivirus profiles for only the customers who have paid for those services.
If both a recipient-based policy and an IP-based policy match the email, unless you have enabled Take precedence over recipient based policy match in the IP-based policy, the settings in the recipient-based policy will have precedence.