Configuring sender validation options
This procedure is part of the session profile configuration process. For general procedures about how to configure a session profile, see “Configuring session profiles”.
1. Go to Profile > Session.
2. Click New to create a new session profile or double click on an existing profile to edit it.
3. Click the arrow to expand Sender Validation. Configure the settings to confirm sender and message authenticity.
Failed validation does not guarantee that an email is spam, just as successful validation does not guarantee that it is not, but the result can help to indicate spam. Validation results are used to adjust the sender reputation scores and deep header scans.
 
Enabling sender validation can improve performance by rejecting invalid senders before more resource-intensive antispam scans are performed.
4. Configure the following:
 
GUI item
Description
SPF check
If the sender domain DNS record lists SPF authorized IP addresses, use SPF check to compare the client IP address to the IP addresses of authorized senders in the DNS record (RFC 4408).
An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score.
If the DNS record for the domain name of the sender does not publish SPF information, the FortiMail unit omits the SPF client IP address validation.
You can also enable SPF checking in the antispam profile. See “Configuring antispam profiles and antispam action profiles”.
Note: Before the FortiMail 4.0 MR3 Patch 1 release, you must enable SPF checking in the session profile before SPF checking in the antispam profile takes effect. Starting from the 4.0 MR3 Patch 2 release, SPF checking can be enabled in a session profile, in an antispam profile, or in both. However, if you select Bypass SPF checking in the session profile, SPF checking is bypassed even if you enable it in the antispam profile.
Note: Before the FortiMail 4.0 MR3 Patch 1 release, only SPF hardfailed (-all) email is treated as spam. Starting from the 4.0 MR3 Patch 2 release, you can use a CLI command (set spf-checking {strict | aggressive} under config antispam settings) to control whether SPF softfailed (~all) email should also be treated as spam. For details, see the FortiMail CLI Guide.
Enable DKIM check
If a DKIM signature is present (RFC 4871), enable this to query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature.
An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score.
If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation.
Enable DKIM signing for outgoing messages
Enable to sign outgoing email with a DKIM signature.
This option requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers cannot validate your DKIM signature. For details on generating domain key pairs and publishing the public key, see “DKIM Setting”.
Enable DKIM signing for authenticated senders only
Enable to sign outgoing email with a DKIM signature only if the sender is authenticated.
This option is effective only if Enable DKIM signing for outgoing messages is enabled.
Enable domain key check
If a DomainKey signature is present, use this option to query the DNS server for the sender’s domain name to retrieve its public key to decrypt and verify the DomainKey signature.
An invalid signature increases the client sender reputation score and affects the deep header scan. A valid signature decreases the client sender reputation score.
If the sender domain DNS record does not include DomainKey information or the message is not signed, the FortiMail unit omits the DomainKey signature validation.
Bypass bounce verification check
If bounce verification is enabled, enable to omit verification of bounce address tags on incoming bounce messages.
This bypass does not omit bounce address tagging of outgoing messages.
Sender address verification with LDAP
Enable to verify sender email addresses on an LDAP server, then select an LDAP profile from the dropdown list or click New to create one. For details about LDAP profiles, see “Configuring LDAP profiles”.
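As an added example (not FortiMail's own code), the following Python illustrates the SPF check described in the table above: the client IP address is compared against the ip4/ip6 mechanisms of the sender domain's SPF record, validation is omitted when the domain publishes no record, and hardfail (-all) versus softfail (~all) is mapped to the spam decision. The domain names and records are constructed, the softfail_is_spam flag stands in for the spf-checking CLI setting, and the +1/-1 reputation adjustments are illustrative assumptions, not FortiMail values.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (not real domains).
# A missing entry means the sender domain publishes no SPF information.
SPF_RECORDS = {
    "hard.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6 mechanisms and the final 'all' of one SPF record
    against the connecting client IP. Mechanisms that need further DNS
    lookups (a, mx, include, redirect) are deliberately not handled here."""
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            # a bare address such as ip4:192.0.2.5 becomes a /32 (or /128)
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def check_sender(sender_domain, client_ip, softfail_is_spam=False):
    """Apply the rules from the table: no SPF record -> validation omitted;
    an authorized client lowers the reputation score, an unauthorized one
    raises it; hardfail is spam, softfail only when softfail_is_spam is set
    (assumed stand-in for the spf-checking {strict | aggressive} setting).
    The +1/-1 magnitudes are illustrative, not FortiMail's actual weights."""
    result = evaluate_spf(SPF_RECORDS.get(sender_domain), client_ip)
    if result == "none":
        return {"result": "none", "reputation_delta": 0, "spam": False}
    delta = -1 if result == "pass" else (1 if result in ("fail", "softfail") else 0)
    spam = result == "fail" or (result == "softfail" and softfail_is_spam)
    return {"result": result, "reputation_delta": delta, "spam": spam}
```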