Configuring bounce verification and tagging
The Bounce Verification submenu lets you configure bounce address tagging and verification.
Spammers sometimes fraudulently use others’ email addresses as the sender email address in the message envelope (MAIL FROM:) when delivering spam. When an email cannot be delivered, email servers often return a delivery status notification (DSN) message, also known as a bounce message, to the sender email address in the message envelope.
While DSNs are normally useful in notifying email users when an email could not be delivered, in this case, it could result in delivery of a DSN to an email user who never actually sent the original message. Because the invalid bounce message is from a valid email server, it can be difficult to detect as invalid.
You can combat this problem with bounce address tagging and verification. If the FortiMail unit tags outgoing email, it can verify the tags of incoming bounce messages to guarantee that the bounce message is truly in reply to a previous outgoing email.
For a FortiMail unit to perform bounce address tagging, the following must be true:
- bounce verification is enabled
- a bounce address key must exist and be activated
- in the protected domain to which the sender belongs, the “Bypass bounce verification” option is disabled (see Configuring protected domains)
- the recipient domain is not in the tagging exempt list
The FortiMail unit will use the currently activated key to generate bounce address tags for all outgoing email. You can create multiple keys, but only one can be activated at any time.
The activated private key is used, together with randomizing data, to generate the tag that is applied to the sender email address in the message envelope, also known as the bounce address, of all outgoing messages. The format of tagged sender email addresses is:
prvs=1234567890=user1@example.com
where the sender email address is user1@example.com and the prefix is the bounce address tag. The tag is different for every email message, and uniquely identifies the email message.
Bounce address tagging is applied to the sender email address in the message envelope only; it is not applied to the sender email address in the message header.
If the email server for the recipient email domain cannot deliver the email, it will send a bounce message whose recipient is the tagged email address. When the bounce message arrives at the FortiMail unit, it will use the private keys to verify the bounce address tag. Incoming email is subject to bounce verification if all of the following are true:
- bounce verification is enabled
- at least one bounce address key exists
- in the protected domain to which the recipient belongs, the Bypass Bounce Verification option is disabled (see Configuring protected domains)
- in the session profile, the Bypass Bounce Verification check option is disabled (see Configuring session profiles)
- the sender email address (MAIL FROM:) in the message envelope is empty
- the DSN sender is not in the verification exempt list
The sender email address is typically empty for bounce messages. The sender email address may also be empty for some types of spam that are not bounce messages. Because the sender email addresses of those types of spam will not have a proper tag, similar to bounce message spam, these spam will fail the bounce verification process. Email sent from email clients or webmail will not have an empty sender email address, and therefore will not be subject to the bounce verification process.
If the tag is successfully verified, the bounce verification scan removes the tag, restoring the recipient email address to one known by the protected domain, and allows the bounce message.
If the tag is not successfully verified, the bounce verification scan will perform the action that you have configured for invalid bounce messages.
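The tagging and verification flow described above, as an added illustration that is not FortiMail's own code: the active key plus a random nonce produce a prvs= tag with an expiry day, and incoming bounce recipients are checked against every stored key (active or deactivated), so a tag fails once its key is deleted or its expiry has passed. The tag layout (nonce, expiry day, truncated HMAC-SHA256) and the clock injection are assumptions made for this example; the page's own sample tag is a ten-digit number.

```python
import hashlib
import hmac
import re
import secrets

TAG_RE = re.compile(r"prvs=([0-9a-f]{8})([0-9a-f]{6})([0-9a-f]{10})=(.+)")  # assumed layout

class BounceAddressTagger:
    def __init__(self, expire_days, clock):
        self.keys = {}            # key name -> secret; active and deactivated keys
        self.active = None        # only one key generates tags at a time
        self.expire_days = expire_days
        self.clock = clock        # returns Unix seconds; injected so expiry is testable

    def add_key(self, name, secret, activate=False):
        self.keys[name] = secret.encode()
        if activate:
            self.active = name

    def delete_key(self, name):
        if name == self.active:   # as in the GUI, the active key cannot be deleted
            raise ValueError("active key cannot be deleted")
        del self.keys[name]

    def _mac(self, secret, nonce, expiry_day):
        msg = f"{nonce}{expiry_day:06x}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10]

    def tag(self, mail_from):
        # Returns prvs=<tag>=user@example.com; the fresh nonce makes every tag unique.
        user, domain = mail_from.rsplit("@", 1)
        nonce = secrets.token_hex(4)                       # the randomizing data
        expiry_day = int(self.clock() // 86400) + self.expire_days
        mac = self._mac(self.keys[self.active], nonce, expiry_day)
        return f"prvs={nonce}{expiry_day:06x}{mac}={user}@{domain}"

    def verify(self, rcpt_to):
        # Returns the untagged address if the tag checks out, otherwise None.
        local, _, domain = rcpt_to.rpartition("@")
        m = TAG_RE.fullmatch(local)
        if not m:
            return None                                    # no tag at all
        nonce, expiry_hex, mac, user = m.groups()
        expiry_day = int(expiry_hex, 16)
        if expiry_day < int(self.clock() // 86400):
            return None                                    # tag expired
        for secret in self.keys.values():                  # try active and deactivated keys
            if hmac.compare_digest(self._mac(secret, nonce, expiry_day), mac):
                return f"{user}@{domain}"
        return None                                        # forged, or its key was deleted
```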
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Policy category
For details, see About administrator account permissions and domains.
To configure bounce verification settings
- Go to Security > Bounce Verification > Setting.
- Configure the following as required:
| GUI item | Description |
|---|---|
| New, Edit, Delete (buttons) | Click to create, edit or delete a key. Note: If you delete a key, any email with a tag generated when that key was active will fail bounce verification. After activating a new key, keep the previously active key until any tags generated with the old key expire. Delete is unavailable if the Status of the key is Active. |
| Key | Displays the string of text that is the private key. This can be any arbitrary string of text, and will be used together with randomizing data to generate each bounce address tag. |
| Status | Indicates which key is activated for use. Only one of the keys may be activated at any given time. The activated key is the one that will be used to generate the bounce address tags for outgoing email. Both activated and deactivated keys will be used for bounce address tag verification of incoming email. To activate or deactivate a key, double-click it and modify its Status. |
| Last Used | Displays the date and time when the key was generated or last used to verify the bounce address tag of an incoming email, whichever is later. |
| Enable bounce verification | Mark this check box to enable verification of bounce address tags for all incoming email. If you want to make exceptions for email that does not require bounce address tag verification, you can bypass bounce verification in protected domains and session profiles. For more information, see Configuring protected domains and Configuring session profiles. |
| Bounce verification tag expires in (days) | Enter the number of days after creation when bounce message keys will expire and their resulting tags will fail verification. |
| Keys will be automatically removed | Displays the period of time after which unused, deactivated keys will be automatically removed. The activated key will not be automatically removed. |

Select the action that the FortiMail unit will perform when an incoming email fails bounce address tag verification, either:
To configure a bounce address tagging and verification key
- Go to Security > Bounce Verification > Setting.
- Click New to add a key, or double-click a key to modify it. A dialog appears.
- Configure the following:
| GUI item | Description |
|---|---|
| Key name | Enter the string of text that will be used together with randomizing data in order to generate each bounce address tag. Keys must not be identical. This field cannot be modified after a key is created. Instead, you must create a new key. If you are certain that no email has used a key, and therefore no bounce messages can exist which would require tag verification, you can safely delete that key. |
| Status | Select the activation status of the key. Only one of the keys may be activated at any given time. The activated key is the one that will be used to generate tags for outgoing messages. Both activated and deactivated keys will be used for bounce address tag verification of incoming email. |
Excluding recipient domains from bounce verification tagging
If you do not want to tag email sent to certain recipients, add the recipient domain to the tagging exempt list.
To configure the tagging exempt list
- Go to Security > Bounce Verification > Tagging Exempt List.
- Click New.
- Add the recipient domain name.
- Click Create.
Excluding senders from bounce verification
If you do not want to verify bounce verification tags on bounce messages from certain senders, add the sender host names to the verification exempt list.
To configure the verification exempt list
- Go to Security > Bounce Verification > Verification Exempt List.
- Click New.
- Add the host name. FortiMail uses reverse DNS to resolve the client’s IP address into a host name. You can use a wildcard to include all hosts within a domain, for instance, *.example.com.
- Click Create.