Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.3
    6.2.0

    Preparing DMARC checking for outbound email

    Preparing DMARC checking for outbound email

    This recipe describes the outbound email Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) preparation on FortiMail and the DNS server for verification by the receiving email servers.

    Email signing requires up-to-date SPF, DKIM, and DMARC TXT records within the DNS server:

    • For outbound email, SPF records indicate who is authorized to send email on your behalf. SPF records contain the client IP addresses of the domains' authorized senders. These domains are checked until an authorized IP address match occurs. If the test fails, the email is identified as spam. DNS records must be kept up-to-date.

    • DKIM records digitally sign outbound emails to prove that the email has not been tampered with in transit. This is achieved through both a public key and a private key. The public key is what is published to the DNS record, so receiving MTAs can download the key and validate the signature.

    • On the receiver's end, DMARC records provide a form of feedback as to whether SPF and DKIM passed. For Fortinet as an example, DMARC passes if either SPF or DKIM pass. Otherwise, if both SPF and DKIM fail, DMARC takes an action of either none, quarantine, or reject.

    Note

    Note that SPF performs its check using the Mail From address, or the RFC5321.MailFrom (envelope) address. DMARC enhances SPF by performing its check against the From address, or the RFC5322.From (header) address.

    This prevents situations where messages can pass an SPF check, but spoof its RFC5322.From sender address.

    For more information, see identifier alignment information at RFC 7489.

    Below are examples, taken from publicly accessible DNS records at mxtoolbox.com, of the three TXT records required for a given domain (in this example, fortinet.com):

    In this example, the appropriate text records for SPF, DKIM, and DMARC are retrieved for the domain fortinet.com. These records are used to update the DNS server, and an email is sent from a Fortinet account to a Gmail account (from fortinet.com to gmail.com) to prove the email passed successfully.

    For more information about these email authentication protocols, see the FortiMail Administration Guide. For a recipe regarding email checking, see Configuring incoming email DMARC checking with SPF and DKIM.

    Previous
    Next

    Preparing DMARC checking for outbound email

    Preparing DMARC checking for outbound email

    This recipe describes the outbound email Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) preparation on FortiMail and the DNS server for verification by the receiving email servers.

    Email signing requires up-to-date SPF, DKIM, and DMARC TXT records within the DNS server:

    • For outbound email, SPF records indicate who is authorized to send email on your behalf. SPF records contain the client IP addresses of the domains' authorized senders. These domains are checked until an authorized IP address match occurs. If the test fails, the email is identified as spam. DNS records must be kept up-to-date.

    • DKIM records digitally sign outbound emails to prove that the email has not been tampered with in transit. This is achieved through both a public key and a private key. The public key is what is published to the DNS record, so receiving MTAs can download the key and validate the signature.

    • On the receiver's end, DMARC records provide a form of feedback as to whether SPF and DKIM passed. For Fortinet as an example, DMARC passes if either SPF or DKIM pass. Otherwise, if both SPF and DKIM fail, DMARC takes an action of either none, quarantine, or reject.

    Note

    Note that SPF performs its check using the Mail From address, or the RFC5321.MailFrom (envelope) address. DMARC enhances SPF by performing its check against the From address, or the RFC5322.From (header) address.

    This prevents situations where messages can pass an SPF check, but spoof its RFC5322.From sender address.

    For more information, see identifier alignment information at RFC 7489.

    Below are examples, taken from publicly accessible DNS records at mxtoolbox.com, of the three TXT records required for a given domain (in this example, fortinet.com):

    In this example, the appropriate text records for SPF, DKIM, and DMARC are retrieved for the domain fortinet.com. These records are used to update the DNS server, and an email is sent from a Fortinet account to a Gmail account (from fortinet.com to gmail.com) to prove the email passed successfully.

    For more information about these email authentication protocols, see the FortiMail Administration Guide. For a recipe regarding email checking, see Configuring incoming email DMARC checking with SPF and DKIM.

    Previous
    Next