How FortiMail processes email

FortiMail units receive email for defined email domains and control relay of email to other domains. Email passing through the FortiMail unit can be scanned for viruses and spam. Policies and profiles govern how the FortiMail unit scans email and what it does with email messages containing viruses or spam. For information about policies, see Configuring policies. For information about profiles, see Configuring profiles.

In addition to policies and profiles, other configured items, such as email domains, may affect how your FortiMail unit processes email.

Email domains

An email domain is a set of email accounts that reside on a particular email server. The email domain name is the portion of the user’s email address following the @ symbol.

FortiMail units can be configured to protect email domains (referred to as “protected domains” in this Administration Guide) by defining policies and profiles to scan and relay incoming and outgoing email.

If the FortiMail unit is operating in gateway mode or transparent mode, there is one local email domain that represents the FortiMail unit itself. If the FortiMail unit is operating in server mode, protected domains reside locally on the FortiMail unit’s built-in email server.

For information about creating protected domains, see Configuring protected domains.

In transparent mode, each network interface includes a proxy and/or implicit MTA that receives and relays email. By default, the proxy/implicit MTA responds to SMTP greetings (HELO/EHLO) using the host name of the SMTP server of the protected domain. This “masquerade” hides the existence of the FortiMail unit. For information on configuring the SMTP greeting, see Configuring protected domains.

Access control rules

The access control rules allow you to control how email messages move to, from, and through the FortiMail unit. Using access control rules the FortiMail unit can analyze email messages and take action based on the result. Messages can be examined according to the sender email address, recipient email address, and the IP address or host name of the system delivering the email message.

Each access control rule specifies an action to be taken for matching email.

For information about configuring access control rules, see Configuring access control receiving policies.

Recipient address verification

Recipient address verification ensures that the FortiMail unit rejects email with invalid recipients and does not scan or send them to the protected email server. This verification can reduce the load on the FortiMail unit when a spammer tries to send messages to every possible recipient name on the email server.

If you want to use recipient address verification, you need to verify email recipient addresses by using either the email server or an LDAP server.

Usually you can use the email server to perform address verification. This works with most email servers that provide a User unknown response to invalid addresses.

For instructions on configuring recipient address verification, see Configuring protected domains.

Disclaimer messages and customized appearance

You can customize both the disclaimer and replacement messages, as well as the appearance of the FortiMail unit interface.

The disclaimer message is attached to all email, generally warning the recipient the contents may be confidential.

Replacement messages are messages recipients receive instead of their email. These can include warnings about messages sent and incoming messages that are spam or infected with a virus. See Configuring custom messages.

You can customize the appearance of the FortiMail unit web pages visible to mail administrators to better match a company look and feel. See Customizing the GUI appearance.

Advanced delivery features

Processing email takes time. Processing delays can cause clients and servers to time out. To reduce this problem, you can:

defer delivery to process oversized email at a time when traffic is expected to be light
send delivery status notifications (DSN)

For full configuration and procedural details regarding oversized emails, see Downloading oversized email attachments.

Antispam techniques

Spam detection is a key feature of the FortiMail unit. The feature is based on two tiers of spam defense:

FortiMail antispam techniques
FortiGuard Antispam service

Each tier plays an important role in separating spam from legitimate email. FortiGuard Antispam delivers a highly-tuned managed service for the classification of spam while the FortiMail unit offers superior antispam detection and control technologies.

In addition to scanning incoming email messages, FortiMail units can also inspect the content of outgoing email messages. This can help eliminate the possibility that an employee or a compromised computer could send spam, resulting in the blocklisting of your organization’s email servers.

For more information on FortiMail antispam techniques, see Configuring profiles and Configuring security settings.

FortiMail antispam techniques

The following table highlights some of the FortiMail antispam techniques. For information about how these techniques are executed, see Order of execution.

FortiMail antispam technique highlights

Greylist scanning	See Configuring greylisting.
DNSBL scanning	In addition to supporting Fortinet’s FortiGuard Antispam DNSBL service, the FortiMail unit supports third-party DNS Blocklist servers. See DNSBL section.
SURBL scanning	In addition to supporting Fortinet’s FortiGuard Antispam SURBL service, the FortiMail unit supports third-party Spam URL Realtime Block Lists servers. See SURBL section.
Bayesian scanning	See Training the Bayesian databases.
Heuristic scanning	See Heuristic section.
Image spam scanning	See Image spam section.
PDF scanning	See Scan PDF attachment.
Block/safe lists	For information on global block/safe lists, see Managing the global block and safe list. For information on domain-wide block/safe lists, see Managing the per-domain block lists and safe lists. For information on personal block/safe lists, see Managing the personal block lists and safe lists. For information on session block/safe lists, see Configuring sender reputation options.
Banned word scanning	See Banned word section.
Safe list word scanning	See Safelist word section.
Sender reputation	See Viewing sender reputation statuses.

FortiGuard Antispam service

The FortiGuard Antispam service is a Fortinet-managed service that provides a three-element approach to screening email messages.

The first element is a DNS Block List (DNSBL) which is a “living” list of known spam origins.

The second element is in-depth email screening based on a Uniform Resource Identifier (URL) contained in the message body – commonly known as Spam URL Realtime Block Lists (SURBLs).

The third element is the FortiGuard Antispam Spam Checksum Blocklist (SHASH) feature. Using SHASH, the FortiMail unit sends a hash of an email to the FortiGuard Antispam server which compares the hash to hashes of known spam messages stored in the FortiGuard Antispam database. If the hash results match, the email is flagged as spam.

FortiGuard query results can be cached in memory to save network bandwidth.

FortiGuard Antispam DNSBL

To achieve up-to-date real-time identification, the FortiGuard Antispam service uses globally distributed spam probes that receive over one million spam messages per day. The FortiGuard Antispam service uses multiple layers of identification processes to produce an up-to-date list of spam origins. To further enhance the service and streamline performance, the FortiGuard Antispam service continuously retests each of the “known” identities in the list to determine the state of the origin (active or inactive). If a known spam origin has been decommissioned, the FortiGuard Antispam service removes the origin from the list, thus providing customers with both accuracy and performance.

The FortiMail FortiGuard Antispam DNSBL scanning process works this way:

Incoming email (SMTP) connections are directed to the FortiMail unit.
Upon receiving the inbound SMTP connection request, the FortiMail unit extracts the source information (sending server’s domain name and IP address).
The FortiMail unit transmits the extracted source information to Fortinet’s FortiGuard Antispam service using a secure communication method.
The FortiGuard Antispam service checks the sender’s source information against its DNSBL database of known spam sources and sends the results back to the FortiMail unit.
The results are cached on the FortiMail unit.

Additional connection requests from the same source do not need to be submitted to the FortiGuard Antispam service again because the classification is stored in the system cache.
If the results identify the source as a known spam source, the FortiMail unit acts according to its configured policy.

Once the incoming connection has passed the first pass scan (DNSBL), and has not been classified as spam, it will then go through a second pass scan (SURBL) if the administrator has configured the service.

FortiGuard Antispam SURBL

To detect spam based on the message body URLs (usually web sites), Fortinet uses FortiGuard Antispam SURBL technology. Complementing the DNSBL component, which blocks messages based on spam origin, SURBL technology blocks messages that have spam hosts mentioned in message bodies. By scanning the message body, SURBL is able to determine if the message is a known spam message regardless of origin. This augments the DNSBL technology by detecting spam messages from a spam source that may be dynamic, or a spam source that is yet unknown to the DNSBL service. The combination of both technologies provides a superior managed service with higher detection rates than traditional DNSBLs or SURBLs alone.

The FortiMail FortiGuard Antispam SURBL scanning process works this way:

After accepting an incoming SMTP connection (passed first-pass scan), the email is received.
After an incoming SMTP connection has passed the DNSBL scan, the FortiMail unit accepts delivery of email.
The FortiMail unit generates a signature (URL) based on the contents of the received email.
The FortiMail unit transmits the signature to the FortiGuard Antispam service.
The FortiGuard Antispam service checks the email signature against its SURBL database of known signatures and sends the results back to the FortiMail unit.
The results are cached on the FortiMail unit.

Additional email with the same signature do not need to be submitted to the FortiGuard Antispam service again because the signature classification is stored in the system cache.
If the results identify the signature as known spam, the FortiMail unit acts according to its configured policy.

Once the message has passed both elements (DNSBL and SURBL), it goes to the next layer of defense; the FortiMail unit that includes additional spam classification technologies.

Order of execution

The following table shows the sequential order of FortiMail antispam scans during an SMTP connection. You can use the table to design a configuration to achieve intended results, and to optimize performance.

Only antispam techniques are shown. Other features may occur in parallel. Disabled scans are skipped. Some features also cause later antispam scans to be skipped. Sort order of rows is by when scans end and action occurs, not by when scans start (which could be earlier for complex scans).

Order of execution is configurable for safe lists and block lists. See the FortiMail CLI Reference. In this table, default order is shown.

By default, safe lists cause sender authentication (DKIM, SPF, DMARC) to be skipped, even though sender email addresses could be fake. This is configurable. See the FortiMail CLI Reference.

Actions are usually configurable, either in the profile's general Default action, or in each scan. Actions can be complex and determined by many factors, not only by antispam.

Categories include:

Final actions: Reject, discard, rewrite, personal quarantine, and system quarantine. If a final action occurs, skip remaining scans.
Non-final actions: Tag, add header, replace, archive, notify, BCC, and encrypt. If a non-final action occurs, more scans and actions can still occur.
Delivery actions: After scans occur, delivery can be to the original host, alternate host, and BCC.

Factors include:

If an antivirus and antispam scan ends with non-final actions, attachment scans still occur but skip content monitoring.
If a FortiSandbox scan occurs, content monitoring still occurs.
If FortiGuard Antispam and IP Reputation detects spam, skip remaining antispam scans, even though the actions are not final.

Check Name	Inspects	Action If Positive (Math Found)	Action If Negative
Client initiates SMTP session with the FortiMail unit
Sender reputation	Client IP address (a.k.a. last hop address)	If the score is bad, perform the action. Else continue.	Add the IP address to the sender reputation database. Keep a reputation score based on the email. Continue.
FortiGuard block IP	Client IP address	Reject the email.	Continue.
Endpoint reputation	Client endpoint ID	If the score is bad, perform the action. Else continue.	Add the IP address to the endpoint reputation database. Keep a reputation score based on the email. Continue.
Sender rate control per connection	Client IP address	Apply limitations in the session profile.	Continue.
HELO/EHLO command received from SMTP client
HELO/EHLO	Domain name in the `HELO`/`EHLO`	If invalid characters are in the domain name, reject the `HELO`/`EHLO` command. Do not continue until a proper `HELO`/`EHLO` command is received.	Continue.
MAIL FROM: and RCPT TO: commands received from SMTP client
Sender rate control per message	Client IP address	Apply limitations in the session profile.	Continue.
Sender domain check (in the session profile's Unauthenticated Session Settingssection)	Sender in the SMTP envelope (`MAIL FROM:`)	Return an error to the SMTP client. The error depends on which check failed.	Continue.
Recipient verification (for unknown recipients)	Recipient in the SMTP envelope (`RCPT TO:`)	Reject the email.	Continue.
System safe list (Phase I)	Client IP address Sender in the SMTP envelope (`MAIL FROM:`)	Skip remaining antispam checks (but not antivirus and content checks).	Continue.
Greylist	Sender in the SMTP envelope (`MAIL FROM:`) Recipient in the SMTP envelope (`RCPT TO:`) Client IP address subnet	Continue. Note: Skip this scan if the access control rule’s action is Relay.	Return a temporary failure code to the SMTP client.
Session sender safe list (Phase I)	Client IP address Sender in the SMTP envelope (`MAIL FROM:`)	Skip remaining antispam checks (but not the antivirus and content checks).	Continue.
Authentication difference	Sender in the SMTP envelope (`MAIL FROM:`) Authenticated username	Reject the email.	Continue.
Bounce verification	Recipient in the SMTP envelope (`RCPT TO:`)	Perform the action.	Continue.
Access control rules	Client IP address Sender in the SMTP envelope (`MAIL FROM:`) Recipient in the SMTP envelope (`RCPT TO:`)	Perform the action. See also Configuring access control receiving policies.	If recipient is in a protected domain, the default action is Relay. Otherwise, the default action is Reject.
Check recipient domain	Recipient in the SMTP envelope (`RCPT TO:`)	Return an error to the SMTP client. The error depends on which check failed.	Continue.
Session recipient safe list	Recipient in the SMTP envelope (`RCPT TO:`) Recipient in message headers (`To:`)	Skip remaining antispam checks (but not the antivirus and content checks). Note: If there are multiple recipients, the action only applies to safelisted recipients.	Continue.
Session recipient block list	Recipient in the SMTP envelope (`RCPT TO:`) Recipient in message headers (`To:`)	Reject the email.	Continue.
DATA command received from SMTP client
System safe list (Phase II)	Sender in message headers (`From:` and `Reply-to:`)	Skip remaining antispam checks (but not the antivirus and content checks).	Continue.
System block list	Client IP address Sender in the SMTP envelope (`MAIL FROM:`) Sender in message headers (`From:` and `Reply-to:`)	Perform the action.	Continue.
Domain safe list	Client IP address Sender in the SMTP envelope (`MAIL FROM:`) Sender in message headers (`From:` and `Reply-to:`)	Skip remaining antispam checks (but not the antivirus and content checks).	Continue.
Domain block list	Client IP address Sender in the SMTP envelope (`MAIL FROM:`) Sender in message headers (`From:` and `Reply-to:`)	Perform the action.	Continue.
Session sender safe list (Phase II)	Sender in message headers (`From:` and `Reply-to:`)	Skip remaining antispam checks (but not the antivirus and content checks).	Continue.
Session sender block list	Client IP address Sender in the SMTP envelope (`MAIL FROM:`) Sender in message headers (`From:` and `Reply-to:`)	Perform the action.	Continue.
Personal safe list	Client IP address Sender in the SMTP envelope (`MAIL FROM:`) Sender in message headers (`From:` and `Reply-to:`)	Skip remaining antispam checks (but not the antivirus and content checks).	Continue.
Personal block list	Client IP address Sender in the SMTP envelope (`MAIL FROM:`) Sender in message headers (`From:` and `Reply-to:`)	Discard the email.	Continue.
End of message (EOM) command received from SMTP client
Antivirus	Body Attachments	If the antispam profile is configured to treat viruses as spam, perform the action in Default action.	Continue.
Safe list word	Subject line Body	Skip remaining antispam checks.	Continue.
FortiGuard Antispam	Message headers Body	Perform the action. Skip remaining antispam checks.	Continue.
DMARC (SPF and DKIM)	Client IP address	Perform the action. Note: If ARC override is enabled for DMARC, then the ARC result determines the action instead.	Continue.
SPF	Client IP address	Perform the action. Note: If ARC override is enabled for SPF, then the ARC result determines the action instead.	Continue.
DKIM	Message headers Body	Perform the action. Note: If ARC override is enabled for DKIM, then the ARC result determines the action instead.	Continue.
ARC	Message headers	Perform the action.	Continue.
Spam outbreak protection	Message headers Body	Perform the action.	Continue.
Behavior analysis	Body	Perform the action.	Continue.
Impersonation	Message headers	Perform the action.	Continue.
Banned word	Subject line Body	Perform the action.	Continue.
Dictionary	Body	Perform the action.	Continue.
DNSBL	Client IP address	Perform the action.	Continue.
SURBL	Body (URLs)	Perform the action.	Continue.
Heuristic	Body	Perform the action.	Continue.
Image spam	Body (embedded images) Attachments (if Aggressive is enabled)	Perform the action.	Continue.
Header analysis	Message headers	Perform the action.	Continue.
Bayesian	Body	Perform the action.	Continue.
Suspicious newsletter	Message headers Body	Perform the action.	Continue.
Content	Message headers Body Attachments	Perform the action.	Continue.
DLP	Message headers Body Attachments	Perform the action in Action.	Continue.