FortiMail Email Authentication: SPF, DKIM and DMARC


Domain-based Message Authentication, Reporting & Conformance (DMARC) performs email authentication with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checking. 

SPF compares the client IP address to the IP address of the authorized senders in the DNS record. If the test fails, the email is treated as spam.

DKIM allows FortiMail to check for DKIM signatures for incoming email or sign outgoing email with the domain keys for the protected domains.

This recipe covers how to enable DMARC, SPF, and DKIM.

If you require more information on DMARC, SPF, or DKIM, consult the FortiMail Administrator Guide.

Enabling SPF checking

You can enable SPF in the antispam profile and in the session profile settings. If you select Bypass SPF checking in the session profile, however, SPF checking is bypassed even if you enable it in the antispam profile.

To enable SPF in an antispam profile

    1. Go to Profile > Antispam.
    2. Select New or double click an existing profile.
    3. Enable SPF check.

To enable SPF in a session profile

    1. Go to Profile > Session.
    2. Select New or double click an existing profile.
    3. Select the arrow beside the Sender Validation section to expand it.
    4. Enable or disable SPF by selecting the appropriate option from the dropdown menu.

      If the sender domain DNS record lists SPF authorized IP addresses, use SPF check to compare the client IP address to the IP addresses of authorized senders in the DNS record. An unauthorized client IP address increases the client sender reputation score, while an authorized client IP address decreases the client sender reputation score.

[Screenshot: FM SPF]

Enabling DKIM checking


FortiMail can perform DKIM checking for incoming mail by querying the DNS server that hosts the DNS record for the sender’s domain name, retrieving the domain’s public key, and using it to verify the DKIM signature.

To enable DKIM checking

    1. Go to Profile > Session.
    2. Select New or double click an existing profile.
    3. Select the arrow beside the Sender Validation section to expand it.
    4. Enable DKIM check.

Configuring DKIM Signing


If you want to sign the outgoing mail with DKIM signatures so that the remote receiving server can verify the signatures, you can do so after you create the protected domains. Note that the DKIM signing settings only appear when configuring an existing protected domain.

To configure DKIM signing

    1. Go to Mail Settings > Domains > Domains.
    2. Double click an existing protected domain.
    3. Expand the Advanced Settings and then expand the DKIM setting.
    4. Enter a selector to use for the DKIM key in the entry field and select Create.
      The selector name for the key pair appears in the list of domain key selectors. The key pair is generated and public key exported for publication on a DNS server.
    5. Click to select the domain key and then select Download.
    6. Publish the public key by inserting the exported DNS record into the DNS zone file of the DNS server that resolves this domain name.
    7. Select OK.

To enable DKIM signing

    1. Go to Profile > Session.
    2. Select New or double click an existing profile.
    3. Select the arrow beside the Sender Validation section to expand it.
    4. Enable DKIM signing for outgoing messages.

[Screenshot: FM DKIM]

Enabling DMARC

DMARC performs email authentication with SPF and DKIM checking. If either the SPF check or the DKIM check passes, the DMARC check passes. If both fail, the DMARC check fails.

Enabling DMARC enables both SPF and DKIM checking.
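As an added example (not FortiMail’s code), the following Python evaluates a minimal SPF record (ip4, ip6 and all mechanisms only) against a connecting client IP, as the SPF check above describes, and then applies the DMARC combination rule exactly as this recipe states it. The DNS TXT records and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample TXT records (documentation-range addresses, not real zones).
DNS_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str) -> str:
    """Compare the connecting client IP with the senders authorized in the
    domain's SPF record. Only ip4/ip6/all mechanisms are handled here
    (include, a, mx and redirect are omitted for brevity)."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":                   # catch-all decides the result
            return QUALIFIERS[qualifier]
        mechanism, _, value = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                        # no mechanism matched, no 'all'


def dmarc_check(spf_result: str, dkim_result: str) -> str:
    """The combination rule as this recipe describes it: DMARC passes if
    either check passes and fails only when both fail. It does not consult
    the sender domain's published DMARC policy."""
    return "pass" if "pass" in (spf_result, dkim_result) else "fail"


if __name__ == "__main__":
    for domain, ip in [("example.com", "198.51.100.25"),
                       ("example.com", "192.0.2.5"),
                       ("softfail.example", "192.0.2.5")]:
        spf = spf_check(domain, ip)
        print(f"{domain} from {ip}: SPF={spf}, DMARC={dmarc_check(spf, 'fail')}")
```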

To enable DMARC

  1. Go to Profile > AntiSpam > AntiSpam.
  2. Select New or modify an existing profile.
  3. Enable DMARC check.

[Screenshot: FM DMARC]
  • Johan de Koning

    Hi there,

    I miss a lot of documentation on how DMARC is implemented on Fortimail.

    As of now it only states that it will do the following:
    “If either SPF check or DKIM check passes, DMARC check will pass. If both of them fails, DMARC check fails.

    More DMARC features will be added in future releases.”

    So no checking with the domain holders to see what the policy is?
    And when is the rest of DMARC gonna be implemented in Fortimail?

  • Izan Díez

    Enabling DKIM signing with disclaimer insertion enabled results in failed DKIM signatures. Is this a known issue or is there any configuration change necessary?

  • Andrew Curtis

    Configuring and enabling these settings has been proposed as a solution by Fortinet support to our issue with forged or spoofed emails. We already have a hard fail on our SPF record but enabling these settings on our Fortimail will block emails from all senders that haven’t correctly configured their own SPF or DKIM records, won’t they, not just our own?

    • Chris

      Yes, you’re correct.

      • Andrew Curtis

        Any idea how to enforce SPF checking for just our own domains without affecting our own? We have been working on this issue for over 6 months with Fortinet and they still haven’t been able to provide an effective solution. Recipient policies and IP policies are not having the desired result. Forged emails are still getting through or important emails are getting unnecessarily quarantined.

        It appears that the SPF checking algorithm on our Fortimails is getting tricked by well crafted phishing emails. We have forged emails with our domain in the ‘from’ address coming from unauthorised IPs that get past all our SPF checking in our IP policies and recipient policies when it’s set to strict. If we turn IP policies on to aggressive we get everyone else’s emails quarantined. We are yet to get any forged emails pretending to be from our domain to confirm if aggressive stops our forged emails.

        This is really quite frustrating how long it’s taking to get a workable solution for such a basic and fundamental protection that any mail appliance should be able to protect against. =/

        • Johan de Koning

          We had the same problem and did a simple thing that worked like a charm.

          Go to Policy -> Access Control -> And press New -> at sender Pattern set @yourdomainname.com and recipient pattern @yourdomainname.com set Action Reject.

          Now only clients you explicitly allow in the Access Control list can relay or send emails to your company from your own company domain so no more spoofing.

          Also we implemented adding a Tag in the subject from all emails marking it as [External] so people know at all time when an email comes from an internal recipient or externally.

  • There is apparently a design error in FortiMail’s DMARC implementation which presents an ecosystem risk (it ultimately makes life easier for phishers by treating p=none differently to no DMARC record, which makes it hazardous for most domain registrants to even request DMARC reports in order to survey use of their domain). FortiNet support is apparently telling customers that FortiNet does not intend to change the implementation, presumably because the harm being done is not understood by FortiMail’s product management. Are you able to connect me with the relevant product manager?

    (I’m not a customer, but do have a decade-long involvement in email authentication and am concerned about the ecosystem harm that FortiMail’s implementation is doing or may do.)