<block-recipient-address_str>

Enter a blocklisted recipient email address.

This setting applies only if recipient-blocklist-status {enable | disable} is enabled.

bounce-rule <dsn-profile_name>

Select which delivery status notification (DSN) profile, if any, to use if email delivery is delayed.

This setting is available only if mta-adv-ctrl-status {enable | disable} is enabled.

<block-sender-address_str>

Enter a blocklisted sender email address.

This setting applies only if sender-blocklist-status {enable | disable} is enabled.

<header-key_str>

Enter a message header name (key) such as X-Custom to remove that header from email messages. Do not include the colon ( : ) after the key.

Multiple similar headers can be matched by using a regular expression pattern (see FortiMail regular expression syntax, except character classes that use a colon such as [[:alnum:]] are not supported). Regular expression matching is automatically enabled if the entry contains any of the following special characters:

.^$*+?{}[]\\|()

Otherwise FortiMail compares with a simple literal match.

This setting applies only if remove-headers {enable | disable} is enabled.

<profile_name>

Enter the name of the session profile.

<safe-recipient-address_str>

Enter a safelisted recipient email address.

This setting applies only if recipient-safelist-status {enable | disable} is enabled.

<safe-sender-address_str>

Enter a safelisted sender email address.

This setting applies only if sender-safelist-status {enable | disable} is enabled.

access-control <profile_name>

Enter an access control profile to be used in a session profile.

This feature is only available as part of the MTA advanced control feature. See mta-adv-ctrl-status {enable | disable}

block-encrypted {enable | disable}

Enable to block PGP and S/MIME encrypted messages.

Disable this setting only if you trust that SMTP clients connecting through the FortiMail system will not be sources of viruses or spam. FortiMail systems cannot scan encrypted message contents. See also profile encryption.

bypass-bounce-verification {enable | disable}

Enable to omit verification of bounce address tags on incoming bounce messages.

Alternatively, you can enable bypass-bounce-verification {enable | disable} in the protected domain.

For information on enabling bounce address tagging and verification (BATV), see antispam bounce-verification.

This setting does not omit bounce address tagging of outgoing messages.

conn-blocklisted {enable | disable}

Enable to prevent clients from connecting to SMTP servers that have been blocklisted in antispam profiles or, if it is enabled, by fortiguard-ip-check-mode {as-profile | as-profile-no-auth | client-connect | disable}.

This setting applies only in transparent mode and if you have enabled proxy-original {enable | disable}, and only for outgoing connections.

conn-concurrent <connections_int>

Enter the maximum number of concurrent connections per SMTP client IP address. Additional connections are rejected. Valid range is 0 to 4294967295. To disable the limit, enter 0.

conn-hidden {enable | disable}

Select either:

• enable: Be transparent. Preserve the SMTP client's IP address or domain name in the:

  • SMTP greeting (HELO/EHLO) in the envelope

  • Received: message headers

  • IP layer packet header

  This masks the existence of the FortiMail system to the protected SMTP server.

• disable: Do not be transparent. Replace the SMTP client’s IP addresses or domain names with that of the FortiMail system.

See also information about the proxies and transparency of the FortiMail built-in MTA.

This setting applies if the FortiMail system is operating in transparent mode.

Unless you have enabled exclusive {enable | disable} in the IP-based policy, tp-hidden {no | yes} in the protected domain supersedes this setting. For full transparency, also enable tp-hidden {no | yes} .

This setting does not take effect if the email is sent between two protected domains.

When this setting is enabled, you cannot use IP pools for this protected domain, and you should specify an SMTP server other than the FortiMail system for outgoing mail. See proxy-original {enable | disable}.

If the protected SMTP server applies rate limiting according to IP addresses, enabling this setting can improve performance. The rate limit will then be separate for each client connecting to the protected SMTP server, rather than shared among all connections handled by the FortiMail system.

conn-idle-timeout <timeout_int>

Enter the number of seconds a client may be idle before the FortiMail system drops the connection. Valid range is 5 to 1200.

conn-rate-number <connections_int>

Enter the maximum number of concurrent connections per SMTP client IP address during each interval. Additional connections are rejected. Valid range is 0 to 4294967295. To disable the limit, enter 0.

The 30 minute interval may be different if you have changed session-profile-rate-control-interval <minutes_int>.

dkim-signing-authenticated-only {enable | disable}

Enable to sign outgoing email with a DKIM signature only if the sender is authenticated.

This setting is available only if dkim-signing {enable | disable} is enable.

dkim-signing {enable | disable}

Enable to sign outgoing email with a DKIM signature. Also configure dkim-signing-authenticated-only {enable | disable}.

This setting requires that you first generate a domain key pair and publish the public key in the DNS record for the domain name of the protected domain. If you do not publish the public key, destination SMTP servers will not be able to validate your DKIM signature. See also details on generating domain key pairs on FortiMail and publishing the public key and dkim-signing-option {all | disable | incoming | outgoing}.

dkim-validation {enable | disable}

Enable to, if a DKIM signature is present, query the DNS server that hosts the DNS record for the sender’s domain name to retrieve its public key to decrypt and verify the DKIM signature.

An invalid signature increases the client sender reputation score and affect the deep header scan. A valid signature decreases the client sender reputation score.

If the sender domain DNS record does not include DKIM information or the message is not signed, the FortiMail unit omits the DKIM signature validation.

domain-key-validation {enable | disable}

Enable to validate the DomainKeys signature.

DomainKeys is a predecessor of DKIM and works in the same way. Because some domains still use DomainKeys validation, it is provided for backward compatibility.

email-addr-rewrite-options
{envelope-from envelope-from-as-key envelope-to header-from header-to reply-to}

Specify which elements of the sender and recipient addresses to rewrite. For more details, see the session profile section in the FortiMail Administration Guide.

email-queue {default | incoming | no-preference | outgoing}

Select which email queue to use for matching sessions.

This feature is only available as part of the MTA advanced control feature. See mta-adv-ctrl-status {enable | disable}

endpoint-reputation-action {reject | monitor}

Select either:

• reject: Reject email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed endpoint-reputation-blocklist-trigger <trigger_int>.

• monitor: Log, but do not reject, email and MMS messages from MSISDNs/subscriber IDs whose MSISDN reputation scores exceed endpoint-reputation-blocklist-trigger <trigger_int>. Log entries appear in the history log.

This setting applies if endpoint-reputation {enable | disable} is enable.

endpoint-reputation-blocklist-duration <duration_int>

Enter the number of minutes that endpoint-reputation-action {reject | monitor} will be applied after an SMTP client has been automatically blocklisted by endpoint reputation.

This setting applies if endpoint-reputation {enable | disable} is enable.

endpoint-reputation-blocklist-trigger <trigger_int>

Enter the MSISDN reputation score that will trigger the FortiMail system to add the MSISDN or subscriber ID to the automatic endpoint reputation blocklist.

Scores are increated by various factors such as failing sender validation. Spam detections older than the interval window are not included in the score. The interval of time configured in carrier-endpoint-blocklist-window-size {15m | 30m | 60m | 90m | 120m | 240m | 360m | 480m | 1440m}.

This setting applies if endpoint-reputation {enable | disable} is enable.

endpoint-reputation {enable | disable}

Enable to accept, monitor, or reject email based upon endpoint reputation scores. Your RADIUS server must provide mappings between dynamic IP addresses and MSISDNs/subscriber IDs to the FortiMail system.

This setting is designed for use with SMTP clients with dynamic IP addresses. For static IP addresses, instead use sender-reputation-status {enable | disable}.

Enabling endpoint reputation can improve performance by rejecting known spammers before more resource-intensive antispam scans are performed.

eom-ack {enable | disable}

Enable to acknowledge the end of message (EOM) signal immediately after receiving the carriage return and line feed (CRLF) characters that indicate the EOM, rather than waiting for antispam scanning to complete.

If the FortiMail system does not complete antispam scanning within 4 minutes, it returns SMTP reply code 451(Try again later), resulting in no permanent problems, since according to RFC 2821, the minimum timeout value should be 10 minutes. However, in rare cases where the server or client’s timeout is shorter than 4 minutes, the sending client or server could time-out while waiting for the FortiMail system to acknowledge the EOM command. Enabling this setting prevents those rare cases.

error-drop-after <errors_int>

Enter the maximum number of errors that the FortiMail system accepts before dropping the connection. Valid range is 0 to 4294967295. To disable the limit, enter 0.

error-penalty-increment <penalty-increment_int>

Enter the number of seconds by which to increase the delay for each error after error-penalty-initial <penalty-initial_int> is incurred. Valid range is 0 to 4294967295. To disable the limit, enter 0.

Delays continue to increase until the connection completes or reaches error-drop-after <errors_int>.

error-penalty-initial <penalty-initial_int>

Enter the delay in seconds for the first error after error-penalty-threshold <threshold_int> is reached. Valid range is 0 to 4294967295. To disable the limit, enter 0.

error-penalty-threshold <threshold_int>

Enter the number of errors permitted before the FortiMail system starts to penalize the client with delays. Valid range is 0 to 4294967295. To disable the limit, enter 0.

fortiguard-ip-check-mode {as-profile | as-profile-no-auth | client-connect | disable}

Select when during the SMTP connection to perform the FortiGuard IP reputation check and which settings to use, either:

• as-profile: Use FortiGuard IP reputation if fortiguard-check-ip {enable | disable} is enabled in the antispam profile.The action for this option happens after the entire message has been received by FortiMail, during the antispam scans.

• as-profile-no-auth: Use FortiGuard IP reputation if it is enabled in the antispam profile, but disable SMTP authentication when the reputation score reaches the threshold.

• client-connect: Use FortiGuard IP reputation.

  FortiGuard categorizes blocklisted IP addresses into three levels of reputation. You can configure the threshold which triggers the action in threshold-ip-connect {1 | 2 | 3}.

  The action for this option happens early during the connection phase, before the entire message has been received by FortiMail, so if a client has a bad reputation, then the connection is more quickly rejected, improving throughput.

• disable: Do not do the FortiGuard IP reputation check, even if it is enabled in the antispam profile.

When a FortiGuard IP reputation check occurs, the FortiMail system asks if the public IP address of the SMTP client is blocklisted. If the SMTP client IP address is a private one (and therefore may not be globally unique), then the first public IP address in the Received: message headers is inspected instead.

This setting applies only if sender-reputation-status {enable | disable} is enable.

limit-email <limit_int>

Enter the limit of email messages per session to prevent mass mailing. Valid range is 0 to 4294967295. To disable the limit, enter 0.

limit-helo <limit_int>

Enter the limit of SMTP greetings. Valid range is 0 to 4294967295. To disable the limit, enter 0.

Restricting the number of SMTP greetings allowed per session makes it more difficult for spammers to probe the email server for vulnerabilities (more attempts results in a greater number of terminated connections, which must then be re-initiated).

limit-max-header-size <limit_int>

Enter the size limit in kilobytes (KB) of the message headers. Valid range is 1 to 102400.

limit-max-message-size <limit_int>

Enter the size limit in kilobytes (KB) of the message. Valid range is 1 to 302700.

Message size limits also exist in the protected domain (max-message-size <limit_int>). The result depends on the email direction: Outgoing: Only the size limit in the session profile applies. If there is no session profile selected or no IP-based policy matches, then the default size limit of 10 MB is used. Incoming: Both the session profile and domain-specific settings apply. FortiMail uses whichever limit is smaller. If there is no session profile selected or no IP-based policy matches, then the default size limit of 10 MB is compared with the size limit in the protected domain. See also max-size <KB_int>.

limit-NOOPs <limit_int>

Enter the limit of NOOP commands. Valid range is 0 to 4294967295. To disable the limit, enter 0.

Some spammers use SMTP NOOP commands to keep a long session alive. Legitimate sessions usually require few NOOPcommands.

limit-recipient <limit_int>

Enter the limit of recipients to prevent mass mailing. Valid range is 0 to 4294967295. To disable the limit, enter 0.

limit-RSETs <limit_int>

Enter the limit of RSET commands. Valid range is 0 to 4294967295. To disable the limit, enter 0.

Some spammers use SMTP RSET commands to try again after receiving error messages about unknown recipients. Legitimate sessions should require few RSET commands.

mail-route <profile_name>

Enter a mail routing profile to be used in a session profile.

number-of-messages <limit_int>

Enter the maximum number of email messages (determined by the number of senders in the SMTP envelope (MAIL FROM:)) that a client can send during each interval. Valid range is 0 to 4294967295. To disable the limit, enter 0.

The 30 minute interval may be different if you have changed session-profile-rate-control-interval <minutes_int>.

number-of-recipients <limit_int>

Enter the maximum number of recipients (determined by the SMTP envelope (RCPT TO:)) that a client can send during each interval. Valid range is 0 to 4294967295. To disable the limit, enter 0.

The 30 minute interval may be different if you have changed session-profile-rate-control-interval <minutes_int>.

recipient-blocklist-status {enable | disable}

Enable to check the recipient addresses in the SMTP envelope (RCPT TO:) against the block list Also configure <block-recipient-address_str>.

recipient-rewrite-map <profile_name>

Enter an address rewrite profile to be used in a session profile.

This feature is only available as part of the MTA advanced control feature. See mta-adv-ctrl-status {enable | disable}

recipient-safelist-status {enable | disable}

Enable to check the recipient addresses in the SMTP envelope (RCPT TO:) against the safe list. Also configure <safe-recipient-address_str>.

Use safe lists and block lists with caution. They can increase incorrect results. For example, a session safe list entry for 0.0.0.0/0 allows email from all email servers. The result is that all spam from any email server — normal or spammer — would bypass later antispam scans.

remote-log <profile_name>

Enter the name of a remote logging profile.The remote logging profiles used here are the same as the system-wide remote logging profiles.

This feature is only available as part of the MTA advanced control feature. See mta-adv-ctrl-status {enable | disable}

remove-current-headers {enable | disable}

Enable to remove the headers that are inserted by this FortiMail system, except DKIM-Signature:. Which message headers are removed is determined by whether you have enabled remove-received-headers {enable | disable} and/or remove-headers {enable | disable}.

For backwards compatibility, if the firmware is upgraded while both remove-received-headers {enable | disable} and remove-headers {enable | disable} are enabled, then this setting is enabled by default.

remove-headers {enable | disable}

Enable to remove other specified message headers that have been inserted by other MTAs. Also configure <header-key_str>.

remove-received-headers {enable | disable}

Enable to remove all Received: message headers that have been inserted by other MTAs.

Alternatively, you can remove this header with the per-domain setting remove-outgoing-received-header {enable | disable}.

sender-blocklist-status {enable | disable}

Enable to check the sender addresses in the SMTP envelope (MAIL FROM:), message header (From:) and (Reply-to:) against the block list. Also configure <block-sender-address_str>.

sender-reputation-reject-score <threshold_int>

Enter a sender reputation score over which the FortiMail system will reject the email and reply to the SMTP client with SMTP reply code 550 when the SMTP client attempts to initiate a connection. Valid range is 0 to 100. To disable the limit, enter 0. FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

This setting applies only if sender-reputation-status {enable | disable} is enable.

sender-reputation-status {enable | disable}

Enable to accept or reject email based upon sender reputation scores. Also configure fortiguard-ip-check-mode {as-profile | as-profile-no-auth | client-connect | disable}, etc.

Tip: Sender reputation may not function well for SMTP clients with dynamic IP addresses. Instead, consider endpoint-reputation {enable | disable}.

sender-reputation-tempfail-score <threshold_int>

Enter a sender reputation score over which the FortiMail system will return a temporary failure error when the SMTP client attempts to initiate a connection. Valid range is 0 to 100. To disable the limit, enter 0. FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

This setting applies only if sender-reputation-status {enable | disable} is enable.

sender-reputation-throttle-number <rate_int>

Enter the maximum number of email messages per hour that the FortiMail system will accept from a throttled SMTP client. Valid range is 0 to 4294967295.

This setting applies only if sender-reputation-status {enable | disable} is enable.

sender-reputation-throttle-percentage <percentage_int>

Enter the maximum number of email messages per hour that the FortiMail system will accept from a throttled SMTP client, as a percentage of the number of email messages that the SMTP client sent during the previous hour. Valid range is 0 to 100.

This setting applies only if sender-reputation-status {enable | disable} is enable.

sender-reputation-throttle-score <threshold_int>

Enter a sender reputation score over which FortiMail will rate limit the number of email messages that can be sent by this SMTP client. Valid range is 0 to 100. To disable the limit, enter 0. FortiMail still monitors the sender reputation and increases or decreases the sender reputation scores accordingly.

The enforced rate limit is either sender-reputation-throttle-number <rate_int> or sender-reputation-throttle-percentage <percentage_int>, whichever value is greater. After the sender reaches the limit, no more incoming email will be accepted.

The enforced rate limit is either sender-reputation-throttle-number <rate_int> or sender-reputation-throttle-percentage <percentage_int> whichever value is greater.

This setting applies only if sender-reputation-status {enable | disable} is enable.

sender-rewrite-map <profile_name>

Enter an address rewrite profile to be used in a session profile.

This feature is only available as part of the MTA advanced control feature. See mta-adv-ctrl-status {enable | disable}

sender-safelist-status {enable | disable}

Enable to check the sender addresses in the SMTP envelope (MAIL FROM:), message header (From:) and (Reply-to:) against the safe list. Also configure <safe-sender-address_str>.

Caution: Use safe lists and block lists with caution. They can increase incorrect results.

For example, a session safe list entry for 0.0.0.0/0 allows email from all email servers. The result is that all spam from any email server — normal or spammer — would bypass later antispam scans.

sender-verification-profile <profile_name>

Select which LDAP profile to use for sender address verification.

This setting applies if sender-verification {enable | disable} is enable.

sender-verification {enable | disable}

Enable to validate sender email addresses with a query an LDAP server. Also configure sender-verification-profile <profile_name>.

session-3way-check {enable | disable}

Enable to reject the email if the domain name in the SMTP greeting (HELO/EHLO) and recipient email address (RCPT TO:) match, but the domain name in the sender email address (MAIL FROM:) does not.

Mismatching domain names is sometimes used by spammers to mask the true identity of their SMTP client.

This setting only affects unauthenticated sessions.

Note: Do not enable this setting if you have Microsoft 365 and need to send email to other Microsoft 365 tenants (private or business).

session-action-msg-type {accepted | all}

Select whether to apply session-action <content-action_profile> to either:

• all: All messages in the SMTP session.

• accepted: Only accepted messages. This is useful to optimize performance if the action profile would apply features that can't have any effect if a message is ultimately rejected, such as header manipulation or tagging.

session-action <content-action_profile>

Select which content action profile to apply to the email that you select in session-action-msg-type {accepted | all}.

session-allow-pipelining {yes | no}

Select the behavior for ESMTP command pipelining, either:

• yes: Accept some SMTP commands to be given and processed as a batch, increasing performance over high-latency connections.

• no: Accept only one command at a time during an SMTP session. Do not accept the next command until processing of the previous command is complete.

Note: Pipelining may also occur implicitly, even if an email server or FortiMail does not explicitly say that it supports pipelining. See smtp-eom-bare-lf-handling {allow | disallow | ignore}.

session-command-checking {enable | disable}

Enable to return an SMTP reply code (the number may vary) rejecting the SMTP command if the client or server uses SMTP commands that have syntax errors, such as:

• invalid sequential order of SMTP commands

• invalid email address formats, including MAIL FROM: and RCPT TO: email addresses not enclosed with <> (for example, the valid format should be RCPT TO:<user@example.com>)

• extra spaces in parameters

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:41:15 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

RCPT TO:user@example.com

553 5.1.2 user@example.com... Invalid email address

session-disallow-encrypted {enable | disable}

Enable to block STARTTLS/MD5 commands so that email connections cannot be TLS-encrypted.

This setting applies only in transparent mode.

Caution: Disable this setting only if you trust that SMTP clients connecting using TLS through the FortiMail system will not be sources of viruses or spam. FortiMail systems operating in transparent mode cannot scan encrypted sessions. See also profile tls.

session-helo-char-validation {enable | disable}

Enable to return SMTP reply code 501, and to reject the SMTP greeting, if the client or server uses a greeting that contains a domain name with invalid characters.

To avoid disclosure of a real domain name, spammers sometimes spoof an SMTP greeting domain name with random characters, rather than using a valid domain name.

The following example shows invalid command in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 13:30:20 GMT

EHLO ^^&^&^#$

501 5.0.0 Invalid domain name

Valid characters for domain names include:

• alphanumerics (A to Z and 0 to 9)

• brackets ( [ and ] )

• periods ( . )

• dashes ( - )

• underscores ( _ )

• number symbols( # )

• colons ( : )

session-helo-domain-check {enable | disable}

Enable to return SMTP reply code 501, and reject the SMTP command, if the domain name accompanying the SMTP greeting is not a domain name that exists in either DNS MX or A records.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

EHLO example.com

This setting only affects unauthenticated sessions.

session-helo-rewrite-clientip {enable | disable}

Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO) to the IP address of the client to prevent domain name spoofing.

This setting applies only if the FortiMail system is operating in transparent mode.

session-helo-rewrite-custom-string <helo_str>

Enter the replacement text for the HELO/EHLO domain.

This setting applies only if the FortiMail system is operating in transparent mode, and if session-helo-rewrite-custom {enable | disable} is enable.

session-helo-rewrite-custom {enable | disable}

Enable to rewrite the domain name in the SMTP greeting (HELO/EHLO). Also configure session-helo-rewrite-custom-string <helo_str>.

This setting applies only if the FortiMail system is operating in transparent mode.

session-prevent-open-relay {enable | disable}

Enable to prevent SMTP clients from using open relays to send email by blocking unauthenticated sessions in outgoing connections. (Unauthenticated sessions are assumed to be occurring with an open relay.)

If SMTP clients use open relays to send email, email from their protected domain could be blocklisted by recipient SMTP servers.

This setting is used only if proxy-original {enable | disable} is enable, and only affects unauthenticated sessions.

This setting is available only if FortiMail system is operating in transparent mode.

session-recipient-domain-check {enable | disable}

Enable to return SMTP reply code 550, rejecting the SMTP command, if the domain name portion of the recipient address is not a domain name that exists in either DNS MX or A records.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:48:32 GMT

EHLO example.com

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@fortinet.com>

250 2.1.0 <user1@fortinet.com>... Sender ok

RCPT TO:<user2@example.com>

550 5.7.1 <user2@example.com>... Relaying denied. IP name lookup failed [192.168.1.1]

This setting only affects unauthenticated sessions.

session-reject-empty-domain {enable | disable}

Enable to return an SMTP reply code (the number varies), and reject the SMTP command, if the sender domain is empty in either:

• HELO/EHLO greeting

• sender email address (MAIL FROM:) in the SMTP envelope

The following example shows the invalid command highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 20 Nov 2013 10:42:07 -0500

EHLO

250-FortiMail-400.localdomain Hello [172.20.140.195], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE 10485760

250-DSN

250-AUTH LOGIN PLAIN

250-STARTTLS

250-DELIVERBY

250 HELP

MAIL FROM:user@example.com

550 5.5.0 Empty EHLO/HELO domain.

quit

221 2.0.0 FortiMail-400.localdomain closing connection

This setting only affects unauthenticated sessions.

session-sender-domain-check {enable | disable}

Enable to return SMTP reply code 421, rejecting the SMTP command, if the domain name portion of the sender address is not a domain name that exists in either DNS MX or A records.

In the following example, the invalid command is highlighted in bold:

220 FortiMail-400.localdomain ESMTP Smtpd; Wed, 14 Feb 2008 14:32:51 GMT

EHLO

250-FortiMail-400.localdomain Hello [192.168.1.1], pleased to meet you

MAIL FROM:<user1@example.com>

421 4.3.0 Could not resolve sender domain.

This setting only affects unauthenticated sessions.

spf-validation {enable | disable | bypass}

Select either:

• enable: Validate the SMTP client IP address using SPF.

• disable: Do not use SPF validation, unless SPF is enabled in the antispam profile.

• bypass: Do not use SPF validation.

See also spf-checking {enable | disable} and spf-perm-error-as-failure {enable | disable}.

splice-status {enable | disable}

Enable to use splice mode once an SMTP session reaches the threshold. Also configure splice-unit {seconds | kilobytes} and splice-threshold <threshold_int>.

Splice mode lets the FortiMail system simultaneously scan an email and relay it to the SMTP server. This increases throughput and reduces the risk of server timeout. If FortiMail detects spam or a virus, it terminates the server connection and returns an error message to the sender with the spam or virus name and infected file name.

This setting applies only if the FortiMail system is operating in transparent mode.

splice-threshold <threshold_int>

Enter a threshold value to switch to splice mode based on time (seconds) or data size (kilobytes) using splice-unit {seconds | kilobytes}.

This setting applies only if the FortiMail system is operating in transparent mode.