Configuring bounce verification and tagging
The Bounce Verification submenu lets you configure bounce address tagging and verification.
Spammers sometimes fraudulently use others’ email addresses as the sender email address in the message envelope (MAIL FROM:) when delivering spam. When an email cannot be delivered, email servers often return a a delivery status notification (DSN) message, sometimes also known as a bounce message, to the sender email address located in the message envelope.
While DSNs are normally useful in notifying email users when an email could not be delivered, in this case, it could result in delivery of a DSN to an email user who never actually sent the original message. Because the invalid bounce message is from a valid email server, it can be difficult to detect as invalid.
You can combat this problem with bounce address tagging and verification. If the FortiMail unit tags outgoing email, it can verify the tags of incoming bounce messages to guarantee that the bounce message is truly in reply to a previous outgoing email.
For a FortiMail unit to perform bounce address tagging, the following must be true:
- bounce verification is enabled
- a bounce address key must exist and be activated
- in the protected domain to which the sender belongs, the “Bypass bounce verification” option is disabled (see “Configuring protected domains” on page 380)
- the recipient domain is not in the tagging exempt list
The FortiMail unit will use the currently activated key to generate bounce address tags for all outgoing email. You can create multiple keys, but only one can be activated at any time.
The activated private key is used, together with randomizing data, to generate the tag that is applied to the sender email address in the message envelope, also known as the bounce address, of all outgoing messages. The format of tagged sender email addresses is: prvs=1234567890=user1@example.com
where the sender email address is user1@example.com and the prefix is the bounce address tag. The tag is different for every email message, and uniquely identifies the email message.
If the email server for the recipient email domain cannot deliver the email, it will send a bounce message whose recipient is the tagged email address. When the bounce message arrives at the FortiMail unit, it will use the private keys to verify the bounce address tag. Incoming email is subject to bounce verification if all the following is true:
- bounce verification is enabled
- at least one bounce address key exists
- in the protected domain to which the recipient belongs, the Bypass Bounce Verification option is disabled (see “Configuring protected domains” on page 380)
- in the session profile, the Bypass Bounce Verification check option is disabled (see
“Configuring session profiles” on page 482)
- the sender email address (MAIL FROM:) in the message envelope is empty
- the DSN sender is not in the verification example list
The sender email address is typically empty for bounce messages. The sender email address may also be empty for some types of spam that are not bounce messages. Because the sender email addresses of those types of spam will not have a proper tag, similar to bounce message spam, these spam will fail the bounce verification process. Email sent from email clients or webmail will not have an empty sender email address, and therefore will not be subject to the bounce verification process.
If the tag is successfully verified, the bounce verification scan removes the tag, restoring the recipient email address to one known by the protected domain, and allows the bounce message.
If the tag is not successfully verified, the bounce verification scan will perform the action that you have configured for invalid bounce messages.
To access this part of the web UI, your administrator account’s:
- Domain must be System
- access profile must have Read or Read-Write permission to the Policy category
For details, see “About administrator account permissions and domains” on page 290.
To configure bounce verification settings
- Go to AntiSpam > Bounce Verification > Settings.
Figure 281:Settings tab
- Configure the following as required:
GUI item | Description |
New, Edit, Delete
(buttons) |
Click to create, edit or delete a key.
Note: If you delete a key, any email with a tag generated when that key was active will fail bounce verification. After activating a new key, keep the previously active key until any tags generated with the old key expire. Delete is unavailable if the Status of the key is Active. |
Key | Displays the string of text that is the private key. This can be any arbitrary string of text, and will be used together with randomizing data to generate each bounce address tag. |
Status | Indicates which key is activated for use.
• Active: The key is activated. • Inactive: The key is deactivated. Only one of the keys may be activated at any given time. The activated key is the one that will be used to generate the bounce address tags for outgoing email. Both activated and deactivated keys will be used for bounce address tag verification of incoming email. To activate or deactivate a key, double-click it and modify its Status. |
Last Used | Displays the date and time when the key was generated or last used to verify the bounce address tag of an incoming email, whichever is later. |
Enable bounce verification | Mark this check box to enable verification of bounce address tags for all incoming email.
If you want to make exceptions for email that does not require bounce address tag verification, you can bypass bounce verification in protected domains and session profiles. For more information, see “Configuring protected domains” on page 380 and “Configuring session profiles” on page 482. |
Bounce verification tag expires in (days) | Enter the number of days after creation when bounce message keys will expire and their resulting tags will fail verification. |
GUI item | Description |
Keys will be automatically removed | Displays the period of time after which unused, deactivated keys will be automatically removed.
The activated key will not be automatically removed. |
Bounce verification action | Select which action that a FortiMail unit will perform when an incoming email fails bounce address tagging verification, either:
• Reject: Reject delivery of the email and respond to the SMTP client with SMTP reply code 550 (Relaying denied). • Discard: Accept the email, but silently delete it and do not deliver it. Do not inform the SMTP client. • Use antispam profile setting: Use the actions configured in the antispam profile that you selected in the policy that matches the email message. For more information on actions, see “Configuring antispam action profiles” on page 516. |
To configure a bounce address tagging and verification key
- Go to AntiSpam > Bounce Verification > Settings.
- Click New to add a key or double-click to a key to modify it.
A dialog appears:
Figure 282: Bounce Verification Key dialog
- Configure the following:
GUI item | Description |
Key name | Enter the string of text that will be used together with randomizing data in order to generate each bounce address tag. Keys must not be identical.
This field cannot be modified after a key is created. Instead, you must create a new key. If you are certain that no email has used a key, and therefore no bounce messages can exist which would require tag verification, you can safely delete that key. |
Status | Select the activation status of the key.
• Active: The key will be activated, and used to generate bounce address tags for outgoing messages. If any other key is currently activated, it will be deactivated when this new key is saved and activated. • Inactive: The key will be deactivated. You can activate the key at a later time. Only one of the keys may be activated at any given time.The activated key is the one that will be used to generate tags for outgoing messages. Both activated and deactivated keys will be used for bounce address tag verification of incoming email. |
Excluding recipient domains from bounce verification tagging
If you do not want to tag the email sent to certain recipients, you can do so by adding the recipient domain to the exempt list.
To configure the tagging exempt list
- Go to AntiSpam > Bounce Verification > Tagging Exempt List.
- Click New.
- Add the recipient domain name.
- Click Create.
Emails from at least one customer are still going to quarantine after being added to personal AND system safe list. What am I missing?