tinkpen_FTNT
Staff
Article Id 194238

Purpose
This article explains how SPF checks work on FortiMail.

Expectations, Requirements
Note: The SPF record itself indicates how strictly it should be interpreted.

Configuration
1) Hardfail

If an SPF record ends with -all, only mail that comes from a source matching one of the parameters (i.e. IPv4, IPv6, etc.) can be considered legitimate mail from that domain.
This is known as "hardfail".


For example, if a TXT lookup (nslookup -type=txt) is done on Fortinet, the following will be displayed:

"v=spf1 ip4:208.91.113.0/24 mx include:ott-fortimail.com include:fortinet-emea.com include:_spf.salesforce.com -all"

The -all at the end of the record indicates that only the included DNS records/IP address ranges can send mail on behalf of Fortinet.

2) Softfail

If an SPF record ends with ~all, mail that comes from a source not matching the parameters (i.e. IPv4, IPv6, etc.) can still be considered legitimate mail from that domain.
This is known as "softfail".


On the other hand, Google's SPF record displays:

"v=spf1 include:_spf.google.com ~all"

The ~all at the end of the record indicates that while some emails from Google will come from _spf.google.com, other emails from Google can come from parameters not in the SPF record.

By default, FortiMail is set to allow softfails through the device. If the logs show that an SPF check allowed an email through because of "softfail", this means that the domain in question is using ~all at the end of its SPF record.
This is because many domains, such as the example of Google above, use softfail (~all) in their SPF records.
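
The hardfail/softfail evaluation described above, as an added example that is not part of the original article and is not FortiMail's own code: a simplified SPF evaluator run over the two records quoted here. The domain names used as keys and every include-target record are constructed stand-ins, and the mx mechanism is skipped because it needs live DNS.

```python
import ipaddress

# Constructed TXT data so the example runs offline. The first two records are
# the ones quoted in the article (domain names assumed); every include target
# is a made-up stand-in on documentation ranges, not the real published record.
TXT = {
    "fortinet.com": "v=spf1 ip4:208.91.113.0/24 mx include:ott-fortimail.com "
                    "include:fortinet-emea.com include:_spf.salesforce.com -all",
    "google.com": "v=spf1 include:_spf.google.com ~all",
    "ott-fortimail.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "fortinet-emea.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.salesforce.com": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_spf.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=TXT, depth=0):
    """Return pass, fail, softfail, neutral or none for a sending IP."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True  # catch-all: its qualifier decides hardfail/softfail
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # Only a pass from the included record counts as a match; its own
            # -all or ~all never leaks into the outer result.
            matched = check_spf(ip, value, txt, depth + 1) == "pass"
        else:
            matched = False  # mx, a, exists need live DNS; skipped here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


if __name__ == "__main__":
    for ip, dom in [("208.91.113.10", "fortinet.com"), ("203.0.113.200", "fortinet.com"),
                    ("203.0.113.200", "google.com"), ("2001:db8::25", "google.com")]:
        print(ip, dom, check_spf(ip, dom))
```

The same unlisted address yields "fail" against the -all record and "softfail" against the ~all record, which is the difference that shows up in the SPF log entry.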

