The problem with NGFW antispam. For many organizations, spam filtering relies heavily on blacklists (RBL). With NGFW firewall-based products, the logic is simple: if the sending server’s IP address appears on even one blacklist, the email is rejected immediately. This approach is fast, cheap, and technically easy to implement. But it comes with a major downside: false positives. Legitimate business emails, newsletters, or member communications can be blocked completely. NGFW Antispam Makes Wrong Decisions.

Why blacklists are problematic

  • False positives: If one sender in a shared pool triggers spam traps, the entire IP can get listed, affecting all senders.
  • Strong technical setup doesn’t help: Even with perfect SPF, DKIM, and DMARC, a single blacklist hit can cause rejection.
  • Bulk email ≠ spam: Associations and companies often send bulk messages with full user consent, but blacklists can’t tell the difference.

The ideal model: scoring instead of a single signal

A modern antispam solution should not block based on one hit. Instead, it should use a multi-signal scoring system:
  • One blacklist = penalty, but not immediate rejection.
  • Multiple blacklists = higher penalty.
  • Valid SPF, DKIM, DMARC = positive signal.
  • Domain and IP reputation history = strong weighting.
  • Content analysis, suspicious URLs, or attachments = negative score.
  • User feedback (spam reports) = negative score.
  • Engagement metrics (opens, clicks, replies) = positive score.
This layered scoring reduces false positives and allows administrators to tune filtering based on the organization’s risk tolerance.

FortiGate and DNSBL – a flawed approach

Take FortiGate NGFW as an example. Its antispam engine checks both FortiGuard and external DNSBL/ORDBL services simultaneously. The first response wins:
  • If Spamhaus responds first with “listed → reject,” the email is blocked instantly—even if FortiGuard would later mark it clean.
  • If FortiGuard replies “clean” first, the email is allowed, even if Spamhaus flags it moments later.
This design means the decision is not based on scoring or combined analysis, but on response time. The result: more false positives. In contrast, a dedicated mail gateway like FortiMail or Cisco ESA evaluates multiple signals, assigns scores, and makes a more accurate final decision.

Delisting is slow and painful

If a sending IP lands on a blacklist, removal is rarely quick. Most RBL operators require proof that the issue (list hygiene, spam complaints, bounce rates) has been fixed before processing removal requests. This can take days—or weeks. For senders using shared IP pools, reputation damage may be permanent, since other customers’ actions affect everyone. Even compliant, legitimate senders may struggle to get their emails delivered.

Conclusion: NGFW antispam is not enough

Blocking email on a single blacklist hit is too aggressive in today’s complex communication landscape. NGFW antispam works as a basic defense—filtering out obvious threats at the firewall. But organizations need a scoring-based mail security layer to ensure legitimate communication is not lost. NGFW Antispam Makes Wrong Decisions and you should not use it. This approach keeps spam and phishing out while allowing trusted email through—improving both security and user experience.   Hannu Rokka, Senior Advisor 5Feet Networks Oy