Multi-region
About multi-region
The multi-region functionality helps to avoid data loss in the case of an AWS SES [Simple Email Service] outage by enabling the transfer of emails between the AWS US and EU regions. If multi-region is enabled and an AWS SES outage occurs, emails are transferred from the primary region [US East or Europe] to a secondary region [US West] until the primary AWS region is up and running again.
Note: Since the secondary server is located in the US, and not in the EU, the multi-region functionality is not GDPR compliant.
Multi-region applicability
The multi-region functionality does not apply to the following:
- Microsoft 365 API integrations
Enabling multi-region functionality
Multi-region functionality can be enabled for any organization - either an existing organization or a new organization.
Licensing: There are no additional licensing requirements for enabling the multi-region functionality.
To enable multi-region functionality for an existing organization:
- In FortiMail Workspace Security, in the left navigation menu, select Settings > Account.
- Under General, click Edit, select Allow Multi-region, and then click Save.
- Select Settings > Protected Email Assets.
- Locate the required domain, and then add the secondary TXT record with your domain provider.
To enable multi-region functionality for a new organization:
- When you create a new organization, select "Allow Multi-Region" in the first step of the organization creation wizard.
TXT record requirements
When you enable the multi-region functionality, you'll need to add an additional TXT record for the secondary region - for each existing domain and each new domain.
- Existing domains: In FortiMail Workspace Security, in the left navigation menu, select Settings > Protected Email Assets. Locate the required domain, and then add another TXT record for the secondary region.
- New domains: During the process of adding a new domain, you'll be required to add a TXT record for the primary region and another TXT record for the secondary region.
IP address requirements
When you enable the multi-region functionality - for all existing email service integrations - you'll need to add an additional IP address [52.12.169.124] to your inbound gateway. For details, see:
- Step 3 - Configuring Google Workspace - 1 place
- Step 3 - Configuring Microsoft 365 [Inline] - 3 places
- Step 3 - Configuring Exchange - 2 places
You'll also need to change the host name [inbound mail connector] - typically called "Perception Point Scanner". For details, see the references above.
Disabling multi-region functionality
When you disable the multi-region functionality, you'll need to delete the additional IP address [52.12.169.124] from your inbound gateway. For details, see:
- Step 3 - Configuring Google Workspace - 1 place
- Step 3 - Configuring Microsoft 365 [Inline] - 3 places
- Step 3 - Configuring Exchange - 2 places
You'll also need to change the host name [inbound mail connector] - typically called "Perception Point Scanner". For details, see the references above.
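One way to check that an inbound gateway allow list matches the multi-region setting described in the two sections above: the secondary IP must be present while multi-region is enabled and absent once it is disabled. This is an added example, not FortiMail Workspace Security code; the function name, the export format (a list of IP or CIDR strings) and the sample address 192.0.2.10 are assumptions.

```python
import ipaddress

# Secondary-region address given on this page.
SECONDARY_IP = ipaddress.ip_address("52.12.169.124")


def audit_allow_list(entries, multi_region_enabled):
    """Check an inbound gateway allow list against the multi-region setting.

    entries: IP or CIDR strings exported from the gateway (assumed format).
    Returns (severity, message) tuples; an empty list means consistent.
    """
    findings, covering = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=False tolerates host bits in a range, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            findings.append(("warn", f"unparseable entry {raw!r}"))
            continue
        if SECONDARY_IP in net:
            covering.append(net)

    if multi_region_enabled and not covering:
        findings.append(("error", f"multi-region is enabled but {SECONDARY_IP} is not allowed"))
    if not multi_region_enabled and covering:
        ranges = ", ".join(str(n) for n in covering)
        findings.append(("error", f"multi-region is disabled but {SECONDARY_IP} is still allowed via {ranges}"))
    for net in covering:
        if net.num_addresses > 1:
            findings.append(("warn", f"{net} admits {net.num_addresses} addresses, not only {SECONDARY_IP}"))
    return findings


if __name__ == "__main__":
    # Constructed allow list: 192.0.2.10 stands in for a primary-region entry.
    stale = ["192.0.2.10", "52.12.169.124"]
    for severity, message in audit_allow_list(stale, multi_region_enabled=False):
        print(severity, message)
```

Run it against each place the address is configured (the referenced steps list 1, 3 and 2 places respectively), since an entry left behind in any one of them keeps the address trusted.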
How multi-region works
The FortiMail Workspace Security multi-region functionality is designed to make sure emails are delivered even if there’s an outage in one AWS region (for example, US-East-1).
- Normal operation: Emails are received through the default region. They’re scanned and then delivered to the recipient server.
- If there’s an outage: FortiMail Workspace Security automatically switches to a backup (disaster recovery) region. Instead of trying to scan emails in the affected region, the backup system sends the emails directly to the recipient server to avoid delays or failures. The emails are copied back to the original region’s storage when it becomes available, ensuring no data is lost.
- Fallback handling: If for any reason the email still can’t be delivered, it’s moved to a special queue for follow-up, so no messages are dropped.
In contrast to the above scenario, if the multi-region functionality is not configured, messages will be routed to the outage region and get stuck in the queue. Some messages will be sent directly to the customer, while others will be held for scanning. Once the system is back up, the messages will be scanned, and then either released or quarantined. There’s a chance of message loss - depending on the nature of the outage.
