This article provides an explanation of forged IP.
When the forged IP scan is enabled, the FortiMail will perform a reverse (PTR record) lookup on the IP address of a connecting host to get a hostname. It will then perform a forward (A record) lookup on that hostname, and compare the returned IP address to that of the connecting host. If they do not match, then the IP address is considered "forged".
This can occasionally cause false-positives with hosts with multiple A records. The FortiMail will check the connecting IP against all the A records for the hostname, but some DNS servers will return a truncated list, possibly cutting off the IP address that was actually connecting.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.