GabrielAuYong_FTNT
Description

This article provides an explanation of forged IP.


Scope

All FortiMail


Solution
When the forged IP scan is enabled, the FortiMail will perform a reverse (PTR record) lookup on the IP address of a connecting host to get a hostname. It will then perform a forward (A record) lookup on that hostname, and compare the returned IP address to that of the connecting host. If they do not match, then the IP address is considered "forged".

This can occasionally cause false positives for hosts that have multiple A records. The FortiMail checks the connecting IP against all the A records returned for the hostname, but some DNS servers return a truncated list, possibly cutting off the IP address that is actually connecting.
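As an added example (not FortiMail's own code), the check described above run against a constructed DNS table of hypothetical hostnames and RFC 5737 test addresses so it works offline; the last call reproduces the truncated-answer false positive from the previous paragraph.

```python
# Added example: forward-confirmed reverse DNS check as described in the
# article, with resolver functions injected so the same logic could be wired
# to a real resolver. All DNS data below is constructed for the example.
from typing import Callable, Dict, List, Optional

# Constructed sample DNS data (hypothetical names, RFC 5737 test addresses).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mx1.example.net",
    "192.0.2.11": "mx2.example.net",
    "198.51.100.7": "mail.example.org",
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    # mx2 has several A records; the connecting IP is listed last.
    "mx2.example.net": ["192.0.2.20", "192.0.2.21", "192.0.2.11"],
    # PTR name that forward-resolves to a different address.
    "mail.example.org": ["203.0.113.5"],
}

def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup: IP -> hostname, or None if no record."""
    return PTR_RECORDS.get(ip)

def lookup_a(hostname: str, max_answers: Optional[int] = None) -> List[str]:
    """Forward (A) lookup; max_answers simulates a resolver that truncates."""
    answers = A_RECORDS.get(hostname, [])
    return answers if max_answers is None else answers[:max_answers]

def is_forged_ip(ip: str,
                 ptr: Callable[[str], Optional[str]] = lookup_ptr,
                 a: Callable[[str], List[str]] = lookup_a) -> bool:
    """True when the connecting IP fails the forward-confirmed reverse check.

    1. PTR lookup on the IP gives a hostname.
    2. A lookup on that hostname gives a list of IPs.
    3. The IP is 'forged' unless it appears in that list.
    """
    hostname = ptr(ip)
    if hostname is None:
        # Assumption for this example: no PTR record means no match is
        # possible; the article does not state how FortiMail treats this.
        return True
    return ip not in a(hostname)

if __name__ == "__main__":
    print(is_forged_ip("192.0.2.10"))    # False: single A record matches
    print(is_forged_ip("198.51.100.7"))  # True: A record points elsewhere
    print(is_forged_ip("192.0.2.11"))    # False: found among several A records
    # Resolver truncates to two answers, dropping the connecting IP.
    print(is_forged_ip("192.0.2.11", a=lambda h: lookup_a(h, max_answers=2)))  # True
```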
