GabrielAuYong_FTNT
Staff & Editor
Article Id 198116

Description

 

This article explains what a forged IP is.


Scope

 

FortiMail.


Solution

 

When the forged IP scan is enabled, the FortiMail will perform a reverse (PTR record) lookup on the IP address of a connecting host to get a hostname. It will then perform a forward (A record) lookup on that hostname, and compare the returned IP address to that of the connecting host. If they do not match, then the IP address is considered 'forged'.


This can occasionally cause false positives for hosts that have multiple A records. The FortiMail will check the connecting IP against all the A records for the hostname, but some DNS servers return a truncated list, which may cut off the IP address that was actually connecting.
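The reverse-then-forward comparison and the truncated-answer false positive described above, as an added Python example (not FortiMail's own code). The zone data, the function names and the 'no-ptr' result are constructed for illustration; how FortiMail scores a host with no PTR record is not stated in this article.

```python
import ipaddress
import socket

# Constructed sample zone data (documentation address ranges, not real hosts).
PTR = {
    "192.0.2.25": "mx.example.net",   # legitimate outbound relay
    "203.0.113.7": "mx.example.net",  # reverse zone claims a name it does not own
}
A = {"mx.example.net": ["192.0.2.21", "192.0.2.22", "192.0.2.23",
                        "192.0.2.24", "192.0.2.25"]}

def static_ptr(ip):
    """Reverse (PTR) lookup over the sample data."""
    return PTR.get(ip)

def static_a(limit=None):
    """Forward (A) lookup over the sample data; `limit` imitates a truncated answer."""
    def lookup(hostname):
        return A.get(hostname, [])[:limit]
    return lookup

def live_ptr(ip):
    """PTR lookup through the system resolver, for use outside the offline demo."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(hostname):
    """A lookup through the system resolver, for use outside the offline demo."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []

def forged_ip_check(client_ip, ptr_lookup, a_lookup):
    """Return 'match', 'mismatch' or 'no-ptr' for the reverse-then-forward comparison."""
    client = ipaddress.ip_address(client_ip)
    hostname = ptr_lookup(client_ip)
    if not hostname:
        return "no-ptr"  # assumption: reported separately, not scored here
    for addr in a_lookup(hostname.rstrip(".")):
        if ipaddress.ip_address(addr) == client:
            return "match"
    return "mismatch"  # what the article calls a 'forged' IP

if __name__ == "__main__":
    for ip, limit in [("192.0.2.25", None), ("192.0.2.25", 3), ("203.0.113.7", None)]:
        print(ip, "limit=%s" % limit, forged_ip_check(ip, static_ptr, static_a(limit)))
```

With the full A record set the relay at 192.0.2.25 matches; with the answer cut to three records the same relay is reported as a mismatch, which is the false positive described above.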

 

FortiMail uses Sender Policy Framework to achieve this. Settings for SPF check can be configured in AntiSpam or Session profiles. For more information, see "Enable SPF checking for incoming email - FortiMail cookbook" and "Technical Tip: SPF Checking on the FortiMail".