Thursday, November 22, 2012, 15:00
Solution ID: 00000178
I see the phrase "may be forged" in my email "received" headers; what does this mean? Does this mean the message is spam?
PerfectMail's Mail Transport Agent does a reverse hostname lookup of the IP address of the connecting client, and a lookup of the IP addresses associated with that hostname. If the client IP address does not appear in that list then the "may be forged" tag is added.
The "may be forged" mail tag is an artifact of the sendmail MTA.
Spammers can spoof DNS domains via PTR records. In DNS validation of data is implicit in the lookup process. When you do a DNS lookup of "example.com" (A record) you are directed to the Name Servers for "example.com"; they are inherently valid servers. No validation is performed or implied on the responses the Names Servers provide.
Similarly, when you do a Reverse DNS lookup of an IP address (e.g. 188.8.131.52), you are directed to the Name Servers for "204.10.243", and no validation/verification is performed on the responses.
The Name Server easily can say 184.108.40.206 is secure.yourbank.com. The only way to validate this result is to perform a DNS lookup of the PTR result (e.g. secure.yourbank.com) and confirm that the IP address is listed. If it is not listed you may be in a situation where the PTR record is a spoof/forged!
It is best practice to maintain the referential integrity of your DNS A and PTR records. Unfortunately it is quite common for these records to not be fully matched.
Tags: email, mail, header, received, forged
Link to this article: kb/may_be_forged_header
Updated: Thursday, November 22, 2012, 15:00
-- David Rutherford
Last modified: 2016-02-16, 12:40
© 1999-2013 PerfectMail
1. Rick Hawkes, Monday, February 15, 2016, 17:58:
If it "may be forged" does that mean that it could have originated from anywhere? Even from my computer?
2. David Rutherford, Tuesday, February 16, 2016, 12:20:
It doesn't matter where the email originated. It is a simple test that compares the DNS PTR and A records. If there is a mismatch the "may be forged" message is displayed.
3. Falcon Bravis, Monday, February 06, 2023, 22:27:
I have got "(maybe forged)" tag line in my AT&T Email Header
is this has indicate any Spam or malware practice held on my mailbox