How Googlebot proves its identity
A user-agent string is a claim, not a credential. Any script can send 'Googlebot/2.1' in its headers, and many do — pretending to be a search engine is the oldest trick for slipping past bot rules, since nobody wants to block the real one.
Google settles the question by publishing the IP ranges its crawlers use, in machine-readable JSON files it keeps current. Verification is a lookup: if a request claiming to be Googlebot comes from inside the published ranges, it is Google; from anywhere else, it is an impersonator.
Reverse DNS is the older method — resolve the IP, check the hostname ends in googlebot.com, resolve it forward again — and it still works. But published ranges turned verification from a network ritual into a data problem, which is what made it cheap enough to do on every request.
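The range lookup described above, as an added Python example (not Google's code and not part of the original page). The JSON layout follows Google's published range file; the prefixes are constructed from documentation address ranges, and `load_networks` and `classify` are hypothetical names.

```python
import ipaddress
import json

# Constructed sample in the layout of Google's published range file.
# The prefixes are RFC 5737 / RFC 3849 documentation ranges, not Google's.
SAMPLE_RANGES = """
{
  "creationTime": "2024-01-01T00:00:00.000000",
  "prefixes": [
    {"ipv4Prefix": "192.0.2.0/27"},
    {"ipv4Prefix": "198.51.100.64/26"},
    {"ipv6Prefix": "2001:db8:4801::/48"}
  ]
}
"""

def load_networks(raw_json):
    """Parse the range file into a list of ip_network objects."""
    nets = []
    for entry in json.loads(raw_json)["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr))
    return nets

def classify(user_agent, remote_addr, networks):
    """Return 'not_claimed', 'verified' or 'impersonator' for one request."""
    if "googlebot" not in user_agent.lower():
        return "not_claimed"
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return "impersonator"  # unparseable source address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they are compared against the IPv4 prefixes.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # A membership test against a network of the other IP version is False.
    if any(ip in net for net in networks):
        return "verified"
    return "impersonator"
```

Pass `classify` the socket peer address, or a forwarded address only when it was set by a proxy you control, since a client-supplied `X-Forwarded-For` value is as forgeable as the user-agent.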