Tony Finch writes:
Indeed there is; see draft-fenton-identified-mail-01.txt section 9.1.4.
problem is that there is no way I can think of to differentiate an MTA that
forwards mail to multiple addresses from a spam replay, other than intent
(possibly) the number of addresses that the messages is forwarded to. It's
hard to detect even the latter, unless you're a large enough domain to get
large number of copies of the same message with the same signature.
If verification involves some kind of callback then the sending site
(webmail.com) can track the number of copies of a given message that have
been received. It can then revoke its signature if a threshold is passed,
or rate-limit verifications if the spam decision isn't clear.
Part of my hand-wringing included this thought and I quickly
shuddered at the thought of the scaling implications, not to
mention DDOS opportunities.