Tony Finch wrote:
However, the server MUST NOT refuse to accept a message for this
reason if the verification fails: the information about verification
failure is for logging and tracing only.
It is a well-established principle that an SMTP server may refuse to
accept mail for any operational or technical reason that makes sense
to the site providing the server.
This is a contradiction. The fix, in line with current practice, is to
downgrade the MUST NOT to a SHOULD NOT - or delete it altogether.
Maybe the intention was something like this: "Servers SHOULD NOT reject
the Hello with a 5yz reply if the verification fails as a consequence of
getting no cachable DNS reply" (or something less convoluted, allowing a
4yz reply "try again later").