Stephane Bortzmeyer <bortzmeyer(_at_)nic(_dot_)fr> writes:
You did not send it. The MTA just before you did and it was the faulty
one, for having *not* performed SenderID tests. To me, this is the
most important thing against your idea: you do not send the bounce,
someone else does.
Yes, your action (refusing the mail with 5xx) was indirectly the cause
of the bounce. But (IANAL) I do not think it can be regarded as a
liability.
But what would be completely unacceptable would be for the SMTP
transaction to accept a mail, perform (either at SMTP time or
subsequently) Sender-ID (or SPF, Domainkeys, or other) checks which
show the mail to be a forgery and then send a bounce (to the known
forged address) for any reason. I believe that, unfortunately, some
MTAs do accept all emails and only subsequently check that the
recipient mailbox is valid, not over quota, that the email does not
contain a virus etc, and send a bounce if these checks fail. The
operators of such MTAs might find themselves with more legal liability
if they generate bounces to addresses which Sender-ID etc show to be
forgeries.