ietf-mxcomp

RE: DEPLOY: Legal liability for creating bounces from forged messages

2004-08-26 14:25:21

Mark Shewmaker points out that if you have an SMTP transaction for which
*all* of the following are true:

1.  The sender didn't use SUBMITTER, and
2.  There is more than one recipient, and
3.  The SenderID test fails, and
4.  Your MTA implements a per-user white list for SenderID failures, and
5.  At least one recipient white-listed the PRA, and
6.  At least one other recipient didn't white-list the PRA, and
7.  You feel it's immoral to silently discard forged mail

then you need to generate a bounce (instead of rejecting a message).

He's right.  But it's such a corner case that I'm not worried.  This
should be a very small fraction of the mail, and won't generate very
many bounces at all.

He then goes on to argue that if we validated the bounce address instead
of the PRA, he wouldn't need to generate a bounce.  He's right again.

But I don't see this minor virtue of checking bounce addresses
outweighing the fact that checking bounce addresses too often gives the
wrong answer.

-- Jim Lyon
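
The corner case in the message above, as an added sketch that is not part of the original post: a receiving MTA's per-recipient decision when the SenderID test fails and white-lists differ between recipients. The `Transaction` and `decide` names, the action labels, and the assumption that a SUBMITTER parameter makes the PRA available before RCPT TO (so each recipient can be refused individually) are illustrative.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Transaction:
    pra: str                         # Purported Responsible Address (from headers)
    recipients: List[str]
    senderid_pass: bool
    submitter: Optional[str] = None  # SUBMITTER parameter on MAIL FROM, if sent
    whitelists: Dict[str, Set[str]] = field(default_factory=dict)

def decide(tx: Transaction, discard_silently: bool = False) -> Dict[str, str]:
    """Map each recipient to deliver / reject-rcpt / reject-data / discard / bounce."""
    if tx.senderid_pass:
        return {r: "deliver" for r in tx.recipients}
    wants = {r: tx.pra in tx.whitelists.get(r, set()) for r in tx.recipients}
    if tx.submitter is not None:
        # Assumption: the PRA is known at MAIL FROM, so each RCPT TO gets its own reply.
        return {r: "deliver" if w else "reject-rcpt" for r, w in wants.items()}
    if not any(wants.values()):
        # Nobody white-listed the PRA: one 5xx reply after DATA covers everyone.
        return {r: "reject-data" for r in tx.recipients}
    # At least one recipient wants the message, so the single DATA reply must be 250.
    # Recipients who did not white-list the PRA can no longer be refused in-band.
    fallback = "discard" if discard_silently else "bounce"
    return {r: "deliver" if w else fallback for r, w in wants.items()}

# Constructed sample transaction: two recipients, only alice white-listed the PRA.
SAMPLE = Transaction(
    pra="news@example.org",
    recipients=["alice@example.com", "bob@example.com"],
    senderid_pass=False,
    whitelists={"alice@example.com": {"news@example.org"}},
)

if __name__ == "__main__":
    print(decide(SAMPLE))
```

Only the mixed case without SUBMITTER reaches the bounce branch, which is why the message expects it to cover a very small fraction of mail.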

