I've been rereading all of the discussions around issues 0b/21/25. Some
of the discussion wants to require verification of the sender before
ever sending a non-delivery notification.
While this does reflect what some implementations are doing and is the
effort of some recent standards and non-standards efforts, it is not
common deployment. So I'm going to make a ruling that requiring such
validation goes too far in the direction of a "new behavior" requirement.
However, I'd like to follow the lead of the 3463 reference found in
section 2.3.11, and suggest that some wording be added, probably to
section 3.6, along these lines:

    This specification does not deal with the verification of return
    paths for use in delivery notifications. Recent work, such as
    [add REFERENCES here], has been done in providing ways to
    ascertain that an address is valid or belongs to the person who
    actually sent the message. A server MAY attempt to verify the return
    path before using its address for delivery notifications, but
    methods of doing so are not defined here nor is any particular
    method recommended at this time.

Thoughts on an addition like this? I know it doesn't go far enough for
some people, and probably goes too far for some other people. So I'm
offering it as a possible way forward.