On 2 Jan 2018, at 20:39, Alex wrote:

> Is it possible to at least enforce that the message-ID has a valid
> domain?

Not reliably.

About 1.5% of my personal non-spam email over the past 20 years has had
"localhost" as the right-hand side of the MID. This implies a de facto
RFC violation because it poses a real risk of duplication.

An additional ~1% has a MID header with either no dots or no '@'. This
includes mail from Facebook, Seagate, Apple, one of my credit unions, a
medical supply house that we buy from for my son's care, GMX (German
freemail provider), multiple regulars on a private mailing list of
old-timer anti-spam nutcases, the postmaster of LinkedIn sending
personal mail with his linkedin.com address via GMail, iFixit, Verizon's
SMS->Email gateway, and multiple ESPs including Eloqua and Digital
River. At least one recent version of CommuniGate Pro (6.1.2) generated
event invitations with a bare UUID as the MID.

In other words: a significant number of messages, largely legitimate
transactional messages, lack a FQDN in the MID.

I have run an environment where each MTA node in the external gateway
layer would add a MID with its own FQDN to any message passing through
missing a MID. Those names could not be resolved in the world at large,
but they were absolutely valid and guaranteed unique.
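
Added example, not part of the original message: a way to measure over your own mail how many Message-IDs take the forms described above before enforcing any FQDN rule, and to stamp a gateway-generated ID on messages that have none. `GATEWAY_FQDN`, the category names and the sample messages are assumptions constructed for illustration.

```python
import email
from collections import Counter
from email.utils import make_msgid

GATEWAY_FQDN = "mx1.gateway.example"  # assumption: this gateway node's own name

# Constructed sample messages, one per Message-ID form mentioned above.
SAMPLES = [
    "Message-ID: <20180102.1234@mail.example.org>\nSubject: a\n\nbody\n",
    "Message-ID: <abc123@localhost>\nSubject: b\n\nbody\n",
    "Message-ID: <5f0c7e1a@mailhost>\nSubject: c\n\nbody\n",
    "Message-ID: 3b241101-e2bb-4255-8caf-4136c566a962\nSubject: d\n\nbody\n",
    "Subject: e\n\nbody\n",
]

def classify_mid(raw):
    """Classify a raw Message-ID header value (None when the header is absent)."""
    if raw is None or not raw.strip():
        return "missing"
    mid = raw.strip().strip("<>")
    if "@" not in mid:
        return "no-at"          # e.g. a bare UUID
    rhs = mid.rsplit("@", 1)[1].lower()
    if rhs == "localhost":
        return "localhost"
    if "." not in rhs.strip("."):
        return "no-dots"        # single-label right-hand side
    return "fqdn-like"

def survey(raw_messages):
    """Count Message-ID forms and add a gateway ID where none exists."""
    counts, out = Counter(), []
    for text in raw_messages:
        msg = email.message_from_string(text)   # compat32: raw header strings
        category = classify_mid(msg["Message-ID"])
        counts[category] += 1
        if category == "missing":
            del msg["Message-ID"]               # drop an empty header, if present
            msg["Message-ID"] = make_msgid(domain=GATEWAY_FQDN)
        out.append(msg)
    return counts, out

def fqdn_rule_hits(counts):
    """Messages that carry a Message-ID yet would fail an 'RHS must be an FQDN' rule."""
    return counts["no-at"] + counts["localhost"] + counts["no-dots"]

if __name__ == "__main__":
    counts, fixed = survey(SAMPLES)
    print(dict(counts), "would fail FQDN rule:", fqdn_rule_hits(counts))
    print("stamped:", fixed[-1]["Message-ID"])
```

Run `survey` over a sample of known-good mail first; the `fqdn_rule_hits` figure is the false-positive exposure of a strict rule on that mail.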