No, SHOULD is defined in the RFC, not by colloquial usage. Google is on the wrong, regardless of their "safety" intent.
replyAfter all, linguistics is full with examples of words that are spelled the same, but have different meaning in different cultures. I'm glad the RFC spelled it out it for everyone.
The RFC says a SHOULD is to be treated like a MUST, but well-justified exceptions are allowed.
replyWhen producing a message, it SHOULD have the id. With or withot it is compliant.
replyOn the other end, we may receive messages with or without. Both are valid. We MUST therefore accept both variations.
The second one is a consequence of the former. So yes Google is the violating party.
if Google's choices are protecting users, they can't be in the wrong. That's the reality of a shared communications infrastructure regardless of what the docs say.
replyWhen the docs disagree with the reality of threat-actor behavior, reality has to win because reality can't be fooled.
Spam senders don’t have pseudorandom number generators?
replyThey're more likely to put in the least amount of effort or care the least about the reasons how the header is used later on.
reply