Sender Policy Framework

What about mailer-daemon messages whose sender address is <>?

When the sender address is <>, you don't have any domain to look up!

There are two solutions:

The SPF solution uses the domain name presented in the HELO/EHLO command instead. This may work to catch careless spammers. HELO/EHLO checking is a standard part of SPF (originally it was only used for <> Mail From).

Careful spammers will find a way to get around this, consider a DynDNS-registered broadband host that has been compromised. An alternative approach might be to accept the message, take it apart, determine if it is in fact a bounce, and if it is a bounce, it extract the Message-ID of the original message, and if the the Message-ID did not in fact originate from the system, discard the message. This takes a bit of work, but in a world where automated spamtraps do most of the work and would add the hostname to known-spammer lists anyway, a spammer might as well use a non-null sender address anyway.

In either case an MTA should reject messages from null senders that have more than one recipient.