OK so after some offline discussion, I think I now have a technical reason for not trying to build on SMTP.
TL;DR; When you design the wheel from scratch you can start off with a round one.
[Jay Carlson just posted that in response to another discussion]
The Mesh does allow people to establish new contacts. But that is an entirely separate protocol to messaging. That separation is impossible to introduce into SMTP at this point but it does work if introduced at the very start of a messaging system.
Sure, people can spam the contact request channel. But applying heuristics to mitigate abuse in that channel is nowhere near as problematic as spam filtering my SMTP mail or my telephone calls.
I get almost no spam in contact request channels in the protocols that support it and for fairly straightforward reasons:
1) The channel is very narrow, no attachments, limited text
2) The channel has a very specific purpose, anyone who is abusing that purpose to sell stuff is easily identified.
3) There are many good reasons to make 1000 outbound messages in a day, no good reason to make 1000 contact requests
4) For users who do have issues, we can apply friend-of-a-friend type controls
There are problems with the way Facebook manages contacts. One of the biggest is that if I add someone because they are in your contact list, they will become a first class contact in my contact list even though I have no idea who they are. While I am probably willing to accept messages from anyone you introduce, I can't tell those apart from people you don't know but accepted because someone else knew them and so on...
Of course Nathaniel Bornstein's email callback loop failed horribly. But it was trying to modify behavior in an existing system. Also, the usability factors were horrid and there was no separation between the contact establishment channel and the messaging channel.
It isn't the walled garden aspect of Signal/Telegram/etc that keeps them spam free, it is the fact that every communication requires a prior authorization. And I would move out of Signal in a heartbeat because contact maintenance in Signal is truly horrid. No, I don't want anything tied to my phone and who the hell are you to be telling me that I can't take a call on my desktop NOW because I have to rebind it to my phone because of some cretinous half baked notion that my desktop which sits inside a TEMPEST secured environment with Tier 3 physical security is less secure than my mobile phone I take to parties.