Just noticed Simon’s reference to his SOAP SMTP binding spec. Section 6, “Security Considerations”, says “This should introduce no new security considerations.” Bzzt! 8-)
Consider that by requiring the SOAP response in a new email, rather than using the SMTP response as the response, you’re requiring that any deployed implementation of software conforming to this specification include an automated responder where none existed previously. That is, what was once a safe “input only” protocol (SMTP) has been turned into a request/response protocol. There are oodles of new security considerations because of that.