I don't think the protocol is necessarily the problem. For example we don't say the HTTP protocol is the problem when spammers abuse website comment forms or forums, we say it's the server on the other side.

I think the answer is somewhat the same as where we've gone with many HTTP servers: proof of work. Just like Captcha and more recently Cloudflare turnstile required you complete a task before you'd be able to access as website, senders should be required to complete a task before you'll accept their email.

It can even be a sliding scale: the higher you want the chances of the recipient seeing it to be, the more work you need to do.

However this also break emails considered "legitimate" by businesses, like marketing newsletters and other nonsense, which is why it'll likely never happen.

I've gotten my email routed to spam even though it never left the Google cloud. They don't say, "Gosh, this is coming from inside the house. Therefore it's trustworthy." Nope. The push legit mail from other Google hosted domains into spam without a second thought.

I'd be happy if we at least started punishing the large, well known and established companies for spamming us...

...you know the one, where you have email preferences, and you only have "new messages" and "commercial offers" in the settings, and you uncheck the "commercial offers" and think you're sae. Then you get a spam email from them... check the preferences again, and there's a "new product notification" preference, checked by default, and you uncheck that too. Bam! another spam! "personalized offers" option appeared, check by default. "limited time offers". "value deals", etc.