If I reject a message, should it bounce back to the sender, or shouldGiven that the sender passed a reverse-DNS I'd say it is safe to bounce it back. Chances are the message was sent by a compromised account at an otherwise legit service. (And maybe the rejection lets them know they've got a problem user?).
If a message in the archives is flagged as having a virus or phishingOn the whole I'd say "yes".
The counter-argument is that if the group's mods accepted the message then they might not appreciate having the (presumed false-positive) marking on the message. But I think that the members deserve to know that there was at least some doubt about this content.
(and should I go back through the archives doing scans)?Optional, but probably a good idea. The question is what you'd do besides mark them. I think adding entries for them to the Activity log may be sufficient (for mods to go find them if they want).
I haven't done anything with SPF and DKIM data yet.One step at a time. Though I might have expected these before content scanning. But I may have a skewed view of their relative difficulty and effectiveness (eg: these don't apply to uploads).