Thanks for the suggestions, Matt. I will think on it - it all makes sense. In the meantime my temporary fix appears to have worked and I have stopped sending responses. Now I just need to figure out how to delete all these users and their messages until the spammers give up on me… 
My own use case is a bit different from what you are describing, but I imagine it’s something that other sites might also be interested in getting to work. My forum is private and I do not allow just anyone to post topics. However, I have a few email addresses that I allow anyone to send to. Those emails are delivered to me as discourse messages. The senders are added as staged users. I use Tickets Plugin 🎟 and assigned to make sure I follow up.
I love this setup which has been working incredibly well for the last several months, and allows me to operate a discourse forum without maintaining a separate email account externally with gmail etc. I just have digitalocean and mailgun, and the domain name registration pointing the domain and I’m done.
I looked a bit at postfix settings. Can you give some pointers on how to configure postfix in this docker setup? Also, is there any way (within discourse or with postfix) to just completely ignore emails from blacklisted domains? I just want their emails to disappear into a black hole. The sender_access rules appear to send bounce messages.