I’ve echoed this, but the only legal way is to have an AGPL-like license. There is nothing to stop forward email from modifying the code they published to be different than the code the run otherwise. In practice I highly doubt they would do this unless there are some secret sauce code that would be risky to release at this time. Otherwise, there is no good way to validate this.