> While a service need not be monolithic, the criteria established for the
> RA in your example were likely based upon tangible entities. If there
> was a problem, there would also be meaningful recourse. DNS domain
> delegations and email interactions are orthogonal from a trust
> standpoint. While DNS could be called a TTP with respect to domain
> delegations (to and by often anonymous entities), with respect to
> email interactions, trust is missing. When DKIM is based upon DNS
> keys, either pre-arranged acceptance (white-listing) or some other
> trusted third party remains essential for secure email interactions.
I don't see how you get here. First of all, why is trust missing with
respect to email interactions? There is already a reliance on DNS
because of MX records, and so there already needs to be an established
relationship between the domain administrator and the mail
administrator. There are, typically, not countless interactions that
then occur, but the number of DNS delegations worth of interactions, and
for outside the organization that is typically two, and they're anything
but anonymous. While the level of trust one invests in DNS is always a
matter of judgment, depending on how paranoid one wants to be about each
of the delegations one could use DNSSEC, if/when it becomes available
for a given zone.
All of this having been said, your use of the words "secure email
interactions" overstates the purpose of the method.
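The reply's point is that a DKIM verifier relies on exactly the same DNS delegation that a sender already relies on to find the MX hosts: the public key is fetched from a name derived from the signature's s= and d= tags. The following Python is an added illustration, not code from either poster; the header, MX host names and TXT record are constructed, and the "registrable zone" helper is a two-label simplification (no public suffix list) assumed here only to make the comparison runnable offline.

```python
"""Added example: derive the DNS name a DKIM verifier queries from a
DKIM-Signature header, check the key record it would find there, and
compare the key's delegation with the delegation the MX hosts live in.
All inputs below are constructed for the example."""
import re


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2): tags are separated
    by ';' and folding whitespace inside a value is insignificant."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_key_name(signature_header: str) -> str:
    """Name of the TXT record holding the signer's public key:
    <selector>._domainkey.<signing domain>."""
    tags = parse_tags(signature_header)
    if tags.get("v") != "1":
        raise ValueError("unsupported DKIM-Signature version")
    for required in ("d", "s"):
        if not tags.get(required):
            raise ValueError(f"DKIM-Signature lacks {required}= tag")
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_key_record(txt: str) -> str:
    """Classify a DKIM key record (assumption: only rsa keys considered).
    An empty p= means the key was revoked, and a verifier must treat the
    signature as failing rather than as absent."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "unsupported"
    if tags.get("k", "rsa") != "rsa":
        return "unsupported"
    if tags.get("p", "") == "":
        return "revoked"
    return "ok"


def registrable_zone(name: str, depth: int = 2) -> str:
    """Simplified zone cut: the last `depth` labels. A real verifier would
    consult the public suffix list; this is an assumption for the example."""
    return ".".join(name.rstrip(".").split(".")[-depth:])


def same_delegation(signature_header: str, mx_hosts: list) -> bool:
    """True when the DKIM key and every MX host sit under the same zone,
    i.e. the verifier trusts no delegation the sender did not already rely on."""
    zone = registrable_zone(dkim_key_name(signature_header))
    return all(registrable_zone(host) == zone for host in mx_hosts)


# Constructed sample inputs (not real records).
SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=sel2024; "
             "h=from:to:subject; bh=AAAA; b=BBBB")
KEY_RECORD = "v=DKIM1; k=rsa; t=s; p=MIGfMA0G CSqGSIb3"
MX_HOSTS = ["mx1.example.com.", "mx2.example.com."]

if __name__ == "__main__":
    print(dkim_key_name(SIGNATURE))                 # sel2024._domainkey.example.com
    print(check_key_record(KEY_RECORD))             # ok
    print(same_delegation(SIGNATURE, MX_HOSTS))     # True
```

A verifier that finds the key under the same zone as the MX hosts has added no new trust anchor; a key hosted under an unrelated delegation, or a record with an empty p=, is where the white-listing or third-party question raised above actually arises.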