A concrete proposal to add X.509 support:

Add to section 3.7.1

x509=
    A URL that resolves to an X.509v3 certificate [REF] whose key value
    SHOULD match the value specified by the p= attribute. The attribute
    MUST be ignored if the p= attribute is either omitted or does not
    match the value specified in the certificate.

    Information provided in the certificate MAY be used to assist in the
    interpretation of a valid DKIM signature. The certificate MUST
    strictly comply with the requirements of [PKIX] and SHOULD be
    interpreted according to the framework set out therein.

x509path=
    A URL that resolves to an X.509 certificate path where the key value
    of the end-entity certificate MUST match the value specified by the
    p= attribute.

    Information provided by the certificate path MAY be used to assist in
    the interpretation of a valid DKIM signature as described for
    certificates above.
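
The key-match rule proposed for x509= can be sketched as follows. This is an added example, not part of the proposal: it assumes p= carries the base64 DER SubjectPublicKeyInfo, `fetch` is a hypothetical callable that returns the DER bytes behind the URL, and the sample certificate is constructed and unsigned. It covers only the ignore-on-mismatch rule, not [PKIX] validation.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_spki(cert):
    """Return the raw SubjectPublicKeyInfo element of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)  # tbsCertificate SEQUENCE
    # version [0], serial, signature, issuer, validity, subject precede the key
    for _ in range(6 if cert[pos] == 0xA0 else 5):
        _, _, pos = read_tlv(cert, pos)
    return cert[pos:read_tlv(cert, pos)[2]]

def parse_tags(record):
    """Split a 'k=v; k=v' key record into a dict, dropping whitespace in values."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def usable_cert(record, fetch):
    """Return the certificate if x509= may be used, or None if it must be ignored."""
    tags = parse_tags(record)
    if not tags.get("x509") or not tags.get("p"):
        return None                   # p= omitted: ignore x509=
    try:
        cert = fetch(tags["x509"])
        if cert_spki(cert) == base64.b64decode(tags["p"], validate=True):
            return cert
    except (ValueError, IndexError):  # malformed DER or base64
        pass
    return None                       # key mismatch: ignore x509=

def der(tag, *parts):  # minimal DER encoder for the sample (short lengths only)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed, unsigned sample: the layout is X.509v3, the key bytes are dummies.
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05)),
           der(0x03, b"\x00constructed-key"))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), *(4 * [der(0x30)]), SPKI)
CERT = der(0x30, TBS, der(0x30), der(0x03, b"\x00"))
RECORD = "v=DKIM1; p=%s; x509=https://example.org/dkim.cer" % base64.b64encode(SPKI).decode()
```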