I think some site like a Bank, that is heavily phished, might go so far as
"I sign all mail. Please delete/reject/drop/whatever (perhaps even
silently) all messages that fail to verify".
Here's three cases:
a) paypal.com publishes that note. So far so good.
b) mismanaged-isp.com publishes that note, and blames you when their
users' poorly formatted mail disappears. Not so good.
c) paypal-payments.com publishes that note. I don't want their mail
whether they verify or not.
It seems to me that the likely number of domains in case a), real
institutions with serious phish problems, is far smaller than the
number of b) and c). I don't see how SSP can help me as a receiver
tell the useful info about a) domains from the useless info about b)
and c) domains. I expect that people will be using third party lists
of a)'s, which makes me ask what the point of self-publishing this is.
NOTE WELL: This list operates according to