I do note that you're actually somewhat vulnerable to this replay even
with signed bodies.
Yes, definitely.
[ replay mail from legit free provider ]
This puts the free email provider in the position of needing to revoke
the key I'm using, but they cannot do that until the other mail signed
with that key has had a chance to flow through the system.
If it were my ISP, I'd just cancel the account. I'd only cancel a key
if I found that it had leaked and unknown parties were using it to
sign mail. The signature means that the original sender and recipient
addresses are real, if someone wants to further pursue the miscreant.
The most that a signature can do is to identify the responsible party.
There's no point in adding cruft that attempts to go beyond that.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com