As discussed in section 4.1 of Russ's draft, a domain cannot know how
widely a message will be distributed. Once I have a signed copy of
that message I can choose to distribute it much more widely than the
sending domain might like me to do.
Right. This is not news, since you can do that right now with unsigned
messages or S/MIME or PGP signed messages.
For a large ISP this will happen enough that your strategy will end
up deciding all the large isps have unacceptable reputations.
It doesn't happen now. Why will it happen with signatures?
R's,
John