In theory S/MIME could be one "cure" against spam, viruses and phishing.
There are at least two things making this stay as "theory".
1.
There is no S/MIME trust structure that works except rather locally,
effectively making every person on the net a "PKI trust administrator".
Although the DoD have a solution ( http://www.certipath.com/services.htm ),
few other organizations can spend huge amounts of tax-payer money just
to prove that "it can be done", but are rather evaluating other options.
2.
The unavailability of a cheap, mobile, secure and fully standardized
container makes the certificate requirement a much too high bar. That
not even the financial sector have managed to deploy such schemes to
more than 1-2% in spite of 10+ years of on-line banking is in my opinion
good enough as a proof. The virtual explosion of Web-mail and mobile
phone mail, actually makes the S/MIME-card-everywhere-vision
more distant than ever. Well, the DoD have no problems [of course],
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
but who else would buy $200+ card-readers?
It might be interesting knowing that some governments have indeed
removed S/MIME from their C2G (Citizen-to-Government) PKI
schemes since they have noted that the web is a more powerful way
of delivering services as well as offering encryption for free.
Regarding the failed DOMSEC experimental RFC, I believe that it
[partly] failed because the authors did not realize that there already was
a globally working PKI they should have hooked into; the web-server
SSL PKI. Imagine, securing an entire e-mail domain for a measly $100-
$200 annually! Too simple, too obvious, and too commercial I guess.
AR