Comment 15 for bug 316272

Stuart Bishop (stub) wrote :

Even just trusting GMail would make over 40% of our users happy, especially now FireGPG has dropped GMail support. I think it is fair to say that if we receive an email with a valid DKIM signature from <email address hidden> then we can reasonably trust that it came from <email address hidden>.

We are already trusting email providers due to the mechanics of password recovery. This may no longer be true when we become a proper OpenID relying party (at which point we start trusting the OpenID providers), but it is true now.

We probably want a whitelist of domains to trust, or a tick box the user can select against their email address to toggle DKIM trust. A whitelist would be the best start, I think.
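An added example, not part of the comment above and not Launchpad's code: a sketch of the whitelist decision for the single-signature case, showing that a valid signature is only evidence for the From address when the signing domain (`d=`) matches the From domain and the signature covers the From header (RFC 6376). The names `TRUSTED_DOMAINS`, `parse_tags`, `trusted_sender` and the sample message are assumptions, and the cryptographic verdict is taken as an input from a real DKIM verifier.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative whitelist; the comment names no concrete list.
TRUSTED_DOMAINS = {"gmail.com"}

def parse_tags(value):
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def trusted_sender(raw_message, signature_valid):
    """Return the From address if policy allows trusting it, else None.

    signature_valid is the verdict of a DKIM verifier run on the same
    message; this function does no cryptography, only the policy check.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    sig_headers = msg.get_all("DKIM-Signature", [])
    # Exactly one From and one signature, so the verdict is unambiguous.
    if not signature_valid or len(from_headers) != 1 or len(sig_headers) != 1:
        return None
    address = parseaddr(from_headers[0])[1].lower()
    local, at, from_domain = address.rpartition("@")
    if not (local and at and from_domain):
        return None
    tags = parse_tags(sig_headers[0])
    if tags.get("d", "").lower() != from_domain:
        return None  # signed by some other domain: says nothing about From
    if from_domain not in TRUSTED_DOMAINS:
        return None  # domain is not on the whitelist
    if "from" not in tags.get("h", "").lower().split(":"):
        return None  # From header is not covered by the signature
    if "l" in tags:
        return None  # body only partly signed; content could be appended
    return address

# Constructed sample message; the bh= and b= values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=gmail.com; s=sel;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@gmail.com>\n"
    "To: bugs@example.org\n"
    "Subject: test\n\nbody\n"
)
```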