
Yeah, in the end it’s silly that we ended up with “trust” meaning only “you’re connected to someone that controls the domain”, which doesn’t actually need PKI to accomplish if we just supported an SRV record with the public key(s) and verifiably authoritative DNS queries.

Which, fair, it’s trading one PKI for another, but web servers vastly outnumber authoritative DNS servers. But DKIM gets along fine without it, so we probably could too.



Well, there is DANE, but browser support is unfortunately missing.



