At this point we should really be leveraging the (admittedly problematic at times) chain of trust built for the web.
In an ideal world you could query the mail server for the domain in question for the person's keys using a simple HTTPS transfer. Verify the certificate is signed by a trusted party and issued to the domain in question, then request the public key for your destination. Sign the mail with that public key, and probably store it (or a fingerprint) so you can note any anomalous changes later.
This could all be built into the mail client and happen at the click of a button. With an interface like this even your mother could use encrypted email.
But it can't happen because someone will point out that the web of trust can't be trusted because governments could infiltrate it. Perfect has been the enemy of good in this system for decades.
In an ideal world you could query the mail server for the domain in question for the person's keys using a simple HTTPS transfer. Verify the certificate is signed by a trusted party and issued to the domain in question, then request the public key for your destination. Sign the mail with that public key, and probably store it (or a fingerprint) so you can note any anomalous changes later.
This could all be built into the mail client and happen at the click of a button. With an interface like this even your mother could use encrypted email.
But it can't happen because someone will point out that the web of trust can't be trusted because governments could infiltrate it. Perfect has been the enemy of good in this system for decades.