Part of the solution is to switch to secure domain names. Each domain name comes with a bundled key pair (like SSL), which is why it's easier to work securely with public-key encryption under the hood: the signing of the e-mail public key is done under the hood, so the user doesn't have to do it manually.