Also, I'm not sure you said this, but I would say: default whitelist is DKIM only.
This means all existing entries are converted to DKIM as well as we can, not worrying if they break. We'll prune ones that don't work as DKIM, and add a signing domain as we figure it out, as a lightweight thing. But all non-DKIM entries go away. To consider a new entry, it must be DKIM, or maybe that's already true.