Also, I'm not sure you said this, but I would say: default whitelist is dkim only
This means
All existing entries are converted to dkim as well as we can, not
worrying if they break. We'll prune ones that don't work as dkim,
and add a signing domain as we figure it out, as a lightweight
thing. But all non-dkim entries go away.
to consider a new entry, it must be dkim
or maybe that's already true
