I should have been clearer, the assertion is "this is my user's key".
Let's focus on the case where it's completely false, yet it's still reasonable to trust the domain to publish the right MX records. I'm not seeing that case at all, so I'd appreciate some help.
A straightforward example is that the mail system, through malice or outside pressure, does an MITM attack on users who have their own keys, so it publishes a key it controls and re-encrypts mail on the way through to the user's own key. An outsider who had the old key might notice that the key changed, or if he didn't have the old key, probably not.
Or if I were a domain operator who was lazy in a certain sort of way, rather than opening up my creaky provisioning software to add a way for my users to put keys into my system, every once in a while I'd just pull whatever keys I could find on outside key servers and publish those.
My point is that unless you know about the domain's relationship with its users, keys provided this way are no more credible than keys from anywhere else. DNSSEC has not added anything useful.
Regards, John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail.