This is an issue with GpgOL.
When PGP signed messages are sent to mailinglists, there are bounce mechanisms that cause the from: address to be rewritten.
e.g. a message from firstname.lastname@example.org to email@example.com will look like this:
firstname.lastname@example.org on behalf of Info <email@example.com>
Even if the message is PGP signed with a valid key for firstname.lastname@example.org, GpgOL will say that it is insecure (white questionmark on purple background), and list the following:
'The sender address is not trustworthy because:
The used key does not claim the address:
click here for details about the key'
Clicking on it shows the key for email@example.com.
The mailinglist software in this case is mailman.
Naming as per https://dmarc.org/2016/07/how-many-from-addresses-are-there/
The RFC5322.From is set to Info <firstname.lastname@example.org>
The RFC5321.MailFrom is set to <email@example.com>
It seems like GpgOL only checks RFC5321.MailFrom in this case.
Can we have it check against RFC5322.From as well?
The other option (the way I see it, you guys may view it differently) - is that it at least clearly state which key it is valid for. Of course there might be issues with emails sent from lookalike-addresses, however that is an issue that is present no matter what (and strictly not what PGP is made to circumvent I would believe)