Re: You can't trust anybody
There's no reason that websites can't cryptographically sign a message in DNS that tells you what CAs are valid for them.
In fact there are protocols for exactly that.
Done properly, even the people who control DNS can't interfere (they can only "break" the chain, which is obviously visible).
But nobody has ever sat down and fixed email either, and that's much more important.