Re: user-whitelisting
How about an extension to add (and collect) certificates to each email on a per-recipient basis?
Basically PKI but you give the recipient a certificate to use to communicate with you. Everyone runs their own CA. If it gets compromised, you send them another one. It isn't perfect, but that's ok because it allows for graceful failure.
It all boils down to clever address-books, which is why the idea will fail. Webmail halts the development of email in the same way that tablets and phones with hardware-based video decoding mean that developing new video standards is pretty much futile. The "winner-takes-all" cloud means you can't grow adoption of something.
The internet was designed to be decentralised. That design is being increasingly overridden and it's dangerous.
/rant
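
The per-recipient credential idea in the post above, modelled as an added example that is not part of the original post. It substitutes an HMAC-signed token for an X.509 certificate so it runs on the Python standard library alone; the `Mailbox` class, its methods and the addresses are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Mailbox:
    """Mailbox owner acting as its own issuer of per-correspondent credentials."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # owner's private issuing key
        self._serial = {}                    # correspondent -> currently valid serial

    def _mac(self, correspondent, serial):
        msg = f"{correspondent}\x00{serial}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, correspondent):
        """Issue or reissue a credential; any earlier one stops verifying."""
        serial = self._serial.get(correspondent, 0) + 1
        self._serial[correspondent] = serial
        return f"{serial}.{self._mac(correspondent, serial)}"

    def accept(self, sender, credential):
        """Accept mail only if it carries the sender's current credential."""
        serial_text, _, mac = credential.partition(".")
        try:
            serial = int(serial_text)
        except ValueError:
            return False
        if self._serial.get(sender) != serial:
            return False  # unknown sender, or a superseded credential
        expected = self._mac(sender, serial)
        return hmac.compare_digest(mac.encode(), expected.encode())


def demo():
    """Constructed scenario: one credential leaks and only that one is replaced."""
    box = Mailbox()
    alice = box.issue("alice@example.org")
    bob = box.issue("bob@example.org")
    results = {
        "alice_before": box.accept("alice@example.org", alice),
        "stranger": box.accept("spam@example.net", alice),  # bound to Alice only
    }
    alice_new = box.issue("alice@example.org")  # Alice's credential leaked
    results["alice_old"] = box.accept("alice@example.org", alice)
    results["alice_new"] = box.accept("alice@example.org", alice_new)
    results["bob"] = box.accept("bob@example.org", bob)  # unaffected by the reissue
    return results
```

Reissuing for one correspondent invalidates only that correspondent's old credential, which is the graceful failure the post describes.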