[_8j50]

There are cheap s/mime CAs out there. It should be possible for LetsEncrypt to issue an s/mime cert for a domain, similar to TLS certs and verified in the same way, despite what top comments here are saying.

S/MIME being made for email, you can use port 80 ownership, or dns record ownership to verify control. And documents can be signed as originating from bob@acme.com.

I have implemented s/mime to sign documents automatically between companies. It is the best option that works by default. Powershell and openssl support it, as does outlook for email.

My guess is they don't see enough people asking for this, because those who need what you are asking don't mind paying cheap CA fees like $15/year or so.