This isn't about evidence. In a court case, discovery and court orders can authenticate email messages even if providers publish their keys; the provider will have a record of having verified the email when it was received. But ATO attackers will not have access to those records.