IDK if you already do this, but one way to help mitigate the “a MitM messing with the key headers” is if there happens to be DKIM, in which case you can check it 
(I guess you can tell that I’m starting to learn a tiny and dangerous amount about email and about security and is being an obnoxious armchair cook but I can’t not send it, juuuuust in case there’s a good idea that you’ve missed.)
we are already working on it, it’s a problem we identified during our automated email address porting project, but it is harder than one might think, also because it depends heavily on the providers to implement it (we don’t have the resources to implement it client-side right now and we don’t even know if it’s possible at all client side, because provider could (and do) change their keys regularly).
I think DKIM is implemented at DNS/SMTP level and there is no need to add something in Delta chat. The message delivery is done by mail servers and they work according to configuration (including DKIM).
Someone can MitM between your own server and you, which a Delta Chat–side DKIM-awareness could stop. Not for every message but for situations where they’re like “uh I lost my key this is a new phone please resend”