I don't think there's a need to sign emails. We just sign the release tarballs and those signatures go into a .sig file that people can download and use to verify the tarballs.
Thanks... I obviously don't know what I am going. Just following through Apache checklists as I run across them.
Greg
