OpenPGP signature spoofing using HTML

FWIW I've been running kmail with "Prefer HTML to plain text" in the security settings disabled for years. Thus I have to actively click to enable HTML layouting when viewing an email. For the vast majority of emails that's not necessary as the text version is just fine and I get the rare signature information before there's any chance of spoofing. It's just the occasional booking confirmation or newsletter that comes with a useless text version. I can live with that very well.