> However this worries me. During the setup there is no Debian involvement, and that means anyone can do the same trick to pretend to own my Debian address.
>
That's also a reason why it's better to gpg-sign important email (aside from the fact that anybody can have a setup that sends mails in your name for any domain, even non-Debian).