#4 more control over what headers get signed

[Jason Long]

The current behavior is hardcoded... we will sign headers found in the message that match a list of "safe headers".

Possibly desired features:

- for DomainKeys signatures, to be able to sign without an h= tag (i.e. sign all headers)
- to be able to sign all headers except known "bad headers", (such as Return-Path)
- to be able to override the built-in list of "safe headers" or "bad headers"
- to be able to specify the order of signed headers