The spam attacks don't prevent using keys obtained from keyservers, it only reinforces the old facts... that you must verify the key's WoT or fingerprint-to-origin to your satisfaction before using it. You can still get keys from the various now balkanized keyserver communities, some implementations suck for search and using multiple keys. You can run keyservers for some of them in coordination with their comms channels. https://github.com/hockeypuck/hockeypuck https://github.com/sks-keyserver/sks-keyserver https://gitlab.com/hagrid-keyserver/hagrid And use keys with standard things... https://www.openpgp.org/ And also use more simplistic and functional things like... https://github.com/filosottile/age that are alternatives to the traditional standard tool of... https://gnupg.org/ Lots of new groups are integrating pgp into new things... https://sequoia-pgp.org/projects/ But there's probably some awesome lists that aggregate more of those new groups and integrations for reference.