I have about 50 entries in my watchlist (heavily using subdomains) and separating mails for legitimate use and fraud is hard.

Please add a check whether the certificate matches a known private key
I.e. by adding the modulus of the private key: "openssl rsa -in private.key -modulus -noout" in a knownkeyslist and check the certificates again this: "openssl x509 -in cert.pem -modulus --noout" [editor's note: comparing by modulus only is not correct]. When it matches the mail subject could then include a "known" or another keyword.

This way it would be much easier to find bad certificates.