I just read the thread where Majestic is providing a validation key for webmasters in his crawl to "prove" it's a real bot.
A better system would be to "sign" the crawl using secret keys and the url crawled. This way, if the "secret" gets found out, it's unusable.
I believe if you check how Facebook and Twitter handle their "connect" initiatives, you will find a good example of it.
Something encrypted w/ Majestic's public key can only be read by the webmaster's private key....
So if the key gets found out, it's only good for that URL, not sitewide.
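
A sketch of the per-URL signing idea from the post above, added here as an example and not part of the original post or of any Majestic system. It uses an HMAC over the crawled URL with a per-site shared secret rather than public-key encryption; `SITE_SECRET`, `canonical_url`, `sign_crawl` and `verify_crawl` are hypothetical names, and the secret and URLs are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed sample secret: this sketch assumes the webmaster and the crawler
# operator share one secret per site, exchanged out of band.
SITE_SECRET = b"constructed-example-secret-not-a-real-key"


def canonical_url(url: str) -> str:
    """Normalise the case-insensitive parts so both sides sign the same bytes."""
    parts = urlsplit(url)
    path = parts.path or "/"
    # Drop the fragment: it is never sent to the server.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def sign_crawl(secret: bytes, url: str) -> str:
    """Crawler side: produce a token bound to exactly one URL."""
    msg = canonical_url(url).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_crawl(secret: bytes, url: str, token: str) -> bool:
    """Webmaster side: recompute the token for the requested URL, compare in constant time."""
    expected = sign_crawl(secret, url)
    return hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))


def demo() -> dict:
    page_a = "https://Example.com/articles/1"   # constructed sample URLs
    page_b = "https://example.com/articles/2"
    token_a = sign_crawl(SITE_SECRET, page_a)
    return {
        "valid_for_signed_url": verify_crawl(SITE_SECRET, page_a, token_a),
        "host_case_ignored": verify_crawl(SITE_SECRET, "https://example.com/articles/1", token_a),
        # A token captured from one request does not validate any other URL.
        "replayed_on_other_url": verify_crawl(SITE_SECRET, page_b, token_a),
        "wrong_secret": verify_crawl(b"some-other-secret", page_a, token_a),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A token observed for one URL can still be replayed against that same URL; binding a timestamp into the signed message would narrow that window, which goes beyond what the post describes.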