Applying a signature and ensuring the 2822.From header cannot be modified is not equal to having validated that the account sending the message represents the recipient of that 2822.From address or that this account's use of the 2822.From address is valid. Being included in the signature's hash is not the same as having validated the associated content.

Forgive me for misunderstanding. You're asking, then, for something that is out of scope of what DKIM claims to do and that DKIM *cannot* do. If you have an ISP that forges email in your name, domain-level signing is orthogonal to that problem.

So let's just stop wrapping ourselves around that axle.


