> > > Or is there some criteria to determine which domain name > > should have the DKIM signature? Is there a penalty score if one or > > the other is missing? > > It's doesn't make much difference, unless there's a whitelist involved.
If you publish a DMARC record, DMARC requires that the DKIM signing domain be aligned with the From: header domain in order to pass. SA doesn't currently check DMARC I don't think but lots of other receivers do. And even if you don't want to publish DMARC records now it's probably best practice to sign with the organizational domain of the From: header. A DKIM signature from an unrelated domain doesn't really say anything except that the message wasn't altered in transit.
