This is a contract issue, not a technical issue.
Few entities are in a position to negotiate security details relevant
to DKIM keys within higher-level domains.
Too bad. It's still a contract issue, not a technical issue.
A verifier should not expect any parent domain to be authoritative
for what is a valid sub-domain email-address.
No matter how many times you say this, it's still not true. Repeating it
another dozen times won't change anything, so please don't.