>> Including the From: field in the DKIM hash does *not* carry the semantic
>> that it has valid content!!!!!

> As I said .. in certain cases.

No, in no cases. None whatsoever. All a signed From: field tells you
is that it had the same content when it was signed as when you checked it.
You may well have opinions about the utility of a particular signer's
signature, and you might have an external reputation system that says
"foo.com only signs From: headers that they believe" but that is
external to DKIM. If a mail manager as sophisticated as you has
trouble understanding the layering of DKIM, we're going to have
horrible problems explaining it to the masses.

> The other alternative being some other field (such as a received
> header with smtp authentication data) that does get signed.

If you want a signature that identifies the individual user, there's
S/MIME and PGP.
It's clear that it might be useful to have add-ons to DKIM that
provide more complex semantics, and "signer validates From: address"
would be a reasonable one, but as it stands, the only common semantics
among DKIM signatures is "I signed this message".
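The layering described above, as an added example that is not part of the original message or of any DKIM implementation: a minimal signer and verifier that applies RFC 6376 relaxed header canonicalization over the h= headers, then a separate policy check that compares the From: domain with d=. The signer keys, domain names (foo.example, mailer.example) and addresses are constructed, and HMAC-SHA256 stands in for the RSA key pair that real DKIM publishes in DNS so the script runs with the standard library alone.

```python
import hashlib
import hmac
import re
from email.utils import parseaddr

# Constructed stand-in for each signer's private key. Real DKIM uses an RSA or
# Ed25519 key whose public half is fetched from DNS; HMAC keeps this runnable
# offline while preserving the one property that matters here: only the holder
# of the key for domain d= can produce a matching b= value.
SIGNER_KEYS = {
    "foo.example": b"constructed-key-foo-example",
    "mailer.example": b"constructed-key-mailer-example",
}


def canonicalize_header(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2):
    lowercase the name, unfold, collapse whitespace runs, trim."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def signed_header_block(headers, signed_fields):
    """Concatenate the canonical form of every header named in h=, in h= order.
    A listed header that is absent from the message contributes nothing."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return "".join(
        canonicalize_header(f, lookup[f]) for f in signed_fields if f in lookup
    )


def dkim_sign(headers, signer_domain, signed_fields=("from", "to", "subject")):
    """Produce a DKIM-Signature-like tag set: d= names the signer, h= lists the
    signed headers, b= is the signature over their canonical form."""
    key = SIGNER_KEYS[signer_domain]
    data = signed_header_block(headers, signed_fields).encode()
    return {
        "v": "1",
        "a": "hmac-sha256",  # stand-in for rsa-sha256
        "d": signer_domain,
        "h": ":".join(signed_fields),
        "b": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def dkim_verify(headers, sig):
    """DKIM semantics only: were the h= headers unchanged since d= signed them?
    Nothing here asks whether the From: address is truthful."""
    key = SIGNER_KEYS.get(sig.get("d"))
    if key is None:
        return False  # unknown signer: no key, no verdict
    fields = sig["h"].split(":")
    if "from" not in fields:
        return False  # RFC 6376 section 5.4 requires From: to be signed
    data = signed_header_block(headers, fields).encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["b"])


def from_aligned_with_signer(headers, sig):
    """The external policy layer the post describes: trusting the From: address
    means comparing its domain with d=, a check DKIM itself never performs."""
    _, addr = parseaddr(headers.get("From", ""))
    return addr.rpartition("@")[2].lower() == sig["d"].lower()


def demo():
    """Constructed messages exercising each case; returns a dict of verdicts."""
    msg = {"From": "Alice <alice@foo.example>", "To": "bob@bar.example",
           "Subject": "hello"}
    sig = dkim_sign(msg, "foo.example")
    results = {"intact": dkim_verify(msg, sig)}

    # Relaxed canonicalization: whitespace refolding in transit is harmless.
    refolded = dict(msg, From="Alice\r\n   <alice@foo.example>  ")
    results["refolded"] = dkim_verify(refolded, sig)

    # Editing From: after signing breaks the signature; that is all DKIM checks.
    edited = dict(msg, From="Alice <mallory@foo.example>")
    results["from_edited"] = dkim_verify(edited, sig)

    # A third-party mailer signing on Alice's behalf: the signature verifies,
    # but d= and the From: domain differ, which only the policy layer notices.
    relayed_sig = dkim_sign(msg, "mailer.example")
    results["relayed_verifies"] = dkim_verify(msg, relayed_sig)
    results["relayed_aligned"] = from_aligned_with_signer(msg, relayed_sig)
    results["direct_aligned"] = from_aligned_with_signer(msg, sig)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The relayed case is the one the thread is about: `dkim_verify` returns True because mailer.example really did sign those headers, and whether that signer should be believed about a foo.example From: address is a question for `from_aligned_with_signer` or a reputation system, not for the signature.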