A) You have to sign either all occurences of a header or none of them, ...
B) Same as A, but limited to an enumerated set of headers that are
supposed to occur only once.
c) Same as B, but tell signers to use the h= trick to make verification
fail if extra headers show up.
Realistically useful advice probably has to influence rendering of
messages. That might mean MUA participation or it might mean mailstore
participation that removes all (typically) rendered headers that are
Gosh, I hope not. I'd like DKIM to be sturdy enough that I can trust
stuff signed by people I know and not have to backstop it by tricks
elsewhere to defend against malicious changes that DKIM didn't notice.
NOTE WELL: This list operates according to