ietf-mailsig

Re: DKIM - Header Fields

2005-07-18 18:18:48


Further to this, I like the existing language:

> Signers SHOULD NOT sign an existing header field likely to be legitimately
> modified or removed in transit. In particular, RFC 2821 explicitly permits
> modification or removal of the "Return-Path" header field in transit.

... and don't think we should try and enumerate _all_ the specific headers
which SHOULD NOT be signed but a reference to excluding X- and
Authentication-Results might be welcome here.  Anyway, I can see the need
for a BCP document on DKIM in the coming months with the results of all our
findings in this area.

Another one that probably deserves explicit mention is original-recipient,
as specified in RFC 3798 section 2.3.

                                Ned

