Comment 14 for bug 316272

I don't think you can reasonably assume anything about From based on a DKIM signature. If you have some out of band communication with the domain in question and they tell you they limit use of particular From addresses to the one(s) the user is authorized to use, then to the extent you trust that assertion, use of a DKIM signature might be OK.