Comment 1 for bug 643223

Scott Kitterman (kitterman) wrote :

You want to limit DKIM to cases where the signing domain (d=) matches the From domain in the body of the message. Looking at Sender and ignoring From puts the identity precedence backwards. It is not unheard of for mailing lists to add a Sender header and for mailing lists to add DKIM signatures. If there were a mailing list hosted under the domain in question, relying on Sender might allow malicious commands to be authenticated:

1. Sign up for mailing list on target domain.
2. Send message to mailing list (LP won't get this because it's not subscribed).
3. Collect message plus signature from mailing list.
4. Replay message with rcpt to LP.
5. Profit.

Keep in mind that envelope identities like rcpt to are not bound to DKIM signatures and so replay like this is trivial. It's not currently done because it's not valuable to do so. Please don't make it valuable to do so.
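As an added illustration of the alignment rule described in the comment (example code, not written by the comment author or taken from Launchpad): the check accepts a message only when a DKIM d= domain equals the From domain, and it never consults Sender. The sample messages and selector names are constructed; the code assumes the signatures themselves have already been cryptographically verified by a DKIM library.

```python
from email import message_from_string
from email.utils import parseaddr


def dkim_signing_domain(dkim_signature_header):
    """Return the d= tag of a DKIM-Signature header value, lower-cased, or None."""
    for tag in dkim_signature_header.split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "d":
            # Drop any folding whitespace inside the tag value.
            return "".join(value.split()).lower()
    return None


def header_domain(header_value):
    """Domain of the (first) address in a From/Sender header, lower-cased, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def dkim_from_aligned(raw_message):
    """True only if some DKIM signature's d= equals the From domain.

    Sender is deliberately ignored: a list-relayed message whose signature
    aligns only with Sender must not be treated as authenticated.
    Assumes the signatures were already verified cryptographically.
    """
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg.get("From"))
    if from_domain is None:
        return False
    return any(dkim_signing_domain(sig) == from_domain
               for sig in msg.get_all("DKIM-Signature", []))


# Constructed sample: signed directly by the From domain -> aligned.
DIRECT_MESSAGE = """From: Alice <alice@example.org>
To: bugs@launchpad.example
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=mail; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: direct

body
"""

# Constructed sample: a list at example.org added Sender and its own
# signature, but From is another domain -> not aligned, must be refused.
LIST_RELAYED_MESSAGE = """From: someone@elsewhere.example
Sender: list-bounces@example.org
To: list@example.org
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=list; h=sender:from:to; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: relayed

body
"""
```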