DKIM signature covers the sender address, but should cover the FROM HEADER address.
Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there's no key to sign with, then perhaps we should not be sending the email!?
Steps to reproduce
Send an email with a FROM address that doesn't match the SMTP sender address. You should notice that the DKIM header doesn't cover the FROM address.
/cc @kelduum