DKIM signatures should cover the mail FROM HEADER address. Instead, they cover the SMTP.FROM sender address. Often the two are the same, so there's no problem. But when the From header address is different from the sender address, the signature doesn't match. This reduces deliverability.
If there's a DKIM key on the server for the domain of the From header address, then it should be used to sign the email. That does carry a slight risk that it might permit abuse of neighbouring domain addresses, when these don't belong to the same end user. But that would be clear from log files, and can be dealt with through local sanctions.
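The selection rule proposed above, sketched as an added example (not part of the original post and not any mail server's own code): sign with the key for the From header domain when the server holds one, fall back to the envelope sender domain otherwise, and emit an audit note whenever the two domains differ so that cross-domain use shows up in the logs. The key table, selector names and function names are hypothetical, and the sample domains are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: domains this server holds a DKIM private key for,
# mapped to a hypothetical selector name.
LOCAL_DKIM_KEYS = {"example.org": "mail2024", "example.net": "mail2024"}


def domain_of(address):
    """Return the lower-cased domain of an address, or None if it has none."""
    _, sep, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if sep and domain else None


def choose_signing_domain(raw_message, envelope_sender, keys=LOCAL_DKIM_KEYS):
    """Pick the DKIM d= domain: From header domain first, envelope as fallback.

    Returns (domain, selector, audit_note); domain is None if no key fits.
    """
    msg = message_from_string(raw_message)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    env_domain = domain_of(envelope_sender)

    # A From header with zero or several mailboxes is ambiguous: do not guess.
    header_domain = domain_of(from_addrs[0]) if len(from_addrs) == 1 else None

    if header_domain in keys:
        note = None
        if header_domain != env_domain:
            # The cross-domain case the post expects to be visible in logs.
            note = (f"cross-domain signing: envelope={env_domain} "
                    f"header={header_domain}")
        return header_domain, keys[header_domain], note
    if env_domain in keys:
        note = (f"no usable key for header domain {header_domain}; "
                f"signed as {env_domain}, signature will not align")
        return env_domain, keys[env_domain], note
    return None, None, "no local DKIM key for header or envelope domain"
```
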