Latest DKIM news
The scam I have described involves the use, by the phisher, of a
DKIM-signed (by himself) email with two From: headers, which is intended
to fool verifiers into not spotting that the first signature should have
triggered an ADSP lookup which would have revealed that the first From:
was 'discardable'.
Naturally, the phisher signs with a throwaway domain that has not yet
acquired any reputation, good or bad.

Of course, the second displayed header can be paypal.com, and an MUA might display "DKIM verified".
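A receiver-side pre-check for the two-From: trick described in this thread, added here as an example and not code from either poster. It does not verify the signature itself; it refuses to treat a message as DKIM-verified (or to run any ADSP lookup on it) when From: is not unique, and it reports whether the signer over-signed From: so a later-added From: would break the signature. The sample messages, domains and base64 tag values are constructed placeholders.

```python
"""Defensive pre-check: a DKIM signature is only meaningful when From: is unique
and covered by the signature; a second From: header should cause rejection."""
import email.policy
from email.parser import BytesParser


def dkim_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(';'):
        if '=' in part:
            k, v = part.split('=', 1)          # b= values may contain '=' padding
            tags[k.strip().lower()] = ''.join(v.split())
    return tags


def check_from_policy(raw: bytes) -> dict:
    """Return from_count, signing domains, over-signing status and a verdict."""
    # compat32 keeps every header instance, so duplicate From: fields are visible
    msg = BytesParser(policy=email.policy.compat32).parsebytes(raw)
    froms = msg.get_all('From') or []
    sigs = [dkim_tags(s) for s in (msg.get_all('DKIM-Signature') or [])]
    result = {'from_count': len(froms), 'signing_domains': [t.get('d', '') for t in sigs]}
    if len(froms) != 1:
        # RFC 5322 allows exactly one From:; refuse before any domain policy lookup,
        # since it is ambiguous which From: domain the policy would apply to.
        result['verdict'] = 'reject: %d From: headers, expected 1' % len(froms)
        return result
    if not sigs:
        result['verdict'] = 'none: no DKIM-Signature header'
        return result
    signed_lists = [[h.lower() for h in t.get('h', '').split(':') if h] for t in sigs]
    for t, signed in zip(sigs, signed_lists):
        if 'from' not in signed:               # RFC 6376 requires From: to be signed
            result['verdict'] = 'reject: signature by %s does not cover From:' % t.get('d')
            return result
    # Listing From: twice in h= over-signs it (RFC 6376 section 8.15): an extra
    # From: added after signing then breaks verification instead of slipping past.
    result['oversigned'] = all(signed.count('from') >= 2 for signed in signed_lists)
    result['verdict'] = 'pass'
    return result


# Constructed sample: throwaway-domain signature plus a second From: naming a brand.
TWO_FROM = (b"DKIM-Signature: v=1; a=rsa-sha256; d=throwaway.example; s=k1;\r\n"
            b" h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\r\n"
            b"From: news@throwaway.example\r\nFrom: security@bank.example\r\n"
            b"To: victim@example.net\r\nSubject: Account notice\r\n\r\nPlease log in.\r\n")
# Constructed sample: a single, over-signed From: as a signer should emit it.
CLEAN = (b"DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=k1;\r\n"
         b" h=from:from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\r\n"
         b"From: security@bank.example\r\nTo: victim@example.net\r\n"
         b"Subject: Account notice\r\n\r\nPlease log in.\r\n")
```

Run `check_from_policy(TWO_FROM)` and `check_from_policy(CLEAN)` to compare the verdicts; only the second message is eligible for a domain policy lookup at all.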