Comment 11 for bug 1525048

Skyler Slade (jsslade) wrote :

Regarding "From MUST be signed twice, because it is a mandatory frozen/singleton header. You can't have more than one From header", this is not a requirement of RFC 6376. In section 8.15, Attacks Involving Extra Header Fields, double-signing From is presented as an option:

   "These can represent serious attacks, but they have nothing to do with
   DKIM; ... DKIM can aid in detecting addition of specific fields in transit.
   This is done by having the Signer list the field name(s) in the "h=" tag an
   extra time (e.g., "h=from:from:..." for a message with one From field), so
   that addition of an instance of that field downstream will render the
   signature unable to be verified."

It might be a good idea to double sign, but it's not a strict requirement.
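
An added example (not part of the comment above or of the project under discussion) that reports, for each DKIM-Signature on a message, whether a field is listed in `h=` more times than it occurs, which is the extra listing RFC 6376 section 8.15 describes. The sample message, domains and function names are constructed for illustration, and no cryptographic verification is performed.

```python
import email
from email import policy

# Constructed sample: two signatures over a message with one From header.
# bh=/b= are placeholders; no cryptographic verification is performed here.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
    "\th=from:from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel2;\r\n"
    "\th=From : To : Subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: alice@example.org\r\n"
    "To: bob@example.com\r\n"
    "Subject: constructed test message\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def oversign_report(raw_message, fields=("from",)):
    """Per signature, classify each field as unsigned, signed or oversigned."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        # h= is a colon-separated list; names are case-insensitive and may be folded.
        listed = [n.strip().lower() for n in tags.get("h", "").split(":")]
        entry = {"d": tags.get("d")}
        for field in fields:
            in_h = listed.count(field.lower())
            in_msg = len(msg.get_all(field, []))
            if in_h == 0:
                entry[field] = "unsigned"
            elif in_h > in_msg:
                # Extra h= entry covers a nonexistent instance, so adding one breaks the signature.
                entry[field] = "oversigned"
            else:
                entry[field] = "signed"
        report.append(entry)
    return report

if __name__ == "__main__":
    for row in oversign_report(SAMPLE, fields=("from", "subject")):
        print(row)
```
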