Regarding "From MUST be signed twice, because it is a mandatory frozen/singleton header. You can't have more than one From header" this is not a requirement of RFC 6376. In section 8.15, Attacks Involving Extra Header Fields, double-signing From is presented as an option:
"These can represent serious attacks, but they have nothing to do with
DKIM; ... DKIM can aid in detecting addition of specific fields in transit.
This is done by having the Signer list the field name(s) in the "h=" tag an
extra time (e.g., "h=from:from:..." for a message with one From field), so
that addition of an instance of that field downstream will render the
signature unable to be verified."
It might be a good idea to double sign but it's not a strict requirement.
Regarding "From MUST be signed twice, because it is a mandatory frozen/singleton header. You can't have more than one From header" this is not a requirement of RFC 6376. In section 8.15, Attacks Involving Extra Header Fields, double-signing From is presented as an option:
"These can represent serious attacks, but they have nothing to do with
DKIM; ... DKIM can aid in detecting addition of specific fields in transit.
This is done by having the Signer list the field name(s) in the "h=" tag an
extra time (e.g., "h=from:from:..." for a message with one From field), so
that addition of an instance of that field downstream will render the
signature unable to be verified."
It might be a good idea to double sign but it's not a strict requirement.