The From header field MUST be signed (that is, included in the "h="
tag of the resulting DKIM-Signature header field). ...
I think that since From is included in the FROZEN list just above the SHOULD list (line 290 of dkim/__init__.py currently) it will always be signed. If that's not the case, then we need to add mandatory.
RFC 6376, which obsoleted RFC 4871, has this:
5.4. Determine the Header Fields to Sign
The From header field MUST be signed (that is, included in the "h="
tag of the resulting DKIM-Signature header field). ...
I think that since From is included in the FROZEN list just above the SHOULD list (line 290 of dkim/__init__.py currently) it will always be signed. If that's not the case, then we need to add mandatory.