Comment 2 for bug 1525048

RFC 6376, which obsoleted RFC 4871, has this:

5.4. Determine the Header Fields to Sign

   The From header field MUST be signed (that is, included in the "h="
   tag of the resulting DKIM-Signature header field). ...

I think that since From is included in the FROZEN list just above the SHOULD list (line 290 of dkim/__init__.py currently) it will always be signed. If that's not the case, then we need to add mandatory.