Thinking about it, I guess you're right. While I'd like some way to say "never trust a DKIM signature claiming to be from me if it allows extension", the reality is that the only way for somebody to get their hands on such a message is if my MTA produced one in the first place.