Does DKIM alone not solve the spam issue? Why do I need SPF?

With DKIM only, there is no way for a receiving server to know where to find the DKIM key for your domain because the signature of the email is what includes the selector DNS record location, which is assigned by each mail server admin. So mail servers receiving emails from other servers will not be able to use this for evaluating a message.

If you have example.com and have configured DKIM and nothing else, and I send an email from my server, which is example.net, but my server otherwise “spoofs” the email to be from example.com, and I have configured a DKIM record for example.net, the email will pass DKIM tests and receiving servers will have a harder time determining that the message is not from a server approved by the owners of example.com. This is because the DKIM test is performed using the sending server's records to verify email integrity, nothing else.

The verification is performed using information in the email signature. In other words, the beginning of the DKIM test is the email itself, which includes the location of the DKIM public key for the sending server. The DKIM standard is only for validating the integrity of email sent by a server, so the domain of the server does not need to have anything to do with other header information, such as smtp.mailfrom. That is why I can “spoof” example.com and pass a DKIM test using the key for example.net.

This is why everyone here is stating that DKIM serves the purpose only of message integrity, not approved sender validation. DKIM may only be used as a “proof of work” with regard to spam prevention unless used alongside DMARC with SPF configured, because nobody knows where the key is located for your domain.
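As an added example that is not part of the original answer, the script below shows the two points the answer makes: the signature's own `d=` and `s=` tags tell the verifier which DNS record holds the key, and a DKIM pass says nothing about whether `d=` has any relationship to the `From:` domain until a DMARC-style alignment check compares them. It builds a constructed message whose `From:` claims example.com while the signature names example.net's key, checks the `bh=` body hash (the integrity part of DKIM that can be done offline), and then runs the alignment check. The selector `mail`, the message text, and the two-label organizational-domain shortcut are assumptions of this example; the `b=` tag is left empty because verifying it would require fetching the RSA key from DNS, which this offline example does not do.

```python
import base64
import hashlib
import re
from email.utils import parseaddr


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        # Folding whitespace is not significant inside tag values.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags: dict) -> str:
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>.
    Both parts come from the signature itself, so the signer chooses them."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def simple_body_canon(body: bytes) -> bytes:
    """'simple' body canonicalization: CRLF line endings, trailing empty lines
    removed, and the body always ends with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    return base64.b64encode(hashlib.sha256(simple_body_canon(body)).digest()).decode()


def split_message(raw: bytes):
    """Return (header dict keyed by lowercase name, body bytes); headers unfolded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode().split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: a real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_aligned(from_domain: str, signing_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment between the From: domain and the DKIM d= domain.
    This is the comparison DKIM itself never performs."""
    if strict:
        return from_domain.lower() == signing_domain.lower()
    return org_domain(from_domain) == org_domain(signing_domain)


def evaluate(raw: bytes) -> dict:
    """What a receiver learns: where the key lives, whether the body is intact,
    and whether the signing domain aligns with the visible From: domain."""
    headers, body = split_message(raw)
    tags = parse_dkim_tags(headers["dkim-signature"])
    from_dom = parseaddr(headers["from"])[1].rsplit("@", 1)[1]
    return {
        "key_record": key_record_name(tags),
        "bh_ok": tags["bh"] == body_hash(body),
        "signing_domain": tags["d"],
        "from_domain": from_dom,
        "aligned": dmarc_aligned(from_dom, tags["d"]),
    }


def build_sample(body: bytes) -> bytes:
    """Constructed message: From: claims example.com, but the signature points at
    example.net's key under the hypothetical selector 'mail'. b= is left empty
    because the RSA check needs the key published in DNS (not done offline here)."""
    sig = (
        "v=1; a=rsa-sha256; c=relaxed/simple; d=example.net; s=mail; "
        "h=from:to:subject; bh=" + body_hash(body) + "; b="
    )
    return (
        "From: Finance <cfo@example.com>\r\n"
        "To: Staff <staff@example.com>\r\n"
        "Subject: Urgent transfer\r\n"
        "DKIM-Signature: " + sig + "\r\n"
        "\r\n"
    ).encode() + body


SAMPLE_BODY = b"Hello,\r\n\r\nPlease wire the funds today.\r\n"  # constructed input
SAMPLE = build_sample(SAMPLE_BODY)

if __name__ == "__main__":
    print(evaluate(SAMPLE))                              # bh_ok True, aligned False
    print(evaluate(SAMPLE.replace(b"today", b"now")))    # tampered body: bh_ok False
```

Running it shows the intact message passing the body-hash check while `aligned` is False, because the key record it names is `mail._domainkey.example.net` and not anything under example.com; editing the body flips `bh_ok` to False, which is the integrity guarantee the answer describes. The alignment function also accepts a `strict=True` flag, so a subdomain signer such as `news.example.com` aligns with example.com in relaxed mode but not in strict mode.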
