DKIM is very good technology. It does not give the same confidence as PGP or S/MIME but it does do a fairly good job at giving the confidence the message has not been altered since it was signed on an MTA authorized to sign for the mailbox domain, and the end user does not have to do anything technical like they do with PGP and S/MIME.
But there are some practices that should be cleaned up by system administrators and maybe could use some exposure.
A) A very large percentage of keys are RSA 1024-bit. System administrators need to be encouraged to use 2048-bit with RSA.
B) A very large percentage of keys are never replaced. This is particularly bad with 1024-bit keys. System administrators should be encouraged to generate new keys about once a year. Encouraging them to put the YYYY at the end of the DKIM selector they use when generating keypairs makes it easier for them to visually see when an old key is being used.
C) Large number of DKIM validators are not able to validate messages signed with Ed25519. Granted that is brand new and only recently added to the spec. But for server-side validation we should really encourage server admins to update their software so it can validate those messages, so that eventually it can be the recommended algorithm and RSA deprecated.
C is hard, OpenDKIM does support it but only in their development releases and it requires a very fresh version of OpenSSL to do so. But I imagine soon their stable release will support it, and hopefully sysadmins will run new enough OpenSSL (I think 1.1.1 is required)