Each mail server relaying a message will sign that message. Typically only the
server authoritative of sending mails for a specific domain (like spf) will
do this. E.g. gmail will dkim-sign all outgoing mails if you send them over
their smtp servers.
Exim's dkim code will read the incoming mail and parse all dkim signatures
found in this mail. After this, you can use ${lookup dkim{...}} to check if
this mail has been signed for a specific domain. You can use the domain part
of the From-header field and/or from the envelope from. This will tell you,
if they have been forged.
This can be handy if some wants their mail forwarded. First you check the
envelope address. It will not be correct of course (the mail has been
forwarded). Then you check the From-header address. It will be correct.
Therefore you can accept the mail as from the authoritative server.
In my understanding, at least one of those two address must be valid to accept
a mail. This can of course only be done for those domains that typically sign
ALL their outgoing mails with dkim. If at least on "correct" mail is
unsigned, dkim is useless.
gmail really signs its mails and it is therefore very easy to discard gmail
spam because the spam from gmail addresses is not send over gmail's mail
servers and is therefore not dkin signed... at least that kind of spam I get
from gmail addresses.