Recommended configuration of OpenDKIM TrustedHosts

You should not be signing messages based on the originating hosts but only for authenticated users. Your question revolves around a single configuration parameter and does not really tell how your Postfix is configured and how OpenDKIM is integrated to it.

All mail user agents (MUA) should send mail through a separate smtpd instance (smtps on port 465). This instance should require SASL authentication, and as it is implicit TLS for SMTP submission (RFC 8314, 3.3) it is also secured by TLS. In master.cf you could have, e.g.:

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

It might be a good idea to further restrict that your users should not be using email addresses of other users by adding, e.g., these parameters:

  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch

Now, as all mail from this instance is authenticated, you can sign it regardless of the IP address. The following configuration is an example that adds the OpenDKIM milter assuming it is listening on localhost:8891, continues without signing in case the milter is temporarily unavailable, and tells the milter that it should work in the signing mode (ORIGINATING).

  -o smtpd_milters=inet:localhost:8891
  -o non_smtpd_milters=inet:localhost:8891
  -o milter_default_action=accept
  -o milter_macro_daemon_name=ORIGINATING

(For the inbound mail on the smtpd instance on port 25 you should have the milter_macro_daemon_name set to VERIFYING, instead.)