After making my server sign outgoing email I started to wonder what the benefits are.
This is the opposite of a previously asked question.
Naively I see two benefits:
1. We can throw away all emails which don’t carry a valid signature. Wrong! Mail forwarders (like Mailman) will produce emails from someone at «domain which signs» which are not signed correctly (in their forwarded shape).
2. We can skip spam checking on signed email. Wrong! A spammer can send a single email through e.g. gmail.com and then resend that email as-is (w/o changing headers) to a million people.
So what are the selling points of DKIM?
DKIM is about reputation. From the intro paragraph of the main website (dkim.org):
One place you can look up reputation is at: http://www.dkim-reputation.org/
Yes, a spammer can DKIM sign a message, but that message then goes through SpamAssassin and gets scored. You then build a database of signed domains and what kind of messages the domains send. If (say) gmail.com keeps sending spam, then SA knows to increase the spamminess level of that domain; if it sends more 'ham', then SA will learn to trust those domains/signatures.
You are correct in saying that you can't base the spam or ham status of a message on DKIM alone (at least not right away), but it helps in determining where a message has passed through, whereas a non-signed message could have theoretically come from anywhere, with its content changed at any point in the process. Once you have at least one DKIM signature (and there can be several), you have a data point to start assessing the reputation of relays.
DKIM is about taking responsibility for the mail that goes through your relays. If you're not signing messages, then why should receivers bother trusting you? If you do sign messages, then recipient SMTP servers can learn about your relays and be confident in the reputation data they're collecting. They're just one more link in a chain (Bayesian filtering, dial-up/DSL black lists, razor content database, etc.).
For point (1): mailforwarders were thought of in the design of DKIM:
http://www.circleid.com/posts/dkim_for_discussion_lists/
For point (2): you are correct that you still have to do spam checking. But before you had no link between a domain and a spam score: every message was treated independently of every other message. Now, you potentially have something linking different messages together. Put that common link into a database and you can start doing analysis on it.
The only real advantage from my perspective is that outgoing emails are just a bit less likely to be flagged as spam. Some legitimate emails can appear to be borderline spam, for all sorts of reasons. In the mail scanners I've seen and used a valid DKIM sig will add a positive (ham) score, which may make all the difference between those emails being flagged as spam or being allowed through as ham.
Note that this is NOT the same as skipping spam checking using other methods, or skipping it altogether. It's just a matter of improving the score, not making a definitive decision.
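The two answers above describe the same mechanism from different angles: a verified signature is a small ham nudge, and the signing domain (the d= tag) becomes a key under which reputation accumulates. The following is an added example, not code from either answer and not SpamAssassin's own implementation. It reads the dkim= verdict that the receiving MX recorded in an Authentication-Results header (so it runs offline, without DNS or RSA), keeps a per-domain ham/spam tally learned from the content scorer, and combines the two. The rule scores, the message samples, the threshold and the MIN_OBSERVATIONS guard are all assumptions chosen for illustration.

```python
"""Toy DKIM-aware spam scoring (constructed example, not SpamAssassin code).
A valid signature is a reputation data point keyed by the d= domain, never a
reason to skip content filtering; a broken signature is not a rejection."""
import re
from collections import defaultdict
from email import message_from_string

# Assumed nudges, loosely modelled on the small DKIM rule scores seen in
# SpamAssassin; tune to your own mail stream.
DKIM_VALID_BONUS = -0.1      # verified signature leans slightly toward ham
DKIM_INVALID_PENALTY = 0.0   # forwarded/list mail with broken sigs is not punished
REPUTATION_WEIGHT = 2.0      # how far domain history can move a score
MIN_OBSERVATIONS = 3         # ignore reputation built on only a message or two

# dkim=<result> [(comment)] [header.d=<domain>] as written by a verifying MX
_AR_RE = re.compile(
    r"dkim=(?P<result>pass|fail|none|neutral|temperror|permerror)"
    r"(?:\s*\([^)]*\))?(?:\s+header\.d=(?P<domain>[^\s;]+))?", re.I)


def dkim_result(raw_message):
    """Return (result, signing_domain) from the Authentication-Results header
    added by the receiving MX, or ('none', None) when no DKIM verdict exists."""
    msg = message_from_string(raw_message)
    for ar in msg.get_all("Authentication-Results", []):
        m = _AR_RE.search(ar)
        if m:
            domain = m.group("domain")
            return m.group("result").lower(), (domain.lower() if domain else None)
    return "none", None


class DomainReputation:
    """Running ham/spam tally per signing domain, fed by the content scorer."""
    def __init__(self):
        self.seen = defaultdict(lambda: {"ham": 0, "spam": 0})

    def record(self, domain, is_spam):
        self.seen[domain]["spam" if is_spam else "ham"] += 1

    def adjustment(self, domain):
        s = self.seen.get(domain)
        if not s or s["ham"] + s["spam"] < MIN_OBSERVATIONS:
            return 0.0
        total = s["ham"] + s["spam"]
        # -REPUTATION_WEIGHT for an all-ham history, +REPUTATION_WEIGHT for all-spam
        return REPUTATION_WEIGHT * (s["spam"] - s["ham"]) / total


def score_message(raw_message, content_score, reputation, threshold=5.0):
    """Combine a content score (Bayes etc.) with DKIM-derived signals.
    Returns (final_score, is_spam). Every message is still content-scored."""
    result, domain = dkim_result(raw_message)
    final = content_score
    if result == "pass" and domain:
        final += DKIM_VALID_BONUS + reputation.adjustment(domain)
    elif result == "fail":
        final += DKIM_INVALID_PENALTY
    if result == "pass" and domain:
        # Learn from the content verdict, not the final one, to avoid a feedback loop
        reputation.record(domain, content_score >= threshold)
    return round(final, 2), final >= threshold


def make_message(auth_results, sender, subject):
    """Build a constructed test message (not real mail); a real MX adds
    the Authentication-Results header itself after verifying the signature."""
    headers = []
    if auth_results:
        headers.append("Authentication-Results: " + auth_results)
    headers += [f"From: {sender}", "To: me@example.net", f"Subject: {subject}"]
    return "\n".join(headers) + "\n\nbody text\n"


def run_demo():
    """Walk through both answers' scenarios; returns the verdicts per step."""
    rep = DomainReputation()
    gmail_ok = "mx.example.net; dkim=pass header.d=gmail.com header.s=20230601"
    gmail_broken = "mx.example.net; dkim=fail (body hash mismatch) header.d=gmail.com"
    org_ok = "mx.example.net; dkim=pass header.d=example.org header.s=mail"
    out = {}
    # Point (1): list/forwarder traffic with a broken signature is scored on content only
    out["forwarded"] = score_message(make_message(gmail_broken, "a@gmail.com", "[list] hi"), 1.0, rep)
    # Point (2): signed spam relayed through gmail.com is still caught by content scoring,
    # and each catch is charged to the signing domain's reputation
    out["signed_spam"] = [score_message(make_message(gmail_ok, "s@gmail.com", "cheap pills"), 7.0, rep)
                          for _ in range(3)]
    # A borderline message signed by the now-tainted domain is pushed over the threshold
    out["gmail_borderline"] = score_message(make_message(gmail_ok, "x@gmail.com", "offer"), 4.5, rep)
    # Second answer: a domain with a clean history pulls a borderline message back to ham
    out["example_org_ham"] = [score_message(make_message(org_ok, "u@example.org", "report"), 1.0, rep)
                              for _ in range(3)]
    out["example_org_borderline"] = score_message(make_message(org_ok, "u@example.org", "invoice"), 5.2, rep)
    return out


if __name__ == "__main__":
    for step, verdict in run_demo().items():
        print(step, verdict)
```

The point the code makes is the one both answers make: nothing here short-circuits the content scorer, and a failed signature costs the sender nothing, so list traffic survives. What DKIM adds is the stable key (the signing domain) that lets repeated verdicts compound into a reputation that a single unsigned message could never carry.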