by jcgl 12 days ago
You’re mistaken: DKIM always signs the entire From field. Signing is done on the MTA, so yes, it is “the reputation of the server” like you say, but “server” can be a relatively granular thing here, using different DKIM selectors for different addresses, MTAs, etc.
1 comment

A signature is not authentication in itself. It is only such if the signing entity is in some way restricting what it is willing to sign. The domain part of the email address in the "From" field is so restricted. The signing MTA will only sign domains that it controls. Otherwise it would suffer a loss of reputation. The user part of the address is not so restricted.

The name part of the email address is also part of the same signature but is not being authenticated either.
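
The distinction discussed in this thread, as an added example that is not part of either comment: the sketch below parses a constructed message and reports that the whole From field is listed in the signature's `h=` tag, while the only part that can be compared against the signer's identity is the domain (`d=`). It does no cryptographic verification; the sample message, the function names and the exact-match comparison (the strict form of the alignment check DMARC applies) are assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, not real values.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    'From: "Any Display Name" <anyuser@example.com>\n'
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace is not significant inside the tag list.
            tags["".join(name.split())] = "".join(val.split())
    return tags

def from_binding(raw):
    """Report what the signature covers in From and what is tied to d=."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    display, addr = parseaddr(msg["From"])
    local, _, domain = addr.rpartition("@")
    d = tags.get("d", "").lower()
    return {
        "from_signed": "from" in signed,            # whole field is hashed
        "signing_domain": d,                        # identity the signer asserts
        "domain_matches_d": domain.lower() == d,    # the only comparable part
        "local_part": local,                        # signed, nothing to compare to
        "display_name": display,                    # signed, nothing to compare to
    }

if __name__ == "__main__":
    for key, value in from_binding(SAMPLE).items():
        print(f"{key}: {value}")
```
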