• If you can break DNS, you can get an NXDOMAIN reply, making recipients think there aren't any domainkeys

• If the domainkey private key is small, you can factor it. There's an article on HN's frontpage right now about this.

• If the server uses domainkeys, but it doesn't specifically verify the From: header, an attacker can still forge a message if they share a popular mail provider with their target. I don't know if this is still practical.

• Stupidity. DKIM is difficult to test, and as a security measure it would need to be tested.

An autoreponse confirmation would be immune to all of these attacks and would be trivial to implement correctly.