If it came from a fake "paypal.com" address but was not received from the MX for paypal.com, your incoming spam filtering has issues other than DKIM... Something like that would get 5+ extra points added to it by a basic SpamAssassin setup. With a common setup that is Postfix + OpenDKIM as a mail filter on the incoming, that should also get caught.
I guess the point I was trying to make is that DKIM was really intended to be deployed on the service-provider side, and smtpd mail filtering side, rather than on the client.
I agree they did something wrong. But I don’t run my own server - and I do run my own client....
And it’s not the MX that says where mail comes from, it’s the SPF record (if you have one).
Google had, for a very long time, an issue where any G Suite/Gmail user could SPF as any G Suite domain; so servers that didn’t check DKIM (most until recently, and probably still) would let it through happily.
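A client-side check for the shared-SPF case discussed above, as an added example that is not from either poster: it reads the `Authentication-Results` header stamped by the receiving provider and treats a message as authenticated only when a passing DKIM signature's `d=` domain matches the From domain. The authserv-id `mx.mailhost.example`, the `bank.example` domains and the sample messages are constructed assumptions, and the two-label domain comparison is a simplification of real alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.mailhost.example"  # assumption: your own provider's authserv-id

def org_domain(domain):
    # Simplification: last two labels; a real check uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(raw_message):
    """Return 'aligned-dkim', 'spf-only' or 'unauthenticated' for one message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_domain:
        return "unauthenticated"
    spf_pass = dkim_aligned = False
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        # Ignore results not stamped by our own provider: the sender can add any header.
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue
        for clause in results.split(";"):
            clause = " ".join(clause.split())  # undo header folding
            m = re.match(r"(\w+)=(\w+)", clause)
            if not m:
                continue
            method, result = m.groups()
            props = dict(re.findall(r"([\w.]+)=(\S+)", clause))
            if method == "spf" and result == "pass":
                spf_pass = True
            elif method == "dkim" and result == "pass":
                # A DKIM pass only counts if the signing domain matches the From domain.
                if org_domain(props.get("header.d", "")) == org_domain(from_domain):
                    dkim_aligned = True
    if dkim_aligned:
        return "aligned-dkim"
    return "spf-only" if spf_pass else "unauthenticated"

def make(auth_results):  # builds a constructed sample message
    return f"From: Billing <billing@bank.example>\nAuthentication-Results: {auth_results}\n\nbody\n"

# Constructed samples, not real traffic.
GENUINE = make("mx.mailhost.example; spf=pass smtp.mailfrom=billing@bank.example; dkim=pass header.d=bank.example")
SHARED_SPF = make("mx.mailhost.example; spf=pass smtp.mailfrom=billing@bank.example; dkim=pass header.d=other-tenant.example")
INJECTED = make("mx.sender-chosen.example; dkim=pass header.d=bank.example")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("shared-spf", SHARED_SPF), ("injected", INJECTED)]:
        print(name, evaluate(raw))
```

The `spf-only` verdict is the case where a shared SPF include lets the message pass SPF while the only valid DKIM signature belongs to a different domain.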