Microsoft and GOV.UK recommend creating a record like the following on any domain that doesn’t send email.
TXT *._domainkey v=DKIM1;p=
As I understand it, the purpose is to explicitly fail DKIM, rather than leaving open the possibility that real emails from this domain don’t use DKIM.
But I don’t see how it accomplishes that. If the spammer includes an invalid DKIM header, then it’s invalid, not just missing, whether the DNS lookup result is no match or a conflicting match. And if the spammer omits the DKIM header, then a wildcard DNS record doesn’t tell you that there isn’t a valid DKIM record somewhere. It doesn’t communicate that the email should have used DKIM, while the following does:
TXT _domainkey o=!
So what is the wildcard invalid DKIM record accomplishing?