The alternative is opensmtpd-filter-rspamd which is rather overdimensioned for my needs.
So writing my own filters it was. The filters protocol (https://man7.org/linux/man-pages/man7/smtpd-filters.7.html) is fairly simple, handling it required around 100 lines of Python code.
The DKIM signing and verification filters are trivial then, thanks to the existing dkimpy module. You can see all the code and setup instructions here: https://gist.github.com/palant/c6ad869a1dd2cd79506898e4e8401438
I changed the code to make attaching information to a session context more straightforward. So the #DKIM verification filter can now optionally do #SPF verification as well. This should be the last major change I think.
A Mastodon instance for info/cyber security-minded people.