Oversigning Headers, what is it and how does one do it?

Oversigning works as follows. The (outgoing) mail server is configured to use DKIM. So it contains a private key (associated with the public key that is published in DNS). But it is also configured with which header fields are to be signed. For example, the server can be configured to sign only the “from”, “to”, “date” and “subject”.
In that case, the receiver (user) can see in the mail properties that the DKIM header contains “h=From:To:Date:Subject;”
However, if some man-in-the-middle inserts another “from” header, this can go unnoticed (i.e. it is not part of the mail that is signed by the DKIM signature).
Now, if you use oversigning, the mail server administrator can change the mail server configuration to e.g. specify “h=From:From:To:Date:Subject;”.
This double “From:” looks silly, but it means that for ‘legal’ mail, there is an explicit “empty second from” header as part of the DKIM signature. If the man-in-the-middle now tries to insert another “from” header, the DKIM signature gets ‘broken’ (in other words, the verifier at the receiving end will get another DKIM signature and thus have a failing DKIM signature).

I hope this explains it a bit.

1 Like
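To make the header-selection rule behind oversigning concrete, here is a small added example in Python (not code from the post above, and not any real DKIM library). It models only the part of RFC 6376 that matters here: for each name in the h= tag the verifier takes the last not-yet-used instance of that header, counting from the bottom of the header block upwards, and a name for which no unused instance is left contributes nothing to the hash. The sample headers, the forged CEO address and the sha256-over-relaxed-canonical-headers shortcut are all constructed for illustration; a real signature also covers the body hash and the DKIM-Signature field itself.

```python
import hashlib
import re

# Constructed sample message headers, top of the message first.
LEGIT_HEADERS = [
    ("From", "Alice <alice@example.org>"),
    ("To", "Bob <bob@example.net>"),
    ("Date", "Mon, 01 Jan 2024 10:00:00 +0000"),
    ("Subject", "Quarterly report"),
]

# The two signing policies from the post: normal and oversigned From.
H_NORMAL = "From:To:Date:Subject"
H_OVERSIGNED = "From:From:To:Date:Subject"


def relaxed_header(name, value):
    """RFC 6376 s3.4.2 'relaxed' header canonicalization (simplified):
    lowercase the name, unfold, collapse whitespace runs, strip."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_signed_headers(h_tag, headers):
    """RFC 6376 s5.4.2 selection: walk the h= list in order; for each name
    pick the last unused instance of that header, searching bottom-up.
    If none is left, record (name, None): a 'null' instance. This is the
    slot that oversigning deliberately leaves empty on legitimate mail."""
    used = set()
    selected = []
    for name in h_tag.split(":"):
        chosen = None
        for idx in range(len(headers) - 1, -1, -1):
            if headers[idx][0].lower() == name.lower() and idx not in used:
                chosen = idx
                break
        if chosen is None:
            selected.append((name, None))
        else:
            used.add(chosen)
            selected.append(headers[chosen])
    return selected


def header_hash(h_tag, headers):
    """Hash of the canonicalized headers the signature covers.
    Null instances contribute nothing to the hash input."""
    data = "".join(
        relaxed_header(name, value)
        for name, value in select_signed_headers(h_tag, headers)
        if value is not None
    )
    return hashlib.sha256(data.encode()).hexdigest()


def forge(headers):
    """Man-in-the-middle prepends a second From. Many mail clients show
    the first From they find, so this is the one the user would see."""
    return [("From", "CEO <ceo@example.org>")] + headers


def signature_survives(h_tag):
    """True if the forged message still hashes to the same signed value
    under the given h= policy, i.e. the insertion goes unnoticed."""
    return header_hash(h_tag, LEGIT_HEADERS) == header_hash(h_tag, forge(LEGIT_HEADERS))


if __name__ == "__main__":
    for tag in (H_NORMAL, H_OVERSIGNED):
        print(f"h={tag};")
        for name, value in select_signed_headers(tag, forge(LEGIT_HEADERS)):
            print(f"  signed {name}: {value!r}")
        print("  forged From unnoticed:", signature_survives(tag))
```

Running it shows why the duplicate entry matters: with h=From:To:Date:Subject the verifier binds the single From slot to the bottom-most (original) header, so the attacker's prepended From is never hashed and the signature still verifies. With h=From:From:To:Date:Subject the second slot, which was null when the message was signed, now picks up the attacker's header, the hash input changes, and verification fails.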