mzajc 2 days ago
DKIM doesn't decide which headers are signed, the mail server does (in the h= field). Gmail signs both To and From[0], but these don't control the 'real' recipient - the RCPT TO command in SMTP does. The recipient would presumably show wrong in the mail client, but since mailing lists and aliases are a thing, this is not suspicious by default.

[0] h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to;
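Added example, not part of mzajc's comment: a Python sketch that reads the h= tag of a DKIM-Signature header, reports which header names are listed more often than they occur (so adding another copy would break the signature), and lists envelope recipients that appear in neither To nor Cc. The message is constructed around the h= value quoted in [0]; the domain, selector, addresses and RCPT TO value are placeholders, and no signature is actually verified.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample. Only the h= value comes from the comment's footnote [0];
# d=, s= and all addresses are placeholders, and bh=/b= are left out.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\n"
    " h=to:subject:message-id:date:from:mime-version:from:to:cc:subject\n"
    " :date:message-id:reply-to;\n"
    "MIME-Version: 1.0\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\n"
    "Message-ID: <constructed-1@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "To: Bob <bob@example.net>\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)
MSG = message_from_string(RAW)

def signed_headers(msg):
    """Lowercased header names from the h= tag, in the order the signer listed them."""
    sig = re.sub(r"\s+", "", msg["DKIM-Signature"] or "")  # drop folding whitespace
    tags = dict(t.split("=", 1) for t in sig.split(";") if "=" in t)
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def oversigned(msg, names):
    """Names listed in h= more often than they occur in the message.

    The surplus entry signs the header's absence, so an instance added
    after signing makes verification fail.
    """
    return sorted(h for h, n in Counter(names).items()
                  if n > len(msg.get_all(h, [])))

def envelope_only(msg, rcpt_to):
    """Envelope recipients (SMTP RCPT TO) that appear in neither To nor Cc."""
    shown = {addr.lower() for _, addr in
             getaddresses(msg.get_all("to", []) + msg.get_all("cc", []))}
    return sorted(r.lower() for r in rcpt_to if r.lower() not in shown)

if __name__ == "__main__":
    names = signed_headers(MSG)
    print("signed:", names)
    print("oversigned:", oversigned(MSG, names))
    # Constructed envelope: delivered to an address the headers never mention.
    print("envelope-only:", envelope_only(MSG, ["carol@example.org"]))
```

A non-empty `envelope_only` result is what Bcc, aliases and mailing lists normally produce, so it is context for triage rather than an alert on its own.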