A wifi encryption vulnerability that required you to interact with a base station or remote computer would implicate CFAA. A wifi encryption vulnerability that allowed for pure passive interception --- a devastating flaw in 802.11/WPA3 --- might not actually violate any federal law directly. There are probably state laws (I believe Michigan has one) that implicate packet sniffing directly (they were problematic in the early oughts for security researchers).

Worth remembering: when CFAA was originally passed, an objection to it was "we already have laws that proscribe hacking computers"; the fraud statutes encompass most of this activity. CFAA's original motivation was literally WarGames: attacks with no financial motivation, just to mess things up. So even without statutory issues, breaking an encryption key and using it to steal stuff (or to gain information and ferry it to others who will use it for crimes) is still illegal.

Your guess is as good as mine about whether ECPA covers wifi sniffing. But: presuming you obtain an encryption key through lawful means, ECPA can't (by any obvious reading) make cracking that key unlawful; it's what you'd do with the key afterwards that would be problematic.

My understanding of the ECPA and other acts is that you can't intercept, decode, or receive by other intentional means any information or communications that aren't "generally accessible" without permission. It's pretty broad and doesn't care about the "how".

Private keys are not "generally accessible" and my concern is that the authorities will see cracking the key itself as issue enough, and unlawful. If a security researcher triggers painful breach notifications, which could well happen for a compromised private key, I don't think it's unthinkable at all that an upset target will find a DA who is happy to take this interpretation.

I don't think this specific DKIM case is particularly high-risk, but I still wouldn't do it without permission from the key holder.