We need to find out how the message is modified after it is signed.
For this, it does not help if you compare messages that differ in
time stamps in headers, hashcash output, S/MIME signatures, and
body content.
Capture one message 1) after DKIM signing but before transmission,
and 2) as received with DKIM verification failed.
If everything works as it should, 1) and 2) are identical except
for headers added in transit. If the DKIM verification fails, then
the file difference(s) will show what was changed.
Wietse
