I think you have to take the message as it originally came in, extract the DKIM signature and headers that it covers, and then re-sign all those headers and content (after modification).

Think of it like a chain of custody.  You get a message that is signed, and which may have some additional stuff associated with it that is not signed (like the "Received:" headers).  Because you're going to do something that is likely to destroy the signature and the original message as you received it, you need to re-sign the stuff you got which was signed on input, to be able to demonstrate to others that it had come into you signed, that you verified that signature, and you're certifying what it is that you verified.

MailmanWiki: DEV/DKIM/0003 (last edited 2008-11-12 21:48:51 by bradknowles)