I have a suggestion on how this can be fixed:
Take the *whole mail* as sent by the user, and put this into a new message/rfc822 container that has the envelope from *AND* "From:" set to the list mailing address (e.g. the mail address that users send their list posts to).
So a list mail like this:
    From: listuser@example.org
    To: list@list.org
    Subject: Fix this
    Content-Type: text/plain

    This is broken.
Can be sent out from the list as:
    From: list@list.org
    To: list_subscriber@someotherhost.org
    Subject: Fwd: Fix this
    Content-Type: message/rfc822; boundary="1234"

    This is a MIME Message

    1234
    From: listuser@example.org
    To: list@list.org
    Subject: Fix this
    Content-Type: text/plain

    This is broken.

    1234--
The fixed mail can additionally be DKIM signed by the list software.
The advantage of this is that it will fix BOTH DKIM problems (since the signing is done from the list domain and not the sender domain) *AND* SPF (since the SPF will then be validated against the list domain and not the sender domain).
Another advantage of encapsulating the mail into a new message/rfc822 container is that you don't break any previous DKIM signatures, and also do not break any S/MIME or PGP signatures.
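The wrapping proposed in the post above, as an added example that is not part of the original post or of any list software. It uses Python's standard `email` package; the function names are hypothetical, the sample message is constructed from the post's example, and the container is a single message/rfc822 entity with no boundary parameter. It checks the property the post relies on: the original bytes, and therefore any DKIM, S/MIME or PGP signature over them, are carried unchanged.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: the list post from the example above, CRLF line endings.
ORIGINAL = (
    b"From: listuser@example.org\r\n"
    b"To: list@list.org\r\n"
    b"Subject: Fix this\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"This is broken.\r\n"
)


def wrap_for_list(original: bytes, list_addr: str, subscriber: str) -> bytes:
    """Wrap `original` unmodified inside a message/rfc822 entity sent by the list."""
    inner = message_from_bytes(original, policy=policy.SMTP)
    outer = EmailMessage(policy=policy.SMTP)
    outer["From"] = list_addr  # header From is the list address
    outer["To"] = subscriber
    outer["Subject"] = "Fwd: " + str(inner.get("Subject", ""))
    outer["MIME-Version"] = "1.0"
    outer["Content-Type"] = "message/rfc822"
    # message/rfc822 only permits identity encodings (7bit, 8bit, binary).
    outer["Content-Transfer-Encoding"] = (
        "8bit" if any(b > 127 for b in original) else "7bit"
    )
    # Fold only the new headers; the original is appended byte for byte and
    # is never re-serialized by the library.
    head = b"".join(policy.SMTP.fold_binary(k, v) for k, v in outer.items())
    return head + b"\r\n" + original


def embedded_bytes(wrapped: bytes) -> bytes:
    """Return the container body: everything after the first blank line."""
    return wrapped.split(b"\r\n\r\n", 1)[1]


if __name__ == "__main__":
    out = wrap_for_list(ORIGINAL, "list@list.org",
                        "list_subscriber@someotherhost.org")
    print(out.decode("ascii"))
    print("inner bytes preserved:", embedded_bytes(out) == ORIGINAL)
```

The envelope sender is not part of the message bytes; the list software would set it to the list address in the SMTP transaction, and any DKIM signature from the list domain would be computed over the returned bytes.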