How to be compliant with DKIM,DMARC and SPF

After everything configured in our exchange server we started to see DKIM en SPF fail headers for actually valid emails. After some research we discovered two issues

- your server adjusts the body of the incoming emails with some ‘feedback” message regarding how successful the scan on your side went. Because the message body got adjusted the DKIM validation will always fail on the exchange server side. To overcome this the DKIM validation should take place in your tool and your tool should use the ARC headers https://en.wikipedia.org/wiki/Authenticated_Received_Chain to communicate the validation results to the exchange server. Can you pls tell us how to achieve this?

To avoid that the message body is altered, they can remove signatures and disarmament.

The Protector acts as a mail transfer agent. It is normal that emails pass through one or more MTAs before being delivered.