With Amavisd we don’t have the disclaimer issue even if still body has been modified. Amavisd just added the header about it and not play with body hash.
DKIM accepted this so this mast be just milter implementation in order to proceed with sending message.
: There are some caveats you should be aware of before using MIMEDefang.
: MIMEDefang potentially alters e-mail messages. This breaks a “gentleman’s
: agreement” that mail transfer agents do not modify message bodies. This
: could cause problems, for example, with encrypted or signed messages.
I understand your concern but I think this is correct description because finally we are modifying.
This is old thread and amavisd/milter described but have some sens and a bit of code and config.
Looks like in OpenDKIM should be options to which headers are restricted to sign in and which one not.