Good to hear it is fixed.
What happened was that locally generated email, for example an invitation for
the portal or a “forgot password” email, did not have the date header set. The
back-end than DKIM signed the email with the missing date. After handling , the
back-end sends the email to Postfix for delivery. Postfix by default however
adds certain header fields to the email if they are missing (data, to, from,
message-id). Because the message was DKIM signed without a date header, adding
the date header to the email caused the DKIM signature to be invalid.
The system was modified to ensure that all locally generated emails include a
date header. An alternative approach would have been to configure Postfix by
setting the local_header_rewrite_clients parameter to an empty value, which
prevents the mail server from automatically adding missing headers.