I can't help pointing out that the root cause here is that the email server is signing various things in the email that the email server did not originate. There would be no problems with forwarding if the originating user signed the email instead. The identity of the email originator is what the email recipient is actually interested in. The UI could then show if you actually know the entity sending the email rather than if your email server knows the originating email server.