RFC 6376, "DomainKeys Identified Mail (DKIM) Signatures", September 2011
Source of RFC: dkim (sec)
Errata ID: 5551
Reported By: Borislav Petrov
Date Reported: 2018-11-09
Rejected by: Barry Leiba
Date Rejected: 2019-04-30
Section 6.3. says:
If an MTA does wish to reject such messages during an SMTP session (for example, when communicating with a peer who, by prior agreement, agrees to only send signed messages), and a signature is missing or does not verify, the handling MTA SHOULD use a 550/5.7.x reply code.

Where the Verifier is integrated within the MTA and it is not possible to fetch the public key, perhaps because the key server is not available, a temporary failure message MAY be generated using a 451/4.7.5 reply code, such as:

   451 4.7.5 Unable to verify signature - key server unavailable

Temporary failures such as inability to access the key server or other external service are the only conditions that SHOULD use a 4xx SMTP reply code.
This contradicts RFC5321 which says:
...a relay SMTP has no need to inspect or
act upon the header section or body of the message data and MUST NOT
do so except to add its own "Received:" header field...
There is nothing in the cited text above that suggests modifications to the message. The text only talks about which SMTP reply codes to use.
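The reply-code selection described in the quoted Section 6.3 text, as an added example that is not part of the erratum or of RFC 6376. The names `SigResult`, `SmtpReply`, `reply_for` and `peer_must_sign` are hypothetical, the 550 reply text is constructed, and 5.7.20 (from RFC 7372) is this example's choice for the "5.7.x" the RFC leaves open.

```python
from dataclasses import dataclass
from enum import Enum


class SigResult(Enum):
    """Outcome of verifying one DKIM-Signature header field (hypothetical type)."""
    PASS = "pass"            # signature verified
    FAIL = "fail"            # signature present but did not verify
    TEMPERROR = "temperror"  # public key could not be fetched (key server unavailable)


@dataclass(frozen=True)
class SmtpReply:
    code: int
    enhanced: str
    text: str

    def line(self) -> str:
        return f"{self.code} {self.enhanced} {self.text}"


ACCEPT = SmtpReply(250, "2.0.0", "OK")
# Reply text is the example given in Section 6.3.
TEMPFAIL = SmtpReply(451, "4.7.5", "Unable to verify signature - key server unavailable")
# Section 6.3 only says "550/5.7.x"; 5.7.20 and the text are assumptions of this example.
REJECT = SmtpReply(550, "5.7.20", "No passing DKIM signature found")


def reply_for(results: list[SigResult], peer_must_sign: bool) -> SmtpReply:
    """Choose the end-of-DATA reply. Only a reply is returned; the message is not touched."""
    if SigResult.PASS in results:
        return ACCEPT
    if not peer_must_sign:
        # No prior agreement with this peer, so the MTA does not reject at SMTP time.
        return ACCEPT
    if SigResult.TEMPERROR in results:
        # A key fetch failed: a retry may still verify, so defer with 4xx instead of 5xx.
        return TEMPFAIL
    # Signature missing (empty list) or every signature failed to verify.
    return REJECT


if __name__ == "__main__":
    # Constructed inputs: one failed signature plus one whose key lookup timed out.
    print(reply_for([SigResult.FAIL, SigResult.TEMPERROR], peer_must_sign=True).line())
    print(reply_for([], peer_must_sign=True).line())
```

A temporary key-lookup error takes precedence over a failed signature here because the sender's retry may still produce a passing result; a 5xx reply would end delivery on a condition the RFC treats as transient.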