Interesting findings that for emails sent to Proofpoint protected MX, they might get rejected if the source domain has a stronger DMARC policy, e.g. strict DKIM alignment.
It all begins with a DMARC report I received from Outlook…
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
I was then eager to find out why DKIM failed in this case, and did some tests with a domain that has its MX pointed to pphosted servers. In the end, I was able to reproduce the issue with a URL link in my email so that it will be rewritten to URL Defense link, as a result, the email body was modified, and resulted in dkim=fail (body hash did not verify).