URL link(s) in signed messages by DKIM, SMIME and/or PGP have not been rewritten by URL Click-time URL Protection service.
You have excluded signed messages from the service.
Services > Email Services > Anti-Malware
Click-time URL Protection Settings
Symantec initially advised administrators not to apply click-time protection to the inbound emails that are securely signed using DKIM, S/MIME, and PGP. Rewriting the URLs changes the content of the email. This breaks encryption for the methods that expect an exact match between what is sent and what is received. Though this guidance remains in place for S/MIME and PGP, Symantec now recommends that DKIM-signed inbound emails not be excluded from URL rewriting. DKIM validation takes place at the MTA level and not at the endpoint level. This means that DKIM validation can be done before the URL is rewritten so that the rewriting doesn’t break the validation. By contrast, because validation for both S/MIME and PGP is done on the endpoint, validation always takes place after rewriting, thus breaking encryption.
Note: Be careful to implement DKIM checking using Email Security.cloud only. You cannot perform DKIM checking on an MTA that is downstream from Email Security.cloud without breaking the signatures for the messages that contain rewritten URLs.
How to check if the message is signed:
DKIM: DKIM signature can be found in the mail header
Example: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
S/MIME: smime.p7s or smine.p7m file is attached to the mail.
PGP: Email contents have been delivered as a .asc file.