You need to disable click time checking in the ClinetNet console, so the URLs in the message body are not re-written.

Email Security.cloud

We recommend to keep Click-time URL Protection enabled. The Click-time URL Protection service rewrites and performs checks on URLs in the emails that are delivered to your organization's users. Rewriting allows the service to manage access to the URLs throughout the email’s lifespan. This managed access ensures that the URL’s destination remains free of spam, phishing, or other malicious content. The Click-time URL Protection settings can be applied globally or to a specific domain.

We also recommend that DKIM-signed inbound emails not be excluded from URL rewriting. DKIM validation takes place at the MTA level and not at the endpoint level. This means that DKIM validation can be done before the URL is rewritten, so that the rewriting doesn’t break the validation. By contrast, because validation for both S/MIME and PGP is done on the endpoint, validation always takes place after rewriting, thus breaking encryption.