@dbeato step 4 is wrong. The DKIM signer needs to be at the BOTTOM of this list, so it runs last. Otherwise, other transport agents may modify the message, which would render the signatures generated by the signer invalid.