Quoting Glen Martin (glen@glen-martin.com):
MLMs can achieve this, imperfectly, and are overkill. But they're not magic, they just screw with the headers so downstream can't detect the envelope or body changes.
What you call screwing with the headers is, in my experience, the only way that retransmitted mail is going to arrive at its end-destination not seeming like an attempt to forge the upstream sender's domain.
Have you tried to use the pipe syntax of aliases, eg don@linuxmafia.org: | /usr/sbin/DKIMstripper-sendmail.sh donmarti@whereever.com // I just made this up, don't shoot me
Alas, shell pipelines in /etc/aliases are so notoriously a security hazard that modern MTAs of my experience disable parsing them by default, and you re-enable that parsing at your peril.
Of course, there are other ways of stripping DKIM headers, and that's tempting. I can imagine any number of reasons why this action might end up having adverse consequences, though.