In the version I looked at, the scammer sent it to their own email account and did a replay attack against the victim - which doesn't invalidate the cryptographic anti-spam signature.