3
DKIM configuration with firewall MTA
Question asked by Mark Thornton - 9/7/2021 at 4:11 PM
Unanswered
I am trying to understand how DKIM is supposed to work at the mail server, and then a network firewall MTA level. On other mail servers I am able to export the public and private keys being used for DKIM so I could apply them at the firewall level and have the same signatures. SmarterMail doesn't seem to give me access to the private keys. Am I supposed to have multiple DKIM signatures?

When I try and enable DKIM it shows a message about testing the DNS. It never says it passed or failed so I don't know if it is properly set up or not. Does it do something different if it passes or fails?

4 Replies

1
Kyle Kerst Replied
Employee Post
Hello Mark! DKIM signing will unfortunately not work for this domain if traffic is going through another device and having its headers/body modified. This is due to the body/headers being hashed, then modified after leaving the server, which invalidates the DKIM signature. To correct that you'll want to adjust your Firewall MTA settings so that modifications are not being made.

That being said, I could see benefit in being able to export the DKIM key for inclusion in the firewall, so I'm going to get a feature request submitted on this for you and will follow up with you when I hear back from our Product Management team.

In the meantime I hope that the reply here may help to stimulate further responses as there may be administrators out there that have made this work. Have a good one!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
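The effect described in the reply above, as an added example that is not part of the original thread and is not SmarterMail code: it computes the DKIM body hash (the `bh=` tag) using the RFC 6376 `simple` and `relaxed` body canonicalizations and compares the body as signed with the body as delivered after a gateway touched it. The function names and sample bodies are constructed for illustration, and header canonicalization is not covered.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + CRLF

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of space/tab, strip line-end whitespace,
    then drop trailing empty lines (an empty body stays empty)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + CRLF for ln in lines)

def body_hash(body: bytes, canon) -> str:
    """Value a signer would place in bh= for rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def survives(signed: bytes, delivered: bytes) -> dict:
    """Per canonicalization: does the delivered body still match the signed bh=?"""
    return {
        "simple": body_hash(signed, canon_simple) == body_hash(delivered, canon_simple),
        "relaxed": body_hash(signed, canon_relaxed) == body_hash(delivered, canon_relaxed),
    }

# Constructed sample: the body as it left the mail server.
SIGNED = b"Hello Mark,\r\n\r\nInvoice attached.\r\n"
# Constructed sample: gateway only changed whitespace (trailing spaces, extra blank line).
WHITESPACE_ONLY = b"Hello Mark,  \r\n\r\nInvoice attached.\r\n\r\n"
# Constructed sample: gateway appended a footer after signing.
FOOTER_ADDED = SIGNED + b"-- \r\nScanned by gateway\r\n"

if __name__ == "__main__":
    for name, delivered in [("unchanged", SIGNED),
                            ("whitespace only", WHITESPACE_ONLY),
                            ("footer added", FOOTER_ADDED)]:
        print(f"{name:16} {survives(SIGNED, delivered)}")
```

A whitespace-only change passes under `relaxed` but not `simple`; an appended footer fails under both, which is why the signature has to be applied by the last device that modifies the message.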
0
Mark Thornton Replied
Should I just let the MTA apply the DKIM signature? 
1
Douglas Foster Replied
You only need one valid signature. As Kyle said, the critical requirement is that the message is not modified after the signature is applied. It is unfortunate that SmarterMail's DKIM configuration cannot be exported, so if you need a signature on a different device, you will need to use a different key pair and a different scope parameter. You can create a public/private key pair with OpenSSL and other tools.
0
Kyle Kerst Replied
Employee Post
Quick update for you guys on this one. Development has not yet finished reviewing the request I submitted on this, but advised me that you can obtain the private key from the domain's settings.json file within the dkim_private_key value, and that this key is in PEM format.

If you're handy with OpenSSL you could likely convert that to the appropriate format from there, then import that into your Firewall/MTA device. I'm going to work on setting up some testing on this here and will follow up again when I have news. I hope this helps!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
