Question 3 (Part 1):
If the message was sent between two companies, or between two SMTP relays that use DKIM (an anti-spam tool), there might be a secret digital signature that they may not be aware of.
Namely, it can be proved that a message was not altered if the message has a DKIM signature and passes. This is a hidden signature that most people don't think of that is not related to SMIME and is often secretly included in messages. For example, Yahoo and Gmail DKIM sign all outbound messages unbeknownst to senders or recipients. Depending on your scenario, it's possible that the messages you are concerned about are DKIM signed, but the presence of this signature is unknown to you or your client.
Just know that a DKIM signature
- ... is not SMIME (often called a digital signature)
- ... won't be displayed in Web browsers / Outlook even if it exists
- ... is a tool used in Anti-spam technologies
- ... may not sign the whole message, or a portion therein (via the -l parameter, or by omitting key headers of the message)
- ... can fail if an intermediate SMTP server modifies the message (mailing lists, homebrew SMTP forwarders, etc)
Generally speaking, a signed DKIM message will pass if it's not modified. If a DKIM message fails, there is a small chance that a skilled email engineer / developer could make the encryption "pass" if the failure is due solely to infrastructure concerns.
TL;DR - A signed DKIM message that passes AND signs the from, to, subject, and body means the message was not modified. A failure of DKIM means nothing (mal-intent or otherwise).
(Part 2)
Outside of a DKIM pass, it's not possible to prove that the messages were not tampered with in this situation. However, there might be a way to detect tampering by looking at the MAPI properties of the message. For starters, the "Header" property will contain the original subject if the subject line was edited.
If the message was modified there are various internal Date/Time stamps that may be updated, and depending on the Outlook version, the username who modified the message is stored in the message as well. When I last investigated this, there was a difference between which fields were updated during a message move (from one folder to another) vs right clicking and editing the message (or marking it as read).
The message body is stored in at least two locations in a MAPI message: the plain text version, a rich text version, and the original. It is possible that an edited version of the message would update one (but not all) instances of the message.
If the message resides on the Exchange server database, the message may reside in one or more "streams". These message streams exist for the exclusive usage of MAPI or OWA and sometimes go out of sync. This can happen if a message is modified, and "property promotion" might be able to shed light on a modified message.
Having said that, outside of DKIM or SMIME there is nothing to prove that a message was not modified; however, there might be a way to prove it was altered.
The tool you need to investigate these low-level properties is called MFCMapi.
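
As an added example (not part of the original answer): a Python sketch that reads the `DKIM-Signature` header of a raw message and reports what the signature claims to cover, that is, whether From, To and Subject are in the signed header list (`h=`) and whether a body length limit (`l=`, the "-l parameter" mentioned above) is present. It does not verify the signature cryptographically; the sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string

REQUIRED = ("from", "to", "subject")  # headers the answer says must be signed

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace is not significant inside tag values.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_coverage(raw_message):
    """Report what each DKIM-Signature header claims to cover (no crypto check)."""
    msg = message_from_string(raw_message)
    reports = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        signed = [h.lower() for h in tags.get("h", "").split(":") if h]
        limit = tags.get("l", "")
        reports.append({
            "domain": tags.get("d"),
            "selector": tags.get("s"),
            "missing_headers": [h for h in REQUIRED if h not in signed],
            # l= restricts the body hash to the first N octets of the
            # canonicalized body; anything after that is not covered.
            "body_length_limit": int(limit) if limit.isdigit() else None,
        })
    return reports

# Constructed sample: To and Subject are not signed, and l= is set.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=sel1; h=from:date:message-id; l=20;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: Contract terms\n"
    "\n"
    "Original body text. Anything past the limit is unsigned.\n"
)

if __name__ == "__main__":
    for report in dkim_coverage(SAMPLE):
        print(report)
```

An empty `missing_headers` list together with `body_length_limit` of `None` is the coverage the TL;DR above requires; the signature itself still has to be verified against the signer's published key.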