We're in the "you're screwed regardless" territory here - like having an ISP who intercepts TLS connections and substitutes content as you download it. There's no real way to work around that, though you might be able to detect it if there are unforgeable signatures on some of the content (e.g. DKIM signatures from third parties on incoming emails) - though the intermediate can strip those too, so all you see is "unsigned" rather than "modified".
I think email clients should be rethinking how they communicate to users whether or not an email is signed, e.g. if the headers haven't been oversigned and/or the full body hasn't been signed then it may be better to just show the message as having been not signed at all.
