The message needs at least one valid authentication identifier. In this version of the specification, the only supported identifier type is DKIM [RFC6376]. Hence, senders MUST apply at least one valid DKIM signature to the message. The List-Unsubscribe and List-Unsubscribe-Post headers MUST be covered by the signature and included in the "h=" tag of a valid DKIM-Signature header field. If the message does not have the required DKIM signature, the mail receiver SHOULD NOT offer a one-click unsubscribe for that message.
https://datatracker.ietf.org/doc/html/rfc8058#section-4
This will require updating our exim config to sign additional headers as List-Unsubscribe-Post is not included in the default set.