DLP violation

Could be related to the DLP Policy (Sophos recommended files)? Because this Policy will actually hit on S/MIME Signed Emails.

As you know, a S/MIME Email will have a certificate attached to it. 

Yes, turns out the Sophos knows about the issue with default policy including the extension, but their document/KB which states which extensions it blocks doesn't state it as one of them.

Using a custom policy list and unticking certificates category may have resolved it.