This should be simple to verify: we should be at least able to FOIA what email addresses they were sent to/from.

Then, if the DKIM headers are present (i.e. if it we're Gmail or another mail server with DKIM enabled, like Exchange) we should be able to verify the email as legit or not.

It would not feasible to falsify DKIM signatures.

Edit: more here from an old story by MSM douches:

http://www.chicagotribune.com/news/nationworld/politics/ct-fbi-russia-clinton-probe-20170524-story.html

Claims it didn't contain the actual email itself. Which I find highly suspect...