Hi Raymond,
Just had a look at the issue. The problem is a bug in GitLab which I just filed (
https://gitlab.com/gitlab-org/gitlab-ce/issues/30617) which adds a header twice. The double header causes Amavis (the virus scanner) to mark mails as originating from a malicious source.
By the way, you're aware that the mails are also sent to cmucl-commits on the domain
cmucl.cons.org (mail address obfuscation) but that that mailbox doesn't exist on that domain? Should that "To" address be removed?
(You can find this configuration on the GitLab project settings page (Services section):