SA Bugzilla – Bug 8270
DKIM_INVALID when _domainkey query failed/blocked
Last modified: 2024-07-12 18:40:44 UTC
It appeared that in case querying the DKIM key (like default._domainkey.somedomain.org) is either blocked at configuration level or fails for some reason, the DKIM_INVALID symbol is set, adding spam score to a message that can in fact be a legitimate one. For example:

    Jun 28 09:21:56.419 [75520] dbg: dkim: performing public DKIM key lookup and signature verification
    Jun 28 09:21:56.419 [75520] dbg: dns: bgsend, query TXT/default._domainkey.somedomain.org blocked by dns_query_restriction: somedomain.org
    Jun 28 09:21:56.419 [75520] dbg: dkim: DKIM signature i=@somedomain.org d=somedomain.org
    Jun 28 09:21:56.420 [75520] dbg: dkim: FAILED DKIM, i=@somedomain.org, d=somedomain.org, s=default, a=rsa-sha256, c=simple/simple, unknown key size, invalid, matches author domain

In fact the DKIM check itself didn't fail; instead it was not performed, so the real DKIM check status is unknown and not invalid, and the message was not altered, so if the query were successful, it wouldn't fail. According to RFC 6376 section 6.1.2 the result should be "PERMFAIL", which is not equal to "DKIM INVALID", so the corresponding symbol should not be set and the score should not be added. This is in fact a disputable case, but it was found that due to the DNS query failing, legitimate mail is handled as spam, i.e. a false positive result.
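The distinction the report draws (key lookup never performed versus signature actually invalid) can be checked against the debug output itself. The following is an added example, not code from the bug report or from SpamAssassin, written in Python rather than SpamAssassin's Perl; the log lines are constructed to mirror the report, and the function names are assumptions.

```python
import re

# Constructed SpamAssassin-style debug lines modelled on the report (not a
# real capture): the _domainkey TXT query is blocked by dns_query_restriction,
# yet the verifier still reports the signature as FAILED / invalid.
SAMPLE_LOG = """\
Jun 28 09:21:56.419 [75520] dbg: dkim: performing public DKIM key lookup and signature verification
Jun 28 09:21:56.419 [75520] dbg: dns: bgsend, query TXT/default._domainkey.somedomain.org blocked by dns_query_restriction: somedomain.org
Jun 28 09:21:56.419 [75520] dbg: dkim: DKIM signature i=@somedomain.org d=somedomain.org
Jun 28 09:21:56.420 [75520] dbg: dkim: FAILED DKIM, i=@somedomain.org, d=somedomain.org, s=default, a=rsa-sha256, c=simple/simple, unknown key size, invalid, matches author domain
"""

# selector._domainkey.domain query that never reached DNS
BLOCKED_RE = re.compile(
    r"query TXT/(?P<sel>[^.\s]+)\._domainkey\.(?P<dom>\S+) blocked by dns_query_restriction"
)
# verifier verdict line, keyed by signing domain (d=) and selector (s=)
FAILED_RE = re.compile(r"dkim: FAILED DKIM, .*?d=(?P<dom>[^,\s]+), s=(?P<sel>[^,\s]+)")


def classify_dkim(log: str) -> dict:
    """Map each (selector, domain) to 'invalid' or 'unknown'.

    A FAILED verdict whose public-key query was blocked is downgraded to
    'unknown': no key was ever fetched, so the signature was not actually
    verified and cannot be called invalid.
    """
    blocked = set()
    verdicts = {}
    for line in log.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            blocked.add((m["sel"], m["dom"]))
            continue
        m = FAILED_RE.search(line)
        if m:
            key = (m["sel"], m["dom"])
            verdicts[key] = "unknown" if key in blocked else "invalid"
    return verdicts


def symbols_to_fire(verdicts: dict) -> list:
    """Only a genuinely invalid signature should contribute DKIM_INVALID score."""
    return sorted({"DKIM_INVALID" for v in verdicts.values() if v == "invalid"})


if __name__ == "__main__":
    v = classify_dkim(SAMPLE_LOG)
    print(v, symbols_to_fire(v))
```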