Just happened to notice this in a log:
DKIM TempFail: An error of type occured during lookup of the domains DKIM public key. DKIM verification for this message will be skipped.
So if/when a DKIM check fails, the check is skipped. Doesn't seem like the best idea, or at least one we should control what happens with. On the DKIM check options, we currently only score pass, fail, and none. Can we have an option in there that replaces fail with scores for tempfail and permfail and then we can adjust accordingly?