DKIMvalidator.com consistently says my DKIM is no good even when other sites say it is and opendkim-testkey say it is correct. It says “signature header invalid.”
The only think I can think of is that I do not have DSSEC enabled on the domain and this does result in a log event in opendkim-testkey. I wonder if that gives a result code to spamassassin on their setup for some reason.