Indeed as the above user mentioned, some are matched but do not have a score. For example, if you are a banker and talk about "huge sums of money" then you may not want a negative score on your emails.
T_DKIM_INVALID is there to tell people that their DKIM implementation is broken. In my servers I always reject emails with an invalid DKIM. In addition, I don't use spamassassin for DKIM checking, but I prefer the check to happen earlier in the process via OpenDKIM milter during postfix processing. Thus, emails will be rejected earlier and spamassassin will have to do less work.
If you want, you can give T_DKIM_INVALID a score of 100 to just block those broken emails.
In OpenDKIM I use the following settings: