There is a domain (yandex.ru) which has a [* "v=spf1 -all"], even _adsp._domainkey has this TXT entry.
So, dkim-milter kept complaining "ADSP query: missing parameter(s) in policy data" and had been rejecting mail from this domain.
I've tried to setup local adsp policy (yandex.ru:unknown), it didn't helped (thogh it stopped complaining in logs, the mail didn't get through anyway...)
Then tried adding domain into PeerList file (yandex.ru), it didn't worked either. The logs are clean, and the mail from this domain is blocked.
How to whitelist this domain after all? I had to switch to sign-only mode because of this...
Mar 22 00:22:52 xenon dkim-filter: 077151CF958 ADSP query: missing parameter(s) in policy data
Mar 22 00:22:52 xenon postfix/cleanup: 077151CF958: milter-hold: END-OF-MESSAGE from forwards1.yandex.ru[18.104.22.168]: milter triggers HOLD action; from=<email@example.com> to=<firstname.lastname@example.org> proto=ESMTP helo=<forwards1.yandex.ru>