DMARC and DKIM Alignment with Multiple DKIM Signatures

Without DKIM you can use the "Reply-To" header so replies go to the original sender.

There are two ways forwarding a message can happen. The normal way that users forward emails is by creating a new message which includes the text (and any attachments) of the old message. The normal way that servers forward email is by relaying the message - so adding in any headers and sending the message on to another server.

DMARC is specifically designed top stop messages that have been spoofed. If you configure your mail server to send a message that appears to be spoofed, then DMARC helps us to identify it. That's what it is for.

So what you really want to do is send a new message to your user that is originated from your domain (so your own SPF and DKIM policies apply) but has "Reply-To" set to the original sender.

I don't use Postfix but this sounds like a distribution list (albeit with a single member) to me.

Why isn't this mail being rejected?

In short: probably because customers pay reputable mail service such as Sendgrid for their ability to successfully deliver email and they are quite good at what they do...

From a technical perspective:

Sendgrid used it's own sendgrid.net domain in the EnvelopeFrom and Return-Path, which in pure SPF then makes the sendgrid.net SPF policy apply, not the the SPF policy of your own domain.

Sendgrid also adds it's own DKIM signature which, since it sets the d=sendgrid.net domain, is not validating your From: user@knextion.com header, but it still adds trust that the message was send via sendgrid.

When neither SPF nor DKIM fail GMail won't trigger the DMARC policy for your domain.

If you're a domain owner, you'll first need to configure SPF records and DKIM keys on all outbound email streams. DMARC relies upon these technologies to ensure signature integrity. A message that fails SPF and/or DKIM checks will trigger the DMARC policy (source: https://support.google.com/a/answer/2466580?hl=en)