I recently implemented DMARC in monitoring mode, in order to begin preparing all the domains I manage. Here is the aggregate report for yesterday. I don't understand why DKIM would evaluate to false under policy_evaluated when DKIM is marked pass under auth_results. This domain (mydomain.io) sent one message yesterday (my own server is the SMTP server) to another domain I manage (myotherdomain.net) whose MX is Google Apps.
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>xxx711</report_id>
<date_range>
<begin>1469923200</begin>
<end>1470009599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>my.domain.io</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>23.92.28.xx</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.io</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>myotherdomain.net</domain>
<result>pass</result>
</dkim>
<spf>
<domain>mydomain.io</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
Best Answer
It is failing because the domain isn't aligned for DKIM.
The result in
<policy_evaluated>is assessed as follows:<auth_results>pass?<auth_results>aligned? That is, is the domain in<auth_results>the same domain as in<policy_published>?If the answers to 1 and 2 are Yes then the result is pass, otherwise it is fail.
In your case, for DKIM #1 is Yes, but #2 is No because the domain in
<policy_published>is mydomain.io but the domain reported in the<auth_results>for DKIM is myotherdomain.net.