SPF or DKIM alignment issues with Google
We know that SPF and DKIM can fail or become unaligned due to some forwarders, but for Gmail specifically, we're also aware of some GSuite features that don't offer full authentication. We're still working on a complete list of all of them, but so far we see the most authentication failures when sending messages through Google Calendar or Google Drive.
Let's dive into this a bit more with an example! When Google sends out a calendar invite for a GSuite account, they send it from your domain, but the Return-Path header on those emails uses the calendar-server.bounces.google.com domain. This leaves SPF unaligned for DMARC, because the From and Return-Path domains need to match to achieve alignment.
Incomplete DMARC compliance is a known limitation of using Google services for now, but by signing your messages with DKIM for your domain and using the same domain for your messages' Return-Path headers (SPF) whenever possible, you'll minimize how often those limitations actually cause DMARC to fail. Anticipating these kinds of issues, the DMARC authors ensured that only one of the two, SPF or DKIM, has to pass and align in order to satisfy DMARC.
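The alignment logic described above, as an added example (not code from this article or from Google): it evaluates a constructed calendar invite whose Return-Path uses calendar-server.bounces.google.com. The DKIM d= value, the selector, the pass/fail inputs and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; the DKIM-Signature values are placeholders.
SAMPLE = """\
Return-Path: <bounce-id@calendar-server.bounces.google.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector1; bh=...; b=...
From: Alice <alice@example.com>
Subject: Invitation: Planning

body
"""

def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b, mode="r"):
    # "s" = strict (exact match), "r" = relaxed (same organizational domain).
    a, b = a.lower(), b.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def domain_of(header_value):
    # Domain part of the address in a From or Return-Path header.
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def dkim_domains(msg):
    # Collect the d= tag of every DKIM-Signature header on the message.
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        pairs = (t.split("=", 1) for t in sig.split(";") if "=" in t)
        tags = {k.strip(): v.strip() for k, v in pairs}
        if "d" in tags:
            found.append(tags["d"])
    return found

def dmarc_eval(raw, spf_pass, dkim_pass, aspf="r", adkim="r"):
    # spf_pass / dkim_pass are the receiver's raw verification results.
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    spf_ok = spf_pass and aligned(domain_of(msg["Return-Path"]), from_dom, aspf)
    dkim_ok = dkim_pass and any(aligned(d, from_dom, adkim) for d in dkim_domains(msg))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(dmarc_eval(SAMPLE, spf_pass=True, dkim_pass=True))
    print(dmarc_eval(SAMPLE, spf_pass=True, dkim_pass=False))
```

With an aligned DKIM signature the invite still satisfies DMARC even though SPF cannot align; without one, the same message fails.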
A lesser-known limitation arises when sending to a group or role-based recipient using GSuite. Many servers will rewrite the From header so that it matches the GSuite domain, something like:
From: "example.com" via "Recipient" <email@example.com>
But Google only rewrites the "From" header when the DMARC policy of the original sender is set to "reject" or "quarantine". If you have a "none" policy, then from Google's perspective, failing DMARC doesn't actually prevent delivery, so they don't go to the trouble of rewriting the From header.