I get DMARC report from google, and the dkim check appears twice, one with pass, the other with fail status. This same report includes another record from the same IP with all pass status. Any idea what would cause this, or what should I fix?
Here are the relevant entries from the report, after sanitizing the domain name and IPs. Notice the second record has two different dkim entries for the same domain:
<record>
<row>
<source_ip>222.222.222.222</source_ip>
<count>2</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>mydomain.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
..
<record>
<row>
<source_ip>222.222.222.222</source_ip>
<count>2</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
</dkim>
<dkim>
<domain>mydomain.com</domain>
<result>fail</result>
</dkim>
<spf>
<domain>mydomain.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
The message was likely signed twice, this is not uncommon. Double-signed messages happen the most when a message is forwarded. Is there any chance the message was forwarded somewhere within your domain?
As you can see, the single aligned DKIM pass was enough for DMARC-DKIM, so Google evaluated the double signature correctly. Some setups - Cisco Ironport in particular - do not handle double-signatures correctly, but the big ISPs like Google have no problem with it.