DMARC reports both success and failure for selector1

Question

We have DKIM configured correctly, I think, but are getting unexpected mixed results from DMARC aggregate reports. I'm using contoso as a placeholder for the real domain prefix. My records do not literally say "contoso".

CNAME selector2._domainkey.contoso.com 7200 selector2-contoso-com._domainkey.contoso.onmicrosoft.com.
CNAME selector1._domainkey.contoso.com 7200 selector1-contoso-com._domainkey.contoso.onmicrosoft.com.

The DMARC aggregate report from Google shows both success and failure for selector1. What does this mean? Clearly the mail would be rejected if our DMARC was not currently p=none, so it's important to figure it out.

<record>
<row>
<source_ip>40.107.220.97</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>contoso.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>contoso.com</domain>
<result>pass</result>
<selector>selector1</selector>
</dkim>
<dkim>
<domain>contoso.com</domain>
<result>fail</result>
<selector>selector1</selector>
</dkim>
<spf>
<domain>contoso.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>

Answer 1

Based on the extract you posted, for DKIM authentication, in the stream of messages there were fail and pass reports for the domain contoso.com using selector1. There was one sending IP used in this process, 40.107.220.97. Messages can contain multiple DKIM signatures, for example due to forwarding. Consequently, you may find multiple DKIM entries in an DMARC aggregate report.
In principle, messages pass DMARC if any DKIM signature is verified and aligned (domain d= of signature aligns with domain found in from).