It has already been agreed that there is too little information to work with in this question, but I'd still like to point out the two most plausible and non-malicious explanations in case the question pops up again.
- The email you sent to the Vendor was not properly handled by Yourself.
Not meaning to point finger, but at any request for help, this should be the first suspicion. The "neither DKIM nor SPF pass" does not automatically say that both "failed". You may have one fail and one that wasn't configured at all for your domain.
This is of course the reason to have DMARC reports at all. Even if you seem to be sure of your setup, please do send a test email to e.g. gmail and read through the headers of the recipient email.
- The Vendor has an email forwarding system that isn't properly configured for DMARC.
This is unfortunately more common than one would hope. See reasons for reference:
https://www.dmarcanalyzer.com/forwarding-within-dmarc/
It is sometimes said that it's only a problem for SPF, but forwarders may change both headers and body for internal and perfectly innocent (but less valid) reasons. If the forwarder keeps your domain as From-address the DMARC report will be sent to you.
The next day, Postmark sent me my weekly DMARC report - and it
contained 2 failed entries originating from this vendor's domain,
saying that both SPF and DKIM failed.
I'm not familiar with Postmark, but for each fail it should be possible to see:
a) Which server reported the fail
b) What was the originating sender server
c) What was the DKIM signature domain
d) What was the SPF verification domain
Using this information it should be possible to learn more about the "spoof". When you say "originating from this Vendor domain" I can't clearly assume which of a-d you mean.
As also already pointed out, in both of these cases your email may have been lost and your request to the Vendor needs to be retried. Sending a follow-up email is a good way to check if the same report appear again of if it was a one-time thing.
In any case I'd say it is not a bad idea to ask the Vendor about the "spoof". They can probably help you with an explanation and you decide if you are willing to trust them. It may also be that they are unaware of a mail configuration problem they have.