Why is OpenDMARC using my (the recipients) configuration for incoming mail?

Question

Recently I've had some incoming emails be rejected by my mail server for failing DMARC checks. Upon closer inspection I noticed that the logs mentioned that the rejection was because OpenDMARC was applying my policy instead of the sender's policy. A, slightly redacted, example of a failed exchange sending mail from info@random.tld to random.tld@mydomain.tld would be

postfix/smtpd[19698]: connect from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]
postfix/smtpd[19698]: Anonymous TLS connection established from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
policyd-spf[19706]: Pass; identity=helo; client-ip=40.107.8.52; helo=eur04-vi1-obe.outbound.protection.outlook.com; envelope-from=info@random.tld; receiver=random.tld@mydomain.tld
policyd-spf[19706]: Pass; identity=mailfrom; client-ip=40.107.8.52; helo=eur04-vi1-obe.outbound.protection.outlook.com; envelope-from=info@random.tld; receiver=random.tld@mydomain.tld
postfix/smtpd[19698]: 3578F66A0006: client=mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]
postfix/cleanup[19707]: 3578F66A0006: message-id=<AM5PR0201MB22602B5B4998B49514A63C76B2540@AM5PR0201MB2260.eurprd02.prod.outlook.com>
opendkim[598]: 3578F66A0006: mail-eopbgr80052.outbound.protection.outlook.com [40.107.8.52] not internal
opendkim[598]: 3578F66A0006: not authenticated
opendkim[598]: 3578F66A0006: failed to parse Authentication-Results: header field
opendkim[598]: 3578F66A0006: DKIM verification successful
opendkim[598]: 3578F66A0006: s=selector1-random.tld d=random.onmicrosoft.com SSL
opendmarc[605]: implicit authentication service: mail.mydomain.tld
opendmarc[605]: 3578F66A0006 ignoring Authentication-Results at 1 from vps.mydomain.tld
opendmarc[605]: 3578F66A0006: mydomain.tld fail
postfix/cleanup[19707]: 3578F66A0006: milter-reject: END-OF-MESSAGE from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]: 5.7.1 rejected by DMARC policy for mydomain.tld; from=<info@random.tld> to=<random.tld@mydomain.tld> proto=ESMTP helo=<EUR04-VI1-obe.outbound.protection.outlook.com>
postfix/smtpd[19698]: disconnect from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7

Note the third line from the bottom. In this specific case the sender does not have their own DMARC policy. Other emails send from info@random.tld tend to arrive just fine.

In the last year it has also failed once on forwarding my work account and once forwarding my university account.

Can this behavior be caused by a certain (mis)configuration on either end, or is this a bug?

I am running OpenDMARC version 1.3.1. With the following config, trimmed for clarity:

##  AuthservID (string)
##      defaults to MTA name
#
AuthservID mail.mydomain.tld
PidFile /var/run/opendmarc.pid
##  RejectFailures { true | false }
##      default "false"
##
RejectFailures true
Syslog true
UserID opendmarc:opendmarc
PublicSuffixList /usr/share/publicsuffix/
IgnoreAuthenticatedClients true

Answer 1

Configure matching AuthservID for all local milters.

Alternatively: add all your trusted IDs to TrustedAuthServIDs in opendmarc. Simply removing the line is usually sufficient as well, as it defaults to MTA name in both opendkim and opendmarc.

AuthservID mail.mydomain.tld
ignoring Authentication-Results at 1 from vps.mydomain.tld

opendmarc only considers trusted results when evaluating a message, hence the ignoring log line. Trusted results are identified by an identifier that is typically equal to postconf myhostname.

In this specific case the sender does not have their own DMARC policy.

But still, opendmarc is applying your, the recipients policy - because you explicitly told it to. Your policy is to reject failures (RejectFailures true). This decision is independent from your DMARC policy for outgoing mail (as defined in DNS). The default is to only add the header, regardless of the outcome of the DMARC evaluation.