Hacker News

The problem here is that Department of State has set their DMARC policy correctly to reject and the victim is using a server that correctly checks the policy, so sender spoofing should not be possible.

However, the Outlook server in between launders the email by 1) not honoring the DMARC policy and 2) rewriting the email headers to originate from Department of State.

As DMARC requires that either SPF or DKIM alignment passes, the laundered email will pass the DMARC check on the victim's side who expects to be protected from this kind of spoofing.

Really the solution here should be an extension to DMARC where you can set a policy that BOTH SPF and DKIM checks need to pass and be aligned in order for the email to be delivered, rather than just one.
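The alignment rule the comment describes (DMARC passes if either the SPF or the DKIM identifier is aligned with the RFC5322.From domain) and the proposed "both must pass" extension, as an added example that is not part of the original comment. The code below is a simplified RFC 7489 evaluator written for this page; the `auth=both` record tag, the organizational-domain shortcut (last two labels instead of the Public Suffix List), the `forwarder.example` domain and all message scenarios are constructed for illustration. The comment does not say which of the two checks the laundered message ends up passing, so the second scenario simply passes exactly one of them:

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real DMARC uses the Public Suffix List; this shortcut is an assumption."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

@dataclass
class DmarcPolicy:
    p: str = "none"              # requested disposition: none / quarantine / reject
    adkim: str = "r"             # DKIM alignment mode
    aspf: str = "r"              # SPF alignment mode
    require_both: bool = False   # hypothetical extension: SPF AND DKIM must be aligned

def parse_dmarc_record(txt: str) -> DmarcPolicy:
    """Parse a DMARC TXT record. 'auth=both' is a made-up tag for this example."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return DmarcPolicy(p=tags.get("p", "none"), adkim=tags.get("adkim", "r"),
                       aspf=tags.get("aspf", "r"),
                       require_both=tags.get("auth", "") == "both")

@dataclass
class AuthResults:
    from_domain: str                       # RFC5322.From domain shown to the user
    spf_result: str                        # "pass" / "fail" / "none" ...
    spf_domain: str                        # MAIL FROM domain SPF was evaluated on
    dkim_sigs: list = field(default_factory=list)  # [(d= domain, result), ...]

def evaluate(res: AuthResults, pol: DmarcPolicy) -> dict:
    """Return the DMARC verdict for one message under the given policy."""
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, pol.aspf)
    dkim_ok = any(r == "pass" and aligned(d, res.from_domain, pol.adkim)
                  for d, r in res.dkim_sigs)
    # Standard DMARC: one aligned pass is enough. Extension: both are required.
    passed = (spf_ok and dkim_ok) if pol.require_both else (spf_ok or dkim_ok)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed, "disposition": "none" if passed else pol.p}

# Constructed scenarios (not real messages).
LEGIT = AuthResults("state.gov", "pass", "state.gov", [("state.gov", "pass")])
# Rewritten by an intermediary: DKIM no longer verifies, only SPF is aligned.
ONE_CHECK_ONLY = AuthResults("state.gov", "pass", "state.gov", [("state.gov", "fail")])
# Plain spoof from an unrelated host: nothing aligns.
SPOOF = AuthResults("state.gov", "pass", "forwarder.example", [("forwarder.example", "pass")])

STANDARD = parse_dmarc_record("v=DMARC1; p=reject; adkim=r; aspf=r")
REQUIRE_BOTH = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=s; auth=both")

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("one-check", ONE_CHECK_ONLY), ("spoof", SPOOF)]:
        print(name, "standard:", evaluate(msg, STANDARD)["disposition"],
              "| require_both:", evaluate(msg, REQUIRE_BOTH)["disposition"])
```

Under the standard policy the `ONE_CHECK_ONLY` message is accepted, because a single aligned SPF pass satisfies DMARC even though the DKIM signature was broken by the rewrite; under the hypothetical `auth=both` policy it is rejected, while the unmodified `LEGIT` message still passes. The `aligned` helper also shows why `adkim=s`/`aspf=s` matter: `mail.state.gov` aligns with `state.gov` in relaxed mode but not in strict mode.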


