It's important to note the recipient email address as there are many email environments and Email Service Providers that do not verify DKIM authentication, therefore it will always fail when emails are sent to these destinations. This does not mean that deliverability will be impacted negatively. If an email provider can not verify DKIM authenticity, then they likely do not use it as a factor for determining sender validity in their email rules. Most of the major Email Service Providers do verify DKIM. The two biggest ESPs are Gmail and Yahoo. Sending an email to one of these two ESPs is the true test of DKIM authentication.

Another thing that can cause DKIM to fail is by email relaying. If a message sent from Luminate Online is passed from one location to another, this could potentially cause a DKIM failure. DKIM signing works by creating a hash using the header and the private key. The recipient server then decrypts the hash and compares it to the header. If the two match, it is a pass, otherwise it fails. Since relaying (and sometimes a spam/virus scanner) adds information to the header, this could cause a mismatch and a fail. 

A good analogy is registered mail. If I send a registered letter to a mail handling company (like the UPS Store) and they sign for it, open it, and forward the contents in a new envelope, it is no longer a registered letter. The registry chain has been broken. The contents are still valid and you may trust the UPS Store to do this for you, but it is no longer a registered letter. It no longer comes from the original sender; it comes from the UPS store. In this way, the DKIM signature is being broken, but not by the original sender (Blackbaud). The signature says it is coming from our email server. However, once it is relayed, it is no longer coming from our server, but from the relay and thus, the signature fails.