Wednesday, October 19, 2016

If the email failed Domain-based Message Authentication, Reporting and Conformance (DMARC), why did it get delivered?

This one turns out to be pretty easy to answer. See this:

Authentication-Results: mx.google.com; spf=pass (google.com: domain of podesta@law.georgetown.edu designates 157.56.111.54 as permitted sender) smtp.mailfrom=podesta@law.georgetown.edu; dmarc=fail (p=NONE dis=NONE) header.from=outlook.com
That line means the owner of the From: domain (outlook.com) has published a DMARC record whose policy ("p") is none, so it is not asking the receiving server to take any action when a message fails the DMARC check; "dis=NONE" is Google recording that it applied no disposition. The line also shows why the check failed even though SPF passed: SPF passed for the envelope sender domain law.georgetown.edu, which does not align with the From: domain outlook.com, and no DKIM result is recorded, so neither authenticated identifier matches the domain the recipient sees...

According to the DMARC website (the dmarc.org FAQ):

Does DMARC “p=none” affect the way my emails get delivered?

No. A “p=none” policy means that the Domain Owner is not asking the Receiver to take action if a DMARC check fails. This policy allows the domain owner to receive reports about messages using their domain even if they haven’t deployed SPF/DKIM, so that they could for example determine if their domain is being abused by phishers. There would be no change in how their messages are treated; however they would now have some visibility into what mail is being sent under the domain’s name. If you have not yet deployed SPF or DKIM, we do not recommend implementing them at the same time as DMARC. Change only one parameter at a time and start by DMARC first because of its reporting capabilities.
If you have deployed SPF and/or DKIM, this policy allows you to monitor your progress in deploying these protections to all of your message streams. Monitoring the domain while implementing authentication measures lets you assess the potential impact before moving to a policy that requests more aggressive protective actions by receivers, such as “p=quarantine” or “p=reject”.
Please note that receivers may have any number of filtering measures in use besides DMARC. These mechanisms, many of which have been in use for a decade or more, may include message content scanning, reputation associated with sending IP addresses, and even checking SPF and DKIM results. So even if a domain owner publishes a “p=none” policy, a receiver may still take action on a message they deem to be suspicious, or that fails an SPF or DKIM check, based on these other mechanisms. However with DMARC the domain owner will now receive statistics on such messages and be able to tell which IP address they came from, and whether they passed or failed SPF or DKIM, and can take corrective action accordingly.

In other words, the people managing the outlook.com domain told receiving servers: if an email using our domain fails DMARC testing, don't do anything about it on our account.
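To make the header concrete, here is an added Python example (not code from the post) that parses that Authentication-Results line and applies DMARC's identifier-alignment rule to it: SPF passed for the envelope sender law.georgetown.edu, but that domain does not align with the From: domain outlook.com and no DKIM result is present, so DMARC fails, and the disposition then follows whatever p= the From: domain published. The sample header is reconstructed from the post with the "Authentication-Results:" field name restored; the organizational-domain helper is a deliberate simplification (last two labels rather than the Public Suffix List), and the relaxed-alignment logic is the general rule from RFC 7489 rather than anything specific to Google.

```python
"""Parse an Authentication-Results header and work out why DMARC failed and
what the From: domain's published policy asks the receiver to do."""
import re

# Constructed sample: the header quoted in the post, with the field name
# restored. All values (authserv-id, domains, IP) are taken from the post.
SAMPLE_HEADER = (
    "Authentication-Results: mx.google.com; "
    "spf=pass (google.com: domain of podesta@law.georgetown.edu designates "
    "157.56.111.54 as permitted sender) smtp.mailfrom=podesta@law.georgetown.edu; "
    "dmarc=fail (p=NONE dis=NONE) header.from=outlook.com"
)

VALID_POLICIES = ("none", "quarantine", "reject")


def _split_outside_parens(text, sep=";"):
    """Split on sep, ignoring separators that appear inside (comments)."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_authentication_results(header):
    """Return (authserv_id, {method: {"result", "comment", "props"}})."""
    body = re.sub(r"^Authentication-Results:\s*", "", header.strip(), flags=re.I)
    chunks = _split_outside_parens(body)
    authserv_id = chunks[0].split()[0]          # e.g. mx.google.com
    results = {}
    for chunk in chunks[1:]:
        m = re.match(r"(\w+)=(\w+)", chunk)     # method=result
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        comment = re.search(r"\(([^)]*)\)", chunk)
        stripped = re.sub(r"\([^)]*\)", "", chunk)   # drop comments before props
        props = {f"{k}.{v}".lower(): val
                 for k, v, val in re.findall(r"(\w+)\.(\w+)=(\S+)", stripped)}
        results[method] = {"result": result,
                           "comment": comment.group(1) if comment else "",
                           "props": props}
    return authserv_id, results


def organizational_domain(domain):
    """Simplification (assumption): last two labels. Real receivers consult
    the Public Suffix List to find the organizational domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def evaluate_dmarc(results, policy=None):
    """Relaxed identifier alignment per RFC 7489: DMARC passes if an SPF pass
    or a DKIM pass is aligned with the From: domain. On failure the
    disposition is the published p= (overridable via `policy` to compare)."""
    dmarc = results["dmarc"]
    from_domain = dmarc["props"]["header.from"]
    if policy is None:
        m = re.search(r"\bp=(\w+)", dmarc["comment"])
        policy = m.group(1).lower() if m else "none"
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown DMARC policy {policy!r}")

    spf, spf_aligned = results.get("spf"), False
    if spf and spf["result"] == "pass":
        spf_domain = spf["props"].get("smtp.mailfrom", "").rsplit("@", 1)[-1]
        spf_aligned = organizational_domain(spf_domain) == organizational_domain(from_domain)

    dkim, dkim_aligned = results.get("dkim"), False
    if dkim and dkim["result"] == "pass":
        dkim_aligned = organizational_domain(dkim["props"].get("header.d", "")) == \
            organizational_domain(from_domain)

    passed = spf_aligned or dkim_aligned
    return {"from_domain": from_domain, "policy": policy,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}


if __name__ == "__main__":
    authserv, results = parse_authentication_results(SAMPLE_HEADER)
    verdict = evaluate_dmarc(results)
    print(f"{authserv}: DMARC {verdict['dmarc']} for {verdict['from_domain']} "
          f"(spf_aligned={verdict['spf_aligned']}, dkim_aligned={verdict['dkim_aligned']}), "
          f"published p={verdict['policy']} -> disposition {verdict['disposition']}")
    for p in VALID_POLICIES:   # what the same failure would mean under each policy
        print(f"  if outlook.com published p={p}: disposition {evaluate_dmarc(results, p)['disposition']}")
```

Running it prints that DMARC fails with disposition none for the header as published, and that the identical failure would have yielded quarantine or reject had outlook.com published either of those policies.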

Conclusion: The message was delivered because the From: domain's DMARC policy was p=none, so Google's server, honoring that policy, let it through even though it failed the DMARC check. Had outlook.com published p=quarantine or p=reject, the same failure would have asked Google to send the message to spam or reject it outright.
