Is GMAIL incorrectly failing SPF?

I have figured it out. Not surprisingly, it was me misinterpreting the report, not Google getting their DMARC implementation wrong :)

The SPF result in the policy evaluated section that I was being confused by (copy posted in OP) is the DMARC evaluated SPF result after considering alignment.

This quote here explains the issue:

Please note that the SPF and DKIM results in the auth_results are raw results, regardless of Identifier Alignment; he results of the DMARC evaluation with Identifier Alignment are in the policy_evaluated section.

I checked the rest of the record and found that the raw results for the same record were, correctly, SPF pass.

So, what the DMARC report was telling me was that, while the SPF result was indeed from outlook.com (and hence was a raw 'pass') the return path header did not match my sending domain, which produces a DMARC evaluation SPF fail. Another reference here.

Basically, do not attempt to read the XML reports directly - they are hard for humans! I found this DMARC xml parser which does a fabulous job of allowing you to clearly see what the DMARC report is trying to tell you.