Email message headers pass SPF check after failing earlier SPF checks. Will this result in spam?

Question

I have an issue where email is being marked as spam by Gmail/Google Apps systems.

When reading the mail headers, the most recent SPF check in the mail chain passes, but earlier checks fail. That is, the email has passed through a variety of systems, and earlier ones have failed SPF checks but more recent ones (including Gmail's servers) have passed SPF checks.

My question is, are previous SPF failures used to indicate spam, even when the most recent SPF check passes? Or is only the most recent SPF check in the message headers used?

For example, these are the ARC-Authentication-Results headers from the mail in question. As you can see, at the point that the most recent ARC (authenticated received chain) header was added, the mail passed SPF checks for that MTA, but an earlier MTA had failed an SPF check, as captured in the earlier ARC header.

Does this matter? Do anti-spam systems look at earlier failures in the message header chain, or do they only take into consideration the most recent MTAs check? My understanding is that the action=none part means that the email was not detected as spam at that point, or that the results from this should not be used by subsequent MTAs. Is this correct?

ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of <removed> designates <removed> as permitted sender) smtp.mailfrom=<removed>

But an earlier MTA has failed an SPF check as captured by ARC at that point:

ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is <removed>) smtp.rcpttodomain=<removed> smtp.mailfrom=<removed>; dmarc=none action=none header.from=<removed>; dkim=none (message not signed); arc=none

Answer 1

With regard to SPF, Google is notorious for looking at the entire chain of Received: headers instead of just SPF-checking the host that actually connects and delivers mail to them. So yes, any earlier SPF fails in the headers of the mail you deliver to Google will increase the chances of it being flagged as spam.

I don't know why they do this, but it may be for DMARC reporting reasons. Then again, it may be for other reasons. Anyway, Google has a somewhat useful tool to show you what they think of your message headers. There is also their good old Postmaster Tools. Signing up there to find out when they think you are being naughty is always a good idea when you send to Gmail and Google Workspace accounts.

The "action=none" part in ARC means the sender side's DKIM policy cleared the mail or that there was no DKIM policy in place for that particular mail hop. You will have to look at the other ARC headers to figure out why the MTA that wrote the header end came to that conclusion.

Either way, action=none is not supposed to be anything but a statement of fact ('this is what I decided') for that particular mail hop.

Answer 2

Just my 2 cents - it might be worthwhile checking your DKIM and DMARC to ensure those are correct and in place. We have had similar issues in the past when either was not configured correctly. I hope this helps.