I have an issue where email is being marked as spam by Gmail/Google Apps systems.
When reading the mail headers, the most recent SPF check in the mail chain passes, but earlier checks fail. That is, the email has passed through a variety of systems, and earlier ones have failed SPF checks but more recent ones (including Gmail's servers) have passed SPF checks.
My question is, are previous SPF failures used to indicate spam, even when the most recent SPF check passes? Or is only the most recent SPF check in the message headers used?
For example, these are the ARC-Authentication-Results headers from the mail in question. As you can see, at the point that the most recent ARC (authenticated received chain) header was added, the mail passed SPF checks for that MTA, but an earlier MTA had failed an SPF check, as captured in the earlier ARC header.
Does this matter? Do anti-spam systems look at earlier failures in the message header chain, or do they only take into consideration the most recent MTAs check? My understanding is that the action=none part means that the email was not detected as spam at that point, or that the results from this should not be used by subsequent MTAs. Is this correct?
ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of <removed> designates <removed> as permitted sender) smtp.mailfrom=<removed>
But an earlier MTA has failed an SPF check as captured by ARC at that point:
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is <removed>) smtp.rcpttodomain=<removed> smtp.mailfrom=<removed>; dmarc=none action=none header.from=<removed>; dkim=none (message not signed); arc=none