Could you send me the raw content? You can do it via the community if you don't want to lay it out here.
The problem I see with some of these checks, is that information could change. Like for rDNS for example, doing a reverselookup on a potentially old email could result in a false positive. I'm also noticing that when we run this check at the SMTP level we use their connected ip. When we run on a retrieval all it has to go off of is the received line.