Which should trigger every automated alarm bell, as well as SPF/DKIM checks. Which is where this falls apart slightly because in my experience, Gmail is pretty alert about flagging basic things like this.

The headers uploaded are the report email being sent to Google, not the original incoming email. We still don't know how this was spoofed.