Most mailservers don't send emails one character at a time. You appear to have a mental model of how a spam filter works that doesn't include fingerprinting the behavior of the sending server? Even open source mail servers do that, for example postscreen is a part of postfix.
Where it came from is one of the most important details!
Is this mail relay actually elided.org or is it impersonating elided.org?
There does not appear to be an SPF record for that domain so Gmail cannot determine if this is a fraudulent message, especially if the machine this request came from does not match the IP of the A record for that domain.