SPF (Sender Policy Framework) is a system for declaring which IP addresses can be trusted to send email for a domain. It uses a DNS TXT record on the sender's domain name. In the example above, there is the following line:

    Authentication-Results: mx.google.com; spf=pass (google.com: domain of no-reply@reactivedesign.co.uk designates 94.136.40.61 as permitted sender) smtp.mail=no-reply@reactivedesign.co.uk

Google checked and found that the IP address was allowed to send email from this address. This indicates that the mails are not being spoofed but are genuinely coming from the originating domain's mail servers. This would suggest vulnerabilities within their mail servers, which are now compromised, or in a hosting management system, such as the recent Plesk 0-day vulnerability.
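The check described above, as an added example that is not part of the original page: it pulls the SPF verdict, sending IP and envelope sender out of the quoted Authentication-Results line, then evaluates an SPF record against that IP the way a receiver does. The function names are hypothetical and SAMPLE_RECORD is a constructed record, not the domain's real one; only the ip4, ip6 and all mechanisms are evaluated, since the others need live DNS lookups.

```python
import ipaddress
import re

# Header line quoted on this page.
HEADER = ("Authentication-Results: mx.google.com; spf=pass "
          "(google.com: domain of no-reply@reactivedesign.co.uk designates "
          "94.136.40.61 as permitted sender) "
          "smtp.mail=no-reply@reactivedesign.co.uk")

# Constructed SPF record for illustration only; not the domain's real record.
SAMPLE_RECORD = "v=spf1 ip4:94.136.40.0/24 ip4:192.0.2.10 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf_result(header):
    """Extract the SPF verdict, sending IP and envelope sender from the header."""
    verdict = re.search(r"\bspf=(\w+)", header)
    ip = re.search(r"designates\s+(\S+)\s+as permitted sender", header)
    sender = re.search(r"\bsmtp\.mail(?:from)?=(\S+)", header)
    return {
        "result": verdict.group(1) if verdict else None,
        "client_ip": ip.group(1) if ip else None,
        "mail_from": sender.group(1) if sender else None,
    }


def evaluate_spf(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; the first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):  # DNS-based mechanisms are skipped here
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

A pass from this check only says the connecting IP is listed for the envelope sender's domain, which is why mail sent through a compromised but authorized server still passes.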