We received this email from David: Hi, I'm David Palomino, I'm not sure if you are the ones who usually have to deal with this issues (if it's not the case, sorry about that). It seems that we're rejecting any mails coming from @telefonica.com (and that's a big problem, as they are our main partners for FxOS . I've checked this with several colleagues in TEF, and all with the same result. I'm copying and pasting below the info provided by SMTP server from TEF. If you are not responsible of checking this, please just let me know how to raise this. Thanks a lot! David Información de diagnóstico para los administradores: Generando servidor: smtptc.telefonica.com email@example.com mozilla.com.s5a1.psmtp.com #<mozilla.com.s5a1.psmtp.com #5.0.0 smtp; 550 Sender Authorization check failed - psmtp> #SMTP# Encabezados de mensajes originales: Return-Path: <firstname.lastname@example.org> Received: from smtptc.telefonica.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2DCB288192 for <email@example.com>; Wed, 10 Sep 2014 11:58:02 +0200 (CEST) Received: from ESTGVMSP101.EUROPE.telefonica.corp (unknown [10.92.4.9]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtptc.telefonica.com (Postfix) with ESMTPS id 12CF88816E for <firstname.lastname@example.org>; Wed, 10 Sep 2014 11:58:02 +0200 (CEST) Received: from ESTGVMSP234.EUROPE.telefonica.corp ([fe80::709b:af58:f600:5455]) by ESTGVMSP101.EUROPE.telefonica.corp ([fe80::dcb3:36c9:e979:754d%11]) with mapi id 14.03.0146.002; Wed, 10 Sep 2014 11:57:58 +0200 From: CRISTINA HELGUERA SANCHEZ <email@example.com> To: David Palomino <firstname.lastname@example.org> Subject: Draft agenda workshop Thread-Topic: Draft agenda workshop Thread-Index: Ac/M3O0VZvOxwCkVTFCLBCehOfcAaQAAJ5rA Date: Wed, 10 Sep 2014 09:57:57 +0000 Message-ID: <7671CF9B5992944CA8B5C90A2E15BB952EC3D88F@ESTGVMSP234.EUROPE.telefonica.corp> Accept-Language: es-ES, en-US Content-Language: es-ES X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.92.4.9] Content-Type: multipart/alternative; boundary="_000_7671CF9B5992944CA8B5C90A2E15BB952EC3D88FESTGVMSP234EURO_" MIME-Version: 1.0 X-TM-AS-MML: No I am investigating but if someone could look at this as a matter of Urgency since they are a large partner of Mozilla.
"Another delivery report just 3 minutes ago: Reporting-MTA: dns; smtpar4.telefonica.com X-Postfix-Queue-ID: 6E8B4160173 X-Postfix-Sender: rfc822; email@example.com Arrival-Date: Wed, 10 Sep 2014 09:23:48 -0300 (ART) Final-Recipient: rfc822; firstname.lastname@example.org Original-Recipient: rfc822;email@example.com Action: failed Status: 5.0.0 Remote-MTA: dns; mozilla.com.s5a1.psmtp.com Diagnostic-Code: smtp; 550 Sender Authorization check failed - psmtp But with other Telefonica users it's working now (but with different MTA). "
Dave, is there anything we can do to allow these emails through our Postini checks?
(In reply to Ryan Watson [:w0ts0n] from comment #3) > Dave, is there anything we can do to allow these emails through our Postini > checks? I don't think we can without completely disabling SPF checks, which I wouldn't recommend. (In reply to Ryan Watson [:w0ts0n] from comment #1) > But with other Telefonica users it's working now (but with different MTA). ^^^^ this is a big clue. The sender is using an unauthorized MTA, the users who have it working are using the correct one.
https://support.google.com/a/answer/4568483?hl=en They need to eliminate one of those two SPF records, or combine them both into the same one.
So to summarize, now that I've thoroughly confused people as I posted stuff here as I found it, here's the real problem: The problem is in telefonica.com's DNS. They have 2 SPF records. One of them matches the IP they're sending from, the other doesn't. You're only allowed to have one. Whichever one it finds first will get used. This means their mail will be randomly failing depending on the order the records are returned (which are returned at random by the nameserver). The correct fix is to combine the two SPF records. Right now they have: telefonica.com descriptive text "v=spf1 mx ip4:126.96.36.199 ip4:188.8.131.52/31 ip4:184.108.40.206/31 ip4:220.127.116.11/31 ip4:18.104.22.168/31 ip4:22.214.171.124/31 ip4:126.96.36.199/31 ip4:188.8.131.52 ip4:184.108.40.206 ip4:220.127.116.11 ip4:18.104.22.168 ?all" telefonica.com descriptive text "v=spf1 include:spf.protection.outlook.com -all" They need to be combined into telefonica.com descriptive text "v=spf1 mx ip4:22.214.171.124 ip4:126.96.36.199/31 ip4:188.8.131.52/31 ip4:184.108.40.206/31 ip4:220.127.116.11/31 ip4:18.104.22.168/31 ip4:22.214.171.124/31 ip4:126.96.36.199 ip4:188.8.131.52 ip4:184.108.40.206 ip4:220.127.116.11 include:spf.protection.outlook.com ?all" Perhaps with the "?all" being a "-all" at the end instead, that choice would be up to them. There is nothing else we can do on our end, they need to fix their DNS.
Thank Dave. I'll see if I can get in contact with their IT team and pass the bug along.
Thanks a lot Dave and Ryan! I'll send this info to their IT team. Is it ok to cc them here in this bug? Cheers! David
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX
Hi, Just fyi, TEF originating mails are not being bounced right now, so working fine :-) Thanks a lot to all of you for your help! David
You need to log in before you can comment on or make changes to this bug.