2
Receiving mail from notification.intuit.com
Question asked by Jane Noel - 5/13/2019 at 12:35 PM
Answered
So I have a number of customers who use Quickbooks for Payroll and their employees get notifications.

One company is having an issue and is not receiving these and I'm not sure why.

Here are two clips from a log file for 4/24/19.  I've changed the domains to "workingdomain" and "notworkingdomain".  The first one that works goes through the spam check, processes, and finishes just fine.

The one that doesn't work just starts and ends - never going into the spam check at all.  I went looking for any unique settings on the domain or any rules that could affect it, but didn't find anything.

Does anyone have any idea why one domain successfully receives the intuit emails and the other does not?  (I found multiple domains that receive the notifications...and only one that does not.)

-------------------------------------------------------------------------
LOG CLIP 1 - This is the one that works as expected.
-------------------------------------------------------------------------
[2019.04.24] 10:50:47.498 [49658] Delivery started for bounces+2327135-b8f0-accountname=workingdomain.com@e.notification.intuit.com at 10:50:47 AM
[2019.04.24] 10:51:02.935 [49658] Added to SpamCheckQueue (0 queued; 7/30 processing)
[2019.04.24] 10:51:02.935 [49658] [SpamCheckQueue] Begin Processing.
[2019.04.24] 10:51:02.935 [49658] Starting Spam Checks.
[2019.04.24] 10:51:14.123 [49658] Spam check results: [REVERSE DNS LOOKUP: 0,Passed], [_CYREN: 0,Unknown], [_MESSAGESNIFFER: 0,code:0], [_SPF: 0,Pass], [_DK: 0,None], [_DKIM: 0,Pass], [BARRACUDA CENTRAL RBL: 0,passed], [CBL - ABUSE SEAT - DO NOT USE FOR OUTGOING: 0,passed], [HOSTKARMA - BLACKLIST: 0,passed], [MAILSPIKE Z: 0,passed], [NOABUSE: 0,passed], [NOPOSTMASTER: 0,passed], [SEM-URIBL: 0,passed], [SEM-URIRED: 0,passed], [SORBS 02 - HTTP: 0,passed], [SORBS 03 - SOCKS: 0,passed], [SORBS 04 - MISC: 0,passed], [SORBS 05 - SMTP: 0,passed], [SORBS 06 - RECENT: 0,passed], [SORBS 07 - WEB: 0,passed], [SORBS 08 - BLOCK: 0,passed], [SORBS 09 - ZOMBIE: 0,passed], [SORBS 10 - DYNAMIC IP: 0,passed], [SORBS 11 - BAD CONFIG: 0,passed], [SORBS 12 - NOMAIL: 0,passed], [SORBS 13 - NO SERVER: 0,passed], [SPAMCOP: 0,passed], [SPAMHAUS - PBL 1: 0,passed], [SPAMHAUS - PBL 2: 0,passed], [SPAMHAUS - SBL 1: 0,passed], [SPAMHAUS - SBL2: 0,passed], [SPAMHAUS - XBL 1: 0,passed], [SPAMHAUS - XBL 2: 0,passed], [SPAMHAUS - XBL 3: 0,passed], [SPAMHAUS - XBL 4: 0,passed], [SPAMHAUS ZEN: 0,passed], [SPAMRATS: 0,passed], [SURBL - ABUSE BUSTER: 0,passed], [SURBL - JWSPAMSPY: 0,passed], [SURBL - MALWARE: 0,passed], [SURBL - PHISHING: 0,passed], [SURBL - SA BLACKLIST: 0,passed], [SURBL - SPAMCOP WEB: 0,passed], [SURRIEL: 0,passed], [UCEPROTECT LEVEL 1: 0,passed], [UCEPROTECT LEVEL 2: 0,passed], [UCEPROTECT LEVEL 3: 0,passed], [URIBL - BLACK: 0,passed], [URIBL - GREY: 0,passed], [URIBL - MULTI: 0,passed], [URIBL - RED: 0,passed], [VIRUS RBL - MSRBL: 0,passed]
[2019.04.24] 10:51:14.123 [49658] Spam Checks completed.
[2019.04.24] 10:51:14.139 [49658] Removed from SpamCheckQueue (4 queued or processing)
[2019.04.24] 10:51:15.560 [49658] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2019.04.24] 10:51:15.560 [49658] [LocalDeliveryQueue] Begin Processing.
[2019.04.24] 10:51:15.576 [49658] Starting local delivery to accountname@workingdomain.com
[2019.04.24] 10:51:15.639 [49658] Delivery for bounces+2327135-b8f0-accountname=workingdomain.com@e.notification.intuit.com to accountname@workingdomain.com has completed (Delivered) Filter: idbs@idboardshop.com
[2019.04.24] 10:51:15.639 [49658] End delivery to accountname@workingdomain.com (MessageID: <sV0z1-xiSVmSSLraqJkCOg@ismtpd0005p1sjc2.sendgrid.net>)
[2019.04.24] 10:51:15.639 [49658] Removed from LocalDeliveryQueue (1 queued or processing)
[2019.04.24] 10:51:18.623 [49658] Removing Spool message: Killed: False, Failed: False, Finished: True
[2019.04.24] 10:51:18.623 [49658] Delivery finished for bounces+2327135-b8f0-accountname=workingdomain.com@e.notification.intuit.com at 10:51:18 AM    

-------------------------------------------------------------------------
LOG CLIP 2 - This is the one that's not working
-------------------------------------------------------------------------

[2019.04.24] 13:15:33.630 [52520] Delivery started for bounces+2327135-e47c-accountname=notworkingdomain.com@e.notification.intuit.com at 1:15:33 PM
[2019.04.24] 13:15:33.646 [52520] Removing Spool message: Killed: False, Failed: True, Finished: False
[2019.04.24] 13:15:33.646 [52520] Delivery finished for bounces+2327135-e47c-accountname=notworkingdomain.com@e.notification.intuit.com at 1:15:33 PM    [id:452988152520]

-------------------------------------------------------------------------


Any ideas are appreciated.

Thanks,
Jane

6 Replies

0
Kyle Kerst Replied
Employee Post
This issue appears to be related to either a custom spam check, or a content filter you have configured at the system, domain, or user level:

[2019.04.24] 10:51:15.639 [49658] Delivery for bounces+2327135-b8f0-accountname=workingdomain.com@e.notification.intuit.com to accountname@workingdomain.com has completed (Delivered) Filter: idbs@idboardshop.com
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
Jane Noel Replied
Thanks Kyle - but the one you responded to (with the filters) is the one that is working.  (And I had another from a different domain on that same day that was also fine. )

The second clip doesn't have a filter listed - and that's the one that's not going through.
0
Tony Scholz Replied
Employee Post
Hello Jane, 

Generally when I see a Delivery session like this it times out or ends up in the Quarantine. Make sure that the "Spam Checks" log is set to detailed. 

First thing to do is to grab the session number, in this case -> 52520

Search the SMTP logs for the session number +.hdr and make sure 'Display Related Traffic' is selected

Search = 52520.hdr

Do you see any errors here? If you do not, the next step is to take the same session number and search the SPAM Logs to see if the AV caught the message. The search will not need the .hdr. Just the session number. 

Looking forward to hearing what you find. 

Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
0
Jane Noel Replied
Tony, this search in the SMTP log led to some additional information about why one works [49658] and one doesn't [52520].  Both appear to be coming from intuit, but the one fails because of a DMARC error.

There was nothing in the Spam Check Log. I set the Spam Check to Detailed, but on the date in question, it was set as "exceptions".

Is there anything I can do about that?  Or is it on the sending company to get their policy set up correctly?

THE EMAIL THAT WORKS [49658]
Sender email: quickbooks@notification.intuit.com

FAILS with a 550 Message rejected due to senders DMARC Policy [52520]
o1.e.notification.intuit.com.  

Here's the clip of the log.  I changed my client's name.  

---------------------------------------------------------------------------------
[2019.04.24] 13:15:30.661 [167.89.58.138][62764628] rsp: 220 mail.gds.us
[2019.04.24] 13:15:30.661 [167.89.58.138][62764628] connected at 4/24/2019 1:15:30 PM
[2019.04.24] 13:15:30.661 [167.89.58.138][62764628] Country code: US
[2019.04.24] 13:15:30.724 [167.89.58.138][62764628] cmd: EHLO o1.e.notification.intuit.com
[2019.04.24] 13:15:30.724 [167.89.58.138][62764628] rsp: 250-mail.gds.us Hello [167.89.58.138]250-SIZE 52425728250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
[2019.04.24] 13:15:30.802 [167.89.58.138][62764628] cmd: MAIL FROM:<bounces+2327135-e47c-accountname=accountdomain.com@e.notification.intuit.com>
[2019.04.24] 13:15:30.802 [167.89.58.138][62764628] senderEmail(1): bounces+2327135-e47c-accountname=accountdomain.com@e.notification.intuit.com parsed using: <bounces+2327135-e47c-accountname=accountdomain.com@e.notification.intuit.com>
[2019.04.24] 13:15:30.849 [167.89.58.138][62764628] rsp: 250 OK <bounces+2327135-e47c-accountname=accountdomain.com@e.notification.intuit.com> Sender ok
[2019.04.24] 13:15:30.849 [167.89.58.138][62764628] Sender accepted. Weight: 0. Block threshold: 20.
[2019.04.24] 13:15:30.911 [167.89.58.138][62764628] cmd: RCPT TO:<accountname@accountdomain.com>
[2019.04.24] 13:15:30.911 [167.89.58.138][62764628] rsp: 250 OK <accountname@accountdomain.com> Recipient ok
[2019.04.24] 13:15:30.974 [167.89.58.138][62764628] cmd: DATA
[2019.04.24] 13:15:30.974 [167.89.58.138][62764628] Performing PTR host name lookup for 167.89.58.138
[2019.04.24] 13:15:31.005 [167.89.58.138][62764628] PTR host name for 167.89.58.138 resolved as o1.e.notification.intuit.com
[2019.04.24] 13:15:31.021 [167.89.58.138][62764628] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2019.04.24] 13:15:31.083 [167.89.58.138][62764628] senderEmail(2): noreply@paycheckrecords.com parsed using: "\"PaycheckRecords.com\" <noreply@paycheckrecords.com>" <quickbooks@notification.intuit.com>
[2019.04.24] 13:15:31.083 [167.89.58.138][62764628] Sender accepted. Weight: 0. Block threshold: 20.
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] rsp: 550 Message rejected due to senders DMARC policy
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] A trace of the DMARC processing follows.
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] Beginning DMARC check for bounces+2327135-e47c-accountname=accountdomain.com@e.notification.intuit.com from IP 167.89.58.138...
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] The from field for the message is ""\"PaycheckRecords.com\" <noreply@paycheckrecords.com>" <quickbooks@notification.intuit.com>".  Will look for DMARC policy record at _dmarc.paycheckrecords.com
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] Retrieved the following DMARC policy record for "paycheckrecords.com": v=DMARC1; p=reject; sp=none; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com;fo=1
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] DMARC policy violated due to DKIM domain ("notification.intuit.com") not belonging to the same parent domain as the from address field domain ("paycheckrecords.com").
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] DMARC policy violated due to SPF domain ("e.notification.intuit.com") not belonging to the same parent domain as the from address field domain ("paycheckrecords.com").
[2019.04.24] 13:15:31.427 [167.89.58.138][62764628] Received message size: 5114 bytes
[2019.04.24] 13:15:31.442 [167.89.58.138][62764628] Successfully wrote to the HDR file. (C:\SmarterMail\Spool\SubSpool3\452988152520.hdr)
[2019.04.24] 13:15:31.442 [167.89.58.138][62764628] Data transfer succeeded but message rejected by DMARC
[2019.04.24] 13:15:31.489 [167.89.58.138][62764628] disconnected at 4/24/2019 1:15:31 PM

---------------------------------------------------------------------------------

Thanks,
Jane
0
Tony Scholz Replied
Employee Post Marked As Answer
Hello Jane, 

This particular fail is out of your hands. 

paycheckrecords.com has set this policy to reject any fails out of hand. 

  • p=reject

Full DMARC record. 

  • v=DMARC1; p=reject; sp=none; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com;fo=1

The only thing that will stop this is for them to either update the DMARC record to not reject (this would not be the best idea, as this is working as intended), add the domain to the SPF record, or fix the DATA command passed to the server.

  • DMARC policy violated due to SPF domain ("e.notification.intuit.com") not belonging to the same parent domain as the from address field domain ("paycheckrecords.com").

You will notice how they change the FROM address when passing the DATA to the server. If this had not been changed, I think it would have passed.

Here is the DATA command

  • cmd: DATA
  • Performing PTR host name lookup for 167.89.58.138
  • PTR host name for 167.89.58.138 resolved as o1.e.notification.intuit.com
  • rsp: 354 Start mail input; end with <CRLF>.<CRLF>
  • senderEmail(2): noreply@paycheckrecords.com parsed using: "\"PaycheckRecords.com\" <noreply@paycheckrecords.com>" <quickbooks@notification.intuit.com>
  • Sender accepted. Weight: 0. Block threshold: 20.
  • rsp: 550 Message rejected due to senders DMARC policy

I hope this helps. 

Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
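
The alignment check that the DMARC trace in this thread reports, as an added example (not part of any post and not SmarterMail's code). It uses the From header, policy record and SPF/DKIM domains from the log; the function names are illustrative, and the two-label organizational-domain rule is a simplifying assumption in place of the Public Suffix List.

```python
from email.utils import parseaddr

# Values copied from the SMTP log quoted in this thread.
FROM_HEADER = (r'"\"PaycheckRecords.com\" <noreply@paycheckrecords.com>" '
               r'<quickbooks@notification.intuit.com>')
DMARC_RECORD = ("v=DMARC1; p=reject; sp=none; "
                "rua=mailto:dmarc_rua@emaildefense.proofpoint.com; "
                "ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com;fo=1")
SPF_DOMAIN = "e.notification.intuit.com"   # MAIL FROM domain
DKIM_DOMAIN = "notification.intuit.com"    # DKIM domain named in the trace


def org_domain(domain):
    """Assumption: last two labels. A real evaluator uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def aligned(auth_domain, from_domain, mode="r"):
    """'s' (strict) needs an exact match; 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def disposition(from_domain, record):
    """'pass' when SPF or DKIM aligns, else the policy the record requests."""
    tags = parse_dmarc(record)
    if (aligned(SPF_DOMAIN, from_domain, tags.get("aspf", "r"))
            or aligned(DKIM_DOMAIN, from_domain, tags.get("adkim", "r"))):
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


def rfc5322_from_domain(header):
    """Domain of the mailbox Python's email parser extracts from a From header."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


if __name__ == "__main__":
    print("From domain in the log:", disposition("paycheckrecords.com", DMARC_RECORD))
    parsed = rfc5322_from_domain(FROM_HEADER)
    print("From domain via parseaddr:", parsed, aligned(DKIM_DOMAIN, parsed))
```

The log shows the server taking noreply@paycheckrecords.com from inside the quoted display name, which is why the paycheckrecords.com record was consulted. Python's `parseaddr` returns quickbooks@notification.intuit.com for the same header, a domain that aligns with both logged identifiers.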
0
Jane Noel Replied
Thanks Tony.  It does help.  This gives me the info I need to work with my customer and their Paycheck provider.  

THANKS!
Jane
