E-sign email

I am having same problem! Did you get it solved?

Did happen with me only they saying wait for another 24h and its been 3 days now don't know who is works there but definitely they incompetent to do sort of work where is the management absolutely terrible service and its getting worst and worst 🤦‍♂️

Yes I am having problems and have been in the phone for 2 days the left hand don’t know what the right hand is doing.

I explained that if this does not go through I will need to go through credit checks again - thus impacting my credit file. The fact that they are aware of this surly they have a duty of care to alert new & existing customers of this giving the customer a choice.

Having the same issue upgraded on Sunday had no e-sign documents through had to upgrade again today because of it had all documents apart from the e-sign it’s stressing me out 

The error logs are as follows, this suggests that three.co.uk need to hire better technical staff 🙂

2023-09-05 11:52:04 H=cluster-j.mailcontrol.com [85.115.54.190]:60486 sender verify fail for <noreply@notification.three.co.uk>: cust7051-s.out.mailcontrol.com [85.115.60.190] : SMTP error from remote mail server after RCPT TO:<noreply@notification.three.co.uk>: 550 5.7.1 <noreply@notification.three.co.uk>... Relaying denied
2023-09-05 11:52:04 H=cluster-j.mailcontrol.com [85.115.54.190]:60486 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<noreply@notification.three.co.uk> rejected RCPT <EMAIL REDACTED>: Sender verify failed

Same exact problem here. It turns out that this is because three's technical support team is incompetent.

Let me dissect this issue for you...

Firstly, three send customers emails from multiple domains, which, is bad practice. In today's age, ideally, customers should be familiar with one or two solidly recognisable email addresses which they can easily identify as authentic. Once you introduce multiple subdomains and multiple emails, you muddy the situation and introduce security risks and vulnerabilities for your customers.

So, let's look at the email addresses which three use during the order checkout process:

@mails.three.co.uk
@servicemails.three.co.uk
@service.mails.three.co.uk
@notifications.three.co.uk

This is where it get's interesting. The first three emails work fine, they are set up correctly, they are secure, they have the appropriate authorisation and security protocols in place. Those emails are the accounts which send the 'order confirmation' and 'customer agreement form'. The reason you receive those emails but not the eSign one, is because those emails are sent from an email address that is properly configured on the server.

Unfortunately, problems arise when we investigate notifications.three.co.uk (which, it appears is the email address used to send the eSign form/link).

It turns out that notifications.three.co.uk domain DOES NOT have a DKIM or SPF record set up. This is awful news for three's customers, and introduces all kinds of vulnerabilities and security risks. Firstly, not having these records appropriately set-up, means that hackers can hijack, intercept or spoof emails to make them look like they were sent by three, when in fact they were not. The reason the eSign document is never received by customers, is because, it is sent from such a vulnerable email. Most email servers will rightfully reject this email without even putting it in the user's spam folder, it will simply be outright rejected and disappear into non-existence. This is because the recipient email server is unable to authenticate the authenticity of the sender.

I've tried to raise this issue multiple times, but, so far it's fallen on deaf ears. Nobody in their overseas call centre cares, nor do they understand English well enough to grasp how serious of a situation this is, and how urgently it should be addressed. This is a security risk.

Did you finally get your e sign sent to you if so how long did it eventually take?