I am having the same issue; the only way I appear to be able to verify my identity is via email, but I am not receiving these. Please can someone at Revolut help!
Because of my user level I currently cannot open new topics, so I need to respond on this topic to create a bug report:
There is a big issue regarding verification codes by email! Currently not every Revolut customer can receive verification codes by e-mail because of a misconfiguration of Revolut's DNS settings. I already contacted customer support, but they are unable to forward this to the IT department and think it's a client-side problem. But that's totally wrong.
Lots of e-mail providers use SPF (Sender Policy Framework) to verify the sender domain and prevent phishing attacks that fake the domain.
If SPF is used on the client side, then the receiving mail server checks the DNS TXT record of the sender domain. In the case of Revolut it's the following settings:
This setting includes a list of IP addresses (e.g. references to IP lists) of the mail servers that are allowed to send e-mails under the @revolut.com domain.
The different departments/services at Revolut use different mail servers. For this reason not all communication is affected. Currently I could only see the problem for verification e-mails, but they are for sure very important for the login process. The IP address of the server sending verification e-mails is missing from this list. So mail servers that use SPF security refuse these emails because the sender IP is not allowed to use the @revolut.com domain:
In this sample the IP is 192.174.91.95.
The owner of this IP block is Sparkpost. So Revolut is using Sparkpost for sending verification e-mails. But they forgot to add Sparkpost to the DNS TXT entry.
Revolut: Please add this to the SPF TXT record:
include:_spf.eu.sparkpostmail.com
It's explained in detail here:
Thanks! Hope somebody from the IT department reads this topic.
I don’t think accepting softfail would be a good solution; it will only cause much more spam and phishing. A bank especially shouldn’t set the softfail option (which was integrated in SPF for testing purposes), so as to prevent @revolut.com phishing emails. It’s not hard to configure SPF correctly!!
There are also lots of big e-mail providers that handle SPF softfail the same way as fail. Other options wouldn’t really make sense: providing a list of allowed IPs but also allowing any other IP makes no sense to me.
And even systems that allow softfail would normally classify such incoming e-mail as spam because of bad reputation.
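The SPF check described in the posts above, as an added example that is not part of the thread and is not Revolut's or Sparkpost's configuration: a small evaluator for the `ip4`, `include` and `all` mechanisms, showing how a missing vendor `include:` turns into softfail or fail and how a strict receiver treats it. All domains, records and IP ranges are constructed placeholders, and `check_spf` and `receiver_accepts` are hypothetical helper names.

```python
import ipaddress

# Constructed TXT records standing in for DNS (all names and ranges are made up).
DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.corpmail.example ~all",
    "bank-fixed.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.corpmail.example "
                          "include:_spf.bulkvendor.example -all",
    "_spf.corpmail.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "_spf.bulkvendor.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the ip4/include/all subset of SPF (RFC 7208) for sender_ip."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included record evaluates to "pass"
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"           # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched


def receiver_accepts(result, treat_softfail_as_fail):
    """Receiver policy: some providers reject softfail just like fail."""
    if result == "fail":
        return False
    if result == "softfail":
        return not treat_softfail_as_fail
    return True
```

Here `bank.example` models a sender that forgot the vendor include, and `bank-fixed.example` is the same record with the include added and a hard `-all`.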