Can a Comcast.net email admin please contact me? One of your non-outermost email servers is running an SPF/SenderID filter (so all messages from domains with -all SPF/SenderID records are getting rejected, regardless of sending server).

Yes, I understand that people who have never worked at large providers won't get it. Nevertheless, I still think it is a good idea for folks to have separate infrastructure for contacts such as abuse, security, postmaster so they can work even when other groups in a large company
make changes to their corporate gateways, routers, etc.
Instead of relying on firstname.lastname@example.org or email@example.com, which
get messed up because a corporate IT person is trying to keep stuff out
of the corporate network, you might also consider things like http://postmaster.example.com/ or firstname.lastname@example.org which
can be routed to its own separate infrastructure.

What's to get? If a particular error is easy to make (applying a
large-system mail policy that fouls up the abuse desk is an easy
mistake to make) and there's a relatively easy alternate system design
which discourages that mistake (a separate RHS for the abuse desk that
doesn't go through the primary mail path is an easy alternate system
design) then when the mistake is made, the ROOT CAUSE is the design
error (unified mail system) rather than the instant operator error
which revealed it.
Two errors but only one root cause. It seems perfectly straightforward to me.

Well, silly of them to run an spf/sender id filter and to run
it on an internal mailhost.
Equally silly of you to publish spf records in this day and age
though. Get rid of the record and that solves your issue rather