diff --git a/docs/deliverability.md b/docs/deliverability.md
index 81e269e..d28440f 100644
--- a/docs/deliverability.md
+++ b/docs/deliverability.md
@@ -153,29 +153,46 @@ To set up from scratch next time: postmaster.google.com -> +Add domain ->
performancewest.net -> copy the `google-site-verification=...` token -> add via
the Hestia command above -> Verify.
-### 🔴 MANUAL 2 — Microsoft SNDS + JMRP (Outlook/Hotmail/Live)
+### 🔴 MANUAL 2 — Microsoft SNDS + JMRP (Outlook/Hotmail/Live) — **#1 PRIORITY**
+**85% of our audience is Microsoft-hosted** (M365/Outlook/Hotmail), so this is the
+single most important monitoring tool. Microsoft already *accepts* our mail (~1.6%
+reputation rejects), so this tells us inbox-vs-junk + complaint rates.
SNDS is **IP-based** (register the sending IPs), JMRP is the complaint feedback loop.
1. **SNDS:** -> "Request
access" -> register IPs: **207.174.124.94** and **207.174.124.107** (the two
live stream IPs; add .90 and .71 if you want full coverage). Verification goes
- to a role address on the IP's domain — use `postmaster@performancewest.net` or
- `abuse@performancewest.net` (ensure one of those receives mail via carrierone).
+ to a role address on the IP's domain.
2. **JMRP:** -> sign in with
- a Microsoft account -> register the same IPs + a complaint-destination mailbox
- (e.g. `fbl@performancewest.net`). Complaints then arrive as ARF emails.
+ a Microsoft account -> register the same IPs + a complaint-destination mailbox.
+ Complaints then arrive as ARF emails.
+
+**✅ PREREQ DONE (2026-06-19):** the role mailboxes Microsoft needs now exist and
+deliver. Created as Carbonio distribution lists routing to `ops@performancewest.net`:
+`postmaster@`, `abuse@`, `fbl@`, `dmarc@` — all verified ACCEPT at the MX +
+delivered end-to-end. (They previously REJECTED with 5.1.1, which would have blocked
+SNDS verification.) Use `postmaster@` or `abuse@` for SNDS verification and
+`fbl@performancewest.net` as the JMRP complaint destination.
+
+> Carbonio mail admin: `ssh -p 22022 justin@207.174.124.15` (the **co.carrierone.com**
+> mail host; local workstation key, justin has NOPASSWD sudo). Run prov as zextras:
+> `sudo -u zextras /opt/zextras/bin/carbonio prov ` (e.g. `gaa`, `gadl`,
+> `cdl `, `adlm `, `gdlm `).
### 🔴 MANUAL 3 — Yahoo Complaint Feedback Loop (Yahoo/AOL + att/sbcglobal/verizon)
+Lowest priority (<1% of audience), but cheap. CFL is DKIM-d= based.
1. -> sign in -> register
- the domain `performancewest.net` (CFL is DKIM-d= based, so it covers all our
- IPs automatically since they all sign with the same `mail._domainkey`).
-2. Set the complaint destination to `fbl@performancewest.net`.
+ the domains `performancewest.net` **and** `send.performancewest.net` (CFL keys
+ off the DKIM `d=` value; bulk mail now signs `d=send.performancewest.net`).
+2. Set the complaint destination to `fbl@performancewest.net` (now live, see above).
-### ✅ AUTOMATABLE LATER — DMARC aggregate reports (all providers, free)
-Gmail/Yahoo/Microsoft already send daily per-IP auth+disposition XML to
-`dmarc@performancewest.net` (our DMARC record has `rua=mailto:dmarc@...`). Nobody
-parses them yet. If we add IMAP creds for that mailbox (it's on carrierone MX) we
-can build a small collector/parser worker to chart per-IP pass/fail without any
-provider login. Deferred — provider dashboards above are faster to stand up.
+### ✅ DMARC aggregate reports — mailbox FIXED 2026-06-19 (parser still TODO)
+Gmail/Yahoo/Microsoft send daily per-IP auth+disposition XML to
+`dmarc@performancewest.net` (DMARC record has `rua=mailto:dmarc@...`). **That
+mailbox was REJECTING (5.1.1) until 2026-06-19 — we were silently losing every
+report.** It's now a Carbonio DL -> ops@ (verified delivering). Next: add IMAP creds
+for ops@ (or a dedicated dmarc mailbox) and build a small collector/parser worker to
+chart per-IP/per-domain pass-fail without any provider login. Now actually worth
+doing since the data finally arrives.
---