From 49842bddbbee30bf7856aba414a22886ae66717f Mon Sep 17 00:00:00 2001 From: justin Date: Thu, 18 Jun 2026 23:31:20 -0500 Subject: [PATCH] docs(deliverability): Microsoft #1 priority + role mailboxes created (Carbonio) Created postmaster@/abuse@/fbl@/dmarc@ as Carbonio DLs -> ops@ (they previously REJECTED 5.1.1, which would have blocked SNDS verification AND was silently dropping all DMARC aggregate reports). Verified accept-at-MX + delivered E2E. Reframe Microsoft as the #1 monitoring priority (85% of audience), Yahoo as lowest (<1%); add Carbonio admin access note; note DMARC parser now worth building. --- docs/deliverability.md | 45 +++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/docs/deliverability.md b/docs/deliverability.md index 81e269e..d28440f 100644 --- a/docs/deliverability.md +++ b/docs/deliverability.md 
@@ -153,29 +153,46 @@ To set up from scratch next time: postmaster.google.com -> +Add domain -> performancewest.net -> copy the `google-site-verification=...` token -> add via the Hestia command above -> Verify. -### 🔴 MANUAL 2 — Microsoft SNDS + JMRP (Outlook/Hotmail/Live) +### 🔴 MANUAL 2 — Microsoft SNDS + JMRP (Outlook/Hotmail/Live) — **#1 PRIORITY** +**85% of our audience is Microsoft-hosted** (M365/Outlook/Hotmail), so this is the +single most important monitoring tool. Microsoft already *accepts* our mail (~1.6% +reputation rejects), so this tells us inbox-vs-junk + complaint rates. SNDS is **IP-based** (register the sending IPs), JMRP is the complaint feedback loop. 1. **SNDS:** -> "Request access" -> register IPs: **207.174.124.94** and **207.174.124.107** (the two live stream IPs; add .90 and .71 if you want full coverage). Verification goes - to a role address on the IP's domain — use `postmaster@performancewest.net` or - `abuse@performancewest.net` (ensure one of those receives mail via carrierone). + to a role address on the IP's domain. 2. **JMRP:** -> sign in with - a Microsoft account -> register the same IPs + a complaint-destination mailbox - (e.g. `fbl@performancewest.net`). Complaints then arrive as ARF emails. + a Microsoft account -> register the same IPs + a complaint-destination mailbox. + Complaints then arrive as ARF emails. + +**✅ PREREQ DONE (2026-06-19):** the role mailboxes Microsoft needs now exist and +deliver. Created as Carbonio distribution lists routing to `ops@performancewest.net`: +`postmaster@`, `abuse@`, `fbl@`, `dmarc@` — all verified ACCEPT at the MX + +delivered end-to-end. (They previously REJECTED with 5.1.1, which would have blocked +SNDS verification.) Use `postmaster@` or `abuse@` for SNDS verification and +`fbl@performancewest.net` as the JMRP complaint destination. + +> Carbonio mail admin: `ssh -p 22022 justin@207.174.124.15` (the **co.carrierone.com** +> mail host; local workstation key, justin has NOPASSWD sudo). 
Run prov as zextras: +> `sudo -u zextras /opt/zextras/bin/carbonio prov ` (e.g. `gaa`, `gadl`, +> `cdl `, `adlm
`, `gdlm
`). ### 🔴 MANUAL 3 — Yahoo Complaint Feedback Loop (Yahoo/AOL + att/sbcglobal/verizon) +Lowest priority (<1% of audience), but cheap. CFL is DKIM-d= based. 1. -> sign in -> register - the domain `performancewest.net` (CFL is DKIM-d= based, so it covers all our - IPs automatically since they all sign with the same `mail._domainkey`). -2. Set the complaint destination to `fbl@performancewest.net`. + the domains `performancewest.net` **and** `send.performancewest.net` (CFL keys + off the DKIM `d=` value; bulk mail now signs `d=send.performancewest.net`). +2. Set the complaint destination to `fbl@performancewest.net` (now live, see above). -### ✅ AUTOMATABLE LATER — DMARC aggregate reports (all providers, free) -Gmail/Yahoo/Microsoft already send daily per-IP auth+disposition XML to -`dmarc@performancewest.net` (our DMARC record has `rua=mailto:dmarc@...`). Nobody -parses them yet. If we add IMAP creds for that mailbox (it's on carrierone MX) we -can build a small collector/parser worker to chart per-IP pass/fail without any -provider login. Deferred — provider dashboards above are faster to stand up. +### ✅ DMARC aggregate reports — mailbox FIXED 2026-06-19 (parser still TODO) +Gmail/Yahoo/Microsoft send daily per-IP auth+disposition XML to +`dmarc@performancewest.net` (DMARC record has `rua=mailto:dmarc@...`). **That +mailbox was REJECTING (5.1.1) until 2026-06-19 — we were silently losing every +report.** It's now a Carbonio DL -> ops@ (verified delivering). Next: add IMAP creds +for ops@ (or a dedicated dmarc mailbox) and build a small collector/parser worker to +chart per-IP/per-domain pass-fail without any provider login. Now actually worth +doing since the data finally arrives. ---
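Review bot: The Carbonio mail admin blockquote added at the end of the MANUAL 2 section commits the mail host's SSH endpoint, non-default port and login name to `docs/deliverability.md`, along with the fact that the account has NOPASSWD sudo. Anyone with read access to the repo or its history then gets a description of the privileged path into the mail server. Suggest leaving only a pointer in this file and moving the `ssh -p 22022 justin@207.174.124.15` line and the sudo detail to wherever access-controlled ops notes are kept. In the same hunk, the DMARC section's "add IMAP creds for ops@ (or a dedicated dmarc mailbox)" should prefer the second option. Since `postmaster@`, `abuse@`, `fbl@` and `dmarc@` all route to `ops@`, IMAP credentials for `ops@` would let the parser worker read abuse and complaint mail as well as aggregate reports. A dedicated dmarc mailbox keeps the worker's credentials scoped to the XML it needs.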