docs(deliverability): Microsoft #1 priority + role mailboxes created (Carbonio)
Created postmaster@/abuse@/fbl@/dmarc@ as Carbonio DLs -> ops@ (they previously REJECTED 5.1.1, which would have blocked SNDS verification AND was silently dropping all DMARC aggregate reports). Verified accept-at-MX + delivered E2E. Reframe Microsoft as the #1 monitoring priority (85% of audience), Yahoo as lowest (<1%); add Carbonio admin access note; note DMARC parser now worth building.
parent
3ca960aca5
commit
49842bddbb
1 changed files with 31 additions and 14 deletions
@ -153,29 +153,46 @@ To set up from scratch next time: postmaster.google.com -> +Add domain ->
|
|||
performancewest.net -> copy the `google-site-verification=...` token -> add via
|
||||
the Hestia command above -> Verify.
|
||||
|
||||
### 🔴 MANUAL 2 — Microsoft SNDS + JMRP (Outlook/Hotmail/Live)
|
||||
### 🔴 MANUAL 2 — Microsoft SNDS + JMRP (Outlook/Hotmail/Live) — **#1 PRIORITY**
|
||||
**85% of our audience is Microsoft-hosted** (M365/Outlook/Hotmail), so this is the
|
||||
single most important monitoring tool. Microsoft already *accepts* our mail (~1.6%
|
||||
reputation rejects), so this tells us inbox-vs-junk + complaint rates.
|
||||
SNDS is **IP-based** (register the sending IPs), JMRP is the complaint feedback loop.
|
||||
1. **SNDS:** <https://sendersupport.olc.protection.outlook.com/snds/> -> "Request
|
||||
access" -> register IPs: **207.174.124.94** and **207.174.124.107** (the two
|
||||
live stream IPs; add .90 and .71 if you want full coverage). Verification goes
|
||||
to a role address on the IP's domain — use `postmaster@performancewest.net` or
|
||||
`abuse@performancewest.net` (ensure one of those receives mail via carrierone).
|
||||
to a role address on the IP's domain.
|
||||
2. **JMRP:** <https://sendersupport.olc.protection.outlook.com/pm/> -> sign in with
|
||||
a Microsoft account -> register the same IPs + a complaint-destination mailbox
|
||||
(e.g. `fbl@performancewest.net`). Complaints then arrive as ARF emails.
|
||||
a Microsoft account -> register the same IPs + a complaint-destination mailbox.
|
||||
Complaints then arrive as ARF emails.
|
||||
|
||||
**✅ PREREQ DONE (2026-06-19):** the role mailboxes Microsoft needs now exist and
|
||||
deliver. Created as Carbonio distribution lists routing to `ops@performancewest.net`:
|
||||
`postmaster@`, `abuse@`, `fbl@`, `dmarc@` — all verified ACCEPT at the MX +
|
||||
delivered end-to-end. (They previously REJECTED with 5.1.1, which would have blocked
|
||||
SNDS verification.) Use `postmaster@` or `abuse@` for SNDS verification and
|
||||
`fbl@performancewest.net` as the JMRP complaint destination.
|
||||
|
||||
> Carbonio mail admin: `ssh -p 22022 justin@207.174.124.15` (the **co.carrierone.com**
|
||||
> mail host; local workstation key, justin has NOPASSWD sudo). Run prov as zextras:
|
||||
> `sudo -u zextras /opt/zextras/bin/carbonio prov <cmd>` (e.g. `gaa`, `gadl`,
|
||||
> `cdl <addr>`, `adlm <dl> <member>`, `gdlm <dl>`).
|
||||
|
||||
### 🔴 MANUAL 3 — Yahoo Complaint Feedback Loop (Yahoo/AOL + att/sbcglobal/verizon)
|
||||
Lowest priority (<1% of audience), but cheap. CFL is DKIM-d= based.
|
||||
1. <https://senders.yahooinc.com/complaint-feedback-loop/> -> sign in -> register
|
||||
the domain `performancewest.net` (CFL is DKIM-d= based, so it covers all our
|
||||
IPs automatically since they all sign with the same `mail._domainkey`).
|
||||
2. Set the complaint destination to `fbl@performancewest.net`.
|
||||
the domains `performancewest.net` **and** `send.performancewest.net` (CFL keys
|
||||
off the DKIM `d=` value; bulk mail now signs `d=send.performancewest.net`).
|
||||
2. Set the complaint destination to `fbl@performancewest.net` (now live, see above).
|
||||
|
||||
### ✅ AUTOMATABLE LATER — DMARC aggregate reports (all providers, free)
|
||||
Gmail/Yahoo/Microsoft already send daily per-IP auth+disposition XML to
|
||||
`dmarc@performancewest.net` (our DMARC record has `rua=mailto:dmarc@...`). Nobody
|
||||
parses them yet. If we add IMAP creds for that mailbox (it's on carrierone MX) we
|
||||
can build a small collector/parser worker to chart per-IP pass/fail without any
|
||||
provider login. Deferred — provider dashboards above are faster to stand up.
|
||||
### ✅ DMARC aggregate reports — mailbox FIXED 2026-06-19 (parser still TODO)
|
||||
Gmail/Yahoo/Microsoft send daily per-IP auth+disposition XML to
|
||||
`dmarc@performancewest.net` (DMARC record has `rua=mailto:dmarc@...`). **That
|
||||
mailbox was REJECTING (5.1.1) until 2026-06-19 — we were silently losing every
|
||||
report.** It's now a Carbonio DL -> ops@ (verified delivering). Next: add IMAP creds
|
||||
for ops@ (or a dedicated dmarc mailbox) and build a small collector/parser worker to
|
||||
chart per-IP/per-domain pass-fail without any provider login. Now actually worth
|
||||
doing since the data finally arrives.
|
||||
|
||||
---
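Review bot: The added "Carbonio mail admin" blockquote under MANUAL 2 writes a complete privileged-access path into the docs: `ssh -p 22022 justin@207.174.124.15` plus the statement that justin has NOPASSWD sudo. Anyone with read access to this repository learns the host, port and username, and that the account can run sudo without a password. Suggest replacing the connection details with a pointer to wherever access-controlled ops notes are kept, and leaving only the `carbonio prov` subcommand list (`gaa`, `gadl`, `cdl <addr>`, `adlm <dl> <member>`, `gdlm <dl>`) in this file. Separately, in the rewritten DMARC section, "add IMAP creds for ops@ (or a dedicated dmarc mailbox)" should name the dedicated mailbox as the preferred option: since postmaster@, abuse@, fbl@ and dmarc@ all route to ops@, a parser worker holding ops@ credentials could read all of that mail when it only needs the aggregate reports.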