From 8c51fa4b99dca1e7e2a6bca458dbf84bd5e9ac56 Mon Sep 17 00:00:00 2001 From: justin Date: Fri, 5 Jun 2026 19:22:02 -0500 Subject: [PATCH] docs: record dual-stream implementation status + remaining DNS/prod steps --- docs/healthcare-email-stream-plan.md | 35 ++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/healthcare-email-stream-plan.md b/docs/healthcare-email-stream-plan.md index ed24b28..25ddb4f 100644 --- a/docs/healthcare-email-stream-plan.md +++ b/docs/healthcare-email-stream-plan.md 
@@ -210,4 +210,39 @@ dead practice mailboxes (`550 5.1.1` from a clinic MX still hurts the hc IPs). clean delivery data. - DirectTrust signup to unlock the 242k Direct/HISP segment (separate effort). +## Implementation status (built + validated) +Committed and validated on dev: +- **Audience split** — `scripts/healthcare_email_streams.py` (shared classifier) + + reworked `scripts/build_npi_outreach_lists.py` emit + `npi_healthcare_institutional/consumer.csv` + `npi_direct_secure.csv`. + Verified on May 2026 NPPES: 89,557 institutional rows. +- **Postfix hc stream** — `infra/postfix/hc_stream_setup.sh` applied on the app + server: ports 2526/2527/2528 -> hcout1/2/3 -> IPs .107/.108/.109 (HELO + hcmta01-03). Proven: a send on :2527 egressed via hcout2 (.108) to the real + gmail MX; trucking transport_maps (.94-.96) untouched. +- **listmonk-hc** — second instance (own `listmonk_hc` DB, own cap), 3 SMTP + servers = the 3 hc ports. Proven on dev: listmonk-hc container -> host :2526 + (hcsubmit107) -> hcout1 (.107) -> real gmail MX. +- **Ramp-cap** — `infra/postfix/pw-hc-rampcap.sh` (100->1000/h off + `/etc/postfix/hc-warmup-start`), independent of the trucking ramp. +- **Deploy wiring** — deploy.sh/deploy-dev.sh bring up listmonk-hc; + `docker-compose.dev.override.yml` keeps dev (shared host) from clashing on + prod host ports / postgres volume. + +## REMAINING before any healthcare send (manual, needs Justin/DNS) +1. **PTR / FCrDNS** for the hc IPs: `.107->hcmta01`, `.108->hcmta02`, + `.109->hcmta03` (.performancewest.net). Required or institutional MX will + spam/space us. (Currently .107-.109 have `mta18-20` PTR from the trucking + pool; repoint to hcmtaNN.) +2. **SPF**: confirm `.107-.109` are authorized (they already are in the 20-IP + block, but verify after PTR change). DKIM/DMARC are domain-level, unchanged. +3. 
**Install on prod**: create `listmonk_hc` DB + `--install`, configure its 3 + SMTP servers (commands in deploy.sh header), run `hc_stream_setup.sh` on the + prod MTA, install `pw-hc-rampcap` cron. +4. **Verify identity** with mail-tester / aboutmy.email from an hc IP (PTR + SPF + + DKIM + DMARC all pass) BEFORE importing the list. +5. **Free MX+SMTP verify** the institutional CSV on a non-sending IP, import the + verified file into listmonk-hc, send small focused batches (overdue-first). + + ```
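Review bot: Step 3 of the REMAINING list installs the `pw-hc-rampcap` cron on prod but never mentions `/etc/postfix/hc-warmup-start`, which the Ramp-cap bullet names as the file the 100->1000/h ramp is driven from. Add to step 3 who creates that file on the prod MTA and when it should be set. If the ramp counts from that file, setting it at install time rather than at the first real healthcare send would let the cap climb before steps 1, 2 and 4 have passed. In step 1, "will spam/space us" is unclear; name the outcome you expect from institutional MX (spam-foldering, deferral or rejection). Step 2 says the .107-.109 addresses "already are in the 20-IP block" but gives no way to check that from this doc; name the domain whose SPF record should be inspected so the verification is repeatable.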