sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 10:58:31

Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 10:58:31

clients/cascades-tucson/reports/2026-05-20-canva-email-delivery.md

@@ -0,0 +1,74 @@
+# Email Delivery Investigation: Canva Emails Not Arriving — Alma Montt
+**Date:** 2026-05-20  
+**Tenant:** cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498)  
+**Reported by:** Alma Montt (alma.montt@cascadestucson.com)  
+**Issue:** Not receiving emails from Canva (team invite + future notifications)
+
+---
+
+## Root Cause
+
+**New mailbox provisioning race condition.** Alma's mailbox is brand-new (first email received 2026-05-19 21:11 UTC). The Canva team invite was sent before or shortly after provisioning, during a window when the mailbox was not yet fully available to external senders. The email was rejected/dropped at the SMTP layer — it never entered EOP processing.
+
+Confirmed: No quarantined messages found for Alma.Montt@cascadestucson.com.
+
+**Contributing factor (hardened anti-spam config):**  
+The tenant has the Standard Preset Security Policy active since 2026-04-17 with:
+- `BulkThreshold: 6` (aggressive — BCL ≥ 6 treated as bulk spam)
+- `HighConfidenceSpamAction: Quarantine` (high-confidence spam goes to org quarantine, not junk)
+
+Canva invite emails route via Amazon SES (`mail.canva.com`) and would be at risk of hitting BCL 6 threshold under this policy for future invites.
+
+---
+
+## Findings
+
+| Check | Result |
+|---|---|
+| Mailbox exists | Yes — `Alma.Montt@cascadestucson.com`, UserMailbox |
+| Inbox rules | None |
+| Junk email | Empty |
+| Quarantine (org-level) | 0 messages for Alma |
+| Blocked senders | None |
+| Other users receiving Canva | Yes — crystal.rodriguez receives `marketing@engage.canva.com` |
+| MX record | Correct (cascadestucson-com.mail.protection.outlook.com) |
+| Canva SPF | Valid (`_spf1-9.canva.com` include chain) |
+| Active anti-spam preset | Standard Preset Security Policy (since 2026-04-17) |
+
+---
+
+## Remediation Applied
+
+1. **`Set-HostedContentFilterPolicy` — Default policy**  
+   Added `AllowedSenderDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com`  
+   [CONFIRMED] Verified via `Get-HostedContentFilterPolicy`
+
+2. **`Set-HostedContentFilterPolicy` — Standard Preset Security Policy**  
+   Added same three domains to `AllowedSenderDomains`  
+   [CONFIRMED] Verified — note: Microsoft warned "All recommended properties will be controlled by Microsoft" (preset policy managed by MS; override may be reset if Microsoft changes the preset)
+
+3. **`Set-MailboxJunkEmailConfiguration` — Alma's mailbox**  
+   Added `TrustedSendersAndDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com`  
+   [CONFIRMED] Verified via `Get-MailboxJunkEmailConfiguration`
+
+4. **Historical search submitted**  
+   Job ID: `21325332-a2a1-49c0-abb8-d0c6b88c7b0f`  
+   Scope: All mail to `Alma.Montt@cascadestucson.com` from Canva senders, May 18–20  
+   Results will be emailed to `admin@cascadestucson.com`
+
+---
+
+## Action Required
+
+**Crystal Rodriguez needs to resend the Canva team invite to alma.montt@cascadestucson.com.**
+
+The original invite was lost to a new-mailbox provisioning race. The direct join link Crystal already provided in email (RE: canva info, 2026-05-19) still works and Alma can use it immediately.
+
+For future invites and Canva email notifications: the org allow list changes will ensure delivery.
+
+---
+
+## Vault Paths Accessed
+- `clients/cascades-tucson/m365-admin.sops.yaml` — tenant ID, admin credentials
+- `msp-tools/computerguru-security-investigator.sops.yaml` — Graph read token
+- `msp-tools/computerguru-exchange-operator.sops.yaml` — EXO write token