sync: auto-sync from GURU-5070 at 2026-06-23 07:57:32

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-23 07:57:32
2026-06-23 07:58:24 -07:00
parent 3e414c1572
commit 5f30e1154a
8 changed files with 217 additions and 3 deletions


@@ -71,7 +71,12 @@ CryoWeave manufactures custom cryogenic cable assemblies (millikelvin to 300K) f
- **DMARC** `_dmarc``v=DMARC1; p=quarantine; sp=quarantine; fo=1; rua=mailto:rua@azcomputerguru.com` (hardened from p=none to **p=quarantine** 2026-06-15; **promote to p=reject** after ~1 week of clean aggregate reports confirm all legit senders — incl. the IX website/contact form — align). Cross-domain report authorization published on the azcomputerguru.com Cloudflare zone: `cryoweave.com._report._dmarc.azcomputerguru.com TXT "v=DMARC1;"` (2026-06-15). `rua@azcomputerguru.com` **shared mailbox created** in ACG's tenant (DisplayName "DMARC Reports", GUID 46b898f8-cfac-4b81-8980-e681b13fb833, mike@ FullAccess+automap) — full reporting chain live; aggregate reports arrive within ~24h. (NB: a single `*._report._dmarc` wildcard does NOT cover a 2-label reported domain; add one per-client record on the azcomputerguru.com Cloudflare zone.)
- **DKIM** (M365 selector1/2): CNAMEs published + **signing ENABLED 2026-06-15** (`Get-DkimSigningConfig`: Enabled=True, Status=Valid, 2048-bit). Targets `selector1-cryoweave-com._domainkey.cryoweave.w-v1.dkim.mail.microsoft` (+ selector2).
- Stale `mail.cryoweave.com` CNAME → old Neptune (67.206.163.124) **removed**.
- **Outbound-email issue (open):** Greg reports mail not reaching recipients. SPF passes/aligns, so auth isn't hard-failing; pending **message trace** (EXO app-only access still propagating after onboarding) + Greg's NDR to pinpoint restriction/reject/junk. DKIM+DMARC gaps were the most likely junking cause.
- **Outbound-email issue (open):** Greg reports mail not reaching recipients. SPF passes/aligns, so auth isn't hard-failing; pending **message trace** + Greg's NDR to pinpoint restriction/reject/junk.
- **DMARC-report analysis (2026-06-23):** cryoweave M365 outbound is **clean** — NO outbound connector/transport rule, mail leaves from Microsoft IPs, and the Google aggregate report shows **dmarc=pass**. The DMARC "failures" in `rua@azcomputerguru.com` were **receiver-side artifacts**: cryoweave mail sent to INKY-protected receivers (azcomputerguru.com and other ACG/INKY tenants) gets re-injected by INKY (`ipw-outbound.inkyphishfence.com`), which breaks SPF+DKIM at *that receiver*. cryoweave itself is NOT on INKY. So Greg's deliverability issue (if real) is likely NOT a cryoweave-side auth problem for normal recipients — investigate the specific recipients/NDRs. See [[reference_inky_outbound_breaks_dmarc]].
- **Website contact-form mail — FIXED (2026-06-23):** The WordPress site (Ninja Forms) previously sent via cPanel PHP-mail (`envelope=ix.azcomputerguru.com`, cPanel `default` DKIM), which failed DMARC. Now routed through **Microsoft Graph (app-only)** so it sends as a real M365 mailbox, DMARC-aligned:
- **`noreply@cryoweave.com`** — shared mailbox (no license), GUID `19495079-8295-4df2-8e51-4686fc764648`.
- **App "CryoWeave Web Mailer"** (`client_id 4003c79e-d4ac-4265-ba36-da783d89ee4d`), Graph `Mail.Send` (application), **scoped by `New-ApplicationAccessPolicy`** (group `webmailer-scope@cryoweave.com`) to send ONLY as noreply@. Secret in vault `clients/cryoweave/web-mailer-app.sops.yaml` (expires 2028-06-23).
- **mu-plugin** `wp-content/mu-plugins/cw-graph-mailer.php` overrides `wp_mail()` via `pre_wp_mail` → POSTs Graph `sendMail` as noreply@, preserving To/Cc/Reply-To/Subject/body; **falls back to default wp_mail on any Graph failure**. Verified: `wp_mail()` returns `true` (Graph 202).
### Network
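Review bot: the mu-plugin bullet's "falls back to default wp_mail on any Graph failure" silently reverts contact-form mail to the cPanel PHP-mail path that the preceding bullet says fails DMARC; with `p=quarantine` in force and `p=reject` planned once "the IX website/contact form" aligns, a Graph outage, a revoked `Mail.Send` grant or the secret expiring (vault entry expires 2028-06-23) would make form submissions vanish with no signal, and the failing aggregate reports they generate would look like a misaligned legitimate sender and stall the `p=reject` promotion. Suggest the fallback branch at least logs the Graph error (for example via `error_log()` in `cw-graph-mailer.php`) and the note records where that is surfaced, or that the plugin fails loud instead of falling back. Separately, the hunk shows two near-identical "**Outbound-email issue (open):**" bullets (one with the EXO-propagation parenthetical and the DKIM+DMARC sentence, one without) while the 2026-06-23 DMARC-report analysis bullet below them concludes cryoweave outbound auth is clean; if both lines are really in the file rather than a removed/added pair whose markers were lost in rendering, drop the superseded one and update the status so the section does not contradict itself.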