diff --git a/clients/putt-land-surveying/session-logs/2026-06/2026-06-10-discord-bot-dns-wipe-investigation.md b/clients/putt-land-surveying/session-logs/2026-06/2026-06-10-discord-bot-dns-wipe-investigation.md
new file mode 100644
index 0000000..8f08bab
--- /dev/null
+++ b/clients/putt-land-surveying/session-logs/2026-06/2026-06-10-discord-bot-dns-wipe-investigation.md
@@ -0,0 +1,125 @@
+# Session Log — puttsurveying.com DNS Wipe Investigation
+
+## User
+- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
+- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
+- **Role:** automation (acting on the requester's behalf)
+
+---
+
+## Session Summary
+
+Winter reported that puttsurveying.com was unable to receive email. Initial DNS investigation via nslookup against 8.8.8.8 confirmed that no MX records existed for the domain — the query returned only an SOA record, indicating a complete absence of mail exchanger entries. DNS serial `2026060900` confirmed a zone change had occurred on 2026-06-09, pointing to a recent DNS modification as the cause.
+
+Further investigation confirmed the domain is registered at GoDaddy (nameservers: ns45/ns47/ns48.domaincontrol.com, registrar: Wild West Domains LLC, a GoDaddy subsidiary). A check of our GoDaddy API returned `ACCESS_DENIED` for puttsurveying.com, confirming the domain is in the client's own GoDaddy account, not ours. No vault entry or wiki entry existed for this client.
+
+M365 tenant presence was confirmed via `login.microsoftonline.com` OpenID discovery endpoint and the GetUserRealm endpoint, which returned tenant ID `25008634-91b4-40aa-8113-78ea03826156` and brand name "Putt Land Surveying Inc". The correct M365 MX target `puttsurveying-com.mail.protection.outlook.com` was verified to resolve to Microsoft's Exchange Online protection IPs. Mailprotector was checked — all 25 domains listed, puttsurveying.com was not among them.
+
+A follow-up finding revealed that the website was also displaying a GoDaddy parking page. Fetching puttsurveying.com returned a redirect to `/lander` serving `img1.wsimg.com/parking-lander` — GoDaddy's default parking page injected when no A record is configured in the zone. Current A records (15.197.148.33 / 3.33.130.190) are GoDaddy's own parking IPs, not the client's original hosting. This confirmed the DNS wipe was broader than just mail records — the website A record was also deleted.
+
+Syncro ticket #32404 was created (assigned to Winter, status: Waiting on Customer) documenting the full scope of missing records. A follow-up comment was added after the website finding was confirmed. The ticket is blocked pending GoDaddy credentials or delegate access from the client, and the original website hosting IP/provider.
+
+---
+
+## Key Decisions
+
+- Assigned Syncro ticket to Winter (user_id 1737) since she is the tech working the issue, even though the API key is Mike's.
+- Set ticket status to "Waiting on Customer" rather than "In Progress" — the fix is fully scoped but blocked on client access.
+- Did not attempt to add DNS records via any workaround — domain is in the client's GoDaddy account and no legitimate path exists without credentials or delegate access.
+- Used GetUserRealm endpoint to confirm M365 tenant rather than requiring M365 admin credentials — non-authenticated public endpoint sufficient for tenant verification.
+- Checked Mailprotector before confirming M365-only mail flow — important to rule out a dual-layer setup before stating the correct MX records.
+
+---
+
+## Problems Encountered
+
+- **Mailprotector domain list showed `?` for domain names initially** — API response uses `name` field, not `domain`. Fixed by inspecting the first object's keys and re-parsing with correct field name.
+- **GoDaddy API returned ACCESS_DENIED** — domain is in client's own account. No workaround; documented as blocker.
+- **SecurityTrails and MXToolbox were bot-blocked (403 / timeout)** — could not retrieve historical MX records to identify prior mail provider. Resolved by using GetUserRealm to confirm M365 directly rather than inferring from historical DNS.
+- **Initial nslookup for puttsurveying-com.mail.protection.outlook.com appeared to not resolve** — only SOA returned in first check. Subsequent direct hostname resolution confirmed it resolves correctly to Exchange Online IPs.
+
+---
+
+## Configuration Changes
+
+No files modified in repo. New directory and session log created:
+- `clients/putt-land-surveying/session-logs/2026-06/` (created)
+- `clients/putt-land-surveying/session-logs/2026-06/2026-06-10-discord-bot-dns-wipe-investigation.md` (created)
+
+---
+
+## Credentials & Secrets
+
+No new credentials discovered or created. Vault paths accessed:
+- `services/godaddy-api.sops.yaml` — GoDaddy Production API key (read-only, used for domain lookup; returned ACCESS_DENIED for this domain)
+- `msp-tools/mailprotector.sops.yaml` — Mailprotector API key (read-only, used to check domain presence)
+
+---
+
+## Infrastructure & Servers
+
+- **Domain:** puttsurveying.com
+- **Registrar:** Wild West Domains, LLC (GoDaddy subsidiary)
+- **Nameservers:** ns45/ns47/ns48.domaincontrol.com
+- **Domain expiry:** 2031-01-31
+- **Domain status:** clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited
+- **Current A records (parking):** 15.197.148.33, 3.33.130.190 (GoDaddy parking IPs)
+- **M365 tenant name:** Putt Land Surveying Inc
+- **M365 tenant ID:** 25008634-91b4-40aa-8113-78ea03826156
+- **M365 MX target:** puttsurveying-com.mail.protection.outlook.com (resolves to 52.101.x.x range)
+- **Mailprotector:** Not configured — domain not present
+
+---
+
+## Commands & Outputs
+
+```bash
+# MX lookup — confirmed no MX records
+nslookup -type=MX puttsurveying.com 8.8.8.8
+# Result: SOA only, no MX records
+
+# M365 tenant confirmation
+curl -s "https://login.microsoftonline.com/GetUserRealm.srf?login=admin@puttsurveying.com&xml=1"
+# Result: <FederationBrandName>Putt Land Surveying Inc</FederationBrandName>, NameSpaceType=Managed
+
+# M365 MX hostname resolution
+nslookup puttsurveying-com.mail.protection.outlook.com 8.8.8.8
+# Result: 52.101.11.3, 52.101.8.51, 52.101.41.24, 52.101.42.14 — RESOLVES OK
+
+# GoDaddy API domain check
+curl -s -X GET "https://api.godaddy.com/v1/domains/puttsurveying.com/records" \
+  -H "Authorization: sso-key 2wXWWFcuYk_2RGxdvpe1WZV2yPMvNLGEe:5pQZs7H9WY7dwh59XsJMNr"
+# Result: {"code":"ACCESS_DENIED","message":"Authenticated user is not allowed access"}
+
+# Website check
+curl -s "https://puttsurveying.com"
+# Result: redirect to /lander — GoDaddy parking page confirmed
+# window.LANDER_SYSTEM="PW", window._trfd.push({ap:"parking"})
+```
+
+---
+
+## Pending / Incomplete Tasks
+
+- **Obtain GoDaddy access** — client needs to provide login credentials or grant delegate access (GoDaddy Settings -> Delegate Access -> Invite someone)
+- **Obtain original website hosting IP/provider** — cannot be reconstructed from current DNS; client must provide
+- **Add DNS records once access obtained:**
+  - `A`: `@` -> (client's original web hosting IP)
+  - `MX`: `@` -> `puttsurveying-com.mail.protection.outlook.com` (priority 0)
+  - `TXT`: `@` -> `v=spf1 include:spf.protection.outlook.com -all`
+  - `CNAME`: `autodiscover` -> `autodiscover.outlook.com`
+- **Close Syncro ticket #32404** after records are restored and mail/website confirmed working
+
+---
+
+## Reference Information
+
+- **Syncro ticket:** #32404 — https://computerguru.syncromsp.com/tickets/112504953
+- **Syncro customer ID:** 7180175 (PUTT LAND SURVEYING, INC.)
+- **Client email on record:** rphillips@puttsurveying.com
+- **GoDaddy API docs:** https://developer.godaddy.com/doc
+- **M365 MX record format:** `<domain>-<tld>.mail.protection.outlook.com`
+- **Standard M365 DNS records for puttsurveying.com:**
+  - MX: `puttsurveying-com.mail.protection.outlook.com` priority 0
+  - SPF: `v=spf1 include:spf.protection.outlook.com -all`
+  - CNAME autodiscover: `autodiscover.outlook.com`