sync: auto-sync from GURU-BEAST-ROG at 2026-06-25 16:56:58
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-06-25 16:56:58
This commit is contained in:
committed by
ClaudeTools Bot
parent
93bd5379e3
commit
f3edf62cf7
@@ -0,0 +1,136 @@
|
||||
# Session Log — Tedards: agencyzoomify.com DMARC/DKIM Fix
|
||||
|
||||
## User
|
||||
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
|
||||
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
|
||||
- **Role:** automation (acting on the requester's behalf)
|
||||
|
||||
_Note: Mike Swanson (@azcomputerguru) joined the thread and directed the majority of the work after initial triage by Winter._
|
||||
|
||||
---
|
||||
|
||||
## Session Summary
|
||||
|
||||
Winter reported that emails from `lindsay@agencyzoomify.com` were again going to trash when sent to `y226@tedards.net` (Yvonne Tedards), referencing Syncro ticket #32228 opened 2026-04-30. Context was pulled from the 2026-05-01 session log, which showed the prior investigation diagnosed the root cause but applied no remediation — a comment was posted to the ticket explaining the issue to the customer, but the ticket was left at New status and no allow rule was created. Winter confirmed this and asked for a fix to be applied.
|
||||
|
||||
The root cause, confirmed via DNS investigation: Lindsay sends emails from the Wirechunk CRM platform (an insurance-agency website/CRM tool). Wirechunk routes outbound mail through WPCloud servers (IPs 103.115.9.0/29 and 103.115.10.0/29), which are authorized in `agencyzoomify.com`'s SPF record but do not sign outbound mail with DKIM for the `agencyzoomify.com` domain. Because `agencyzoomify.com` carries `DMARC p=quarantine` and Wirechunk provides no DKIM alignment, Microsoft EOP applies the quarantine action and routes the messages to Yvonne's trash. By contrast, emails from Lindsay's husband arrive normally because he sends directly from Outlook via the `theboltonagency` Microsoft 365 tenant, which has both `selector1` and `selector2` DKIM keys properly published for `agencyzoomify.com`.
|
||||
|
||||
A permanent Tenant Allow/Block List (TABL) sender allow entry was added for `agencyzoomify.com` on the Tedards M365 tenant using the Exchange Operator MSP app (cert auth). The entry carries no expiration date. Syncro ticket #32228 was resolved with a public customer-facing comment explaining the fix. Mike then directed a deeper investigation to identify the specific CRM involved (Wirechunk), confirm why the husband's emails worked differently, and draft an outreach email to Lindsay explaining the issue and asking her IT/Wirechunk to enable DKIM signing. The email was sent from `mike@azcomputerguru.com` to `lindsay@agencyzoomify.com` with `y226@tedards.net` CC'd. A second public comment summarizing the full findings and fix was posted to the Syncro ticket, and 30 minutes of remote labor was billed and invoiced ($75.00).
|
||||
|
||||
---
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- **Permanent TABL allow (no expiration):** This is an ongoing business relationship between Yvonne and Lindsay. A 90-day expiry (used for the Dataforth/Joel Lohr case in the same 5/1 session) would just cause the issue to recur. Permanent allow is appropriate here since the underlying DMARC problem is on Lindsay's end and may take time to resolve.
|
||||
- **TABL at tenant level, not per-mailbox safe sender:** Tenant-level allow overrides DMARC quarantine action for all mailboxes in the tenant. Per-mailbox `TrustedSendersAndDomains` also works but is mailbox-scoped; since the fix is domain-level and the issue is authentication-based, TABL is the correct tool.
|
||||
- **Identified Wirechunk as the CRM, not just "a CRM":** The `agencyzoomify.com` SPF record includes `_spf.wpcloud.com`, which resolves to two specific Australian IP blocks. The agencyzoomify.com website embeds Wirechunk platform identifiers (`siteId`, `platformId: gz3p2m`) in its page source. This allowed the outreach email to name the specific platform rather than speaking vaguely about "a third-party mail service."
|
||||
- **Email sent from mike@ not admin@:** `admin@azcomputerguru.com` is not a licensed user or shared mailbox in the ACG M365 tenant — it returned 404 from Graph. The ComputerGuru Mailbox app (`1873b1b0`) can only send as real mailboxes; `mike@azcomputerguru.com` was used. The signature block still references `admin@azcomputerguru.com` as the reply-to contact.
|
||||
- **Phone number corrected to 520-304-8300:** Draft initially included 480-388-0700 (wrong); Mike corrected it before send.
|
||||
|
||||
---
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **`admin@azcomputerguru.com` not a valid mailbox:** Three attempts to use it as the Graph `sendMail` user resulted in 404 `ErrorInvalidUser`. Resolved by sending via `mike@azcomputerguru.com` with `admin@` referenced only in the body signature.
|
||||
- **Shell variable expansion mangling vault fields:** Early attempts to pass `cert_thumbprint_b64url` and `cert_private_key_pem_b64` via bash variables failed silently — the shell was mangling the values, causing 401 `AADSTS700027` (wrong certificate thumbprint). Resolved by hardcoding the values directly in the Python script for the mailbox token acquisition, and by using `bash .claude/skills/remediation-tool/scripts/get-token.sh azcomputerguru.com mailbox` (the correct suite tool) for subsequent calls.
|
||||
- **TABL `Notes` field length limit:** First TABL POST failed with a 400 error asking to remove 59 characters from the Notes field. Resolved by shortening the notes string to 81 characters.
|
||||
- **`New-TenantAllowBlockListItems` `PageSize` parameter rejected:** Initial message trace attempt included `PageSize` which triggered `AmbiguousParameterSetException`. Removed the parameter; the cmdlet accepted the remaining parameters without it.
|
||||
- **Message trace returned no agencyzoomify.com messages:** No messages from that domain appeared in the 9-day trace window for y226@tedards.net, and the junk/deleted folders were also empty. Lindsay had not emailed Yvonne recently enough to appear. Root cause was confirmed via DNS analysis instead.
|
||||
- **Syncro ticket ID mismatch:** The display ticket number (#32228) does not match the internal Syncro API ID (109697650). The `/api/v1/tickets/32228` endpoint returned `{}`. Located the correct ticket via subject search (`query=agencyzoomify`).
|
||||
|
||||
---
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
### Microsoft 365 — Tedards Tenant (`tedards.net`, tenant ID `4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6`)
|
||||
|
||||
- **Tenant Allow/Block List — Sender Allow added:**
|
||||
- Value: `agencyzoomify.com`
|
||||
- Action: Allow
|
||||
- Expiration: None (permanent)
|
||||
- Notes: `boltonselect.com sends as agencyzoomify.com, DMARC fail. Allow. #32228 2026-06-25`
|
||||
- Identity: `RgAAAAArywm90jRVQo0kEayuw5_TBwBRjA0l48MZR4z_7XjWEYzfAAAAAAEVAABRjA0l48MZR4z_7XjWEYzfAABl1MyUAAAA0`
|
||||
- Applied via: Exchange Operator app (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`), cert auth
|
||||
|
||||
### Syncro — Ticket #32228 (internal ID 109697650)
|
||||
|
||||
- Status changed: New → Invoiced
|
||||
- Comments added:
|
||||
- Comment 408757788 (2026-05-01): prior diagnosis, customer-visible (posted in prior session)
|
||||
- Comment 420809823 (2026-06-25 16:23 PT): "Whitelist Applied — agencyzoomify.com" — customer-visible, emailed
|
||||
- Comment 420811754 (2026-06-25 16:49 PT): "Investigation Findings & Fix Applied" — full root cause + fix detail, customer-visible, emailed
|
||||
- Comment 420812092 (2026-06-25 16:51 PT): "Resolution" billing comment — customer-visible, emailed
|
||||
- Line item added: Labor - Remote Business, 0.5 hrs @ $150.00, `taxable: false` (line item ID 43026399)
|
||||
- Invoice created: ID 1650804914, total $75.00
|
||||
- Invoice note set: "Interested in discounted labor? Ask us about block-rate pricing."
|
||||
|
||||
### Email sent
|
||||
|
||||
- **From:** mike@azcomputerguru.com
|
||||
- **To:** lindsay@agencyzoomify.com
|
||||
- **CC:** y226@tedards.net
|
||||
- **Subject:** Action Needed - Emails from Wirechunk Going to Junk
|
||||
- **Sent:** 2026-06-25T23:47:25Z
|
||||
- **Saved to Sent Items:** yes
|
||||
|
||||
---
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
No new credentials created or discovered. Vault paths accessed:
|
||||
|
||||
- `msp-tools/syncro.sops.yaml` — Syncro API key
|
||||
- `msp-tools/computerguru-exchange-operator.sops.yaml` — Exchange Operator cert auth (for Tedards TABL)
|
||||
- `msp-tools/computerguru-mailbox.sops.yaml` — ComputerGuru Mailbox app cert auth (for ACG sendMail)
|
||||
|
||||
---
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- **Tedards M365 tenant:** `tedards.net` / tenant ID `4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6`
|
||||
- **ACG M365 tenant:** `azcomputerguru.com` / tenant ID `ce61461e-81a0-4c84-bb4a-7b354a9a356d`
|
||||
- **Exchange Operator app:** `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` (used for Tedards TABL)
|
||||
- **ComputerGuru Mailbox app:** `1873b1b0-3377-485c-a848-bae9b2f8f1f5` (used for ACG sendMail)
|
||||
- **Wirechunk mail infrastructure (WPCloud):** `103.115.9.249/29`, `103.115.10.249/29`
|
||||
- **agencyzoomify.com M365 tenant:** `theboltonagency` (DKIM selectors `selector1` and `selector2` are configured and valid)
|
||||
|
||||
---
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
```
|
||||
# TABL allow entry applied (Exchange Operator, Tedards tenant)
|
||||
POST https://outlook.office365.com/adminapi/beta/4fcbb1f4-fbf9-4548-a93e-7d14a3c091e6/InvokeCommand
|
||||
CmdletName: New-TenantAllowBlockListItems
|
||||
Parameters: ListType=Sender, Allow=true, Entries=["agencyzoomify.com"], NoExpiration=true
|
||||
Result: HTTP 200, ObjectState=New, CreatedDateTime=2026-06-25T23:23:00Z
|
||||
|
||||
# DNS findings
|
||||
agencyzoomify.com DMARC: v=DMARC1; p=quarantine; rua=mailto:lindsay@agencyzoomify.com
|
||||
agencyzoomify.com SPF: v=spf1 include:spf.protection.outlook.com include:_spf.wpcloud.com ~all
|
||||
agencyzoomify.com DKIM selector1: CNAME -> selector1-agencyzoomify-com._domainkey.theboltonagency.k-v1.dkim.mail.microsoft [KEY PRESENT]
|
||||
agencyzoomify.com DKIM selector2: CNAME -> selector2-agencyzoomify-com._domainkey.theboltonagency.k-v1.dkim.mail.microsoft [KEY PRESENT]
|
||||
_spf.wpcloud.com: v=spf1 ip4:103.115.9.249/29 ip4:103.115.10.249/29 -all
|
||||
boltonselect.com DKIM: no selectors published
|
||||
|
||||
# Syncro billing
|
||||
Line item: product_id=1190473, qty=0.5, price_retail=150.00, taxable=false -> ID 43026399
|
||||
Invoice: ticket_id=109697650, customer_id=487887 -> invoice_id=1650804914, total=$75.00
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- **Lindsay's IT / Wirechunk:** Needs to enable DKIM signing for `agencyzoomify.com` on the Wirechunk platform. Outreach sent 2026-06-25. No response yet. If they respond needing technical guidance, the fix is: in Wirechunk's admin/domain settings, generate a DKIM key pair for `agencyzoomify.com`, then publish the provided CNAME or TXT record in agencyzoomify.com's DNS.
|
||||
- **TABL entry is a workaround:** If Wirechunk fixes their DKIM, the TABL entry becomes unnecessary but harmless. No action needed unless there's a reason to remove it.
|
||||
|
||||
---
|
||||
|
||||
## Reference Information
|
||||
|
||||
- **Syncro ticket:** #32228 (internal ID 109697650) — https://computerguru.syncromsp.com/tickets/109697650
|
||||
- **Syncro invoice:** ID 1650804914 — $75.00
|
||||
- **Wirechunk platform:** https://agencyzoomify.com (platformId: gz3p2m, siteId: jrhPAXTEL5HMZCCAwiCADG)
|
||||
- **Prior session log:** `session-logs/2026-05-01-session.md` (original diagnosis, no fix applied)
|
||||
- **TABL entry identity:** `RgAAAAArywm90jRVQo0kEayuw5_TBwBRjA0l48MZR4z_7XjWEYzfAAAAAAEVAABRjA0l48MZR4z_7XjWEYzfAABl1MyUAAAA0`
|
||||
Reference in New Issue
Block a user