# Email Delivery Investigation: Canva Emails Not Arriving — Alma Montt **Date:** 2026-05-20 **Tenant:** cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498) **Reported by:** Alma Montt (alma.montt@cascadestucson.com) **Issue:** Not receiving emails from Canva (team invite + future notifications) --- ## Root Cause **New mailbox provisioning race condition.** Alma's mailbox is brand-new (first email received 2026-05-19 21:11 UTC). The Canva team invite was sent before or shortly after provisioning, during a window when the mailbox was not yet fully available to external senders. The email was rejected/dropped at the SMTP layer — it never entered EOP processing. Confirmed: No quarantined messages found for Alma.Montt@cascadestucson.com. **Contributing factor (hardened anti-spam config):** The tenant has the Standard Preset Security Policy active since 2026-04-17 with: - `BulkThreshold: 6` (aggressive — BCL ≥ 6 treated as bulk spam) - `HighConfidenceSpamAction: Quarantine` (high-confidence spam goes to org quarantine, not junk) Canva invite emails route via Amazon SES (`mail.canva.com`) and would be at risk of hitting BCL 6 threshold under this policy for future invites. --- ## Findings | Check | Result | |---|---| | Mailbox exists | Yes — `Alma.Montt@cascadestucson.com`, UserMailbox | | Inbox rules | None | | Junk email | Empty | | Quarantine (org-level) | 0 messages for Alma | | Blocked senders | None | | Other users receiving Canva | Yes — crystal.rodriguez receives `marketing@engage.canva.com` | | MX record | Correct (cascadestucson-com.mail.protection.outlook.com) | | Canva SPF | Valid (`_spf1-9.canva.com` include chain) | | Active anti-spam preset | Standard Preset Security Policy (since 2026-04-17) | --- ## Remediation Applied 1. **`Set-HostedContentFilterPolicy` — Default policy** Added `AllowedSenderDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com` [CONFIRMED] Verified via `Get-HostedContentFilterPolicy` 2. **`Set-HostedContentFilterPolicy` — Standard Preset Security Policy** Added same three domains to `AllowedSenderDomains` [CONFIRMED] Verified — note: Microsoft warned "All recommended properties will be controlled by Microsoft" (preset policy managed by MS; override may be reset if Microsoft changes the preset) 3. **`Set-MailboxJunkEmailConfiguration` — Alma's mailbox** Added `TrustedSendersAndDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com` [CONFIRMED] Verified via `Get-MailboxJunkEmailConfiguration` 4. **Historical search submitted** Job ID: `21325332-a2a1-49c0-abb8-d0c6b88c7b0f` Scope: All mail to `Alma.Montt@cascadestucson.com` from Canva senders, May 18–20 Results will be emailed to `admin@cascadestucson.com` --- ## Action Required **Crystal Rodriguez needs to resend the Canva team invite to alma.montt@cascadestucson.com.** The original invite was lost to a new-mailbox provisioning race. The direct join link Crystal already provided in email (RE: canva info, 2026-05-19) still works and Alma can use it immediately. For future invites and Canva email notifications: the org allow list changes will ensure delivery. --- ## Vault Paths Accessed - `clients/cascades-tucson/m365-admin.sops.yaml` — tenant ID, admin credentials - `msp-tools/computerguru-security-investigator.sops.yaml` — Graph read token - `msp-tools/computerguru-exchange-operator.sops.yaml` — EXO write token