azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
098e1d415621d5fa2bb9e65a1d4c90288789fd35
claudetools/clients/cascades-tucson/reports/2026-05-20-canva-email-delivery.md
Mike Swanson 098e1d4156 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 10:58:31 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 10:58:31
2026-05-20 10:58:35 -07:00

3.4 KiB
Raw Blame History

Email Delivery Investigation: Canva Emails Not Arriving — Alma Montt

Date: 2026-05-20
Tenant: cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498)
Reported by: Alma Montt (alma.montt@cascadestucson.com)
Issue: Not receiving emails from Canva (team invite + future notifications)

Root Cause

New mailbox provisioning race condition. Alma's mailbox is brand-new (first email received 2026-05-19 21:11 UTC). The Canva team invite was sent before or shortly after provisioning, during a window when the mailbox was not yet fully available to external senders. The email was rejected/dropped at the SMTP layer — it never entered EOP processing.

Confirmed: No quarantined messages found for Alma.Montt@cascadestucson.com.

Contributing factor (hardened anti-spam config):
The tenant has the Standard Preset Security Policy active since 2026-04-17 with:

  • BulkThreshold: 6 (aggressive — BCL ≥ 6 treated as bulk spam)
  • HighConfidenceSpamAction: Quarantine (high-confidence spam goes to org quarantine, not junk)

Canva invite emails route via Amazon SES (mail.canva.com) and would be at risk of hitting BCL 6 threshold under this policy for future invites.

Findings

Check Result
Mailbox exists Yes — Alma.Montt@cascadestucson.com, UserMailbox
Inbox rules None
Junk email Empty
Quarantine (org-level) 0 messages for Alma
Blocked senders None
Other users receiving Canva Yes — crystal.rodriguez receives marketing@engage.canva.com
MX record Correct (cascadestucson-com.mail.protection.outlook.com)
Canva SPF Valid (_spf1-9.canva.com include chain)
Active anti-spam preset Standard Preset Security Policy (since 2026-04-17)

Remediation Applied

  1. Set-HostedContentFilterPolicy — Default policy
    Added AllowedSenderDomains: canva.com, mail.canva.com, engage.canva.com
    [CONFIRMED] Verified via Get-HostedContentFilterPolicy

  2. Set-HostedContentFilterPolicy — Standard Preset Security Policy
    Added same three domains to AllowedSenderDomains
    [CONFIRMED] Verified — note: Microsoft warned "All recommended properties will be controlled by Microsoft" (preset policy managed by MS; override may be reset if Microsoft changes the preset)

  3. Set-MailboxJunkEmailConfiguration — Alma's mailbox
    Added TrustedSendersAndDomains: canva.com, mail.canva.com, engage.canva.com
    [CONFIRMED] Verified via Get-MailboxJunkEmailConfiguration

  4. Historical search submitted
    Job ID: 21325332-a2a1-49c0-abb8-d0c6b88c7b0f
    Scope: All mail to Alma.Montt@cascadestucson.com from Canva senders, May 1820
    Results will be emailed to admin@cascadestucson.com

Action Required

Crystal Rodriguez needs to resend the Canva team invite to alma.montt@cascadestucson.com.

The original invite was lost to a new-mailbox provisioning race. The direct join link Crystal already provided in email (RE: canva info, 2026-05-19) still works and Alma can use it immediately.

For future invites and Canva email notifications: the org allow list changes will ensure delivery.

Vault Paths Accessed

  • clients/cascades-tucson/m365-admin.sops.yaml — tenant ID, admin credentials
  • msp-tools/computerguru-security-investigator.sops.yaml — Graph read token
  • msp-tools/computerguru-exchange-operator.sops.yaml — EXO write token
Reference in New Issue View Git Blame Copy Permalink