Files
claudetools/clients/cascades-tucson/reports/2026-05-20-canva-email-delivery.md
Mike Swanson 098e1d4156 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 10:58:31
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 10:58:31
2026-05-20 10:58:35 -07:00

75 lines
3.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Email Delivery Investigation: Canva Emails Not Arriving — Alma Montt
**Date:** 2026-05-20
**Tenant:** cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498)
**Reported by:** Alma Montt (alma.montt@cascadestucson.com)
**Issue:** Not receiving emails from Canva (team invite + future notifications)
---
## Root Cause
**New mailbox provisioning race condition.** Alma's mailbox is brand-new (first email received 2026-05-19 21:11 UTC). The Canva team invite was sent before or shortly after provisioning, during a window when the mailbox was not yet fully available to external senders. The email was rejected/dropped at the SMTP layer — it never entered EOP processing.
Confirmed: No quarantined messages found for Alma.Montt@cascadestucson.com.
**Contributing factor (hardened anti-spam config):**
The tenant has the Standard Preset Security Policy active since 2026-04-17 with:
- `BulkThreshold: 6` (aggressive — BCL ≥ 6 treated as bulk spam)
- `HighConfidenceSpamAction: Quarantine` (high-confidence spam goes to org quarantine, not junk)
Canva invite emails route via Amazon SES (`mail.canva.com`) and would be at risk of hitting BCL 6 threshold under this policy for future invites.
---
## Findings
| Check | Result |
|---|---|
| Mailbox exists | Yes — `Alma.Montt@cascadestucson.com`, UserMailbox |
| Inbox rules | None |
| Junk email | Empty |
| Quarantine (org-level) | 0 messages for Alma |
| Blocked senders | None |
| Other users receiving Canva | Yes — crystal.rodriguez receives `marketing@engage.canva.com` |
| MX record | Correct (cascadestucson-com.mail.protection.outlook.com) |
| Canva SPF | Valid (`_spf1-9.canva.com` include chain) |
| Active anti-spam preset | Standard Preset Security Policy (since 2026-04-17) |
---
## Remediation Applied
1. **`Set-HostedContentFilterPolicy` — Default policy**
Added `AllowedSenderDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com`
[CONFIRMED] Verified via `Get-HostedContentFilterPolicy`
2. **`Set-HostedContentFilterPolicy` — Standard Preset Security Policy**
Added same three domains to `AllowedSenderDomains`
[CONFIRMED] Verified — note: Microsoft warned "All recommended properties will be controlled by Microsoft" (preset policy managed by MS; override may be reset if Microsoft changes the preset)
3. **`Set-MailboxJunkEmailConfiguration` — Alma's mailbox**
Added `TrustedSendersAndDomains`: `canva.com`, `mail.canva.com`, `engage.canva.com`
[CONFIRMED] Verified via `Get-MailboxJunkEmailConfiguration`
4. **Historical search submitted**
Job ID: `21325332-a2a1-49c0-abb8-d0c6b88c7b0f`
Scope: All mail to `Alma.Montt@cascadestucson.com` from Canva senders, May 1820
Results will be emailed to `admin@cascadestucson.com`
---
## Action Required
**Crystal Rodriguez needs to resend the Canva team invite to alma.montt@cascadestucson.com.**
The original invite was lost to a new-mailbox provisioning race. The direct join link Crystal already provided in email (RE: canva info, 2026-05-19) still works and Alma can use it immediately.
For future invites and Canva email notifications: the org allow list changes will ensure delivery.
---
## Vault Paths Accessed
- `clients/cascades-tucson/m365-admin.sops.yaml` — tenant ID, admin credentials
- `msp-tools/computerguru-security-investigator.sops.yaml` — Graph read token
- `msp-tools/computerguru-exchange-operator.sops.yaml` — EXO write token