Session Log — Dataforth Corporation

Date: 2026-05-12
Type: Client work — GAGEtrak email investigation, jlohr forwarding setup, DKIM key rotation
Ticket: #32142 (internal ID 108919783) — "Remote - Error message from Gagetrak"

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin

Session Summary

Investigated a GAGEtrak automated email delivery issue reported by Kevin Wackerly, who said he did not receive the expected Monday morning Calibration Due List email. The calibration@dataforth.com account was reviewed via Graph API and found fully healthy — sign-in allowed, SMTP AUTH enabled, password from the 2026-04-23 fix still in place. A search of Kevin's inbox confirmed the email WAS delivered, but on Tuesday (2026-05-12 at approx 8:34 AM MST) rather than Monday. The discrepancy was identified as a likely schedule drift in GAGEtrak on DF-GAGETRAK — Kevin was advised to verify the scheduled task on that machine.

DKIM configuration for dataforth.com was reviewed during the session. The EAC showed DKIM was already enabled. Selector2's TXT record had previously been NXDOMAIN, indicating the key had not been published by Microsoft. The client rotated the domain signing keys via EAC. Post-rotation DNS verification confirmed both selector1 and selector2 CNAMEs and TXT records are resolving correctly. M365 will automatically cut over signing from selector1 to selector2 on 2026-05-16.
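The post-rotation check described above can be scripted. This is an added example, not part of the original session log: it assumes a Windows host (for Resolve-DnsName) with the ExchangeOnlineManagement module and an interactive admin sign-in, and the function name Test-DkimSelector is hypothetical.

```powershell
# Added example: post-rotation DKIM check for one Microsoft 365 domain.
#Requires -Modules ExchangeOnlineManagement
$Domain = 'dataforth.com'   # domain named in this log

function Test-DkimSelector {   # hypothetical helper name
    param([string]$Selector, [string]$Domain)
    # A TXT query on the selector name returns the CNAME hop plus the TXT
    # record at the onmicrosoft.com target, if Microsoft has published one.
    $answers = Resolve-DnsName -Name "$Selector._domainkey.$Domain" -Type TXT `
        -DnsOnly -ErrorAction SilentlyContinue
    $cname = $answers | Where-Object Type -eq 'CNAME' | Select-Object -First 1
    $txt   = $answers | Where-Object Type -eq 'TXT'   | Select-Object -First 1
    $value = if ($txt) { -join $txt.Strings } else { '' }
    [pscustomobject]@{
        Selector     = $Selector
        CnameTarget  = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
        TxtPublished = [bool]$txt
        # An empty p= tag marks a revoked key, so require at least one base64 character.
        HasPublicKey = $value -match '(^|;)\s*p=[A-Za-z0-9+/]'
    }
}

Connect-ExchangeOnline -ShowBanner:$false
$cfg = Get-DkimSigningConfig -Identity $Domain
$dns = 'selector1', 'selector2' | ForEach-Object { Test-DkimSelector $_ $Domain }

$cfg | Format-List Enabled, Status, KeyCreationTime, RotateOnDate,
    SelectorBeforeRotateOnDate, SelectorAfterRotateOnDate
$dns | Format-Table -AutoSize

# The CNAMEs in public DNS must match what the tenant expects.
$expected = @{ selector1 = $cfg.Selector1CNAME; selector2 = $cfg.Selector2CNAME }
foreach ($row in $dns) {
    if ($row.CnameTarget -ne $expected[$row.Selector]) {
        Write-Warning "$($row.Selector): CNAME is '$($row.CnameTarget)', tenant expects '$($expected[$row.Selector])'"
    }
}
# The selector that takes over on RotateOnDate must already have a key published,
# otherwise mail signed after the cutover fails DKIM verification.
$next = $dns | Where-Object Selector -eq ([string]$cfg.SelectorAfterRotateOnDate)
if (-not $next.HasPublicKey) {
    Write-Warning "$($cfg.SelectorAfterRotateOnDate) has no published public key"
}
```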

A separate task involved setting up forwarding from jlohr@dataforth.com to mike@azcomputerguru.com for emails originating from ntirety.com. Joel Lohr is a retired Dataforth employee whose account is intentionally kept enabled to receive these emails. An inbox rule was created on the jlohr mailbox, but initial delivery attempts failed with 550 5.7.520 AS(7555) — the Dataforth tenant's default outbound spam policy blocks external auto-forwarding. A transport rule (BlindCopyTo) was attempted as an alternative but was blocked by an INKY PhishFence transport rule that fires at high priority with StopProcessingRules=true, killing all subsequent rules. The transport rule approach was abandoned. A scoped outbound spam filter policy (Allow-External-Forward-jlohr, AutoForwardingMode=On) was created targeting jlohr@dataforth.com specifically, then the inbox rule was re-created. Forward is configured and awaiting final delivery confirmation.


Key Decisions

  • jlohr account retention confirmed: Account kept enabled post-retirement at Mike's direction (2026-05-12) to receive ntirety.com email forwards. Active-directory.md updated to reflect this decision.
  • Scoped spam exception over tenant-wide: Created a per-sender outbound spam policy (Allow-External-Forward-jlohr) rather than modifying the Default policy — limits blast radius to jlohr only. Changing AutoForwardingMode tenant-wide would expose all users to the same capability.
  • Inbox rule over transport rule: Abandoned BlindCopyTo transport rule because INKY's stop-processing-rules action kills all downstream rules. Inbox rules execute post-delivery, outside the transport pipeline, and are not affected by INKY.
  • DKIM rotation accepted as-is: selector2 TXT was NXDOMAIN before rotation. After client rotated keys, Microsoft published the new key for selector2. Both selectors now valid. No manual DNS changes required — CNAMEs were already in place.
  • GAGEtrak schedule not changed: Confirmed email delivery is occurring, just on Tuesday not Monday. No changes made to GAGEtrak config — left for Kevin to investigate the schedule on DF-GAGETRAK.

Problems Encountered

  • 550 5.7.520 AS(7555) — external auto-forwarding blocked: Dataforth tenant default outbound spam policy (AutoForwardingMode=Automatic) rejects all external auto-forwards including inbox rules. Resolved by creating a scoped outbound spam filter policy for jlohr@dataforth.com with AutoForwardingMode=On.
  • Transport rule BlindCopyTo silently failing: INKY PhishFence transport rule "INKY - Post-Processing - Inbox" (ID B859327F-3FBD-4BE7-A47A-97D02F1558A7) fires first and calls StopProcessingRules=true, preventing our BCC rule from executing. Confirmed via Get-MessageTraceDetailV2 — detail showed INKY rule event followed immediately by delivery, with no custom rule event. Resolved by abandoning transport rule approach entirely and using inbox rule instead.
  • Inbox rule deleted mid-session: During the transport rule investigation the inbox rule was removed. Re-created after the spam policy exception was confirmed.
  • Get-MessageTrace deprecated: Get-MessageTrace returns validation error. Switched to Get-MessageTraceV2 throughout. Get-MessageTraceDetail likewise replaced by Get-MessageTraceDetailV2.
  • Graph API UPN lookup for calibration@ returned nulls: Looked up by object ID (cdb246e8-a7f9-416b-a07c-e5b5cc50ec1d) sourced from Exchange ExternalDirectoryObjectId field instead.
  • Transport rule scope mismatch: New-HostedOutboundSpamFilterRule does not accept SentTo (inbound concept). Corrected to From (sender) parameter — appropriate for outbound spam rules scoped to a specific sending account.
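
The two blockers above (the outbound spam policy and the INKY stop-processing rule) can be re-checked with a read-only audit. This is an added example, not part of the original session log: it assumes the ExchangeOnlineManagement module and uses the mailbox and rule names recorded here. On transport rules, Exchange Online exposes the stop-processing setting as the StopRuleProcessing property.

```powershell
# Added example: audit of the external-forwarding exception and rule ordering.
#Requires -Modules ExchangeOnlineManagement
$Mailbox    = 'jlohr@dataforth.com'                           # from this log
$TargetRule = 'Forward ntirety.com to jlohr -> Mike Swanson'  # from this log

Connect-ExchangeOnline -ShowBanner:$false

# 1. Every outbound spam policy that permits external auto-forwarding, and who it covers.
$scopes = Get-HostedOutboundSpamFilterRule
Get-HostedOutboundSpamFilterPolicy | Where-Object AutoForwardingMode -eq 'On' | ForEach-Object {
    $policy = $_
    $rule = $scopes | Where-Object { $_.HostedOutboundSpamFilterPolicy -eq $policy.Name }
    if ($policy.IsDefault -or $rule.SenderDomainIs -or $rule.FromMemberOf) {
        Write-Warning "$($policy.Name): forwarding allowed for more than named senders"
    }
    [pscustomobject]@{
        Policy    = $policy.Name
        IsDefault = $policy.IsDefault
        RuleState = $rule.State
        From      = $rule.From -join ', '
    }
} | Format-Table -AutoSize

# 2. Inbox rules on the mailbox that send mail elsewhere.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Format-List Name, Enabled, From, FromAddressContainsWords, ForwardTo, RedirectTo

# 3. Enabled transport rules that run before the target rule and stop rule processing.
#    Any of these that matches a message prevents the target rule from running on it.
$rules  = Get-TransportRule | Sort-Object Priority
$target = $rules | Where-Object Name -eq $TargetRule
if ($target) {
    $rules | Where-Object {
        $_.Priority -lt $target.Priority -and $_.State -eq 'Enabled' -and $_.StopRuleProcessing
    } | Format-Table Priority, Name, Mode, StopRuleProcessing -AutoSize
} else {
    Write-Warning "Transport rule '$TargetRule' not found"
}
```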

M365 Configuration Changes

| Object | Type | Change |
|---|---|---|
| Allow-External-Forward-jlohr | HostedOutboundSpamFilterPolicy | Created — AutoForwardingMode=On |
| Allow-External-Forward-jlohr-rule | HostedOutboundSpamFilterRule | Created — From: jlohr@dataforth.com, Priority: 0 |
| Forward ntirety.com to Mike Swanson | Inbox Rule (jlohr mailbox) | Created — FromAddressContainsWords: ntirety.com, ForwardTo: mike@azcomputerguru.com |
| Forward ntirety.com to jlohr -> Mike Swanson | Transport Rule | Created (now defunct — blocked by INKY). Candidate for deletion. |
| dataforth.com DKIM | DkimSigningConfig | Keys rotated by client. KeyCreationTime: 2026-05-12T17:24:18Z. RotateOnDate: 2026-05-16T17:24:18Z. SelectorBeforeRotateOnDate: selector1 |

Infrastructure Reference

| System | Detail |
|---|---|
| Dataforth M365 tenant | 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584 / dataforth.com |
| ACG M365 tenant | ce61461e-81a0-4c84-bb4a-7b354a9a356d / azcomputerguru.com |
| DF-GAGETRAK | 192.168.0.102 — GAGEtrak calibration software host |
| calibration@dataforth.com object ID | cdb246e8-a7f9-416b-a07c-e5b5cc50ec1d |
| jlohr@dataforth.com | Joel Lohr — retired, account retained for ntirety.com forwarding |
| DKIM selector1 CNAME | selector1._domainkey.dataforth.com → selector1-dataforth-com._domainkey.dataforthcom.onmicrosoft.com |
| DKIM selector2 CNAME | selector2._domainkey.dataforth.com → selector2-dataforth-com._domainkey.dataforthcom.onmicrosoft.com |
| INKY PhishFence transport rule | "INKY - Post-Processing - Inbox", ID: B859327F-3FBD-4BE7-A47A-97D02F1558A7 — fires StopProcessingRules, blocks all subsequent transport rules |
| Syncro ticket | #32142 / internal ID 108919783 — "Remote - Error message from Gagetrak" |

Credentials

  • calibration@dataforth.com password: lMRCN#o2uP3$cwuoKIx0 (set 2026-04-23, still active)
  • Remediation tool tiers used: investigator (Graph read), exchange-op (Exchange write), user-manager (Graph user write)
  • Token cache: /tmp/remediation-tool/{tenant-id}/{tier}.jwt (55-min TTL)
  • Vault files:
    • Security Investigator: msp-tools/computerguru-security-investigator.sops.yaml
    • Exchange Operator: msp-tools/computerguru-exchange-operator.sops.yaml
    • User Manager: msp-tools/computerguru-user-manager.sops.yaml
  • Syncro API key: T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3
  • Syncro API base: https://computerguru.syncromsp.com/api/v1
  • Syncro comment endpoint: POST /api/v1/tickets/{id}/comment (not /comments)

Key API Calls

# DKIM signing config (works via InvokeCommand, NOT via direct adminapi path)
POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand
{"CmdletName": "Get-DkimSigningConfig", "Parameters": {"Identity": "dataforth.com"}}

# Outbound spam policy (scoped to jlohr)
{"CmdletName": "New-HostedOutboundSpamFilterPolicy", "Parameters": {"Name": "Allow-External-Forward-jlohr", "AutoForwardingMode": "On"}}
{"CmdletName": "New-HostedOutboundSpamFilterRule", "Parameters": {"Name": "Allow-External-Forward-jlohr-rule", "HostedOutboundSpamFilterPolicy": "Allow-External-Forward-jlohr", "From": ["jlohr@dataforth.com"]}}

# Inbox rule on jlohr
{"CmdletName": "New-InboxRule", "Parameters": {"Mailbox": "jlohr@dataforth.com", "Name": "Forward ntirety.com to Mike Swanson", "FromAddressContainsWords": ["ntirety.com"], "ForwardTo": ["mike@azcomputerguru.com"], "StopProcessingRules": false}}

# Message trace (V2 required — V1 deprecated Sept 2025)
{"CmdletName": "Get-MessageTraceV2", "Parameters": {"RecipientAddress": "...", "StartDate": "...", "EndDate": "..."}}
{"CmdletName": "Get-MessageTraceDetailV2", "Parameters": {"MessageTraceId": "...", "RecipientAddress": "..."}}

Files Created / Modified

| File | Action |
|---|---|
| clients/dataforth/session-logs/2026-05-12-session.md | Created — this file |
| clients/dataforth/docs/active-directory.md | Updated — jlohr row: noted account retention and ntirety forward; Action Items: strikethrough on disable-jlohr item |

Pending / Follow-Up

  • [VERIFY] Confirm jlohr inbox rule forward is delivering to mike@azcomputerguru.com — trigger one more ntirety.com test email
  • [CLEANUP] Delete defunct transport rule "Forward ntirety.com to jlohr -> Mike Swanson" (blocked by INKY, serves no purpose)
  • [DATAFORTH ACTION] Kevin Wackerly to verify GAGEtrak scheduled task on DF-GAGETRAK (192.168.0.102) — confirm whether run day is Monday or Tuesday
  • [AUTO 2026-05-16] DKIM rotation to selector2 — automatic, no action required; verify selector2 is signing after that date if desired
  • [LONG-TERM] Consider pushing Dataforth to Microsoft Authenticator from SMS MFA (noted from 2026-05-03 session, still pending Dan Center decision)
  • [LONG-TERM] Confirm "Dime Client" app with Dan Center (noted from 2026-05-03 session)

Syncro

| Field | Value |
|---|---|
| Ticket # | #32142 (internal 108919783) |
| Subject | Remote - Error message from Gagetrak |
| Customer | Dataforth Corp (id: 578095) |
| Status | Customer Reply (unchanged this session) |
| Comment added | ID 410543322, 2026-05-12 10:33 AM MST |
| Comment added | ID 410550508, 2026-05-12 11:08 AM MST — forward delivery confirmed |

Update: 11:08 MST

Forward Delivery Confirmed

Third ntirety.com test email triggered after inbox rule was re-created and outbound spam exception was in place:

  • ntirety.com email arrived at jlohr@dataforth.com: 17:58:33 UTC
  • Inbox rule fired, forwarded as FW: to mike@azcomputerguru.com: 17:58:47 UTC (14 seconds)
  • Dataforth outbound trace status: Delivered

Forward is fully operational. Ticket #32142 updated with confirmation comment (ID 410550508).

Infrastructure Context Documented

Clarification from Mike: the jlohr forward was set up specifically to receive infrastructure notifications from ntirety.com, which hosts Dataforth's public DNS (dataforth.com zone). DNS changes go through the ntirety portal — not a registrar panel.

Docs updated to capture this:

  • clients/dataforth/docs/overview.md — DNS Host: ntirety.com added to Environment Summary
  • clients/dataforth/docs/active-directory.md — jlohr row updated with ntirety DNS context

Defunct Transport Rule

The transport rule "Forward ntirety.com to jlohr -> Mike Swanson" (BlindCopyTo) remains in place but is non-functional — blocked by INKY PhishFence StopProcessingRules action. Candidate for cleanup.