ccopeland/red
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6cf228c779293b5fac19a5b9826128fe481526d8
red/.planning/phases/06-signing-flow/06-06-PLAN.md

161 lines
7.3 KiB
Markdown
Raw Normal View History

docs(06-signing-flow): create phase plan
2026-03-20 11:18:47 -06:00
---
phase: 06-signing-flow
plan: "06"
type: execute
wave: 5
depends_on:
- "06-05"
files_modified: []
autonomous: false
requirements:
- LEGAL-04
must_haves:
truths:
- "SPF record exists for teressacopelandhomes.com with no duplicate (only one v=spf1 record)"
- "DKIM record exists for teressacopelandhomes.com (TXT record at [selector]._domainkey subdomain)"
- "DMARC record exists at _dmarc.teressacopelandhomes.com with at minimum p=none"
- "MXToolbox SPF check shows green/pass"
- "MXToolbox DKIM check shows green/pass"
- "MXToolbox DMARC check shows green/pass"
- "A test signing email sent to a real email address is received without spam filtering"
artifacts: []
key_links: []
user_setup:
- service: dns-spf-dkim-dmarc
why: "LEGAL-04 — DNS email authentication must be configured before any signing link is sent to a real client"
env_vars: []
dashboard_config:
- task: "Check existing SPF record"
location: "Run: dig TXT teressacopelandhomes.com | grep v=spf1 — if a record exists, MERGE your SMTP provider include into it (do not add a second SPF record — RFC 7208 forbids multiple v=spf1 records)"
- task: "Add SPF TXT record"
location: "DNS provider (Namecheap, Google Domains, etc.) — add TXT @ record: v=spf1 include:[smtp-provider] ~all"
- task: "Generate and add DKIM record"
location: "Your SMTP provider dashboard (Google Workspace: Admin > Apps > Gmail > Authenticate Email; Namecheap: Email > DKIM; Zoho: Mail > Domains > DKIM)"
- task: "Add DMARC TXT record"
location: "DNS provider — add TXT _dmarc record: v=DMARC1; p=none; rua=mailto:teressa@teressacopelandhomes.com"
---
<objective>
Verify that DNS email authentication (SPF, DKIM, DMARC) is correctly configured for teressacopelandhomes.com before any signing link is sent to a real client.
Purpose: LEGAL-04 — this is a non-negotiable compliance gate. Without SPF/DKIM/DMARC, signing emails will be spam-filtered or rejected, and the audit trail will be incomplete.
Output: All three DNS records verified as passing in MXToolbox + a real test email received successfully.
</objective>
<execution_context>
@/Users/ccopeland/.claude/get-shit-done/workflows/execute-plan.md
@/Users/ccopeland/.claude/get-shit-done/templates/summary.md
</execution_context>
<context>
@.planning/ROADMAP.md
@.planning/phases/06-signing-flow/06-CONTEXT.md
@.planning/phases/06-signing-flow/06-RESEARCH.md
</context>
<tasks>
<task type="auto">
<name>Task 1: Automated DNS verification check</name>
<files></files>
<action>
Run DNS record checks using dig to show the current state before the human checkpoint:
```bash
# Check existing SPF (CRITICAL: only one v=spf1 record allowed per RFC 7208)
dig TXT teressacopelandhomes.com | grep -i "v=spf"
# Check for DKIM records (selector depends on SMTP provider — common selectors: google, default, mail, zoho)
dig TXT google._domainkey.teressacopelandhomes.com
dig TXT default._domainkey.teressacopelandhomes.com
dig TXT mail._domainkey.teressacopelandhomes.com
# Check DMARC
dig TXT _dmarc.teressacopelandhomes.com
```
Report the current state of each record. If any is missing, flag it clearly.
Also run a test SMTP connection to confirm the configured SMTP credentials work:
```bash
# Quick SMTP auth test using Node.js (from teressa-copeland-homes/)
cd /Users/ccopeland/temp/red/teressa-copeland-homes && node -e "
const nodemailer = require('nodemailer');
require('dotenv').config({ path: '.env.local' });
const t = nodemailer.createTransport({
host: process.env.CONTACT_SMTP_HOST,
port: Number(process.env.CONTACT_SMTP_PORT || 587),
auth: { user: process.env.CONTACT_EMAIL_USER, pass: process.env.CONTACT_EMAIL_PASS }
});
t.verify().then(() => console.log('SMTP: OK')).catch(e => console.error('SMTP error:', e.message));
"
```
Output a summary of: which DNS records are present, which are missing, and whether SMTP auth succeeds.
</action>
<verify>
<automated>dig TXT teressacopelandhomes.com | grep -E "v=spf|ANSWER" && dig TXT _dmarc.teressacopelandhomes.com | grep -E "v=DMARC|ANSWER"</automated>
</verify>
<done>DNS check output produced showing current state of SPF, DKIM, and DMARC records for teressacopelandhomes.com</done>
</task>
<task type="checkpoint:human-verify" gate="blocking">
<name>Task 2: Human DNS configuration + MXToolbox verification gate</name>
<files></files>
<action>
Human task — cannot be automated. Configure SPF/DKIM/DMARC DNS records for teressacopelandhomes.com at your DNS provider and SMTP provider dashboard. See how-to-verify steps below.
</action>
<verify>
<automated>MISSING — human must verify using MXToolbox at https://mxtoolbox.com/spf.aspx, https://mxtoolbox.com/dkim.aspx, https://mxtoolbox.com/dmarc.aspx</automated>
</verify>
<done>All three MXToolbox checks show green/pass; test email received in inbox (not spam)</done>
<what-built>
Automated DNS checks above show the current state of SPF, DKIM, and DMARC records for teressacopelandhomes.com.
The signing flow code is complete (plans 01-05). This checkpoint verifies DNS is configured before any real client signing link is sent.
</what-built>
<how-to-verify>
STEP 1: Check existing SPF record to avoid duplicates
- Run: dig TXT teressacopelandhomes.com | grep "v=spf"
- If a record exists: MERGE your SMTP provider's include into it (do NOT add a second v=spf1 record)
- If no record exists: Add: TXT @ "v=spf1 include:[your-smtp-provider-include] ~all"
STEP 2: Add DKIM key (get from your SMTP provider dashboard)
- Google Workspace: Admin console > Apps > Google Workspace > Gmail > Authenticate email
- Namecheap Email / Zoho Mail: Domain settings > DKIM
- Add the TXT record they provide at [selector]._domainkey.teressacopelandhomes.com
STEP 3: Add DMARC (monitoring mode — start with p=none)
- Add TXT _dmarc record: "v=DMARC1; p=none; rua=mailto:teressa@teressacopelandhomes.com"
STEP 4: Wait for DNS propagation (5 min to 1 hour for most providers)
STEP 5: Verify all three pass at:
- SPF: https://mxtoolbox.com/spf.aspx (enter teressacopelandhomes.com)
- DKIM: https://mxtoolbox.com/dkim.aspx (enter domain + selector)
- DMARC: https://mxtoolbox.com/dmarc.aspx (enter teressacopelandhomes.com)
All three must show green/pass before sending any real client signing link.
STEP 6: Send a test signing email from the app to your own email address and confirm it is received (not in spam).
</how-to-verify>
<resume-signal>
Type "dns verified" once all three MXToolbox checks show green/pass and a test email is received successfully.
Or describe any specific issues encountered (e.g., "SPF already exists — merged", "DKIM pending propagation").
</resume-signal>
</task>
</tasks>
<verification>
All three MXToolbox checks pass green (SPF, DKIM, DMARC). Test signing email received in inbox (not spam). DNS propagation complete.
</verification>
<success_criteria>
LEGAL-04 satisfied when: SPF/DKIM/DMARC all show green in MXToolbox, a real test email is received without spam filtering, and Teressa confirms she has reviewed and approved the email template. After this checkpoint, signing links may be sent to real clients.
</success_criteria>
<output>
After completion, create `.planning/phases/06-signing-flow/06-06-SUMMARY.md`
</output>
Reference in New Issue Copy Permalink