---
phase: 06-signing-flow
plan: "06"
type: execute
wave: 5
depends_on:
- "06-05"
files_modified: []
autonomous: false
requirements:
- LEGAL-04
must_haves:
truths:
- "SPF record exists for teressacopelandhomes.com with no duplicate (only one v=spf1 record)"
- "DKIM record exists for teressacopelandhomes.com (TXT record at [selector]._domainkey subdomain)"
- "DMARC record exists at _dmarc.teressacopelandhomes.com with at minimum p=none"
- "MXToolbox SPF check shows green/pass"
- "MXToolbox DKIM check shows green/pass"
- "MXToolbox DMARC check shows green/pass"
- "A test signing email sent to a real email address is received without spam filtering"
artifacts: []
key_links: []
user_setup:
- service: dns-spf-dkim-dmarc
why: "LEGAL-04 — DNS email authentication must be configured before any signing link is sent to a real client"
env_vars: []
dashboard_config:
- task: "Check existing SPF record"
location: "Run: dig TXT teressacopelandhomes.com | grep v=spf1 — if a record exists, MERGE your SMTP provider include into it (do not add a second SPF record — RFC 7208 forbids multiple v=spf1 records)"
- task: "Add SPF TXT record"
location: "DNS provider (Namecheap, Google Domains, etc.) — add TXT @ record: v=spf1 include:[smtp-provider] ~all"
- task: "Generate and add DKIM record"
location: "Your SMTP provider dashboard (Google Workspace: Admin > Apps > Gmail > Authenticate Email; Namecheap: Email > DKIM; Zoho: Mail > Domains > DKIM)"
- task: "Add DMARC TXT record"
location: "DNS provider — add TXT _dmarc record: v=DMARC1; p=none; rua=mailto:teressa@teressacopelandhomes.com"
---
Verify that DNS email authentication (SPF, DKIM, DMARC) is correctly configured for teressacopelandhomes.com before any signing link is sent to a real client.
Purpose: LEGAL-04 — this is a non-negotiable compliance gate. Without SPF/DKIM/DMARC, signing emails will be spam-filtered or rejected, and the audit trail will be incomplete.
Output: All three DNS records verified as passing in MXToolbox + a real test email received successfully.
@/Users/ccopeland/.claude/get-shit-done/workflows/execute-plan.md
@/Users/ccopeland/.claude/get-shit-done/templates/summary.md
@.planning/ROADMAP.md
@.planning/phases/06-signing-flow/06-CONTEXT.md
@.planning/phases/06-signing-flow/06-RESEARCH.md
Task 1: Automated DNS verification check
Run DNS record checks using dig to show the current state before the human checkpoint:
```bash
# Check existing SPF (CRITICAL: only one v=spf1 record allowed per RFC 7208)
dig TXT teressacopelandhomes.com | grep -i "v=spf"
# Check for DKIM records (selector depends on SMTP provider — common selectors: google, default, mail, zoho)
dig TXT google._domainkey.teressacopelandhomes.com
dig TXT default._domainkey.teressacopelandhomes.com
dig TXT mail._domainkey.teressacopelandhomes.com
# Check DMARC
dig TXT _dmarc.teressacopelandhomes.com
```
Report the current state of each record. If any is missing, flag it clearly.
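An added example (not part of the original plan): the same three checks written as classifiers over `dig +short TXT` output, so a duplicate SPF record or an empty DKIM key is reported explicitly instead of being read off grep matches. The function names and the sample records are constructed for illustration.

```bash
#!/bin/sh
# Added example: classify `dig +short TXT` output. Function names are illustrative.
# Live use:  dig +short TXT teressacopelandhomes.com | spf_status
#            dig +short TXT _dmarc.teressacopelandhomes.com | dmarc_policy
#            dig +short TXT google._domainkey.teressacopelandhomes.com | dkim_status

# dig prints TXT data quoted and splits long records ("a" "b"); rejoin and unquote.
normalize_txt() { sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'; }

# SPF: exactly one record may start with v=spf1 (two or more is a permerror, RFC 7208).
spf_status() (
  n=$(normalize_txt | awk 'tolower($0) ~ /^v=spf1( |$)/ { n++ } END { print n + 0 }')
  case "$n" in
    0) echo missing ;;
    1) echo ok ;;
    *) echo duplicate ;;
  esac
)

# Print "p=<value>" for the first record matching regex $1 that carries a p= tag.
p_tag() {
  normalize_txt | awk -v re="$1" 'tolower($0) ~ re { n = split($0, t, ";")
    for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", t[i])
      if (t[i] ~ /^p=/) { print "p=" substr(t[i], 3); exit } } }'
}

# DMARC: report the policy in force; "none" is monitoring only.
dmarc_policy() (
  v=$(p_tag '^v=dmarc1')
  case "$v" in
    "") echo missing ;;
    *)  echo "${v#p=}" | tr '[:upper:]' '[:lower:]' ;;
  esac
)

# DKIM: a record whose p= tag is empty is a revoked key, not a usable one (RFC 6376).
dkim_status() (
  v=$(p_tag '.')
  case "$v" in
    "") echo missing ;;
    p=) echo revoked ;;
    *)  echo ok ;;
  esac
)

# Constructed sample: a domain that ended up with a second SPF record.
SAMPLE_SPF='"v=spf1 include:_spf.example.net ~all"
"v=spf1 include:mail.example.org ~all"'
echo "SPF:   $(printf '%s\n' "$SAMPLE_SPF" | spf_status)"
echo "DMARC: $(printf '%s\n' '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"' | dmarc_policy)"
echo "DKIM:  $(printf '%s\n' '"v=DKIM1; k=rsa; p="' | dkim_status)"
```

An empty answer from `dig +short` yields `missing` from all three functions, which is the state to flag for a DKIM selector guess that does not match the provider's actual selector.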
Also run a test SMTP connection to confirm the configured SMTP credentials work:
```bash
# Quick SMTP auth test using Node.js (from teressa-copeland-homes/)
cd /Users/ccopeland/temp/red/teressa-copeland-homes && node -e "
const nodemailer = require('nodemailer');
require('dotenv').config({ path: '.env.local' });
const t = nodemailer.createTransport({
host: process.env.CONTACT_SMTP_HOST,
port: Number(process.env.CONTACT_SMTP_PORT || 587),
auth: { user: process.env.CONTACT_EMAIL_USER, pass: process.env.CONTACT_EMAIL_PASS }
});
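// verify() opens the connection and authenticates without sending mail; exit non-zero on failure
t.verify().then(() => console.log('SMTP: OK')).catch(e => { console.error('SMTP error:', e.message); process.exitCode = 1; });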
"
```
Output a summary of: which DNS records are present, which are missing, and whether SMTP auth succeeds.
```bash
dig TXT teressacopelandhomes.com | grep -E "v=spf|ANSWER" && dig TXT _dmarc.teressacopelandhomes.com | grep -E "v=DMARC|ANSWER"
```
DNS check output produced showing current state of SPF, DKIM, and DMARC records for teressacopelandhomes.com
Task 2: Human DNS configuration + MXToolbox verification gate
Human task — cannot be automated. Configure SPF/DKIM/DMARC DNS records for teressacopelandhomes.com at your DNS provider and SMTP provider dashboard. See how-to-verify steps below.
MISSING — human must verify using MXToolbox at https://mxtoolbox.com/spf.aspx, https://mxtoolbox.com/dkim.aspx, https://mxtoolbox.com/dmarc.aspx
All three MXToolbox checks show green/pass; test email received in inbox (not spam)
Automated DNS checks above show the current state of SPF, DKIM, and DMARC records for teressacopelandhomes.com.
The signing flow code is complete (plans 01-05). This checkpoint verifies DNS is configured before any real client signing link is sent.
STEP 1: Check existing SPF record to avoid duplicates
- Run: dig TXT teressacopelandhomes.com | grep "v=spf"
- If a record exists: MERGE your SMTP provider's include into it (do NOT add a second v=spf1 record)
- If no record exists: Add: TXT @ "v=spf1 include:[your-smtp-provider-include] ~all"
STEP 2: Add DKIM key (get from your SMTP provider dashboard)
- Google Workspace: Admin console > Apps > Google Workspace > Gmail > Authenticate email
- Namecheap Email / Zoho Mail: Domain settings > DKIM
- Add the TXT record they provide at [selector]._domainkey.teressacopelandhomes.com
STEP 3: Add DMARC (monitoring mode — start with p=none)
- Add TXT _dmarc record: "v=DMARC1; p=none; rua=mailto:teressa@teressacopelandhomes.com"
STEP 4: Wait for DNS propagation (5 min to 1 hour for most providers)
STEP 5: Verify all three pass at:
- SPF: https://mxtoolbox.com/spf.aspx (enter teressacopelandhomes.com)
- DKIM: https://mxtoolbox.com/dkim.aspx (enter domain + selector)
- DMARC: https://mxtoolbox.com/dmarc.aspx (enter teressacopelandhomes.com)
All three must show green/pass before sending any real client signing link.
STEP 6: Send a test signing email from the app to your own email address and confirm it is received (not in spam).
Type "dns verified" once all three MXToolbox checks show green/pass and a test email is received successfully.
Or describe any specific issues encountered (e.g., "SPF already exists — merged", "DKIM pending propagation").
All three MXToolbox checks pass green (SPF, DKIM, DMARC). Test signing email received in inbox (not spam). DNS propagation complete.
LEGAL-04 satisfied when: SPF/DKIM/DMARC all show green in MXToolbox, a real test email is received without spam filtering, and Teressa confirms she has reviewed and approved the email template. After this checkpoint, signing links may be sent to real clients.