161 lines
7.3 KiB
Markdown
161 lines
7.3 KiB
Markdown
---
|
|
phase: 06-signing-flow
|
|
plan: "06"
|
|
type: execute
|
|
wave: 5
|
|
depends_on:
|
|
- "06-05"
|
|
files_modified: []
|
|
autonomous: false
|
|
requirements:
|
|
- LEGAL-04
|
|
|
|
must_haves:
|
|
truths:
|
|
- "SPF record exists for teressacopelandhomes.com with no duplicate (only one v=spf1 record)"
|
|
- "DKIM record exists for teressacopelandhomes.com (TXT record at [selector]._domainkey subdomain)"
|
|
- "DMARC record exists at _dmarc.teressacopelandhomes.com with at minimum p=none"
|
|
- "MXToolbox SPF check shows green/pass"
|
|
- "MXToolbox DKIM check shows green/pass"
|
|
- "MXToolbox DMARC check shows green/pass"
|
|
- "A test signing email sent to a real email address is received without spam filtering"
|
|
artifacts: []
|
|
key_links: []
|
|
|
|
user_setup:
|
|
- service: dns-spf-dkim-dmarc
|
|
why: "LEGAL-04 — DNS email authentication must be configured before any signing link is sent to a real client"
|
|
env_vars: []
|
|
dashboard_config:
|
|
- task: "Check existing SPF record"
|
|
location: "Run: dig TXT teressacopelandhomes.com | grep v=spf1 — if a record exists, MERGE your SMTP provider include into it (do not add a second SPF record — RFC 7208 forbids multiple v=spf1 records)"
|
|
- task: "Add SPF TXT record"
|
|
location: "DNS provider (Namecheap, Google Domains, etc.) — add TXT @ record: v=spf1 include:[smtp-provider] ~all"
|
|
- task: "Generate and add DKIM record"
|
|
location: "Your SMTP provider dashboard (Google Workspace: Admin > Apps > Gmail > Authenticate Email; Namecheap: Email > DKIM; Zoho: Mail > Domains > DKIM)"
|
|
- task: "Add DMARC TXT record"
|
|
location: "DNS provider — add TXT _dmarc record: v=DMARC1; p=none; rua=mailto:teressa@teressacopelandhomes.com"
|
|
---
|
|
|
|
<objective>
|
|
Verify that DNS email authentication (SPF, DKIM, DMARC) is correctly configured for teressacopelandhomes.com before any signing link is sent to a real client.
|
|
|
|
Purpose: LEGAL-04 — this is a non-negotiable compliance gate. Without SPF/DKIM/DMARC, signing emails will be spam-filtered or rejected, and the audit trail will be incomplete.
|
|
Output: All three DNS records verified as passing in MXToolbox + a real test email received successfully.
|
|
</objective>
|
|
|
|
<execution_context>
|
|
@/Users/ccopeland/.claude/get-shit-done/workflows/execute-plan.md
|
|
@/Users/ccopeland/.claude/get-shit-done/templates/summary.md
|
|
</execution_context>
|
|
|
|
<context>
|
|
@.planning/ROADMAP.md
|
|
@.planning/phases/06-signing-flow/06-CONTEXT.md
|
|
@.planning/phases/06-signing-flow/06-RESEARCH.md
|
|
</context>
|
|
|
|
<tasks>
|
|
|
|
<task type="auto">
|
|
<name>Task 1: Automated DNS verification check</name>
|
|
<files></files>
|
|
<action>
|
|
Run DNS record checks using dig to show the current state before the human checkpoint:
|
|
|
|
```bash
|
|
# Check existing SPF (CRITICAL: only one v=spf1 record allowed per RFC 7208)
|
|
dig TXT teressacopelandhomes.com | grep -i "v=spf"
|
|
|
|
# Check for DKIM records (selector depends on SMTP provider — common selectors: google, default, mail, zoho)
|
|
dig TXT google._domainkey.teressacopelandhomes.com
|
|
dig TXT default._domainkey.teressacopelandhomes.com
|
|
dig TXT mail._domainkey.teressacopelandhomes.com
|
|
|
|
# Check DMARC
|
|
dig TXT _dmarc.teressacopelandhomes.com
|
|
```
|
|
|
|
Report the current state of each record. If any is missing, flag it clearly.
|
|
|
|
Also run a test SMTP connection to confirm the configured SMTP credentials work:
|
|
```bash
|
|
# Quick SMTP auth test using Node.js (from teressa-copeland-homes/)
|
|
cd /Users/ccopeland/temp/red/teressa-copeland-homes && node -e "
|
|
const nodemailer = require('nodemailer');
|
|
require('dotenv').config({ path: '.env.local' });
|
|
const t = nodemailer.createTransport({
|
|
host: process.env.CONTACT_SMTP_HOST,
|
|
port: Number(process.env.CONTACT_SMTP_PORT || 587),
|
|
auth: { user: process.env.CONTACT_EMAIL_USER, pass: process.env.CONTACT_EMAIL_PASS }
|
|
});
|
|
t.verify().then(() => console.log('SMTP: OK')).catch(e => console.error('SMTP error:', e.message));
|
|
"
|
|
```
|
|
|
|
Output a summary of: which DNS records are present, which are missing, and whether SMTP auth succeeds.
|
|
</action>
|
|
<verify>
|
|
<automated>dig TXT teressacopelandhomes.com | grep -E "v=spf|ANSWER" && dig TXT _dmarc.teressacopelandhomes.com | grep -E "v=DMARC|ANSWER"</automated>
|
|
</verify>
|
|
<done>DNS check output produced showing current state of SPF, DKIM, and DMARC records for teressacopelandhomes.com</done>
|
|
</task>
|
|
|
|
<task type="checkpoint:human-verify" gate="blocking">
|
|
<name>Task 2: Human DNS configuration + MXToolbox verification gate</name>
|
|
<files></files>
|
|
<action>
|
|
Human task — cannot be automated. Configure SPF/DKIM/DMARC DNS records for teressacopelandhomes.com at your DNS provider and SMTP provider dashboard. See how-to-verify steps below.
|
|
</action>
|
|
<verify>
|
|
<automated>MISSING — human must verify using MXToolbox at https://mxtoolbox.com/spf.aspx, https://mxtoolbox.com/dkim.aspx, https://mxtoolbox.com/dmarc.aspx</automated>
|
|
</verify>
|
|
<done>All three MXToolbox checks show green/pass; test email received in inbox (not spam)</done>
|
|
<what-built>
|
|
Automated DNS checks above show the current state of SPF, DKIM, and DMARC records for teressacopelandhomes.com.
|
|
The signing flow code is complete (plans 01-05). This checkpoint verifies DNS is configured before any real client signing link is sent.
|
|
</what-built>
|
|
<how-to-verify>
|
|
STEP 1: Check existing SPF record to avoid duplicates
|
|
- Run: dig TXT teressacopelandhomes.com | grep "v=spf"
|
|
- If a record exists: MERGE your SMTP provider's include into it (do NOT add a second v=spf1 record)
|
|
- If no record exists: Add: TXT @ "v=spf1 include:[your-smtp-provider-include] ~all"
|
|
|
|
STEP 2: Add DKIM key (get from your SMTP provider dashboard)
|
|
- Google Workspace: Admin console > Apps > Google Workspace > Gmail > Authenticate email
|
|
- Namecheap Email / Zoho Mail: Domain settings > DKIM
|
|
- Add the TXT record they provide at [selector]._domainkey.teressacopelandhomes.com
|
|
|
|
STEP 3: Add DMARC (monitoring mode — start with p=none)
|
|
- Add TXT _dmarc record: "v=DMARC1; p=none; rua=mailto:teressa@teressacopelandhomes.com"
|
|
|
|
STEP 4: Wait for DNS propagation (5 min to 1 hour for most providers)
|
|
|
|
STEP 5: Verify all three pass at:
|
|
- SPF: https://mxtoolbox.com/spf.aspx (enter teressacopelandhomes.com)
|
|
- DKIM: https://mxtoolbox.com/dkim.aspx (enter domain + selector)
|
|
- DMARC: https://mxtoolbox.com/dmarc.aspx (enter teressacopelandhomes.com)
|
|
All three must show green/pass before sending any real client signing link.
|
|
|
|
STEP 6: Send a test signing email from the app to your own email address and confirm it is received (not in spam).
|
|
</how-to-verify>
|
|
<resume-signal>
|
|
Type "dns verified" once all three MXToolbox checks show green/pass and a test email is received successfully.
|
|
Or describe any specific issues encountered (e.g., "SPF already exists — merged", "DKIM pending propagation").
|
|
</resume-signal>
|
|
</task>
|
|
|
|
</tasks>
|
|
|
|
<verification>
|
|
All three MXToolbox checks pass green (SPF, DKIM, DMARC). Test signing email received in inbox (not spam). DNS propagation complete.
|
|
</verification>
|
|
|
|
<success_criteria>
|
|
LEGAL-04 satisfied when: SPF/DKIM/DMARC all show green in MXToolbox, a real test email is received without spam filtering, and Teressa confirms she has reviewed and approved the email template. After this checkpoint, signing links may be sent to real clients.
|
|
</success_criteria>
|
|
|
|
<output>
|
|
After completion, create `.planning/phases/06-signing-flow/06-06-SUMMARY.md`
|
|
</output>
|