
Phase 3 -- Operator Checklist: Postmark Domain Verification

Stub. Authored on 2026-05-05 during the Phase 1 operator walkthrough to capture a deliverable scope item that surfaced from the Postmark domain-verification help article. The checklist is fleshed out into a complete operator-runbook companion during Phase 3 planning. Phase 1 surfaces this stub so operators see the upcoming work during the Phase 1 walkthrough.

After the Phase 3 Corporate Email stack deploys the DNS records emitted by the new dns-email-records.ts construct, the operator must complete a manual verification step in the Postmark Console before Postmark unlocks live mail delivery for the Free Kanban Tool. This checklist captures the steps the operator runs on that day.

The verification target is the Corporate zone parent, arda.ardamails.com, under the PostmarkProd account. Verifying the parent covers all sub-domains that share its DKIM key (e.g., freekanban.arda.ardamails.com), removing the need for per-subdomain verification clicks for additional Corporate-instance-group consumers added after Free Kanban.

The decision to verify at the parent (arda.ardamails.com) instead of at each leaf (freekanban.arda.ardamails.com, …) was made on 2026-05-05 during the Phase 1 walkthrough; it is restated here so it is visible to Phase 3 implementers without requiring a back-reference to that conversation. Phase 3 planning will record it formally in decision-log.md as a new DQ-R1-NNN entry under Round R1-Phase3 (the specific number will be assigned at Phase 3 planning time; DQ-R1-008 is already taken by the ardamails.com zone-import decision in this PR’s Round R1-Phase2).

The Phase 3 Corporate Email stack provisions DNS records under arda.ardamails.com:

  • DKIM TXT record at <selector>._domainkey.arda.ardamails.com.
  • Return-Path CNAME at pm_bounces.arda.ardamails.com -> pm.mtasv.net.
  • (Optional) DMARC TXT at _dmarc.arda.ardamails.com (already on the Phase 3 deliverables list per architecture-overview.md § DMARC).

The records are emitted by the dns-email-records.ts construct in Arda-cards/infrastructure. The DKIM selector and value are captured by the Phase A run of the Corporate CLI (one-time, idempotent) and exposed via cdk.context.json; Phase B (cdk deploy) reads the captured public values and emits the records.

  • arda.ardamails.com is a Verified sending domain in the PostmarkProd account.
  • The PostmarkProd account is out of sandbox (approval request submitted and granted, if required).
  • Sub-domains under arda.ardamails.com (starting with freekanban.arda.ardamails.com) inherit the verified state for live sending.

Operator steps (to be expanded during Phase 3 planning)


The following is a draft sequence; Phase 3 planning extends each step with exact UI screenshots, troubleshooting rows, and verification commands.

  1. Confirm DNS records propagated after the Phase 3 deploy:

    dig CNAME pm_bounces.arda.ardamails.com # expect: pm.mtasv.net
    dig TXT <selector>._domainkey.arda.ardamails.com # expect: a v=DKIM1 record
    dig TXT _dmarc.arda.ardamails.com # optional; expect: a v=DMARC1 record

  2. Open the Postmark Sender Signatures page for the PostmarkProd account at https://account.postmarkapp.com/signature_domains.

  3. Locate the entry for arda.ardamails.com that the Phase 3 deploy registered via the Postmark API. Click Verify for the DKIM and Return-Path rows.

  4. Confirm green status on both rows (DKIM and Return-Path). Postmark calls the verified state “the magic trifecta of email authentication”; on signature_domains this appears as green checkmarks against each record type.

  5. (If the account is in sandbox) Submit the Postmark approval request from the account dashboard. Wait for Postmark support review (typically minutes to hours).

  6. Smoke test: send one test email from the Free Kanban Tool to a non-owner address. Confirm delivery and that DKIM and SPF pass at the recipient (the Authentication-Results header on the received message shows dkim=pass).
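
The header check in step 6 can be scripted against a saved copy of the received message. The Python below is an added example, not part of the original checklist or of the Arda-cards tooling: it counts dkim=pass and spf=pass only when they were recorded for a domain at or under arda.ardamails.com, and only from Authentication-Results headers stamped by the receiving server. The function names, the authserv-id mx.recipient.example and the sample message are assumptions made for illustration, as is the expectation that the Return-Path CNAME places the envelope sender under arda.ardamails.com.

```python
import re
from email import message_from_string
from email.policy import default

PARENT = "arda.ardamails.com"  # verified parent domain from this checklist

# Constructed sample (not captured mail). "mx.recipient.example" stands in for the
# recipient provider's authserv-id; "esp.example" for an unrelated signing domain.
SAMPLE = """\
Authentication-Results: spoofed.example; dkim=pass header.d=arda.ardamails.com
Authentication-Results: mx.recipient.example;
 dkim=pass (2048-bit key) header.d=esp.example header.s=s1;
 spf=pass smtp.mailfrom=pm_bounces@pm_bounces.arda.ardamails.com
Subject: smoke test

body
"""

def under(domain, parent=PARENT):
    domain = domain.lower().rstrip(".")
    return domain == parent or domain.endswith("." + parent)

def parse_auth_results(value):
    """Split one header value into (authserv_id, [(method, result, props)])."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop RFC 8601 comments
    head, *clauses = [c.strip() for c in value.split(";")]
    results = []
    for tokens in (c.split() for c in clauses if c):
        if "=" in tokens[0]:  # skips the bare "none" form
            method, result = tokens[0].lower().split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results.append((method, result, props))
    return (head.split() or [""])[0].lower(), results

def check_smoke_test(raw_message, trusted_authserv_id):
    """Per-mechanism verdict, counting only results stamped by the trusted receiver."""
    verdict = {"dkim": False, "spf": False}
    msg = message_from_string(raw_message, policy=default)
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(header))
        if authserv_id != trusted_authserv_id.lower():
            continue  # the header is plain text anyone upstream can add; skip foreign ones
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "dkim":  # some receivers report header.i instead of header.d
                signer = props.get("header.d") or props.get("header.i", "")
                verdict["dkim"] |= under(signer.rsplit("@", 1)[-1])
            elif method == "spf":  # assumption: custom Return-Path sets the envelope domain
                verdict["spf"] |= under(props.get("smtp.mailfrom", "").rsplit("@", 1)[-1])
    return verdict
```

On the constructed sample the DKIM verdict is False even though the trusted header contains dkim=pass, because that pass is for a different signing domain and says nothing about the arda.ardamails.com key.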

Phase 4 (per-partition mail sub-zones) follows the same shape:

  • Per partition: verify {partition}.ardamails.com (e.g., prod.ardamails.com, dev.ardamails.com) under the appropriate Postmark account (PostmarkProd for prod/demo; PostmarkNonProd for dev/stage/kyle).
  • The Phase 4 spec will mirror this checklist, parameterised by partition.