Email Routing — raxx.app mailboxes
Purpose: Authoritative map of every @raxx.app email address: what it is, how it routes, and who watches it.
DNS authority: Cloudflare (raxx.app zone).
Last updated: 2026-05-19 UTC
Related issue: #1212
Architecture decision
Per docs/business/business-email.md and project_email_mental_model.md:
- Human-to-human email: Google Workspace (primary domain
moosequest.net, alias domainraxx.app). Addresses onraxx.appthat receive human replies route to Kristerpher's Google Workspace inbox. - Serviceable / SLA-bearing inbound: FreeScout at
tickets.raxx.appvia Postmark SMTP relay.support@raxx.appis the sole customer-facing inbound address routed through this path. - Automated outbound: Postmark API (Raptor → SNS → SQS → Lambda → Postmark in v1 hybrid; see
docs/architecture/durable-email-delivery.md).
Mailbox map
| Address | Type | Implementation | Inbound routing | Outbound | Watcher | Status |
|---|---|---|---|---|---|---|
support@raxx.app |
Customer support | FreeScout mailbox (Postmark SMTP relay) | Postmark inbound → Raptor webhook → FreeScout API | FreeScout SMTP via Postmark | Kristerpher (via FreeScout) | Live — do not touch |
ops@raxx.app |
Operations alerts | Google Group (single member: kris@moosequest.net) |
Google Groups → Kristerpher's inbox | Postmark (CloudWatch alarm SNS target) | Kristerpher | Operator action pending — see runbook |
billing@raxx.app |
Billing receipts | Google Group (single member: kris@moosequest.net) |
Google Groups → Kristerpher's inbox | Stripe webhooks / billing alerts | Kristerpher | Operator action pending — see runbook |
no-reply@raxx.app |
Automated outbound only | Send-as alias on kris@moosequest.net (Option A) |
Bounce replies → Kristerpher's inbox (intentional, low-volume v1) | Postmark (transactional) | n/a | Operator action pending — see runbook |
Provisioning state (as of 2026-05-11 UTC)
| Address | DNS | Google Workspace | Postmark or relay | Notes |
|---|---|---|---|---|
support@raxx.app |
MX live | Alias on kris@moosequest.net |
Postmark SMTP relay active | Wired via #669 + #1729 — do not modify |
ops@raxx.app |
MX live (inherited from raxx.app apex) |
NOT YET CREATED | CloudWatch alarms target this address (see durable-email-delivery.md Section 2) |
Operator action required — see docs/ops/runbooks/google-workspace-mailbox-provisioning.md |
billing@raxx.app |
MX live (inherited) | NOT YET CREATED | No current senders configured | Operator action required — see docs/ops/runbooks/google-workspace-mailbox-provisioning.md |
no-reply@raxx.app |
MX live (inherited) | NOT YET CREATED | Postmark outbound path; Option A (send-as alias) chosen — see runbook | Operator action required — see docs/ops/runbooks/google-workspace-mailbox-provisioning.md |
Provisioning instructions (operator — Google Admin)
Google Workspace Admin actions cannot be scripted from outside the tenant. The full click-path runbook for all three addresses is in:
docs/ops/runbooks/google-workspace-mailbox-provisioning.md
That runbook covers:
- Step 0: convert raxx.app from alias → secondary domain (one-way, required before Group creation)
- Step 1: ops@raxx.app — Google Group with external sender access (required for CloudWatch)
- Step 2: billing@raxx.app — Google Group with external sender access (required for Stripe)
- Step 3: no-reply@raxx.app — send-as alias on kris@moosequest.net (Option A, zero license cost)
- Step 4: clear Postmark suppression list entries for all three addresses
- Step 5: run python3 scripts/ops/verify_email_provisioning.py to confirm all checks pass
Implementation decision for no-reply@raxx.app (locked 2026-05-19): Option A (send-as alias).
Zero license cost. Bounce replies land in operator inbox at acceptable v1 volume. Revisit Option B
(dedicated Workspace user) when customer volume makes automated bounce handling worthwhile.
Critical for billing@raxx.app: Do not leave it unwatched before Stripe or any billing system
is configured to send to it. A blind billing inbox creates a silent failure path for invoices and
fraud alerts.
Postmark sender signatures
Postmark sends on behalf of raxx.app using these verified signatures. DNS records are on Cloudflare.
| Signature | Postmark status | DKIM selector | SPF |
|---|---|---|---|
support@raxx.app |
Active (live) | pm._domainkey.raxx.app — verified |
include:spf.mtasv.net in raxx.app SPF |
As new addresses are added to Postmark (e.g., no-reply@raxx.app as a separate sender), update the table above and add the corresponding DKIM selector to Cloudflare DNS.
At v1, a single Postmark sender signature covering the raxx.app domain (not per-address) is sufficient. Postmark's domain-level signing means any @raxx.app from-address passes DKIM alignment.
SPF / DKIM / DMARC — raxx.app (current, verified)
| Record | Value | Status |
|---|---|---|
SPF (v=spf1 ...) |
v=spf1 include:_spf.google.com include:spf.mtasv.net ~all |
Live |
DKIM — Google (google._domainkey.raxx.app) |
2048-bit RSA key (Google Workspace) | Live |
DKIM — Postmark (pm._domainkey.raxx.app) |
RSA key (Postmark) | Live |
DMARC (_dmarc.raxx.app) |
v=DMARC1; p=quarantine; rua=mailto:kris@moosequest.net; fo=1 |
Live |
No changes required on raxx.app DNS for this card.
FreeScout mailbox IDs (for SNS/SQS routing map)
Per docs/architecture/durable-email-delivery.md Section 4, the inbound Lambda routing map in SSM (/raxx/email/mailbox_routing_map) references FreeScout numeric mailbox IDs. IDs must be confirmed after FreeScout mailbox creation.
| Address | FreeScout mailbox name | Mailbox ID | Confirmed |
|---|---|---|---|
support@raxx.app |
Support | TBD — retrieve via GET /api/mailboxes |
No |
ops@raxx.app |
Operations | TBD — retrieve after mailbox creation | No |
To retrieve IDs after FreeScout mailbox provisioning:
FS_KEY=$(infisical secrets get FREESCOUT_API_KEY --path /MooseQuest/freescout --env prod --plain)
curl -s \
-H "Authorization: Bearer $FS_KEY" \
https://tickets.raxx.app/api/mailboxes \
| python3 -m json.tool
Update the table above and the SSM parameter at /raxx/email/mailbox_routing_map when IDs are confirmed.
Related
- Issue: #1212 (this card)
docs/ops/runbooks/google-workspace-mailbox-provisioning.md— full operator click-path for Google Adminscripts/ops/verify_email_provisioning.py— post-provisioning DNS + suppression verification scriptscripts/ops/postmark_bounce_check.py— suppression list managementdocs/ops/email-dns-state.md— moosequest.net SPF/DKIM/DMARC statedocs/business/business-email.md— Google Workspace multi-domain architecturedocs/architecture/durable-email-delivery.md— email pipeline design (SNS/SQS/Lambda/Postmark)docs/ops/runbooks/freescout-postmark-relay.md— FreeScout outbound SMTP via Postmarkdocs/ops/runbooks/freescout-operations-mailbox-provisioning.md— ops mailbox setup in FreeScout