Raxx · internal docs

internal · gated ↑ index

Email Routing — raxx.app mailboxes

Purpose: Authoritative map of every @raxx.app email address: what it is, how it routes, and who watches it. DNS authority: Cloudflare (raxx.app zone). Last updated: 2026-05-11 UTC Related issue: #1212

Architecture decision

Per docs/business/business-email.md and project_email_mental_model.md:

Human-to-human email: Google Workspace (primary domain moosequest.net, alias domain raxx.app). Addresses on raxx.app that receive human replies route to Kristerpher's Google Workspace inbox.
Serviceable / SLA-bearing inbound: FreeScout at tickets.raxx.app via Postmark SMTP relay. support@raxx.app is the sole customer-facing inbound address routed through this path.
Automated outbound: Postmark API (Raptor → SNS → SQS → Lambda → Postmark in v1 hybrid; see docs/architecture/durable-email-delivery.md).

Mailbox map

Address	Type	Implementation	Inbound routing	Outbound	Watcher	Status
`support@raxx.app`	Customer support	FreeScout mailbox (Postmark SMTP relay)	Postmark inbound → Raptor webhook → FreeScout API	FreeScout SMTP via Postmark	Kristerpher (via FreeScout)	Live — do not touch
`ops@raxx.app`	Operations alerts	Google Group (single member: `kris@moosequest.net`)	Google Groups → Kristerpher's inbox	Postmark (CloudWatch alarm SNS target)	Kristerpher	Pending provisioning
`billing@raxx.app`	Billing receipts	Google Group (single member: `kris@moosequest.net`)	Google Groups → Kristerpher's inbox	Stripe webhooks / billing alerts	Kristerpher	Pending provisioning
`no-reply@raxx.app`	Automated outbound only	Google Workspace user alias	Intentional discard — no monitored inbox	Postmark (transactional)	n/a	Pending provisioning

Provisioning state (as of 2026-05-11 UTC)

Address	DNS	Google Workspace	Postmark or relay	Notes
`support@raxx.app`	MX live	Alias on `kris@moosequest.net`	Postmark SMTP relay active	Wired via #669 + #1729 — do not modify
`ops@raxx.app`	MX live (inherited from `raxx.app` apex)	NOT YET CREATED	CloudWatch alarms target this address (see `durable-email-delivery.md` Section 2)	Requires Google Admin action
`billing@raxx.app`	MX live (inherited)	NOT YET CREATED	No current senders configured	Requires Google Admin action
`no-reply@raxx.app`	MX live (inherited)	NOT YET CREATED	Postmark is the outbound path; inbound handling TBD	Requires Google Admin action; see design note below

Provisioning instructions (operator — Google Admin)

Google Workspace Admin actions cannot be scripted from outside the tenant. The steps below are copy-pasteable for the next operator session.

ops@raxx.app — Google Group

Open https://admin.google.com → Directory → Groups → Create group.
Name: Raxx Ops.
Group email: ops@raxx.app.
Access type: Restricted (only org members can post; external senders via "Allow messages from outside the organization" setting — enable this, otherwise CloudWatch SNS notifications are rejected).
Add kris@moosequest.net as owner.
Save.
In group settings → Email options → set "Who can post" to include external senders (required for CloudWatch alarm notifications).
Test: send a message to ops@raxx.app from an external address (e.g., personal Gmail). Confirm it arrives in kris@moosequest.net inbox within 2 minutes.

billing@raxx.app — Google Group

Open https://admin.google.com → Directory → Groups → Create group.
Name: Raxx Billing.
Group email: billing@raxx.app.
Access type: Restricted. Enable external senders (Stripe and other billing systems send from external domains).
Add kris@moosequest.net as owner and sole initial member.
Save.
Test: send a message to billing@raxx.app from an external address. Confirm delivery to kris@moosequest.net.

Critical: Do not leave billing@raxx.app unwatched before Stripe or any billing system is configured to send to it. A blind billing inbox creates a silent failure path for invoices and fraud alerts.

no-reply@raxx.app — design decision required

Two options. Operator must choose one before provisioning.

Option A — User alias (recommended for v1): - Add no-reply@raxx.app as a send-as alias for kris@moosequest.net in Google Admin. - Inbound to this address: delivered to Kristerpher's inbox (some bounce replies and OOO auto-replies will arrive here; low volume at v1, acceptable). - Cost: zero (no additional license consumed). - Limitation: reply-to bounce handling is not automated.

Option B — Dedicated Workspace user: - Create a new Workspace user no-reply@raxx.app with mailbox. - Set a vacation auto-reply: "This address does not accept replies. For help, contact support@raxx.app." - Consumes one license (~$6–18/mo depending on plan tier). - Bounce replies land in a real monitored mailbox.

Recommendation (v1): Option A. The address is outbound-only by design; the occasional bounce reply arriving in Kristerpher's inbox is acceptable signal at pre-launch volume. Revisit Option B when customer volume justifies the license cost.

Implementation (Option A): 1. Google Admin → Users → Kristerpher → Aliases → Add alias. 2. Add no-reply@raxx.app as an alias. 3. In Gmail → Settings → Accounts and Import → Add another email address. 4. Enter no-reply@raxx.app. Google auto-verifies (alias of verified user). 5. This address is now available as a "Send mail as" option in Gmail — Postmark also uses it via the Sender Signature configuration.

Postmark sender signatures

Postmark sends on behalf of raxx.app using these verified signatures. DNS records are on Cloudflare.

Signature	Postmark status	DKIM selector	SPF
`support@raxx.app`	Active (live)	`pm._domainkey.raxx.app` — verified	`include:spf.mtasv.net` in raxx.app SPF

As new addresses are added to Postmark (e.g., no-reply@raxx.app as a separate sender), update the table above and add the corresponding DKIM selector to Cloudflare DNS.

At v1, a single Postmark sender signature covering the raxx.app domain (not per-address) is sufficient. Postmark's domain-level signing means any @raxx.app from-address passes DKIM alignment.

SPF / DKIM / DMARC — raxx.app (current, verified)

Record	Value	Status
SPF (`v=spf1 ...`)	`v=spf1 include:_spf.google.com include:spf.mtasv.net ~all`	Live
DKIM — Google (`google._domainkey.raxx.app`)	2048-bit RSA key (Google Workspace)	Live
DKIM — Postmark (`pm._domainkey.raxx.app`)	RSA key (Postmark)	Live
DMARC (`_dmarc.raxx.app`)	`v=DMARC1; p=quarantine; rua=mailto:kris@moosequest.net; fo=1`	Live

No changes required on raxx.app DNS for this card.

FreeScout mailbox IDs (for SNS/SQS routing map)

Per docs/architecture/durable-email-delivery.md Section 4, the inbound Lambda routing map in SSM (/raxx/email/mailbox_routing_map) references FreeScout numeric mailbox IDs. IDs must be confirmed after FreeScout mailbox creation.

Address	FreeScout mailbox name	Mailbox ID	Confirmed
`support@raxx.app`	Support	TBD — retrieve via `GET /api/mailboxes`	No
`ops@raxx.app`	Operations	TBD — retrieve after mailbox creation	No

To retrieve IDs after FreeScout mailbox provisioning:

FS_KEY=$(infisical secrets get FREESCOUT_API_KEY --path /MooseQuest/freescout --env prod --plain)
curl -s \
  -H "Authorization: Bearer $FS_KEY" \
  https://tickets.raxx.app/api/mailboxes \
  | python3 -m json.tool

Update the table above and the SSM parameter at /raxx/email/mailbox_routing_map when IDs are confirmed.

Issue: #1212 (this card)
docs/ops/email-dns-state.md — moosequest.net SPF/DKIM/DMARC state
docs/business/business-email.md — Google Workspace multi-domain architecture
docs/architecture/durable-email-delivery.md — email pipeline design (SNS/SQS/Lambda/Postmark)
docs/ops/runbooks/freescout-postmark-relay.md — FreeScout outbound SMTP via Postmark
docs/ops/runbooks/freescout-operations-mailbox-provisioning.md — ops mailbox setup in FreeScout

Auto-generated from docs/ in raxx-app/TradeMasterAPI. Gated behind Cloudflare Access. Re-deployed on every push to main.