# Brevo domain authentication — 360degreelogicalmktg.com

Goal: move email sending from "delivered via brevosend.com return-path" to
authenticated `@360degreelogicalmktg.com` — better deliverability, lower spam-tab
risk, professional From: line for brand-client users.

Status as of 2026-06-12:
- Domain registered in Brevo: ✓ (auto-created when first sender added)
- DNS records added at registrar: ✗ (this walkthrough adds them)
- Brevo `verified`: false → will become true after DNS + re-poll
- Brevo `authenticated`: false → will become true after DNS + re-poll

Registrar: Hostinger (NS = ns1/ns2.dns-parking.com → manage in hPanel)
DNS Zone Editor: https://hpanel.hostinger.com/domains/ → click domain → DNS / Name Servers

---

## Records to add at Hostinger DNS

Set TTL = **300 seconds** on each new/modified record so Brevo's authentication
poll converges in minutes (you can bump TTL back to default once green).

| # | Action | Type | Host / Name | Value | Notes |
|---|--------|------|-------------|-------|-------|
| 1 | **ADD** | TXT | `@` | `brevo-code:09af5f67f93389cd0b86fe37e94d2f7b` | Domain ownership proof |
| 2 | **ADD** | CNAME | `brevo1._domainkey` | `b1.360degreelogicalmktg-com.dkim.brevo.com` | DKIM signing key 1 |
| 3 | **ADD** | CNAME | `brevo2._domainkey` | `b2.360degreelogicalmktg-com.dkim.brevo.com` | DKIM signing key 2 |
| 4 | **MODIFY** | TXT | `@` (existing SPF) | `v=spf1 include:_spf.google.com include:spf.brevo.com ~all` | EDIT the existing SPF — do NOT add a second TXT starting with `v=spf1` (RFC 7208 disallows it; both fail silently) |
| 5 | **ADD** | TXT | `_dmarc` | `v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com` | OR add `,mailto:postmaster@360degreelogicalmktg.com` to get a copy of aggregate reports yourself |

### Records to NOT touch (existing, used by Google Workspace)

- MX → `smtp.google.com` (inbound mail goes to Google — leave it)
- A/AAAA at `@` → currently points to the Hostinger VPS — leave it

---

## Step-by-step at Hostinger hPanel

1. Sign in at https://hpanel.hostinger.com (use the same Google account you use
   for Google Workspace at `business@360degreelogicalmktg.com`, or whichever email
   the Hostinger account is registered with).
2. Click **Domains** → pick `360degreelogicalmktg.com`.
3. In the left sidebar click **DNS / Name servers**.
4. Scroll to **DNS records**.

### Add records 1, 2, 3, 5 (four new records)

For each row in the table above marked **ADD**:
- Click **Add new record**
- Choose the Type (TXT or CNAME)
- Paste the Host into the **Name** field
- Paste the Value
- Set TTL = 300
- Save

### Modify record 4 (SPF)

- Find the existing TXT at the root (`@`) that starts with `v=spf1`
- Click ✎ Edit (do NOT delete and re-add; edit in place)
- Replace value with: `v=spf1 include:_spf.google.com include:spf.brevo.com ~all`
- Set TTL = 300
- Save

### Verify your additions

After saving, the panel typically shows all records in a list. Re-check that:
- There is exactly ONE TXT at `@` starting with `v=spf1`
- There is exactly ONE TXT at `@` starting with `brevo-code:`
- `brevo1._domainkey` resolves as CNAME → `b1.360degreelogicalmktg-com.dkim.brevo.com`
- `brevo2._domainkey` resolves as CNAME → `b2.360degreelogicalmktg-com.dkim.brevo.com`
- `_dmarc` TXT exists

---

## DNS propagation check (from VPS)

After saving in Hostinger, wait 2–5 minutes, then verify from the VPS:

```bash
dig +short TXT 360degreelogicalmktg.com           # should now show TWO TXT lines: spf1 (with Brevo), brevo-code
dig +short CNAME brevo1._domainkey.360degreelogicalmktg.com
dig +short CNAME brevo2._domainkey.360degreelogicalmktg.com
dig +short TXT _dmarc.360degreelogicalmktg.com
```

If any line is empty, Hostinger save likely didn't apply — go back and re-save.

---

## Trigger Brevo to re-verify

Once DNS is propagated (the dig above shows all four), tell Claude or run:

```bash
KEY=$(grep '^BREVO_API_KEY=' /root/360lm-web/.env | cut -d= -f2-)
curl -sS -X PUT -H "api-key: $KEY" -H "accept: application/json" \
  https://api.brevo.com/v3/senders/domains/360degreelogicalmktg.com/authenticate
```

Expected on success: `{"message":"Domain authentication initiated...","domain":"..."}`
or the same call returns the domain object with `authenticated:true`.

If still pending: wait 15–30 minutes (DNS recursive caches refreshing) and re-call.
**Don't poll faster than once per 10 minutes** — Brevo rate-limits and rapid
polls don't speed it up.

---

## After authentication = true

1. Update worker From email to a clean per-app address. Edit `/root/360lm-web/.env`:
   ```
   BREVO_FROM_EMAIL=no-reply@360degreelogicalmktg.com
   BREVO_FROM_NAME=360 Degree Logical Marketing — Recce Portal
   ```
   (Choose `no-reply@`, `notifications@`, `recce@` etc. — any local-part works once the domain is authenticated.)

2. Recreate the worker:
   ```bash
   cd /root/360lm-web && docker compose up -d --force-recreate counters-mail-relay
   ```

3. Fire a smoke test:
   ```sql
   INSERT INTO counters.mail_outbox (to_email, subject, body_html, body_text)
   VALUES ('haris.lal.1974@gmail.com', 'Brevo PROD - smoke test (authenticated domain)',
           '<p>Hi — this email is sent from the authenticated <code>@360degreelogicalmktg.com</code> domain.</p>',
           'Hi — this email is sent from the authenticated 360degreelogicalmktg.com domain.');
   ```

4. Inbox check (no Promotions tab, no Brevo return-path footer):
   - From: should now show `no-reply@360degreelogicalmktg.com` (not `business@11449036.brevosend.com`)
   - Headers: DKIM=pass for `360degreelogicalmktg.com`, SPF=pass

5. Bump DNS TTLs back to default (3600 or so) in Hostinger after green for 24h.

---

## Backout

If anything goes wrong:
- Revert SPF to `v=spf1 include:_spf.google.com ~all` (just remove the `include:spf.brevo.com` token)
- Delete the four new records (brevo-code TXT, both DKIM CNAMEs, DMARC TXT)
- Revert `BREVO_FROM_EMAIL=business@360degreelogicalmktg.com` and recreate worker
- Google Workspace inbound mail (`smtp.google.com` MX) is untouched throughout — no risk to incoming email
