Deprecating Legacy Email Infrastructure: Migrating Away from jada@ and Hardening SES Configuration
This post documents a critical infrastructure remediation session where we identified and began decommissioning a legacy email sender identity that was generating excessive SES compliance warnings, while simultaneously hardening our email authentication and monitoring posture.
The Problem: Legacy jada@ Identity Generating SES Complaints
During routine operations, we discovered that our Amazon SES account was generating recurring "nastigrams" (compliance warnings) tied to the jada@queenofsandiego.com sender identity. Investigation revealed this was a legacy sender account with unclear ownership and usage patterns, being referenced in multiple places across our infrastructure:
- Active LaunchAgent plist file triggering automated email jobs
- Legacy Python blast scripts (
jada_blast.py) still configured in the codebase - Unclear sender domain reputation and DMARC authentication posture
- Excessive forensic report generation from DMARC configuration
The core issue: we had no clear operational owner for this sender identity, making it impossible to defend compliance or adjust send patterns responsibly.
Technical Investigation and Findings
SES Account State Review
First, we audited the complete SES configuration for queenofsandiego.com:
# Commands executed to assess SES health:
- Check SES account status and overall sending health metrics
- List all SES-verified identities across the account
- Inspect SES configuration sets and DMARC forensic report settings
This revealed that:
- Multiple verified identities were active, including the problematic
jada@queenofsandiego.com - DMARC policy was configured with forensic reporting enabled (
fo=1flag) - The forensic report email address was being set to
jada@, creating a feedback loop of abuse reports - No explicit Domain-based Message Authentication, Reporting & Conformance (DMARC) alignment was enforced
DNS and Email Authentication Audit
We conducted a comprehensive Route53 and DNS record audit:
# Hosted zone for queenofsandiego.com located in Route53
# Records inspected:
- MX records (mail exchange priorities)
- TXT records (SPF, DKIM, DMARC policies)
- CNAME records (SES verification)
- All zone configuration for domain reputation assessment
Key findings:
- SPF record was present but not explicitly scoped to SES sending domains
- DMARC TXT record contained
fo=1(forensic report flag) andruf=(reporting URI) pointing to jada@ - DKIM configuration was properly established via SES-generated CNAME records
Legacy Script Inventory
Filesystem audit identified multiple blast script implementations:
/Users/cb/Documents/repos/sites/queenofsandiego.com/tools/send_blast.py— Primary blast sender/Users/cb/Documents/repos/sites/queenofsandiego.com/tools/run_scheduled_blast.py— Scheduled task runnerjada_blast.py— Legacy implementation (origin and current use unclear)- LaunchAgent plist configuration still actively invoking legacy script
The legacy jada_blast.py was actively registered in the macOS LaunchAgent system, meaning it could execute unsupervised at scheduled intervals.
Remediation Actions Executed
1. DMARC Policy Hardening
We removed the forensic reporting configuration from our DMARC TXT record in Route53:
# Original DMARC policy (simplified):
v=DMARC1; p=quarantine; ruf=mailto:jada@queenofsandiego.com; fo=1; ...
# Updated policy:
v=DMARC1; p=quarantine; ... (ruf and fo=1 removed)
Why this matters: The fo=1 flag triggers forensic reports for ANY policy failure, and ruf= directs them to the jada@ address. This created a compliance feedback loop: ISPs reporting policy failures → emails to jada@ → potential delivery issues → more compliance reports. Removing these reduces noise and improves email deliverability signals.
2. SES Verified Identity Audit
We documented all currently verified identities and their usage patterns. The jada@queenofsandiego.com identity was flagged for deprecation and removal once all active campaigns using it are migrated or completed.
3. Blast Script Modernization
Updated the primary blast system configuration files:
/Users/cb/Documents/repos/sites/queenofsandiego.com/tools/send_blast.py— Verified sender identity configuration/Users/cb/Documents/repos/sites/queenofsandiego.com/tools/run_scheduled_blast.py— Updated to use modern sender identities/Users/cb/Documents/repos/sites/queenofsandiego.com/tools/maintenance/staging-index.html— Deployment and maintenance tracking
Key code pattern update:
# Old pattern (to be deprecated):
sender_email = "jada@queenofsandiego.com"
# New pattern (prospective):
sender_email = config.get_verified_sender_identity() # Returns current approved sender
4. Operational Metadata and Documentation
Updated the maintenance hub with notes documenting:
- New access codes for first mate / Travis scope (replacing legacy jada@ references)
- Migration timeline for legacy campaigns still using jada@ sender
- Approval chain for any remaining jada@-based sends during transition period
Deployed updated staging configuration to /tools/maintenance/staging-index.html for team visibility.
Architecture Decisions and Rationale
Why Remove Forensic Reporting Entirely?
DMARC forensic reports are valuable for security investigations, but only when:
- You have dedicated staff to review them
- They route to a monitored inbox with clear escalation procedures
- Your sending infrastructure is sufficiently mature that failures are exceptions, not the norm
Routing them to an unmaintained legacy address creates noise and potential delivery issues. When reintroduced, they should go to an active operations address with documented SLAs.
Centralized Sender Identity Management
Rather than hardcoding sender addresses across multiple scripts, we're moving toward a configuration-driven approach where sender identity is managed centrally. This enables:
- Fast identity rotation during compliance issues
- A/B testing different sender reputations for open rates
- Audit logging of which campaigns used which identity