UCCO Foundation — Email Infrastructure Roadmap
STATUS: ROADMAP — not a build brief
CAPTURED: Session 7, 15 March 2026
APPLIES TO: ucco.foundation domain email
→ TIM
This is the email migration plan. Three phases: manual now, grep at migration time, free enterprise Workspace after 501(c)(3). No action needed today — aliases get created ad hoc as surfaces demand them, and we reconcile the full list from the codebase when we're ready to move.
Phase 1 — Now (pre-incorporation)
Status: CURRENT
- Email lives on Google Workspace via ucca.edu.au (shared license)
- admin@ucco.foundation is a secondary domain alias on that Workspace
- MX records point to Google (5 records, legacy config)
- SPF, DKIM, DMARC all configured
- DMARC at p=none (monitor only — should move to p=reject before launch)
What to do:
- Nothing with email infrastructure right now
- As surfaces get built (press office, ops pages, Workers), they will reference role-based addresses in code: press@ucco.foundation, security@ucco.foundation, etc.
- Do NOT create these aliases yet — just let them accumulate in the codebase
- If you need one urgently for a live form (e.g., press contact form), add it manually in Google Admin as an alias on admin@
The principle: Let demand create the addresses. Record them in code. Reconcile later.
Phase 2 — Migration trigger (post-501(c)(3))
Status: BLOCKED on incorporation + 501(c)(3) filing
Prerequisites (in order):
1. Incorporate UCCO Foundation in Kentucky — ~$47 (needs Kevin + Antony full legal names)
2. Get EIN from IRS — instant, free
3. File 501(c)(3) — Form 1023-EZ, $275, 27-month retroactive window
4. Receive IRS determination letter
Once you have the determination letter:
1. Apply for Google for Nonprofits via Goodstack (3-5 business days)
2. Activate Google Workspace for Nonprofits on ucco.foundation
What you get for free:
- Google Workspace Business Standard equivalent ($0/user/month)
- Up to 2,000 users
- 100TB pooled storage
- Custom domain email with full admin console
- Admin SDK API access (Directory API for programmatic user/alias management)
- Google Ad Grants — $10,000/month free search advertising
- Gemini AI features with enterprise data protections
- All the Google Workspace apps (Gmail, Drive, Calendar, Meet, etc.)
Phase 3 — Migration execution
Status: FUTURE
Step 1: Audit the codebase
Before migration, grep the entire UCCO codebase for every @ucco.foundation address:
```bash
# In ucco-project directory
# -F matches "@ucco.foundation" as a literal string (the dot is not a regex wildcard)
grep -rF "@ucco.foundation" --include="*.js" --include="*.ts" --include="*.jsx" \
  --include="*.tsx" --include="*.md" --include="*.toml" --include="*.json" \
  --include="*.html" --include="*.css" .
```
Also check:
- Worker environment variables and secrets (wrangler.toml files)
- D1 database records (any stored email addresses)
- Cloudflare Email Routing rules (if any were created)
- DNS TXT records (SPF, DMARC)
- Alex briefs and architecture docs
- Ops console stub page content
This produces the definitive list of addresses that need to exist.
Step 2: Classify each address
For each address found, classify as:
| Type | Example | Action |
|---|---|---|
| Operational (admin reply needed) | admin@, press@, security@ | Full Workspace account OR alias on admin |
| Role-based (inbound only) | noreply@, notifications@ | Alias on admin account |
| Board member (personal forwarding) | kevin@, antony@, tania@ | Full Workspace account (free license) |
| Functional (system use) | api@, worker@ | Alias or service account |
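Steps 1 and 2 combined, as an added shell example that is not part of the original roadmap: it extracts every distinct @ucco.foundation address using the same --include set as the grep in Step 1, counts occurrences, and tags each address with a Step 2 type. The function names are hypothetical, and the type mapping is an assumption built only from the example addresses in the table.

```shell
# Added example: inventory @ucco.foundation addresses and tag each with a
# Step 2 type. The name lists are only the examples from the Step 2 table
# (an assumption); any other local part is reported as UNCLASSIFIED so a
# human decides whether it becomes an account, an alias, or gets removed.

classify_local_part() {
    case "$1" in
        admin|press|security)  echo "operational" ;;
        noreply|notifications) echo "role-based" ;;
        kevin|antony|tania)    echo "board-member" ;;
        api|worker)            echo "functional" ;;
        *)                     echo "UNCLASSIFIED" ;;
    esac
}

# audit_addresses DIR
# Prints "count<TAB>address<TAB>type", one line per distinct address.
audit_addresses() {
    # -o prints only the matched address, -h drops file names, -i catches
    # mixed-case spellings; the escaped dot keeps the domain match literal.
    grep -rhoiE '[a-z0-9._+-]+@ucco\.foundation' \
        --include='*.js' --include='*.ts' --include='*.jsx' \
        --include='*.tsx' --include='*.md' --include='*.toml' \
        --include='*.json' --include='*.html' --include='*.css' "$1" \
    | tr '[:upper:]' '[:lower:]' | sort | uniq -c \
    | while read -r count addr; do
        printf '%s\t%s\t%s\n' "$count" "$addr" \
            "$(classify_local_part "${addr%@*}")"
      done
}
```

Run it as `audit_addresses .` from the project root; UNCLASSIFIED rows are the ones to resolve before creating anything in the new Workspace.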
Step 3: Set up the new Workspace
- Activate Google Workspace for Nonprofits on ucco.foundation
- Create the admin@ account as primary
- Create board member accounts
- Create aliases for role-based and functional addresses
- Configure SPF, DKIM, DMARC (copy current config, tighten DMARC to p=reject)
- Verify all mail flow
Step 4: Wire ops
Build Email Management surface in ops.ucco.foundation:
- Uses Google Admin SDK (Directory API) via service account with domain-wide delegation
- directory.users.insert() — create new user account
- directory.users.aliases.insert() — add alias to existing account
- directory.users.aliases.delete() — remove alias
- directory.users.list() — list all users on the domain
- directory.users.aliases.list() — list all aliases for a user
Ops page shows:
```
Email Accounts — ucco.foundation
┌──────────────────────────┬──────────┬─────────────────────┐
│ Address                  │ Type     │ Mailbox             │
├──────────────────────────┼──────────┼─────────────────────┤
│ admin@ucco.foundation    │ account  │ admin               │
│ press@ucco.foundation    │ alias    │ → admin             │
│ security@ucco.foundation │ alias    │ → admin             │
│ kevin@ucco.foundation    │ account  │ kevin               │
│ jimmy@ucco.foundation    │ account  │ jimmy               │
└──────────────────────────┴──────────┴─────────────────────┘
```
Self-service pattern: onboard a board member → create account in ops → they get name@ucco.foundation with full Gmail access → credentials sent to their private email.
Step 5: Cut over from ucca.edu.au
- Remove ucco.foundation as secondary domain from ucca.edu.au Workspace
- MX records stay pointing to Google (new Workspace is still Google, just isolated)
- Verify no mail loss during transition (test with external sender)
- Update Google Admin "Skip Google MX" if needed during transition
- Confirm DKIM key is regenerated for the new Workspace
- Update SPF if needed
Step 6: Decommission
- Remove ucco.foundation domain from ucca.edu.au Workspace
- Confirm no residual routing
- Update ops to reflect isolated state
- Close the loop
DMARC Hardening (do before seed letters)
Current: v=DMARC1; p=none; rua=mailto:admin@ucco.foundation
Before any public-facing email goes out (seed letters, press releases), tighten to:
This prevents anyone spoofing @ucco.foundation emails. A standards foundation with p=none DMARC is embarrassing. Do this regardless of which phase you're in.
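A pre-send gate for this section, as an added shell example that is not part of the original roadmap: it parses a DMARC TXT record and passes only when p=reject covers the domain, its subdomains (sp) and all mail (pct). The sp and pct checks go beyond what the page states, the function names are hypothetical, and SAMPLE_REJECT is a constructed record, not the roadmap's own hardened record.

```shell
# Added example: refuse to send public mail until DMARC is enforcing.
# Live lookup (needs network): dig +short TXT _dmarc.ucco.foundation

CURRENT_RECORD='v=DMARC1; p=none; rua=mailto:admin@ucco.foundation'   # from this page
SAMPLE_REJECT='v=DMARC1; p=reject; rua=mailto:admin@ucco.foundation'  # constructed sample

# dmarc_tag RECORD TAG -> prints TAG's value in lower case, or nothing.
# Spaces and the double quotes that dig wraps around TXT data are stripped.
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -F= -v want="$2" '
        { k = $1; v = $2; gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v) }
        tolower(k) == want { print tolower(v); exit }'
}

# dmarc_check RECORD -> prints "ok" and returns 0 only when the policy is
# reject for the domain, its subdomains and all mail; otherwise prints the
# first reason it is not and returns 1.
dmarc_check() {
    [ "$(dmarc_tag "$1" v)" = "dmarc1" ] || { echo "not a DMARC record"; return 1; }
    p=$(dmarc_tag "$1" p)
    [ "$p" = "reject" ] || { echo "p=${p:-missing}, want p=reject"; return 1; }
    sp=$(dmarc_tag "$1" sp)    # subdomain policy; inherits p when absent
    [ -z "$sp" ] || [ "$sp" = "reject" ] || { echo "sp=$sp weakens subdomains"; return 1; }
    pct=$(dmarc_tag "$1" pct)  # share of mail the policy applies to; default 100
    [ -z "$pct" ] || [ "$pct" = "100" ] || { echo "pct=$pct is partial enforcement"; return 1; }
    echo "ok"
}
```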
Cost summary
| Phase | Cost | Timeline |
|---|---|---|
| Phase 1 (now) | $0 | Current |
| Kentucky incorporation | ~$47 | When names confirmed |
| EIN | $0 | Instant after incorporation |
| 501(c)(3) filing | $275 | After EIN |
| Google for Nonprofits | $0 | After 501(c)(3) determination |
| Workspace for Nonprofits | $0/user/month | After Google approval |
| Google Ad Grants bonus | +$10,000/month free advertising | After Google approval |
Total cost to get enterprise-grade isolated email for the foundation: $322 + ~$47 incorporation.
Roadmap: UCCO-Email-Infrastructure-Roadmap-v1
Author: Pace (Claude, Anthropic)
Date: 15 March 2026, Session 7
Status: Roadmap captured. No immediate action required.