Email Consolidation Plan
Created: 2026-05-24
Owner: Ron Davis (ron@vell.ai)
Status: Phase 0 in progress (DFW aliases); Phases 1-5 deferred until post-2026-06-23
This document is the canonical plan for consolidating ~15 paid Google Workspace seats into ~4 user accounts plus aliases. Goal: efficiency (cost reduction) + effectiveness (cleaner identity architecture aligned with the canonical email identities memory).
1. Current state (2026-05-24)
Mail provider routing
| Domain | MX target | Provider |
|---|---|---|
| vell.ai | aspmx.l.google.com | Google Workspace |
| knowan.com | aspmx.l.google.com | Google Workspace |
| itsrondavis.com | aspmx.l.google.com | Google Workspace |
| vell.io | inbound-smtp.us-east-1.amazonaws.com | AWS SES Inbound (not Workspace — Workspace accounts are zombies for historical mail only) |
Google Workspace user list (~15 paid seats)
| # | Email | Display name | Last sign-in | Storage |
|---|---|---|---|---|
| 1 | agent01@vell.ai | Agent OpenClaw01 | A month ago | 0.001 GB |
| 2 | aws-mp@vell.ai | AWS Marketplace | Over a year ago | 0.004 GB |
| 3 | hello@knowan.com | Knowan Care | 2 years ago | 1.08 GB |
| 4 | proaudiovisual.sales@vell.ai | Pro Audio Visual | Over a year ago | 0 GB |
| 5 | ron@knowan.com | Ron Davis | 2 years ago | 1.34 GB |
| 6 | ron@vell.ai | Ron Davis | 2 months ago* | 0.09 GB |
| 7 | ron@itsrondavis.com | Ron Davis | 2 years ago | 0.001 GB |
| 8 | admin@vell.io | Ron Davis | A month ago | 0.17 GB |
| 9 | ron@vell.io | Ron Davis | A month ago | 0.18 GB |
| 10 | pay@vell.io | Vell LLC | 2 months ago | 0.001 GB |
| 11 | admin@vell.ai | Vell AI | 1 week ago | 0.002 GB |
| 12 | no-reply@vell.ai | Vell No Reply | A year ago | 0 GB |
| 13 | ops@vell.ai | Vell AI Operations | 8 months ago | 0 GB |
| 14 | security@vell.ai | Vell AI Security | 8 months ago | 0 GB |
| 15 | billing@vell.ai | Vell AI Billing | 8 months ago | 0 GB |
* Ron Davis ron@vell.ai last sign-in 22 minutes ago at time of this document creation.
2. Target state (4 paid seats + ~12 aliases)
Active user accounts (paid seats)
ron@vell.ai — Founder/personal identity
- Aliases (all → ron@vell.ai mailbox):
  - support@vell.ai (NEW — DFW)
  - hello@vell.ai (NEW — DFW)
  - waitlist@vell.ai (NEW — optional, for performance simulator form)
  - ron@knowan.com (consolidate Knowan brand)
  - hello@knowan.com (consolidate Knowan brand)
  - ron@itsrondavis.com (personal domain)
admin@vell.ai — Operations/system/billing identity
- Aliases:
  - aws-mp@vell.ai
  - proaudiovisual.sales@vell.ai
  - ops@vell.ai
  - security@vell.ai (RFC 9116 — vulnerability researchers email security@ first)
  - billing@vell.ai
agent01@vell.ai — OpenClaw agent (own login required)
- Keep as separate user — agent needs its own identity for Telegram + Kajabi MCP integration
no-reply@vell.ai — (decision pending)
- Keep as separate user only if the Laravel app needs to send authenticated mail FROM this address with proper SPF/DKIM/DMARC. Otherwise alias on admin@vell.ai.
Zombie accounts (delete after audit)
These Google Workspace users have @vell.io emails, but vell.io mail now routes through AWS SES. The Workspace mailboxes are storing historical mail only. Decision per account: archive + delete, or keep for legal hold.
- ron@vell.io
- admin@vell.io
- pay@vell.io
3. Cost impact
- Current annual cost: ~$210/mo (15 seats × $14 Business Standard) = $2,520/yr
- Target annual cost: ~$56/mo (4 seats × $14) = $672/yr
- Annual savings: ~$1,848/yr (assumes Business Standard; verify actual plan in admin → Billing)
If most retained accounts could downgrade to Business Starter ($7/mo with 30GB), savings extend further.
4. Phased rollout
| Phase | Window | Effort | Risk | Status |
|---|---|---|---|---|
| 0. DFW aliases (support@, hello@, waitlist@vell.ai) on ron@vell.ai | 2026-05-24 | 5 min | Zero (additive, same-domain) | DONE 2026-05-24 |
| 1.5a. Workspace DKIM for vell.ai | 2026-05-24 | 15 min | Low | DONE 2026-05-24 — verified PASS in Gmail header |
| 1.5b. SPF + DMARC for knowan.com (via R53 CLI) | 2026-05-24 | 30 sec via CLI | Low | DONE 2026-05-24 — propagated in <30 sec |
| 1.5c. Workspace DKIM for knowan.com | This week | 5 min (2 browser + 30 sec CLI) | Low | Pending — needs admin.google.com Authenticate email step |
| 1.5d. SPF + DMARC + DKIM for itsrondavis.com (Cloudflare) | Post-DFW | 15 min | Low | Pending — needs Cloudflare API token OR manual dashboard |
| 1. SaaS dependency audit (table in §5) | 2026-05-24 → 2026-06-22 | 30 min | Zero (read-only) | Pending |
| 2. Add consolidation aliases to admin@vell.ai | Post-DFW | 1 hr | Blocked until Phase 4 — see §9 (alias-user collision) | Pending |
| 3. Migrate SaaS logins off retiring accounts | Post-DFW | 2-4 hr | Medium | Pending |
| 4. Google Takeout export + delete zombie users (unlocks Phase 2 aliases) | Post-DFW | 1 hr | Medium (irreversible) | Pending |
| 5. Downgrade Workspace plan / reduce seats | After step 4 | 15 min | Low (billing) | Pending |
5. SaaS dependency audit (Phase 1) — fill in before Phase 3
For each account being retired, list every external service where it's used as a login or contact. Don't delete the Workspace user until every row below has been migrated.
| Account | Used as login for… | Receipts/notifications from… | Action |
|---|---|---|---|
| ron@knowan.com | (TBD) | (TBD) | Update logins to ron@vell.ai, then alias |
| hello@knowan.com | (TBD) | (TBD) | Alias to ron@vell.ai |
| ron@itsrondavis.com | (TBD) | (TBD) | Alias to ron@vell.ai |
| ron@vell.io | M365 admin login, possibly AWS root? | (TBD) | Critical — check before any change |
| admin@vell.io | (TBD — possibly Apple ID?) | QBO receipts (per memory) | Critical — check before any change |
| pay@vell.io | (TBD) | Stripe receipts, AWS Marketplace receipts | Aliasable to admin@vell.ai if no logins |
| aws-mp@vell.ai | (TBD) | AWS Marketplace seller notifications | Alias to admin@vell.ai |
| proaudiovisual.sales@vell.ai | (TBD) | (TBD) | Alias to admin@vell.ai |
| ops@vell.ai | (TBD) | (TBD) | Alias to admin@vell.ai |
| security@vell.ai | (TBD) | (TBD) | Alias to admin@vell.ai |
| billing@vell.ai | (TBD) | Stripe, AWS billing, M365 billing | Alias to admin@vell.ai |
| no-reply@vell.ai | App outbound only | n/a | Decide: keep user vs alias |
Common SaaS to check (per account):
- AWS (root, IAM, Marketplace seller, Partner Central)
- Stripe (admin, billing receipts)
- GitHub (account, org owner)
- HubSpot (user, billing)
- DocuSign (account)
- Apple ID (Mac App Store, iCloud)
- Slack / Notion / Linear / Figma (workspace memberships)
- OpenAI / Anthropic / Bedrock (account billing)
- GoDaddy (domain registrar)
- AWS Marketplace seller profile
- QBO / Intuit (accounting platform)
- Auth0 / Cognito identities
- Zoom, Loom (paid subscriptions)
- M365 (the 1 Business Standard license — currently uses admin@vell.io)
6. Critical gotchas to watch for
- AWS root account email is hard to change. If any retiring email is on an AWS root account, change it BEFORE deleting the Workspace user. Recovery without root access requires AWS support tickets that can take days.
- Domain registrar (GoDaddy). Domain transfers and DNS changes often require email confirmation to the registrant email. Ensure the GoDaddy account login isn't on a retiring email.
- 2FA recovery. Many SaaS accounts use email for 2FA recovery. If you lose access to the recovery email, you lose access to the account.
- M365 Business Standard subscription. Currently signed in as admin@vell.io. Don't delete the Workspace admin@vell.io user without first verifying whether the M365 login is the same identity or independent.
- Apple ID consolidation. Per session 2026-05-24, user noted iCloud is on kalgary1@gmail.com. Don't conflate with this consolidation — Apple ID cleanup is a separate effort.
7. Open questions
- What Google Workspace plan is actually in effect? Check admin.google.com → Billing. Determines real cost savings.
- Does no-reply@vell.ai need to remain a user (for app outbound auth) or can it be an alias? Check Laravel app MAIL_FROM_ADDRESS and SES configuration.
- Are any *@vell.io Workspace users needed for legal hold of historical mail? Consult retention policy before deletion.
- Should security@vell.ai route to a separate inbox (vulnerability disclosure isolation) or alias to admin@vell.ai? Industry convention says either works; defaults to alias for now.
8. Email auth setup (Phase 1.5) — DKIM/SPF/DMARC per domain
Why this is its own phase: outbound replies from cross-domain aliases will spam-folder or get rejected if the From-domain lacks SPF, DKIM, and DMARC. The audit on 2026-05-24 found:
| Domain | SPF | DKIM (Workspace selector) | DMARC | Verdict |
|---|---|---|---|---|
| vell.ai | ✓ v=spf1 include:_spf.google.com include:amazonses.com ~all | ❌ MISSING at google._domainkey.vell.ai (only SES + Mailchimp DKIM are published) | ✓ p=quarantine w/ reporting | Deliverable today via SPF alignment, but adding Workspace DKIM is high-value cheap-win |
| knowan.com | ❌ none | ❌ none | ❌ none | Cross-domain aliases unsafe to send-from |
| itsrondavis.com | ❌ none | ❌ none | ❌ none | Cross-domain aliases unsafe to send-from |
8a. Workspace DKIM for vell.ai ✓ DONE 2026-05-24
- admin.google.com → Apps → Google Workspace → Gmail → Authenticate email
- Select domain vell.ai
- Click Generate new record → choose 2048-bit key (modern default)
- Workspace shows you a TXT record:
  - Host: google._domainkey.vell.ai
  - Value: v=DKIM1; k=rsa; p=MIIBIjANBg...(long key)
- AWS Console → Route 53 → vell.ai hosted zone → Create record
  - Record name: google._domainkey
  - Type: TXT
  - Value: paste the entire v=DKIM1... value (Route 53 handles quoting automatically)
  - TTL: 3600
- Wait 5-10 min for propagation. Verify with: dig +short TXT google._domainkey.vell.ai
- Back in Workspace admin → click Start authentication
- Workspace confirms verification — outbound vell.ai mail now signs with DKIM
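The record from the steps above can also be published through the CLI. This added example (not part of the original plan) builds the change batch for `aws route53 change-resource-record-sets`, splitting the value into quoted strings of at most 255 bytes, which a 2048-bit key always needs, and reassembles `dig +short TXT` output for comparison with the value Workspace shows. The function names and the key are hypothetical placeholders.

```python
import json
import re

MAX_TXT_STRING = 255  # RFC 1035: one TXT character-string holds at most 255 bytes


def txt_rdata(value: str) -> str:
    """Render a TXT value as Route 53 rdata: quoted strings of <=255 bytes each."""
    raw = value.strip()
    if '"' in raw or not raw.isascii():
        raise ValueError("paste the bare value, without quotes or non-ASCII characters")
    chunks = [raw[i:i + MAX_TXT_STRING] for i in range(0, len(raw), MAX_TXT_STRING)]
    return " ".join('"%s"' % c for c in chunks)


def reassemble(rdata: str) -> str:
    """Join the quoted strings as a verifier does; also works on `dig +short TXT` output."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def dkim_change_batch(name: str, dkim_value: str, ttl: int = 3600) -> dict:
    """Build the change batch for `aws route53 change-resource-record-sets`."""
    if not dkim_value.startswith("v=DKIM1;") or "p=" not in dkim_value:
        raise ValueError("not a DKIM1 key record")
    return {
        "Comment": "Workspace DKIM selector",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": txt_rdata(dkim_value)}],
            },
        }],
    }


# Constructed placeholder: 392 base64 characters is the size of a 2048-bit RSA key,
# but this is NOT a real key. Paste the value Workspace generates instead.
PLACEHOLDER_VALUE = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    batch = dkim_change_batch("google._domainkey.vell.ai.", PLACEHOLDER_VALUE)
    print(json.dumps(batch, indent=2))
    # Save as dkim.json, then (the hosted zone ID is a placeholder):
    #   aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> \
    #       --change-batch file://dkim.json
```

After propagation, `reassemble()` applied to the `dig +short TXT` output should equal the value Workspace displayed, character for character.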
8b. knowan.com email auth — SPF + DMARC DONE 2026-05-24 via CLI; DKIM pending
SPF + DMARC published via aws route53 change-resource-record-sets (zone Z2QMVXGS3MJYF1) and verified resolving in <30 sec:
| Record name | Type | Value | TTL | Status |
|---|---|---|---|---|
| knowan.com. (apex) | TXT | v=spf1 include:_spf.google.com ~all | 3600 | ✓ Live |
| _dmarc.knowan.com. | TXT | v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@vell.ai; fo=1 | 3600 | ✓ Live |
| google._domainkey.knowan.com. | TXT | (generate via admin.google.com → Authenticate email → select knowan.com) | 3600 | Pending — 2 min browser + 30 sec CLI |
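A check over the three record types in the table above, as an added example (not part of the original plan): it takes TXT answers that have already been fetched and lists what is still missing, including the RFC 7489 external-reporting authorization that applies when `rua` points at a different domain. `parse_tags`, `audit_domain` and `SAMPLE_TXT` are hypothetical names. The sample input is constructed from the knowan.com rows above and contains no vell.ai zone data, so the reporting finding reflects the sample rather than a live lookup.

```python
def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DKIM or DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain: str, txt: dict) -> list:
    """List what is missing. `txt` maps owner name -> TXT values already fetched."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none = no SPF; more than one = permerror at the receiver
        findings.append("SPF: expected exactly one v=spf1 record, found %d" % len(spf))
    elif "include:_spf.google.com" not in spf[0].split():
        findings.append("SPF: Workspace is not an authorised sender")
    selector = "google._domainkey." + domain
    if not any(parse_tags(r).get("p") for r in txt.get(selector, [])):
        findings.append("DKIM: no public key published at " + selector)
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])
             if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: expected exactly one record, found %d" % len(dmarc))
        return findings
    policy = dmarc[0]
    if policy.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s is not enforcing" % policy.get("p"))
    for uri in (u.strip() for u in policy.get("rua", "").split(",")):
        if not uri.lower().startswith("mailto:"):
            continue
        host = uri[len("mailto:"):].split("!")[0].rsplit("@", 1)[-1].lower()
        # Simplification: receivers compare Organizational Domains (RFC 7489, 7.1).
        if host == domain or host.endswith("." + domain):
            continue
        auth = "%s._report._dmarc.%s" % (domain, host)
        if not any(r.startswith("v=DMARC1") for r in txt.get(auth, [])):
            findings.append("DMARC: rua is at %s; needs TXT v=DMARC1 at %s" % (host, auth))
    return findings


# Constructed input: the knowan.com records listed above, with no DKIM key yet.
SAMPLE_TXT = {
    "knowan.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.knowan.com": ["v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@vell.ai; fo=1"],
}
if __name__ == "__main__":
    print("\n".join(audit_domain("knowan.com", SAMPLE_TXT)))
```

An empty result for a domain corresponds to the state section 8d requires before enabling send-from on its aliases.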
8c. itsrondavis.com email auth (15 min — Cloudflare)
itsrondavis.com is on Cloudflare (dash.cloudflare.com → itsrondavis.com → DNS). Same three records as knowan.com (just a different DNS UI to add them in).
8d. Cross-domain aliases become safe to send-from
After 8b and 8c are propagated and authentication is "Started" in Workspace, the following aliases can be safely added on ron@vell.ai:
- ron@knowan.com
- hello@knowan.com
- ron@itsrondavis.com
Until then, they can be added as receive-only aliases (default behavior — Gmail doesn't auto-enable "Send mail as" for new aliases) without breaking anything.
9. Alias-user collision constraint (Phase 2 sequencing)
Discovered 2026-05-24 when attempting to add aliases on admin@vell.ai. Google Workspace blocks alias creation if the target address already exists as a standalone user — sensible (the address can't route to two mailboxes), but it constrains Phase 2 sequencing.
Phase 2 aliases targeting admin@vell.ai that CURRENTLY FAIL (all six are existing users):
- aws-mp@vell.ai (user: AWS Marketplace)
- proaudiovisual.sales@vell.ai (user: Pro Audio Visual)
- ops@vell.ai (user: Vell AI Operations)
- security@vell.ai (user: Vell AI Security)
- billing@vell.ai (user: Vell AI Billing)
- no-reply@vell.ai (user: Vell No Reply)
Correct sequence to unblock:
1. Phase 1: SaaS audit identifies any service using these as a login
2. Phase 3: migrate those logins to a kept user
3. Phase 4: Google Takeout each → delete the user account
4. THEN add as alias on admin@vell.ai (collision gone — alias creates cleanly)
Memory: [[workspace-alias-user-collision]] saved 2026-05-24 so future sessions avoid suggesting "just add aliases" before this sequence runs.
10. Scheduling tool decisions (2026-05-24)
Both Calendly and HubSpot Meetings are kept in the stack. Decision rationale:
| Tool | Use for | Binding |
|---|---|---|
| Calendly | External partner-facing scheduling — DFW follow-ups, podcast/press bookings, public booking link on the DFW handout if added later | ron@vell.ai Google Calendar; Zoom → admin@vell.io |
| HubSpot Meetings | Internal/CRM-tracked scheduling — existing pipeline contacts, team scheduling if/when hired, anything that benefits from auto-capture to a HubSpot contact record | ron@vell.ai Google Calendar (same as above — no double-booking); Zoom → admin@vell.io |
Both bind to the same Google Calendar so there's no double-booking risk.
Critical Zoom-binding gotcha to watch for
When connecting Calendly + HubSpot Meetings + Google Calendar each to Zoom (three separate OAuth flows), they ALL must point at the same Zoom account — admin@vell.io. Failure modes:
- Accidentally OAuthing to the old AWS Amazon Zoom account (dies 2026-06-05)
- Accidentally OAuthing to a stale personal Zoom from another email
- One tool silently uses a different Zoom while others use the right one → inconsistent meeting links → partial first-impression failures
Verification after each OAuth (30 sec per tool):
1. Create a test meeting in the tool
2. Click the Zoom link
3. Look at the host name shown briefly before entry — should be admin@vell.io display name
4. If you see "Amazon" or AWS branding, disconnect Zoom in that tool's settings and reconnect with admin@vell.io credentials
11. Session log — 2026-05-24
Wins shipped:
| Item | Surface | Status |
|---|---|---|
| DFW handout page + QR + print stylesheet | dev branch commits 852ee949b, 66ff7718e | Live at dev.vell.ai/dfw-handout |
| vell.io → vell.ai cleanup migration + blade/JSON edits | dev branch commit 111f6cbbc | Pending promotion to main |
| vell.ai aliases (support@, hello@, waitlist@) on ron@vell.ai | Google Workspace | ✓ Saved |
| Google Workspace DKIM for vell.ai | R53 google._domainkey.vell.ai | ✓ Verified PASS in Gmail header |
| knowan.com SPF + DMARC | R53 via CLI | ✓ Propagated <30 sec |
| Identity architecture per tool | Memory reference_identity_architecture_per_tool.md | Saved |
| Marketing-first positioning anchor | Memory project_marketing_first_positioning.md | Saved |
| Take-action preference for system-driven work | Memory feedback_take_action_on_system_driven_tasks.md | Saved |
| Workspace alias-user collision constraint | Memory feedback_workspace_alias_user_collision.md | Saved |
| Calendly + HubSpot Meetings split (this doc §10) | This doc | Saved |
Rabbit holes avoided / corrected:
- Microsoft Entra vell.ai verification (vell.ai is Google Workspace, not M365 — confirmed via MX dig)
- Adding vell.ai to M365 to enable Zoom-in-Outlook add-in (not needed — Google Calendar native Zoom integration is the right path for ron@vell.ai meetings)
Pending browser tasks (ranked by ROI):
1. Install Zoom for Google Workspace add-on → https://workspace.google.com/marketplace/app/zoom_for_google_workspace_add_on/364750910244 (5 min)
2. Verify Zoom appears as a conferencing option in Google Calendar event creation (2 min)
3. Verify Calendly + HubSpot Meetings both connect to admin@vell.io Zoom (see §10 gotcha)
4. Update Outlook signature: "Director of Technology" → "Founder, Vellocity" (3 min, do after 2026-06-05 resignation)
5. Archive the Microsoft "Please update DNS settings for vell.ai" email — leftover from the Entra rabbit hole (30 sec)
6. Generate Workspace DKIM for knowan.com (2 min browser → paste value here → I add R53 record via CLI)
12. Related context
- Canonical email identities (memory) — provider mapping + role split; vell.ai/knowan.com/itsrondavis.com on Google Workspace; vell.io on AWS SES inbound; M365 only for 1 Office license
- Identity architecture per tool (memory) — ron@vell.ai = personal/not-delegatable; admin@vell.ai = ops/delegatable to VA; table of which tool maps to which identity
- Marketing-first positioning (memory) — marketing/media company that happens to have software; anchor at docs/marketing/VELLOCITY_MEDIA_GROWTH_STRATEGY.md:5
- Take action on system-driven tasks (memory) — when CLI-doable, do it (don't walk Ron through); reserve walkthroughs for browser-only admin
- Workspace alias-user collision (memory) — alias add blocked when target is an existing user; consolidation sequence audit→migrate→delete-user→THEN alias
- Infrastructure rabbit holes (memory) — pattern to watch when Ron starts adjacent cleanup mid-task; bias to minimum-viable-path
- Founder transition (memory) — financial countdown context (~$14K liquid, last day 2026-06-05) favors $1.8K/yr savings on Workspace consolidation
- AWS→Vell tooling parallel (memory) — Outlook + Zoom add-in muscle memory; the meeting workflow that triggered this whole consolidation
- DFW handout 2026-06-23 (memory) — the deadline driving Phase 0 prioritization
- DFW handout artifact — print/PDF source for the handout shipped to dev