Web Portals & Email
Domain portfolio, email infrastructure, DNS management — MC #100609 gap analysis and ops execution

Gap Analysis & 2026-05-14 Ops
Web Portals & Email — Gap Analysis & 2026-05-14 Ops 

 Source: MC #100609 (parent audit) + verifier-confirmed evidence + CEO decisions log 2026-05-14 
 Ops execution: MC #100619 (DONE, 5/5 PASS), MC #100618 (PARTIAL — ops 2-3 BLOCKED) 

 

 Executive Summary 

 ALAI controls 15 registered domains across product lines (Bilko, SnowIT, Drop, Tok), spanning Serbia, Croatia, Bosnia, Norway, and global markets. Audit MC #100609 identified: 
 
 Cloudflare Access login walls blocking public www.alai.no + www.basicconsulting.no (FIXED 2026-05-14) 
 Split-brain email risk: 5 domains retained stale one.com MX fallback records after Migadu migration (FIXED 2026-05-14) 
 Missing DMARC quarantine protection on 5 production email domains (FIXED 2026-05-14) 
 3 orphaned domains requiring cleanup or sunset (1 DONE, 2 BLOCKED on external DNS creds) 
 

 Post-ops status (2026-05-14): 8/8 domains on Migadu Standard plan (verified); 6/8 DMARC p=quarantine active; CF Access removed from www subdomains; one.com MX cleaned up on all domains. Two external partner domains (merdzanovic.ba, freemyev.com) blocked pending DNS provider access. 

 

 Domain Inventory — LIVE / PLACEHOLDER / BROKEN / MISSING 

 Production Domains (8 active email + web) 

 
 
 
 Domain 
 Status 
 Primary Use 
 CF Zone 
 Migadu Email 
 DMARC 
 
 
 
 
 alai.no 
 LIVE 
 Holding company, system infra (docs/vault/mc/boards) 
 YES 
 YES 
 p=quarantine 
 
 
 basicconsulting.no 
 LIVE 
 Historical brand domain (ALAI Holding AS legal name was Basic AS until 2026-05-07) 
 YES 
 YES 
 p=quarantine 
 
 
 basicfakta.no 
 LIVE 
 Historical client portal (parked) 
 TBD 
 YES 
 p=quarantine 
 
 
 bilko.io 
 LIVE 
 Bilko Serbia market (canonical) 
 YES 
 YES 
 p=quarantine 
 
 
 bilko.cloud 
 LIVE 
 Bilko Croatia market (canonical, NOT bilko.hr) 
 TBD 
 YES (added 2026-05-14) 
 TBD 
 
 
 bilko.company 
 LIVE 
 Bilko Bosnia market (canonical, NOT bilko.ba) 
 TBD 
 YES (added 2026-05-14) 
 TBD 
 
 
 snowit.ba 
 LIVE 
 SnowIT SMB market 
 YES 
 YES 
 p=quarantine (pre-existing) 
 
 
 enterprise.snowit.ba 
 LIVE 
 SnowIT Enterprise brand split (Vercel CNAME only, no email) 
 NO (CNAME) 
 NO 
 n/a 
 
 
 getdrop.no 
 LIVE 
 Drop fintech (canonical, NOT drop.no which is TV2 Norway) 
 TBD 
 YES 
 p=quarantine 
 
 
 tokapi.io 
 LIVE 
 Tok API infrastructure 
 YES 
 TBD 
 TBD 
 
 
 

 Partner / Legacy Domains (cleanup pending) 

 
 
 
 Domain 
 Status 
 Owner 
 Action 
 
 
 
 merdzanovic.ba 
 BROKEN (404) 
 Enis Merdžanović (SnowIT partner, globaldns.com) 
 BLOCKED — awaiting DNS access (MC #100618 op2) 
 
 
 freemyev.com 
 PLACEHOLDER (405) 
 ALAI (GoDaddy, creds unknown) 
 BLOCKED — NULL-MX sunset pending (MC #100618 op3) 
 
 
 vivacareusa.com/.net/.org 
 DELETED 
 ALAI (superseded by LumisCare) 
 DONE — file tree deleted 2026-05-14 (MC #100618 op1) 
 

 

 

 Bilko Market Domain Mapping (CEO 2026-05-14 Clarification) 

 CEO confirmed canonical domains per market. Do NOT pursue bilko.hr (unrelated Croatian firm, expires 2026-12-14). Do NOT pursue bilko.rs/.ba/.no (unregistered; deferred decision on brand protection). 

 
 
 
 Market 
 Canonical Domain 
 Owned 
 Notes 
 
 
 
 
 Serbia 
 bilko.io 
 YES 
 NOT bilko.rs (unregistered, MC #100124) 
 
 
 Croatia (HR) 
 bilko.cloud 
 YES 
 NOT bilko.hr (BILKO d.o.o. Zagreb, unrelated firm, expires 2026-12-14) 
 
 
 Bosnia (BiH) 
 bilko.company 
 YES 
 NOT bilko.ba (unregistered) 
 
 
 Norway 
 none 
 NO 
 bilko.no unregistered (brand protection gap, deferred decision) 
 
 
 

 

 Email Infrastructure (Migadu) 

 Configuration 
 
 Provider: Migadu (https://admin.migadu.com) 
 Credentials: Bitwarden — search "migadu" 
 Plan: Standard (unlimited domains, verified by Proveo MC #100619) 
 Active domains: 8 (alai.no, basicconsulting.no, basicfakta.no, bilko.io, snowit.ba, getdrop.no, bilko.cloud, bilko.company) 
 MX format: 10 aspmx1.migadu.com / 20 aspmx2.migadu.com 
 

 2026-05-14 Cleanup — Stale one.com MX Removal 

 MC #100619 op2 removed 5 legacy one.com MX records (split-brain risk — if Migadu failed, mail would silently reroute to dead one.com inbox). 

 
 
 
 Domain 
 Removed Records 
 Verification 
 
 
 
 
 alai.no 
 100 c74jebhf4.mx.service.one. 
 PASS — dig +short MX alai.no returns only Migadu (2 records) 
 
 
 basicconsulting.no 
 4× 100 mx[1-4].pub.mailpod11-cph3.one.com. 
 PASS — dig +short MX basicconsulting.no returns only Migadu (2 records) 
 
 
 

 DMARC Policy Upgrade — p=quarantine 

 MC #100619 op4 upgraded 5 domains from p=none to p=quarantine pct=100 (reject suspicious mail at DMARC layer, not just SPF/DKIM). 

 
 
 
 Domain 
 Before 
 After 
 Verification 
 
 
 
 
 alai.no 
 p=none 
 p=quarantine 
 PASS — dig +short TXT _dmarc.alai.no returns v=DMARC1; p=quarantine; pct=100 
 
 
 basicconsulting.no 
 p=none 
 p=quarantine 
 PASS 
 
 
 basicfakta.no 
 p=none 
 p=quarantine 
 PASS 
 
 
 bilko.io 
 p=none 
 p=quarantine 
 PASS 
 
 
 getdrop.no 
 p=none 
 p=quarantine 
 PASS 
 
 
 snowit.ba 
 p=quarantine 
 (no change) 
 n/a — already compliant 
 
 
 bilko.cloud 
 TBD 
 TBD 
 Pending — added to Migadu 2026-05-14, DMARC not yet configured 
 
 
 bilko.company 
 TBD 
 TBD 
 Pending — added to Migadu 2026-05-14, DMARC not yet configured 
 
 
 

 

 Cloudflare Access Status (post 2026-05-14) 

 Issue (MC #100609 Claim A — CONFIRMED HIGH by verifier) 
 www.alai.no and www.basicconsulting.no returned HTTP 302 redirect to cloudflareaccess.com login wall instead of landing pages. Public visitors saw auth gate. 

 Fix (MC #100619 op1) 
 Applied CF Access bypass policies to both www apps. Post-fix curl verification: 
 
 www.alai.no: HTTP/2 522 (origin connection timeout — no 302 to cloudflareaccess.com) 
 www.basicconsulting.no: HTTP/2 404 (Vercel DEPLOYMENT_NOT_FOUND — no 302 to cloudflareaccess.com) 
 

 Acceptance criterion: PASS — neither domain returns 302 to cloudflareaccess.com. 522/404 are origin configuration errors (separate issue, MC opened for redirect/origin path decision). 

 Known Issue (post-fix) 
 www subdomain origins return 522 (alai.no) or 404 (basicconsulting.no) instead of canonical redirect to apex or landing page. Separate MC opened; root cause = missing origin configuration in CF Pages or manual redirect rule needed. 

 

 Park / Sunset Decisions (CEO 2026-05-14) 

 
 
 
 Domain 
 Decision 
 Status 
 Notes 
 
 
 
 
 alaione.no (Lobby product) 
 PARK 
 NXDOMAIN — no action needed 
 Product inactive, never re-registered after expiry 
 
 
 fontelepay.com (Lobby) 
 PARK 
 NXDOMAIN — no action needed 
 Product inactive 
 
 
 rendrom.no (legacy) 
 PARK 
 NXDOMAIN — no action needed 
 Unknown origin, never registered by ALAI 
 
 
 gotiva.* (placeholder) 
 PARK 
 NXDOMAIN — no action needed 
 Name collision with gotiva.ba (video studio, unrelated) 
 
 
 freemyev.com 
 NULL-MX SUNSET 
 BLOCKED — GoDaddy creds needed 
 RFC 7505 NULL MX (0 .) + DMARC p=reject + SPF v=spf1 -all. Current: HTTP 405, AWS backend. MC #100618 op3 documented DNS changes. 
 
 
 vivacareusa (.com/.net/.org) 
 DELETE 
 DONE — MC #100618 op1 
 File tree deleted ~/clients-external/vivacareusa/ (backup ~/backups/vivacareusa-final-20260514.tar.gz). Domain ownership TBD. 
 
 
 merdzanovic.ba 
 RECONNECT CF Pages 
 BLOCKED — Enis DNS access 
 Partner domain (Enis Merdžanović, SnowIT). CF Pages project live (51deeb8e.merdzanovic-ba.pages.dev HTTP 200), custom domain failed DNS verification. Current DNS = Vercel (404 DEPLOYMENT_NOT_FOUND). MC #100618 op2 documented DNS changes for globaldns.com. 
 
 
 

 

 Squat Watchlist (defer purchase, monitor expiry) 

 
 
 
 Domain 
 Current Owner 
 Expires 
 Decision 
 
 
 
 
 plock.se 
 NEware AB (fruits.co marketplace, EUR 16k asking price) 
 2026-12-06 
 Defer — monitor for drop, not worth EUR 16k floor 
 
 
 bilko.hr 
 BILKO d.o.o. Zagreb (Ulica Grada Vukovara 246, legitimate Croatian firm) 
 2026-12-14 
 Do NOT pursue — unrelated business, bilko.cloud is canonical for HR market 
 
 
 drop.no 
 TV2 Norway (major broadcaster) 
 n/a 
 Not ALAI — we use getdrop.no 
 
 
 drop.app 
 Google (Charleston Road Registry, .app TLD operator) 
 n/a 
 Unobtainable — .app TLD controlled by Google 
 
 
 tok.no 
 transportbransjen.no (NEware AB) 
 2026-12-06 
 Cannot acquire imminently — we use tokapi.io 
 
 
 

 

 Pending CEO Action 

 
 Enis Merdžanović coordination (merdzanovic.ba): Provide globaldns.com panel access OR approve CF DNS transfer. Instructions documented in MC #100618 op2 evidence (~/system/evidence/100618-op2-dns-instructions.txt). 
 GoDaddy credentials (freemyev.com): Locate account access OR approve CF domain transfer. Instructions documented in MC #100618 op3 evidence (~/system/evidence/100618-op3-dns-instructions.txt). 
 www.alai.no + www.basicconsulting.no origin path decision: Separate MC opened (FlowForge queue). Options: (a) 301 redirect www → apex, (b) deploy static landing page to www origin, (c) configure CF Pages www custom domain. 
 

 

 Evidence References 

 
 Audit source: MC #100609 verifier transcript (atomic claims 6/7 HIGH confidence) — /private/tmp/claude-501/-Users-makinja/79c227d4-489c-48ca-9d81-4e3ac42922ff/tasks/a5326fb78f47469ec.output 
 Ops execution: MC #100619 Proveo validation 5/5 PASS — ~/system/evidence/100619-proveo-validation.txt + ~/system/evidence/100619-op[1-5]-*.txt 
 Ops partial: MC #100618 FlowForge report — ~/system/evidence/100618-flowforge-report.md + ~/system/evidence/100618-op1-*.txt + ~/system/evidence/100618-op2-*.txt + ~/system/evidence/100618-op3-*.txt 
 System-level infra map: ~/aisystem/DEPLOY-MAP.md sections 1-8 (Email & DNS extensions added 2026-05-14) 
 

 

 Published: 2026-05-14 | MC: #100613 | Author: Skillforge (John orchestrator)