# GoHighLevel Best Practices 2026 — Research Brief *Compiled 2026-07-09 · Workshop → Automations → GHL Cleanup & Audit · Feeds checklist item 0.3* > **Who this is for:** Chris (non-technical). Every technical term is spelled out in plain language. This is the "what good looks like" reference we'll audit the AnchorWorks GHL account against. > > **Our situation (the lens for everything below):** We do **not** use GHL's built-in Funnel Builder. Our funnels are hand-coded HTML sitting on Cloudflare. GHL is only the **plumbing behind** those pages — it holds the contacts, sends the emails and texts, runs the automations, moves deals through the pipeline. That "GHL as backend only" setup is a recognized, respected pattern (people call it "headless GHL"), so we're not doing anything weird — we just have to wire it correctly. --- ## TL;DR — the 8-12 things that matter most 1. **Our "headless" setup is a legit, named pattern.** GHL as the brain (contacts, automations, messaging) while a custom Cloudflare front-end is the face is exactly what sophisticated operators do. The trade-off: **a few things simply can't be built through the API — workflows/automations still have to be created by hand inside GHL.** Plan for that; don't expect to code everything. 2. **The bridge from our Cloudflare pages into GHL is the "Inbound Webhook."** A webhook = an automatic messenger. When someone submits our custom form, our page pings a special GHL URL and hands over the lead's details. GHL catches it and starts a workflow. This is the single most important wire in our whole setup, and it's the thing an audit must confirm is firing. 3. **Always capture where the lead came from (UTMs) and pass it into GHL with the contact.** UTMs are the little `?utm_source=...` tags on a link that say "this person came from the Facebook ad." If we don't pass them through the webhook, GHL has no idea where anyone came from and our attribution is blind. 4. **Tags = temporary state. Custom fields = permanent facts.** This is the #1 rule for a clean account. "Hot-lead," "awaiting-reply" = tags (things that change). "Company name," "HVAC vs plumbing," "lead source" = custom fields (facts that stick). Mixing them up is what turns an account into a junk drawer. 5. **Tag sprawl is the classic disease.** Three tags that mean the same thing — `New Lead`, `new-lead`, `lead_new` — is how it starts. Pick one naming style, write it down, and delete duplicates. Audit unused tags quarterly. 6. **Name every workflow on a strict pattern and never edit a live one directly.** Duplicate it, bump the version number, test the copy, then swap it in. That gives us an undo button. A good pattern for us: `[Trigger]_[What it does]_[vN]`, e.g. `Webhook_LeadIntake_v2`. 7. **A2P 10DLC is mandatory to send business texts — no registration, no delivery.** A2P 10DLC = the carriers' (Verizon/AT&T/T-Mobile) required "business texting license" for normal 10-digit numbers. As of 2025 the carriers **block 100% of unregistered text traffic**. You register a **Brand** (who we are) and a **Campaign** (what we'll text about). If our texting isn't registered, our automations are silently dead. 8. **Email now legally requires SPF, DKIM, and DMARC — this is not optional since Feb 2024.** These three are the "return address, tamper-proof seal, and enforcement rule" that prove our email is really from us. Google/Yahoo **reject** unauthenticated bulk mail, and in Nov 2025 they moved from "delay it" to "permanently bounce it." Also required: one-click unsubscribe, and keeping spam complaints under 0.3% (aim under 0.1%). 9. **The old GHL "API key" is dead — use a Private Integration Token (PIT) instead.** GHL's old API (v1) reached end-of-support Dec 31, 2025 and you can no longer create old-style API keys. New connections use a **PIT** — a scoped, revocable password you generate in Settings. **Audit action: find any old API keys, confirm what uses them, rotate to PITs, and rotate PITs every 90 days.** 10. **There's now an OFFICIAL GHL "MCP server" — this is what lets Claude Code read and act on our account.** MCP = the standard plug that lets an AI assistant talk to an app. GHL's official one lives at `services.leadconnectorhq.com/mcp/anthropic/v2`, works with Claude Code, and covers hundreds of operations across contacts, conversations, pipelines, calendars, etc. Realistic uses: auditing, reporting, bulk read/cleanup. **It's per-sub-account, scope-limited, and cannot build workflows** — so it's a great audit/reporting co-pilot, not a magic wand. 11. **GHL ships AI features almost weekly now** (Conversation AI for auto-replies, Voice AI that answers phone calls, "Ask AI" inside workflows). Useful to know they exist, but for us they're optional add-ons — not something the audit needs to chase. Treat as "nice to have," verify before relying on any specific claim. 12. **A well-run 2026 GHL account is boring on purpose:** one naming convention, tags-vs-fields discipline, versioned workflows, authenticated sending, registered texting, least-privilege logins with 2FA, and a quarterly clean-up. The checklist at the bottom is the yardstick. --- ## 1 · What changed in GoHighLevel in 2025-2026 **So what:** GHL is moving fast (near-weekly updates), and most of the change is AI plus a hard tightening of the API and sending rules. For us, the API and sending changes matter far more than the shiny AI toys. ### The changes that actually affect us - **API v1 is retired (Dec 31, 2025).** The old programmatic access method is end-of-support. Existing old connections may still limp along, but no fixes or support. Anything new must use API **v2** + a **Private Integration Token**. ([gohighlevel.com/post/deprecating-...v1][s-v1], [marketplace PIT docs][s-pit]) - **Private Integration Tokens (PIT) replace API keys.** More secure, scope-limited (you grant only the permissions the integration needs), and you can revoke a single one without breaking everything else. Recommendation from GHL: **rotate every 90 days**; unused legacy keys get auto-marked "Expired" after 90 days. ([marketplace PIT docs][s-pit]) - **Official MCP server launched (early 2026).** This is the sanctioned way for AI tools (including Claude Code) to touch the account. See section 3. ([GHL MCP docs][s-mcp]) ### The AI features (know they exist; verify before relying) - **Conversation AI** — a bot that auto-drafts/sends replies in SMS and web chat, now with memory across conversations and 30+ language transcription. Latency reportedly cut ~40% vs late-2025. ([gohighlevel.ai updates][s-updates], [netpartners][s-net]) - **Voice AI ("AI Employee")** — answers inbound phone calls like a receptionist, books appointments, writes what it learns back onto the contact record. Reportedly responds in under ~600ms and handles interruptions. Sold as an add-on (commonly cited around $97/mo for the AI Employee bundle). ([oneexpand review][s-voice], [gohighlevel.ai features][s-aifeatures]) - **Workflow AI / "Ask AI" inside workflows** — can pull structured data out of messy text (e.g. read a blob of form notes and extract a phone number) and answer "how's this workflow performing?" in plain English. Also: AI agents usable *inside* workflows via MCP. ([sawankr AI features][s-sawankr], [rsla changelog][s-rsla]) > **Honest caveat:** these AI claims come mostly from GHL-adjacent blogs and GHL's own marketing, and the numbers (latency, languages, price) drift month to month. Treat specific figures as "roughly true, verify in-app before we depend on one." Don't let AI features distract from the plumbing audit. --- ## 2 · The "GHL as backend / headless" pattern (this is us) **So what:** This whole section describes what AnchorWorks already does. The goal of the audit is to make sure we do it *cleanly*. ### The mental model - **GHL = the brain.** Contacts, workflows, email/SMS sequences, pipelines, reporting. There is no good replacement for GHL's automation engine, so this stays. ([zeon headless guide][s-headless]) - **Cloudflare + hand-coded HTML = the face.** Faster pages (operators report 90-100 PageSpeed vs 20-45 for native GHL pages), full design control, no GHL Funnel Builder clunk. ([zeon headless guide][s-headless]) - **The wire between them = webhooks + the v2 API.** ### How a lead gets from our page into GHL (the critical path) There are two ways, and we should know both: 1. **The Inbound Webhook (recommended for custom HTML).** In a GHL workflow you add an **"Inbound Webhook" trigger**; GHL generates a unique URL. Our Cloudflare form POSTs the lead's info (as JSON) to that URL. GHL "catches" it, and you **map** each incoming field (name, email, phone, plus UTMs and any custom data) to a contact field. From there the workflow runs. ([GHL inbound webhook help][s-inwebhook]) - **Rules to respect:** data must be JSON; keys in camelCase or snake_case; **email or phone is required** to create/identify the contact; arrays can't be used as custom values. ([GHL inbound webhook help][s-inwebhook]) 2. **Direct API v2 POST to the Contacts endpoint.** Our page (or a middle layer) calls GHL's Contacts API and creates the contact with custom fields + UTMs in one shot. More control, more setup. ([zeon headless guide][s-headless], [ghlstack][s-ghlstack]) **Optional middle layer (n8n / Make / Zapier):** sits between Cloudflare and GHL to enrich or validate the lead before GHL sees it (e.g. Clay enrichment, dedupe). Cleaner than hand-coding backend logic. We already run Clay + Reply.io, so a middleware hop is a natural fit. ([zeon headless guide][s-headless]) ### Best practices for piping form submissions in - **Always pass UTMs through.** Capture `utm_source/medium/campaign/term/content` on the page and send them with the contact so attribution survives. If we skip this, GHL is attribution-blind. ([zeon headless guide][s-headless]) - **Tag on entry.** The moment a lead lands, apply a source tag (e.g. `src-las-funnel`) so we always know the door they came through. - **Map to custom fields, not tags, for permanent data.** Company, trade, job title, deal size = custom fields. - **Validate on the page first** (client-side) so we don't push junk into GHL and burn API quota. - **Name the webhook action descriptively** inside the workflow (e.g. `Catch — LAS funnel lead`) so troubleshooting later is readable. ([GHL custom webhook help][s-custwebhook]) - **Watch API quota.** API calls are metered per plan; heavy campaign spikes can hit limits. ([zeon headless guide][s-headless]) ### What to keep in GHL vs outside | Job | Where | Why | |---|---|---| | Contact/lead records | **GHL** | It's the CRM; system of record for the pipeline | | Workflows / automations | **GHL** | No viable replacement; also can't be built via API | | Email & SMS sequences | **GHL** | Mature, built-in | | Pipeline / opportunities | **GHL** | Where deals live | | Reporting on pipeline | **GHL** | Native dashboards | | The actual funnel/landing pages | **Cloudflare (custom HTML)** | Speed + design control | | List-building / enrichment | **Clay** | Best-of-breed | | Cold outbound sending | **Reply.io** | Purpose-built for outbound | | Glue between all of it | **Webhooks / middleware** | Keeps each tool doing what it's best at | > **Key limit to internalize:** the GHL API today covers contacts, calendars, appointments, opportunities, pipelines, forms, products — **but NOT workflow creation or automation management.** Building/editing automations is a hands-in-GHL job. Any plan that assumes "we'll just script our workflows" is wrong today. ([zeon headless guide][s-headless]) --- ## 3 · Claude Code / AI-agent + GHL patterns in 2026 **So what:** We *can* point Claude Code at the GHL account to help audit, report, and bulk-clean — using the official connector. It's genuinely useful for our cleanup project. But it has hard limits, and there's a lot of hype. ### The real, official path - **GHL now has an official MCP server.** MCP ("Model Context Protocol") is just the standard plug that lets an AI assistant talk to an app's data. GHL's official server: `https://services.leadconnectorhq.com/mcp/anthropic/v2` (works with Claude.ai, Claude Code, Claude Cowork). ([GHL MCP docs][s-mcp]) - **How it connects:** either **OAuth** (one-click "sign in → pick the sub-account → approve permissions") or a **Private Integration Token**. OAuth grants broader permissions than a PIT. Setup is ~10-15 min. ([GHL MCP docs][s-mcp], [automatedmarketer setup][s-automktr]) - **What it can touch:** hundreds of operations across ~40 areas — contacts, conversations, opportunities, calendars, payments, products, invoices, emails. It works through a handful of unified tools (`search`, `fetch`, `execute_operation`, etc.) rather than hundreds of buttons. ([GHL MCP docs][s-mcp]) ### What's realistic (for our cleanup) - **Auditing & reporting:** "List every tag and how many contacts have it," "show pipelines and stages," "find contacts with no source tag." Excellent fit. - **Bulk read / triage:** pull data out for review, spot duplicates, summarize workflows. - **Programmatic contact/opportunity updates** — within granted scopes. ### What's hype / not possible - **It's per-sub-account, not agency-wide** — one connection = one location. ([GHL MCP docs][s-mcp]) - **It's scope-limited and gated** — sensitive actions require extra confirmation; it can only do what its permissions allow. ([GHL MCP docs][s-mcp]) - **It (and the API) can't build workflows/automations** — same limit as section 2. So "have the AI rebuild all our automations" is not a thing today. - **Community MCP servers** (e.g. `mastanley13/GoHighLevel-MCP` on GitHub) advertise 250-500+ tools for deeper access. More power, but **unofficial** = more security and reliability risk. For a non-technical owner, **start with the official server.** ([github mastanley13][s-github]) ### Managing workflows/snapshots "as code" - **Snapshots** are GHL's built-in way to save and clone an account's setup (workflows, pipelines, etc.). They're the closest thing to "version control" GHL offers, and the practical way to back up before big changes. **Take a snapshot before any deletion.** (This is a native GHL feature; verify current behavior in-app.) > **Bottom line:** the official MCP server turns Claude Code into a strong **audit and reporting co-pilot** for our account. It is not a way to rebuild automations. Use it read-heavy first. --- ## 4 · Account hygiene & audit best practices **So what:** This is the heart of the cleanup. Below is the concrete standard a well-run account meets. ### Workflow naming & organization - **One strict naming pattern, written down, enforced.** A common agency pattern is `[Type/Trigger]_[Function]_[vN]` — e.g. `AUTO_LeadQual_v2`, `Webhook_LASIntake_v1`. Pick one and rename non-compliant workflows. ([aiop audit guide][s-audit], [ghlstack][s-ghlstack]) - **Never edit a live workflow directly.** Duplicate → increment version → test the copy → swap in. Gives a rollback path. ([tkturners setup][s-tk]) - **Folders** to separate `Active` / `Archived` / `Testing`. Date-prefix archives: `[ARCHIVE-2024-Q1]_Name`. ([aiop audit guide][s-audit]) ### Tag taxonomy & governance (avoid sprawl) - **The rule: "Fields = data, Tags = state."** Permanent facts → custom fields. Temporary status → tags. ([aiop audit guide][s-audit]) - **Tiered tag categories:** Source (`src-…`), Status (`status-…`), Action (`do-…`). A prefix system stops sprawl. - **Consolidate duplicates** (`New Lead` / `new-lead` / `lead_new` → one tag). - **Quarterly:** audit and archive unused tags. ([aiop audit guide][s-audit]) ### Pipeline design - **One pipeline per business state** (e.g. Sales, then a separate Fulfillment/Delivery pipeline) — don't cram everything into one. ([aiop audit guide][s-audit]) - **Outcome-based stages** with clear entry criteria, not vague ones like "Contacted." Each stage should drive an automation or a report. - **AnchorWorks doctrine note:** Chris runs **"no lost deals"** — every deal is nurture-forever or do-not-contact. So **don't build a "Lost" stage or a won/(won+lost) close-rate.** Model it as nurture vs suppressed instead. *(From AnchorWorks memory, not the web sources.)* ### Deleting dead funnels/domains safely (our Phase 1) 1. Report every funnel + its last submission date; flag anything with **zero submissions in 90+ days**. 2. **Take a snapshot backup first.** 3. **Confirm no workflow, trigger, tag, or live ad points at it** — especially anything wired to `las.myanchorworks.com` (Ethan's live funnel — do not touch). 4. Pause inbound capture a few days before deleting. 5. **Archive rather than hard-delete** where possible; log every deletion. ([aiop audit guide][s-audit]) ### Deliverability hygiene - SPF/DKIM/DMARC on every sending domain (section 5). - A2P 10DLC registered for SMS (section 5). - **Auto-suppress hard bounces:** workflow → tag `bounced-invalid` → pull from active sends. - Frequency caps (e.g. ≤3 messages/week/contact) and quiet hours. ([aiop audit guide][s-audit]) ### Security, users & API keys - **Least privilege:** give each user the smallest role that works; revoke stale admin logins. - **2FA on for everyone; no shared logins** (one login = one human). ([aiop audit guide][s-audit]) - **Kill legacy API keys; move to PITs; rotate PITs every 90 days.** Name each integration explicitly (e.g. `ReplyIO_LeadSync`) so you know what would break if you revoke it. ([marketplace PIT docs][s-pit], [aiop audit guide][s-audit]) - Store tokens in a password manager, never pasted into a workflow note. --- ## 5 · Deliverability & sending (email + SMS) **So what:** If this isn't set up right, our automations run but the messages never arrive — the worst kind of broken, because it looks like it's working. This deserves its own audit pass. ### Email — the Google/Yahoo rules (enforced since Feb 1, 2024) Three things everyone sending real volume must have. Plain-language version: - **SPF** = a public list of who's allowed to send email using our domain (the "approved senders" list). - **DKIM** = a tamper-proof seal that proves the email wasn't altered and really came from us. - **DMARC** = the rule that tells inbox providers what to do if SPF/DKIM fail (and lets us monitor abuse). All three must be set up **and must "align"** (agree with each other) or bulk mail gets rejected. ([martech][s-martech], [securityboulevard][s-secboul], [dmarcian][s-dmarcian]) Also required / expected: - **One-click unsubscribe** in marketing emails (a working "list-unsubscribe" header). ([martech][s-martech]) - **Spam complaint rate under 0.3%** (Google's hard ceiling; aim **under 0.1%**). ([powerdmarc][s-powerdmarc]) - **"Bulk sender" = 5,000+ messages/day to Gmail** — but the auth requirements are good practice at any volume. ([martech][s-martech]) - **Enforcement got harder in Nov 2025:** providers went from temporarily delaying bad mail to **permanently rejecting** it. ([securityboulevard][s-secboul]) **Clean email setup for us:** 1. Send from a **dedicated subdomain** (e.g. `mail.myanchorworks.com`), not the root domain — protects the main domain's reputation. 2. SPF + DKIM + DMARC on that subdomain, all aligned. 3. **Warm it up** — start ~20-50 emails/day, ramp over 4-6 weeks. Cold-blasting a fresh domain tanks reputation. 4. Remove hard bounces immediately; monitor via **Google Postmaster Tools** + MXToolbox. ([gohighlevel.ai deliverability][s-deliv], [help GHL postmaster][s-postmaster]) ### SMS — A2P 10DLC (mandatory to text at all) - **What it is:** "Application-to-Person, 10-Digit Long Code" = the carriers' required registration for a business to send automated texts from a normal 10-digit number. Think "business texting license." ([hiregohighleveldeveloper][s-a2p], [GHL A2P help][s-a2phelp]) - **Why it exists:** to stop spam. Carriers now **block 100% of unregistered traffic.** No registration = zero texts delivered, silently. ([hiregohighleveldeveloper][s-a2p]) - **Two parts:** 1. **Brand registration** — proves who the business is: legal name, tax ID (EIN), address, website, industry. 2. **Campaign registration** — describes what we'll text: use-case, **sample messages**, how people opt in, how they opt out (STOP), expected volume. ([hiregohighleveldeveloper][s-a2p], [GHL A2P help][s-a2phelp]) - **Sole Proprietor vs Standard Brand:** solo/tiny businesses can register as a **Sole Proprietor** (lighter, lower volume); registered companies with an EIN use **Standard** (higher throughput, more trust). AnchorWorks has an LLC/EIN → **Standard** path. ([GHL sole-prop guide][s-soleprop], [GHL standard guide][s-standard]) - **Common rejection reasons (avoid these):** vague campaign descriptions; **missing opt-in/consent language on the form**; sending promo texts under a "transactional" campaign; sample messages that don't match what the workflow actually sends. ([hiregohighleveldeveloper][s-a2p]) - **GHL-specific tip:** the **sample messages you register must match the real messages your workflows send**, and don't bake templates into snapshots that won't match reality. ([hiregohighleveldeveloper][s-a2p]) - **Non-negotiables to have live before texting:** a visible SMS consent checkbox on the form, a privacy policy page, a terms page, and working STOP opt-out. ([hiregohighleveldeveloper][s-a2p]) > **Cost/timeline honesty:** registration carries small one-time + recurring carrier fees and vetting, and approval can take anywhere from hours to a couple weeks depending on category — the exact numbers move and weren't consistent across sources, so **confirm current fees/timeline inside GHL at registration time.** --- ## The "well-run GHL account in 2026" checklist Use this as the audit yardstick. Check each against the AnchorWorks sub-account. **Structure & naming** - [ ] One documented workflow naming convention; all workflows comply (`[Trigger]_[Function]_[vN]`) - [ ] Workflows sorted into `Active` / `Archived` / `Testing` folders; archives date-prefixed - [ ] No live workflow edited in place — versioned duplicates only, with a rollback copy **Tags & fields** - [ ] Tags = temporary state only; permanent facts live in custom fields - [ ] Prefix system in use (`src-`, `status-`, `do-`); no duplicate/near-duplicate tags - [ ] Unused tags archived (quarterly) **Pipelines** - [ ] One pipeline per business state; outcome-based stages with entry criteria - [ ] No "Lost" stage — nurture-forever vs do-not-contact (AnchorWorks doctrine) - [ ] Each stage drives an automation or a report **Inbound (our Cloudflare → GHL wire)** - [ ] Every custom funnel has a working Inbound Webhook into GHL (tested, catching leads) - [ ] UTMs captured on-page and mapped into GHL with the contact - [ ] Source tag applied on entry; permanent data mapped to custom fields - [ ] Webhook actions named descriptively for troubleshooting **Email deliverability** - [ ] Dedicated sending subdomain (not the root domain) - [ ] SPF + DKIM + DMARC set up and aligned on every sending domain - [ ] One-click unsubscribe live in marketing emails - [ ] Spam complaint rate under 0.3% (target <0.1%); monitored via Postmaster Tools - [ ] Hard-bounce auto-suppression workflow in place; domain warmed before volume **SMS deliverability** - [ ] A2P 10DLC **Brand** registered (Standard, EIN) - [ ] A2P 10DLC **Campaign** registered; sample messages match real workflow texts - [ ] SMS consent checkbox on forms + privacy/terms pages + working STOP opt-out **Security & access** - [ ] Least-privilege roles; stale/admin logins revoked - [ ] 2FA on for all users; no shared logins - [ ] No legacy v1 API keys in use; all integrations on Private Integration Tokens - [ ] PITs named per integration and rotated every 90 days **Cleanup discipline (Phase 1)** - [ ] Snapshot taken before any deletion - [ ] Dead funnels/domains identified (zero submissions 90+ days), confirmed unwired, archived/deleted with a log - [ ] Nothing touched that's connected to `las.myanchorworks.com` **AI / tooling (optional but available)** - [ ] Official GHL MCP server connected to Claude Code for audit/reporting (read-first) - [ ] Clear on the limit: API/MCP can't build workflows — automations are hands-in-GHL --- ## Sources *All accessed 2026-07-09. Reliability note: GHL's own help docs and marketplace docs are authoritative for API/PIT/MCP/A2P mechanics. Third-party blogs (gohighlevel.ai, zeon, aiop, etc.) are useful for patterns and checklists but repeat GHL marketing on AI feature claims — treat specific AI numbers as "verify in-app." Deliverability rules (SPF/DKIM/DMARC, Google/Yahoo) are well-corroborated across independent security sources.* - [s-v1] https://www.gohighlevel.com/post/deprecating-the-highlevel-api-v1-and-migrating-to-v2 — GHL's own notice that API v1 hit end-of-support Dec 31, 2025; migrate to v2. (Authoritative.) - [s-pit] https://marketplace.gohighlevel.com/docs/Authorization/PrivateIntegrationsToken/ — Official docs on Private Integration Tokens replacing API keys; 90-day rotation guidance. (Authoritative.) - [s-mcp] https://marketplace.gohighlevel.com/docs/other/mcp/ — Official LeadConnector MCP server: endpoints, OAuth vs PIT auth, unified tools, per-sub-account + scope limits. (Authoritative.) - [s-inwebhook] https://help.gohighlevel.com/support/solutions/articles/48001237383 — Official help: how the Inbound Webhook trigger works, field mapping, JSON/camelCase rules, email-or-phone requirement. (Authoritative for our critical wire.) - [s-custwebhook] https://help.gohighlevel.com/support/solutions/articles/48001238167 — Official help: outbound Custom Webhook action, naming/auth best practices. - [s-a2phelp] https://help.gohighlevel.com/support/solutions/articles/155000004539 — Official GHL A2P campaign registration step-by-step + FAQs. - [s-soleprop] https://help.gohighlevel.com/support/solutions/articles/155000000340 — Official GHL Sole Proprietor brand registration guide. - [s-standard] https://help.gohighlevel.com/support/solutions/articles/48001225526 — Official GHL Standard brand registration guide. - [s-postmaster] https://help.gohighlevel.com/support/solutions/articles/155000004150 — Official GHL guide to Google Postmaster Tools for monitoring sender reputation. - [s-headless] https://zeon.studio/blog/headless-gohighlevel — Detailed "headless GHL" pattern: what stays in GHL vs outside, API coverage (and its gaps — no workflow creation), webhook/embed methods, UTM/attribution best practices. (Best single source for our architecture.) - [s-audit] https://www.aiop.uk/post/how-to-audit-gohighlevel — Concrete sub-account audit checklist: naming, tags-vs-fields, pipeline design, safe funnel deletion, security/roles, API key hygiene. (Best single source for the audit.) - [s-ghlstack] https://ghlstack.com/ghl-api-and-webhook-stack/ — API + webhook integration patterns for 2026 (corroborates inbound/outbound wiring). - [s-a2p] https://hiregohighleveldeveloper.com/blog/a2p-10dlc-compliance-gohighlevel-agencies-2026/ — Plain-language A2P 10DLC for GHL: brand vs campaign, required info, rejection reasons, GHL-specific tips. - [s-deliv] https://www.gohighlevel.ai/blog/gohighlevel-email-deliverability — GHL email deliverability setup: dedicated subdomain, SPF/DKIM/DMARC, warm-up schedule, list hygiene. - [s-martech] https://martech.org/new-rules-for-bulk-email-senders-from-google-yahoo-what-you-need-to-know/ — Independent explainer of the Feb 2024 Google/Yahoo bulk-sender rules (auth, one-click unsub, spam rate, 5k/day threshold). - [s-secboul] https://securityboulevard.com/2025/11/google-and-yahoo-updated-email-authentication-requirements-for-2025/ — Independent security source; Nov 2025 shift from delaying to permanently rejecting unauthenticated mail. - [s-dmarcian] https://dmarcian.com/yahoo-and-google-dmarc-required/ — DMARC authority on the Google/Yahoo DMARC-required rules and alignment. - [s-powerdmarc] https://powerdmarc.com/bulk-email-sender-requirements/ — Corroborates spam-rate ceilings (<0.3%, target <0.1%) and multi-provider bulk rules. - [s-updates] https://www.gohighlevel.ai/blog/gohighlevel-updates-2026 — Roundup of 2025-2026 platform/AI changes (treat feature specifics as marketing-adjacent). - [s-aifeatures] https://www.gohighlevel.ai/blog/gohighlevel-ai-features — Catalog of GHL AI tools (Conversation/Voice/Workflow AI) — verify specifics in-app. - [s-voice] https://oneexpand.com/gohighlevel-voice-ai-review-2026/ — Third-party Voice AI review (response latency, AI Employee positioning/pricing). - [s-sawankr] https://sawankr.com/courses/go-highlevel/gohighlevel-ai-features-2026-conversation-ai-voice-ai-and-workflow-ai-explained — Explainer of the three AI pillars and workflow AI capabilities. - [s-net] https://netpartners.marketing/gohighlevel-ai-2026/ — "Every AI feature mapped" overview (corroborates Conversation AI memory/latency claims). - [s-rsla] https://rsla.io/blog/go-high-level-new-features-2025 — Monthly changelog of GHL feature releases 2025-2026. - [s-tk] https://www.tkturners.com/blog/complete-gohighlevel-setup-guide-for-2026 — Setup guide corroborating versioned-workflow / never-edit-live discipline. - [s-automktr] https://automatedmarketer.net/how-to-connect-claude-code-to-gohighlevel-using-mcp-step-by-step-setup/ — Step-by-step connecting Claude Code to GHL via the official MCP (auth flow, setup time). - [s-github] https://github.com/mastanley13/GoHighLevel-MCP — Example community MCP server (250-500+ tools); unofficial, higher risk — noted for completeness. --- *End of brief. Next: this feeds checklist item 0.3 → then Phase 1 (funnel/domain cleanup) → Phase 2 (full audit) using the yardstick above.*