From b00791f1b1199dc9f887e01ca55911e1cd549437 Mon Sep 17 00:00:00 2001
From: "Rasmus \"Pez\" Wejlgaard"
Date: Sat, 28 Mar 2026 20:46:50 +0000
Subject: [PATCH] Update SPF and tighten DMARC for poste.io (#5)
* update SPF record: replace protonmail with poste.io mail server PESO-77
- replace include:_spf.protonmail.ch with ip4:167.235.134.154 and ip6:2a01:4f8:1c1e:9c53::1 (nuremberg-a / mail.pez.sh)
- tighten from ~all (softfail) to -all (hardfail)
* tighten DMARC policy from p=none to p=quarantine PESO-78
- enforce DMARC with p=quarantine (failed messages get quarantined)
- add adkim=r and aspf=r for relaxed DKIM/SPF alignment
---
 terraform/cloudflare_dns.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/cloudflare_dns.tf b/terraform/cloudflare_dns.tf
index 23bc04b..8093d8a 100644
--- a/terraform/cloudflare_dns.tf
+++ b/terraform/cloudflare_dns.tf
@@ -424,7 +424,7 @@ resource "cloudflare_dns_record" "dmarc" {
 zone_id = cloudflare_zone.pez-sh.id
 name = "_dmarc"
 type = "TXT"
- content = "v=DMARC1; p=none; rua=mailto:pez@pez.sh"
+ content = "v=DMARC1; p=quarantine; rua=mailto:pez@pez.sh; adkim=r; aspf=r"
 ttl = 1
 }
@@ -432,7 +432,7 @@ resource "cloudflare_dns_record" "root-txt-spf" {
 zone_id = cloudflare_zone.pez-sh.id
 name = "@"
 type = "TXT"
- content = "v=spf1 include:_spf.protonmail.ch ~all"
+ content = "v=spf1 ip4:167.235.134.154 ip6:2a01:4f8:1c1e:9c53::1 -all"
 ttl = 1
 }
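Review bot: In the `dmarc` record, `p=quarantine` takes effect in the same change that moves outbound mail from ProtonMail to the poste.io host, so the `rua` reports gathered under `p=none` describe the old sender rather than the new one. Nothing in this hunk shows a DKIM selector record for the new server; if none is published yet, DMARC rests on SPF alignment alone and forwarded mail is likely to be quarantined. I would add a comment above `content` such as `# p=quarantine: relies on poste.io DKIM signing for pez.sh; check aggregate reports from the new host before tightening further`, and consider landing the policy change after a reporting period on the new sender. `adkim=r` and `aspf=r` are the protocol defaults, so they document intent rather than change behaviour. The resource block opens on the line carried in the hunk header, outside the hunk body.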
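Review bot: In `root-txt-spf`, the two address literals in `content` are hard-coded, so if the mail host is re-provisioned the record goes stale and, under `-all`, the domain's own mail hard-fails SPF. If `mail.pez.sh` already has A/AAAA records in this configuration (not visible in this hunk), `v=spf1 a:mail.pez.sh -all` would follow them at the cost of one DNS lookup; otherwise add a comment such as `# nuremberg-a (mail.pez.sh); update both addresses when the host changes`. With the ProtonMail include removed, any other service that still sends as pez.sh will now fail SPF outright, which is worth confirming before apply.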