From d976829ee6dcb06ca6e14dca71b85fa62ea4c9c6 Mon Sep 17 00:00:00 2001
From: Rasmus Wejlgaard
Date: Sat, 28 Mar 2026 20:45:56 +0000
Subject: [PATCH] tighten DMARC policy from p=none to p=quarantine PESO-78
- enforce DMARC with p=quarantine (failed messages get quarantined)
- add adkim=r and aspf=r for relaxed DKIM/SPF alignment
---
 terraform/cloudflare_dns.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/cloudflare_dns.tf b/terraform/cloudflare_dns.tf
index d31f78c..8093d8a 100644
--- a/terraform/cloudflare_dns.tf
+++ b/terraform/cloudflare_dns.tf
@@ -424,7 +424,7 @@ resource "cloudflare_dns_record" "dmarc" {
 zone_id = cloudflare_zone.pez-sh.id
 name = "_dmarc"
 type = "TXT"
- content = "v=DMARC1; p=none; rua=mailto:pez@pez.sh"
+ content = "v=DMARC1; p=quarantine; rua=mailto:pez@pez.sh; adkim=r; aspf=r"
 ttl = 1
 }
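Review bot: The new `content` value on the `+` line switches the whole domain from `p=none` to `p=quarantine` in one step, and nothing in the file records why that is safe. Whether the `rua` aggregate reports showed every legitimate sender passing aligned SPF or DKIM is not visible in this hunk. I would add a comment above the attribute, for example `# DMARC enforcement (PESO-78): p=quarantine; adkim/aspf are the relaxed defaults, stated explicitly`, so that a later move to `p=reject` has a documented baseline. If a staged rollout is wanted, RFC 7489's `pct=` tag is the usual way to limit how much failing mail the policy applies to. Note that `adkim=r` and `aspf=r` match the protocol defaults, so they document intent without changing how receivers evaluate alignment; the resource block itself opens above the hunk.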