dns: document email auth records and rationale for out-of-band management

SPF / DKIM / DMARC for neurontechnologies.ai are managed via the Cloudflare
API rather than Terraform because the cloudflare_record provider rewrites
name="@" on apply, which forces replacement of the apex SPF record and
opens a propagation gap. A duplicate (malformed-quoted) apex SPF that was
causing Gmail to fail SPF was also removed via the API; the surviving
record is the canonical one and is documented here for traceability.
This commit is contained in:
Will Anderson
2026-05-01 22:49:32 -05:00
parent ec2d5794ec
commit 7ee6099139
+33
View File
@@ -28,3 +28,36 @@ resource "cloudflare_record" "soma_wildcard" {
proxied = true
ttl = 1
}
# ── Email authentication (managed via Cloudflare API, NOT Terraform) ─────────
# Transactional email goes through Resend (smtp.resend.com) using the
# `send.neurontechnologies.ai` subdomain as envelope-from. Workspace mail
# flows through Google MX. Both signing domains (resend, google) DKIM-align
# with the apex via the d= header so DMARC passes regardless of route.
#
# These records are intentionally NOT defined as Terraform resources:
# - The Cloudflare provider canonicalises `name = "@"` differently than the
# API's stored `name = "neurontechnologies.ai"`, which forces replacement
# of SPF on every `terraform apply` and would create a propagation gap.
# - Workspace MX/DKIM and the Resend records are stable enough that
# out-of-band Cloudflare-API management is safer than risking deletion
# during a routine apply.
#
# Current records (as of 2026-05-01):
# TXT @ v=spf1 include:_spf.google.com ~all
# TXT send v=spf1 include:amazonses.com ~all
# MX send feedback-smtp.us-east-1.amazonses.com (10)
# TXT resend._domainkey Resend DKIM key (verified in Resend dash)
# TXT google._domainkey Workspace DKIM key
# TXT _dmarc v=DMARC1; p=quarantine; rua=mailto:admin@…
# MX @ (x5) aspmx.l.google.com + 4 alt MX (Workspace)
#
# To change any of these, use the Cloudflare API directly:
# set -a; source ~/Secrets/credentials/infrastructure.env; set +a
# ZONE_ID=e844374f203dca4944d77d40ca0710ae
# curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/<id>" \
# -H "X-Auth-Email: $CF_EMAIL" -H "X-Auth-Key: $CF_API_KEY" \
# -d '{"content":"..."}'
#
# DO NOT remove or modify SPF / DKIM / DMARC without verifying replacements
# first — losing any one will cause Gmail to junk transactional mail.