Fix DMARC policy for list.pub.solar

Our _dmarc TXT record by default protects all subdomains, so an adversary can't send mails on behalf of any subdomains (p=reject, p stands for policy). We add a _dmarc.list TXT record with the same policy to allow sending mails via list.pub.solar's postfix. See https://dmarcly.com/blog/how-dmarc-works-with-subdomains-dmarc-sp-tag for more context
2023-02-03 13:08:56 +01:00 · 2023-02-03 13:08:56 +01:00 · 9ee9345192
parent db234cdb5b
commit 9ee9345192
1 changed files with 5 additions and 0 deletions
--- a/terraform/lev-1/dns.tf
+++ b/terraform/lev-1/dns.tf
@ -110,6 +110,11 @@ resource "namecheap_domain_records" "pub-solar" {
    type = "TXT"
    address = "v=DMARC1; p=reject;"
  }
+  record {
+    hostname = "_dmarc.list"
+    type = "TXT"
+    address = "v=DMARC1; p=reject;"
+  }
  record {
    hostname = "@"
    type = "MX"