From 9ee93451928da291051743b11eb40dba58f5bb00 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Fri, 3 Feb 2023 13:08:56 +0100
Subject: [PATCH] Fix DMARC policy for list.pub.solar

Our _dmarc TXT record by default protects all subdomains, so an adversary can't send mails on behalf of any subdomains (p=reject, p stands for policy). We add a _dmarc.list TXT record with the same policy to allow sending mails via list.pub.solar's postfix. See https://dmarcly.com/blog/how-dmarc-works-with-subdomains-dmarc-sp-tag for more context
---
 terraform/lev-1/dns.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/terraform/lev-1/dns.tf b/terraform/lev-1/dns.tf
index 0a8ab6e..66a8cdf 100644
--- a/terraform/lev-1/dns.tf
+++ b/terraform/lev-1/dns.tf
@@ -110,6 +110,11 @@ resource "namecheap_domain_records" "pub-solar" {
 type = "TXT"
 address = "v=DMARC1; p=reject;"
 }
+ record {
+ hostname = "_dmarc.list"
+ type = "TXT"
+ address = "v=DMARC1; p=reject;"
+ }
 record {
 hostname = "@"
 type = "MX"
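Review bot: The added `_dmarc.list` record carries the same `v=DMARC1; p=reject;` as the parent `_dmarc` record in the context lines just above it, so under the DMARC policy-lookup rules receivers should end up applying the policy they already inherited, and the record alone would not make list mail pass. Whether list.pub.solar has aligned SPF and DKIM published for its postfix is not visible in this hunk; if it does not, mail from that host would still be rejected. With `p=reject` and no reporting tag, such failures stay invisible to the operators, so consider `address = "v=DMARC1; p=reject; rua=mailto:<REPORT_ADDRESS>;"` (placeholder address) and a comment above the record such as `# explicit subdomain policy for the list.pub.solar postfix; keep in sync with _dmarc`. The enclosing `namecheap_domain_records` resource starts and ends outside the hunk.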