DEV Community

Simon Shine
Simon Shine

Posted on

A Terraform DNS moment

tl;dr: I stuck the IPv4 and IPv6 address of my VPS into an SPF record field text.

I manage my DNS with Terraform. This means that past domain registration and changing nameservers, I manage DNS with the Terraform command-line interface and git. Today I experienced a moment of happiness when two pieces of personal infrastructure fitted.

The scenario: I'm setting up a send-only email server on a VPS for Gitea notifications. If this works out well, I will consider using it for a newsletter. Doing this on a commercial cloud VPS means that my server's IPv4 address gets a bad score. One way to improve on that score is to add an SPF record.

For my personal email hosted at FastMail, the SPF record is simpler:

$ dig +short TXT simonshine.dk
"v=spf1 include:spf.messagingengine.com -all"
Enter fullscreen mode Exit fullscreen mode

Their SPF record contains a bunch of ip4:... rules.

To let the world know that I'm sending emails from my VPS, I simply list its IP address:

resource "digitalocean_record" "spf_example_com" {
  domain = digitalocean_domain.example_com.name
  type   = "TXT"
  name   = "@"
  value  = "v=spf1 ${format("ip4:%s ip6:%s",
    digitalocean_droplet.example_droplet.ipv4_address,
    digitalocean_droplet.example_droplet.ipv6_address)} -all"
}
Enter fullscreen mode Exit fullscreen mode

This encourages receivers of emails from this domain to reject the email if it didn't originate from this server. The part that got me blogging is that I didn't hardcode the IP addresses of my server, but rather, the value was taken from the deployment configuration of the concrete server.

Top comments (0)