feat: add DMARC, SPF, and null MX record support

gcharest · gcharest · commit 2fda5edccf1a · 2026-03-21T23:34:18.000-04:00
diff --git a/terragrunt/modules/route53-records/main.tf b/terragrunt/modules/route53-records/main.tf
@@ -1,3 +1,16 @@
+locals {
+  dmarc_tags = compact([
+    "v=DMARC1",
+    "p=${var.dmarc_policy}",
+    "pct=${var.dmarc_pct}",
+    var.dmarc_subdomain_policy == null ? null : "sp=${var.dmarc_subdomain_policy}",
+    var.dmarc_aggregate_report_uri == null ? null : "rua=mailto:${var.dmarc_aggregate_report_uri}",
+    var.dmarc_forensic_report_uri == null ? null : "ruf=mailto:${var.dmarc_forensic_report_uri}",
+    var.dmarc_alignment_dkim == null ? null : "adkim=${var.dmarc_alignment_dkim}",
+    var.dmarc_alignment_spf == null ? null : "aspf=${var.dmarc_alignment_spf}",
+  ])
+  dmarc_record = join("; ", local.dmarc_tags)
+}
 resource "aws_route53_record" "cloudfront" {
   zone_id = var.route53_zone_id
   name    = var.domain_name
@@ -47,3 +60,34 @@ resource "aws_route53_record" "www_ipv6" {
     evaluate_target_health = false
   }
 }
+
+
+resource "aws_route53_record" "spf" {
+  count   = var.enable_spf_record ? 1 : 0
+  zone_id = var.route53_zone_id
+  name    = var.domain_name
+  type    = "TXT"
+  ttl     = var.txt_ttl
+
+  records = [var.spf_record_value]
+}
+
+resource "aws_route53_record" "null_mx" {
+  count   = var.enable_null_mx_record ? 1 : 0
+  zone_id = var.route53_zone_id
+  name    = var.domain_name
+  type    = "MX"
+  ttl     = var.txt_ttl
+
+  records = [var.null_mx_record_value]
+}
+
+resource "aws_route53_record" "dmarc" {
+  count   = var.enable_dmarc_record ? 1 : 0
+  zone_id = var.route53_zone_id
+  name    = "_dmarc.${var.domain_name}"
+  type    = "TXT"
+  ttl     = var.txt_ttl
+
+  records = [local.dmarc_record]
+}
diff --git a/terragrunt/modules/route53-records/variables.tf b/terragrunt/modules/route53-records/variables.tf
@@ -25,6 +25,109 @@ variable "create_www_subdomain" {
   default     = true
 }
 
+variable "txt_ttl" {
+  description = "TTL in seconds for TXT records managed by this module"
+  type        = number
+  default     = 3600
+}
+
+variable "enable_spf_record" {
+  description = "Whether to create an SPF TXT record at the apex domain"
+  type        = bool
+  default     = true
+}
+
+variable "spf_record_value" {
+  description = "SPF TXT value to publish at apex (use v=spf1 -all for non-sending domains)"
+  type        = string
+  default     = "v=spf1 -all"
+}
+
+variable "enable_null_mx_record" {
+  description = "Whether to publish a null MX record (RFC7505) indicating the domain does not accept email"
+  type        = bool
+  default     = true
+}
+
+variable "null_mx_record_value" {
+  description = "MX record value for null MX (RFC7505); keep as '0 .' unless you need normal mail routing"
+  type        = string
+  default     = "0 ."
+}
+
+variable "enable_dmarc_record" {
+  description = "Whether to create a DMARC TXT record"
+  type        = bool
+  default     = true
+}
+
+variable "dmarc_policy" {
+  description = "DMARC policy for the organizational domain (none, quarantine, reject)"
+  type        = string
+  default     = "reject"
+
+  validation {
+    condition     = contains(["none", "quarantine", "reject"], var.dmarc_policy)
+    error_message = "dmarc_policy must be one of: none, quarantine, reject."
+  }
+}
+
+variable "dmarc_subdomain_policy" {
+  description = "Optional DMARC subdomain policy (sp tag). Set null to omit"
+  type        = string
+  default     = null
+
+  validation {
+    condition     = var.dmarc_subdomain_policy == null || contains(["none", "quarantine", "reject"], var.dmarc_subdomain_policy)
+    error_message = "dmarc_subdomain_policy must be null or one of: none, quarantine, reject."
+  }
+}
+
+variable "dmarc_pct" {
+  description = "DMARC pct tag value (0-100)"
+  type        = number
+  default     = 100
+
+  validation {
+    condition     = var.dmarc_pct >= 0 && var.dmarc_pct <= 100
+    error_message = "dmarc_pct must be between 0 and 100."
+  }
+}
+
+variable "dmarc_aggregate_report_uri" {
+  description = "Optional DMARC aggregate report mailbox, without mailto: prefix"
+  type        = string
+  default     = null
+}
+
+variable "dmarc_forensic_report_uri" {
+  description = "Optional DMARC forensic report mailbox, without mailto: prefix"
+  type        = string
+  default     = null
+}
+
+variable "dmarc_alignment_dkim" {
+  description = "Optional DMARC DKIM alignment mode (r or s). Set null to omit"
+  type        = string
+  default     = null
+
+  validation {
+    condition     = var.dmarc_alignment_dkim == null || contains(["r", "s"], var.dmarc_alignment_dkim)
+    error_message = "dmarc_alignment_dkim must be null, r, or s."
+  }
+}
+
+variable "dmarc_alignment_spf" {
+  description = "Optional DMARC SPF alignment mode (r or s). Set null to omit"
+  type        = string
+  default     = null
+
+  validation {
+    condition     = var.dmarc_alignment_spf == null || contains(["r", "s"], var.dmarc_alignment_spf)
+    error_message = "dmarc_alignment_spf must be null, r, or s."
+  }
+}
+
 variable "tags" {
   description = "Common tags for all resources"
   type        = map(string)
