From 275eb5aec8d5db1ef9dd31191f3456f3531f7d27 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Mon, 23 Feb 2026 20:30:30 +0000
Subject: [PATCH] [ci skip] mailserver: tighten DMARC policy to quarantine

Move DMARC enforcement from p=none (monitoring only) to p=quarantine
so spoofed emails from viktorbarzin.me are quarantined by recipients.
---
 stacks/platform/modules/cloudflared/cloudflare.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stacks/platform/modules/cloudflared/cloudflare.tf b/stacks/platform/modules/cloudflared/cloudflare.tf
index 69722ff4..906403c7 100644
--- a/stacks/platform/modules/cloudflared/cloudflare.tf
+++ b/stacks/platform/modules/cloudflared/cloudflare.tf
@@ -130,7 +130,7 @@ resource "cloudflare_record" "mail_spf" {
 }
 
 resource "cloudflare_record" "mail_dmarc" {
-  content  = "\"v=DMARC1; p=none; pct=100; fo=1; ri=3600; sp=none; adkim=r; aspf=r; rua=mailto:e21c0ff8@dmarc.mailgun.org,mailto:adb84997@inbox.ondmarc.com; ruf=mailto:e21c0ff8@dmarc.mailgun.org,mailto:adb84997@inbox.ondmarc.com,mailto:postmaster@viktorbarzin.me;\""
+  content  = "\"v=DMARC1; p=quarantine; pct=100; fo=1; ri=3600; sp=quarantine; adkim=r; aspf=r; rua=mailto:e21c0ff8@dmarc.mailgun.org,mailto:adb84997@inbox.ondmarc.com; ruf=mailto:e21c0ff8@dmarc.mailgun.org,mailto:adb84997@inbox.ondmarc.com,mailto:postmaster@viktorbarzin.me;\""
   name     = "_dmarc.viktorbarzin.me"
   proxied  = false
   ttl      = 1