diff --git a/stacks/mailserver/modules/mailserver/extra/aliases.txt b/stacks/mailserver/modules/mailserver/extra/aliases.txt
index 40fb640d..61df501c 100644
--- a/stacks/mailserver/modules/mailserver/extra/aliases.txt
+++ b/stacks/mailserver/modules/mailserver/extra/aliases.txt
@@ -3,3 +3,10 @@ closely-keith-generated@viktorbarzin.me vbarzin@gmail.com
 literally-paolo-generated@viktorbarzin.me viktorbarzin@fb.com
 hastily-stefanie-generated@viktorbarzin.me elliestamenova@gmail.com
 vaultwarden@viktorbarzin.me me@viktorbarzin.me
+
+# plans@ -> spam@: authorizes tripit (SMTP-authed as spam@) to send mail
+# From: plans@viktorbarzin.me under docker-mailserver SPOOF_PROTECTION (the
+# smtpd_sender_login_maps union exact-matches this alias to spam@; the @domain
+# catch-all does NOT, so an explicit entry is required). Also keeps inbound
+# plans@ routing to spam@ for the tripit mail-ingest poller.
+plans@viktorbarzin.me spam@viktorbarzin.me
diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf
index d790b7b0..87d87c2a 100644
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@@ -38,15 +38,19 @@ locals {
     PUSH_PROVIDER        = "webpush"
     LLM_MODE             = "fake"
     MAIL_INGEST_ENABLED  = "false"
-    # Outbound mail for linked-email verification — submitted via the cluster
-    # mailserver as spam@ (which relays out via Brevo). SMTP_PASSWORD comes from
-    # tripit-secrets (mapped to the existing PLANS_IMAP_PASSWORD). PUBLIC_BASE_URL
-    # builds the confirmation link mailed to the address.
+    # Outbound mail (linked-email verification + trip-share invites) — submitted
+    # via the cluster mailserver authenticated as spam@ (SMTP_USER), but sent
+    # From: plans@viktorbarzin.me (SMTP_FROM). docker-mailserver SPOOF_PROTECTION
+    # requires the login to "own" the From; an explicit plans@ -> spam@ virtual
+    # alias grants that (see mailserver extra/aliases.txt) and keeps inbound
+    # plans@ routing to spam@. Relays out via Brevo. SMTP_PASSWORD comes from
+    # tripit-secrets (the existing PLANS_IMAP_PASSWORD = spam@'s password).
+    # PUBLIC_BASE_URL builds the links mailed to recipients.
     EMAIL_PROVIDER  = "smtp"
     SMTP_HOST       = "mailserver.mailserver.svc"
     SMTP_PORT       = "587"
     SMTP_USER       = "spam@viktorbarzin.me"
-    SMTP_FROM       = "spam@viktorbarzin.me"
+    SMTP_FROM       = "plans@viktorbarzin.me"
     PUBLIC_BASE_URL = "https://tripit.viktorbarzin.me"
   }
 }