EHD-1474: Prevent email spoofing

jamesgriff · jamesgriff · commit 46f3d9eaf924 · 2025-03-12T14:23:23.000Z
diff --git a/terraform/dev.tfvars b/terraform/dev.tfvars
@@ -6,4 +6,6 @@ create_dns_record = true
 dns_record_subdomain_including_dot = "dev."
 
 create_redirect_from_www_domain = false
-dns_record_www_domain_including_dot = "www.dev."
+dns_record_www_domain_including_dot = "www.dev."
+
+prevent_email_spoofing = false
diff --git a/terraform/prevent_email_spoofing.tf b/terraform/prevent_email_spoofing.tf
@@ -0,0 +1,50 @@
+
+locals {
+    dns_zones_to_protect_against_email_spoofing = (
+      var.prevent_email_spoofing ?
+      tomap({
+          zone_1 = data.aws_route53_zone.route_53_zone_for_our_domain,
+      })
+      : tomap({})
+    )
+}
+
+resource "aws_route53_record" "dns_record_to_protect_against_email_spoofing__SPF" {
+  for_each = local.dns_zones_to_protect_against_email_spoofing
+
+  type = "TXT"
+  name = each.value.name  // No subdomain
+  records = ["v=spf1 -all"]
+  ttl = 60
+  zone_id = each.value.zone_id
+}
+
+resource "aws_route53_record" "dns_record_to_protect_against_email_spoofing__DMARC" {
+  for_each = local.dns_zones_to_protect_against_email_spoofing
+
+  type = "TXT"
+  name = "_dmarc.${each.value.name}"
+  records = ["v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc-rua@dmarc.service.gov.uk"]
+  ttl = 60
+  zone_id = each.value.zone_id
+}
+
+resource "aws_route53_record" "dns_record_to_protect_against_email_spoofing__DKIM" {
+  for_each = local.dns_zones_to_protect_against_email_spoofing
+
+  type = "TXT"
+  name = "*._domainkey.${each.value.name}"
+  records = ["v=DKIM1; p="]
+  ttl = 60
+  zone_id = each.value.zone_id
+}
+
+resource "aws_route53_record" "dns_record_to_protect_against_email_spoofing__MX" {
+  for_each = local.dns_zones_to_protect_against_email_spoofing
+
+  type = "MX"
+  name = each.value.name  // No subdomain
+  records = ["0 ."]
+  ttl = 60
+  zone_id = each.value.zone_id
+}
diff --git a/terraform/prod.tfvars b/terraform/prod.tfvars
@@ -7,3 +7,5 @@ dns_record_subdomain_including_dot = ""
 
 create_redirect_from_www_domain = true
 dns_record_www_domain_including_dot = "www."
+
+prevent_email_spoofing = true
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -42,6 +42,13 @@ variable "dns_record_www_domain_including_dot" {
   description = "The www. domain (including dot - e.g. 'www.dev.' or just 'www.' for production) for the www domain redirect"
 }
 
+variable "prevent_email_spoofing" {
+  type = bool
+  description = "Should terraform create DNS records to prevent email spoofing (only required for the prod environment)"
+  default = false
+}
+
+
 // SECRETS
 // These variables are set in GitHub Actions environment-specific secrets
 // Most of these are passed to the application via Elastic Beanstalk environment variables
