Skip to content

Add outbound sender identity verification for maildesk-cf #17

Description

@rogu3bear

Context

maildesk-cf commit 229b04f adds public runbooks for outbound identity and deliverability:

  • docs/architecture/outbound-identity.md
  • docs/operations/deliverability.md
  • docs/operations/production-rollout.md

Inbound Email Routing can now be reconciled through email.routing_rule, but mail-ready status still needs outbound sender identity proof. Forwarding to an operator mailbox is not enough to claim replies will come from the original domain.

Needed Change

Add cfctl read/verify support for sender-domain and reply-identity readiness used by maildesk-cf. The surface should be usable by the future cfctl maildesk-cf verify flow and should avoid broad live-send tests by default.

Drift Classes

  • missing sender-domain authentication
  • unverified DKIM/SPF/DMARC posture
  • reply identity configured in policy but not verified for outbound send
  • provider status unavailable or ambiguous
  • sender adapter configured for a domain that is receive-only

Acceptance Criteria

  • Verification can report sender readiness per domain and per reply identity.
  • Output is machine-readable and safe to cite in template/private receipts.
  • It distinguishes Cloudflare Email Service support from optional provider adapters such as Resend.
  • It does not expose secret values.
  • It does not send live mail unless explicitly requested.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentationenhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions