Skip to content

Email Pipeline

Saga the Watchful — Seneschal

By the end of this chapter you’ll understand:

  • How inbound mail is accepted via Cloudflare Email Routing and forwarded to the regent’s inbox
  • How the licensing Worker delivers license keys through Resend’s API
  • Why the subdomain split keeps SPF records clean and how SPF, DKIM, and DMARC interlock

What it is

The inbound and outbound email infrastructure for casaconomy.com. Inbound mail arrives via Cloudflare Email Routing and forwards to the regent’s Proton mailbox. Outbound mail (license keys, notifications) is sent through Resend’s API from the licensing Worker.

How it fits

Email is the “bannerstone” — the first external-facing service the keep raised, and the foundation that licensing and future user communication rest on. It sits entirely on the Cloudflare + Resend axis, requiring no additional providers.

Cloudflare DNS

Outbound

Inbound

SMTP

forward

POST /emails

SMTP via SES

validated by

signs with

checks

External sender

CF Email Routing

casaconomy.com MX

Proton

casaconomy@proton.me

Licensing Worker

licenses.casaconomy.com

Resend API

send.casaconomy.com

User inbox

SPF records

DKIM keys

DMARC policy

Components

SourceResponsibility
.agents/skills/casaconomy-cloudflare/references/zone.mdCanonical DNS + Email Routing state (source of truth)
.agents/skills/casaconomy-cloudflare/scripts/cfOperator CLI for CF zone: MX records, routing rules, destinations
.agents/skills/casaconomy-resend/references/account.mdCanonical Resend state: domain, tokens, aliases
.agents/skills/casaconomy-resend/scripts/resendOperator CLI for Resend: send, verify domains, check delivery
workers/licensing/src/lib/email.tsProduction send functions: sendWelcomeEmail(), sendRevocationEmail()
workers/licensing/src/handlers/access_request.tsTrigger: license issuance calls sendWelcomeEmail()

Data flow

Inbound path

  1. External sender delivers to hello@, support@, or licenses@casaconomy.com
  2. CF MX records (route{1,2,3}.mx.cloudflare.net, priority 43/48/51) accept delivery
  3. CF Email Routing evaluates rules — all addresses plus catch-all forward to casaconomy@proton.me
  4. Proton receives and stores. Regent reads on phone or desktop.

Outbound path (license delivery)

User inboxAWS SES (eu-west-1)Resend APILicensing WorkerUserUser inboxAWS SES (eu-west-1)Resend APILicensing WorkerUserSPF passes (envelope-from: send.casaconomy.com)DKIM passes (resend._domainkey.casaconomy.com)DMARC passes (p=none → monitor)POST /v1/access-requests {email}generate license key, store in D1POST /emails {from: licenses@, to: user, key}relay via SESdeliver with DKIM signature

DNS authentication records

The domain split isolates inbound and outbound SPF without collision.

TypeNamePurpose
MX (3 records)casaconomy.comCF Email Routing acceptance
TXT (SPF)casaconomy.cominclude:_spf.mx.cloudflare.net ~all — inbound only
TXT (DKIM)cf2024-1._domainkey.casaconomy.comCF Email Routing DKIM for forwarded mail
MXsend.casaconomy.comSES bounce feedback path
TXT (SPF)send.casaconomy.cominclude:amazonses.com ~all — outbound envelope-from
TXT (DKIM)resend._domainkey.casaconomy.comResend DKIM for From-header domain
TXT (DMARC)_dmarc.casaconomy.comv=DMARC1; p=none; rua=mailto:hello@casaconomy.com; aspf=s; adkim=s

Why the subdomain split works: SPF checks the envelope-from (send.casaconomy.com), while DKIM and DMARC check the From-header domain (casaconomy.com). Each authentication mechanism validates against the right scope without interference.

DMARC ratchet plan: p=none (monitor) → p=quarantine after 1 clean week of aggregate reports → p=reject after 2 more clean weeks. Aggregate reports arrive at hello@casaconomy.com.

Secrets and tokens

All secrets are machine-local, never committed.

SecretScopeStorage
CLOUDFLARE_API_TOKENZone:DNS:Edit, Zone:Email Routing Rules:Edit~/.paperclip/secrets/cloudflare.env
RESEND_API_TOKENSend-only (production code + Worker)~/.paperclip/secrets/resend.env + wrangler secret
RESEND_ADMIN_TOKENFull access (operator tasks, revoked between sessions)~/.paperclip/secrets/resend.env

Failure modes + recovery

FailureWhat happensRecovery
CF Email Routing destination unverifiedInbound mail silently droppedRe-verify via cf email destinations; check regent’s Proton spam
Resend API token expired/revokedOutbound sends fail with 401; Worker returns 500 to callerRotate token in Resend dashboard, update wrangler secret put RESEND_API_TOKEN
DKIM key rotationOld key still valid during overlap; no gapResend handles rotation; verify via resend domains records
DMARC reject on legitimate mailMail quarantined or rejected by recipientCheck rua aggregate reports; if false positive, relax DMARC back to p=quarantine
SES bounce rate too highResend / SES may throttle or suspend sendingMonitor Resend dashboard; clean recipient list

What’s planned to change

  • DMARC ratchet — move from p=none to p=reject once aggregate reports show clean alignment (tracked manually, no CAS yet).
  • CAS-1093 (sync) — sync notifications may add a second outbound email trigger from sync.casaconomy.com Worker.
  • CAS-1100 (licensing tiers) — paid tier emails (receipts, renewal reminders) will add templates to workers/licensing/src/lib/email.ts.

Worked example

The outbound sequence diagram above — user submits an access request, Worker generates a license key, Resend delivers it through SES — is the canonical worked example for this chapter. Each authentication record in the DNS table plays a specific role in that delivery: SPF validates the sending server, DKIM signs the message, DMARC tells receiving servers what to do when checks fail.

Recap

  • Inbound mail is accepted at Cloudflare’s MX records and forwarded to casaconomy@proton.me — the relay never touches our own servers.
  • Outbound license keys travel from the licensing Worker through Resend’s API, signed with DKIM, delivered via SES.
  • The subdomain split (casaconomy.com for inbound, send.casaconomy.com for outbound) keeps the two SPF records from colliding, which is what makes DMARC alignment possible.

What changed {#what-changed}

This chapter was introduced in CAS-3637 Phase 3 (The Casaconomy Book) as the canonical reference for the email infrastructure.

See: CHANGELOG → 2026-05-18