Email Pipeline

Owner: Saga (Seneschal)
Last reviewed: 2026-04-29 by Saga
Next review: 2026-07-29
Source paths: .agents/skills/casaconomy-cloudflare/, .agents/skills/casaconomy-resend/, workers/licensing/src/lib/email.ts

What it is

The inbound and outbound email infrastructure for casaconomy.com. Inbound mail arrives via Cloudflare Email Routing and forwards to the regent’s Proton mailbox. Outbound mail (license keys, notifications) is sent through Resend’s API from the licensing Worker.

How it fits

Email is the “bannerstone” — the first external-facing service the keep raised, and the foundation that licensing and future user communication rest on. It sits entirely on the Cloudflare + Resend axis, requiring no additional providers.

[Diagram: email flow]

Inbound: External sender → (SMTP) → CF Email Routing (casaconomy.com MX) → (forward) → Proton (casaconomy@proton.me)

Outbound: Licensing Worker (licenses.casaconomy.com) → (POST /emails) → Resend API (send.casaconomy.com) → (SMTP via SES) → User inbox

Cloudflare DNS: SPF records, DKIM keys, DMARC policy (edge labels in the diagram: validated by, signs with, checks)

Components

| Source | Responsibility |
| --- | --- |
| .agents/skills/casaconomy-cloudflare/references/zone.md | Canonical DNS + Email Routing state (source of truth) |
| .agents/skills/casaconomy-cloudflare/scripts/cf | Operator CLI for CF zone: MX records, routing rules, destinations |
| .agents/skills/casaconomy-resend/references/account.md | Canonical Resend state: domain, tokens, aliases |
| .agents/skills/casaconomy-resend/scripts/resend | Operator CLI for Resend: send, verify domains, check delivery |
| workers/licensing/src/lib/email.ts | Production send functions: sendWelcomeEmail(), sendRevocationEmail() |
| workers/licensing/src/handlers/access_request.ts | Trigger: license issuance calls sendWelcomeEmail() |

Data flow

Inbound path

  1. External sender delivers to hello@, support@, or licenses@casaconomy.com
  2. CF MX records (route{1,2,3}.mx.cloudflare.net, priority 43/48/51) accept delivery
  3. CF Email Routing evaluates rules — all addresses plus catch-all forward to casaconomy@proton.me
  4. Proton receives and stores. Regent reads on phone or desktop.

Outbound path (license delivery)

[Sequence diagram. Participants: User, Licensing Worker, Resend API, AWS SES (eu-west-1), User inbox]

  1. User → Licensing Worker: POST /v1/access-requests {email}
  2. Licensing Worker: generate license key, store in D1
  3. Licensing Worker → Resend API: POST /emails {from: licenses@, to: user, key}
  4. Resend API → AWS SES: relay via SES
  5. AWS SES → User inbox: deliver with DKIM signature

Notes in the diagram: SPF passes (envelope-from: send.casaconomy.com); DKIM passes (resend._domainkey.casaconomy.com); DMARC passes (p=none → monitor).

DNS authentication records

The domain split isolates inbound and outbound SPF without collision.

| Type | Name | Purpose |
| --- | --- | --- |
| MX (3 records) | casaconomy.com | CF Email Routing acceptance |
| TXT (SPF) | casaconomy.com | include:_spf.mx.cloudflare.net ~all — inbound only |
| TXT (DKIM) | cf2024-1._domainkey.casaconomy.com | CF Email Routing DKIM for forwarded mail |
| MX | send.casaconomy.com | SES bounce feedback path |
| TXT (SPF) | send.casaconomy.com | include:amazonses.com ~all — outbound envelope-from |
| TXT (DKIM) | resend._domainkey.casaconomy.com | Resend DKIM for From-header domain |
| TXT (DMARC) | _dmarc.casaconomy.com | v=DMARC1; p=none; rua=mailto:hello@casaconomy.com; aspf=s; adkim=s |

Why the subdomain split works: SPF checks the envelope-from (send.casaconomy.com), while DKIM and DMARC check the From-header domain (casaconomy.com). Each authentication mechanism validates against the right scope without interference.
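
The DMARC record above sets aspf=s and adkim=s, so alignment is an exact-match test against the From-header domain. The following added example (not code from the Casaconomy repository) evaluates that for the outbound path; the DKIM domain d=casaconomy.com is inferred from the resend._domainkey.casaconomy.com record, and org_domain() is a two-label simplification rather than a Public Suffix List lookup.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real evaluators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":                         # strict: exact match required
        return a == f
    return org_domain(a) == org_domain(f)   # relaxed: same organizational domain


def evaluate(record, from_domain, spf_pass, envelope_from, dkim_pass, dkim_d):
    """DMARC passes if at least one mechanism both passes and aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(envelope_from, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "policy": tags.get("p", "none")}


# DMARC record as published on this page.
RECORD = "v=DMARC1; p=none; rua=mailto:hello@casaconomy.com; aspf=s; adkim=s"

if __name__ == "__main__":
    # Normal outbound message: SPF on send.casaconomy.com, DKIM d=casaconomy.com.
    print(evaluate(RECORD, "casaconomy.com", True, "send.casaconomy.com",
                   True, "casaconomy.com"))
    # Same message with a DKIM signature that no longer verifies.
    print(evaluate(RECORD, "casaconomy.com", True, "send.casaconomy.com",
                   False, "casaconomy.com"))
```

With these records SPF authenticates but does not align under aspf=s, so the DMARC pass rests on the Resend DKIM signature alone. A message whose signature fails verification therefore fails DMARC, which matters once the policy moves past p=none.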

DMARC ratchet plan: p=none (monitor) → p=quarantine after 1 clean week of aggregate reports → p=reject after 2 more clean weeks. Aggregate reports arrive at hello@casaconomy.com.
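
One way to check a week of aggregate reports before each ratchet step, as an added example (not the project's own tooling). The report is a constructed sample in the standard DMARC aggregate XML layout, and "clean" is assumed to mean that no message failed DMARC; failing sources still need an operator to decide whether they are legitimate senders.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (documentation IP ranges), not real casaconomy.com data.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>casaconomy.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>casaconomy.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>casaconomy.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize(xml_text: str) -> dict:
    """Count messages and DMARC failures in one aggregate (rua) report."""
    # Reports come from third parties: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in untrusted report")
    root = ET.fromstring(xml_text)
    total, failing = 0, {}
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", default="0"))
        dkim = rec.findtext("row/policy_evaluated/dkim", default="fail").strip().lower()
        spf = rec.findtext("row/policy_evaluated/spf", default="fail").strip().lower()
        total += count
        # policy_evaluated holds aligned results; DMARC fails when neither passed.
        if dkim != "pass" and spf != "pass":
            ip = rec.findtext("row/source_ip", default="unknown").strip()
            failing[ip] = failing.get(ip, 0) + count
    return {"total": total, "dmarc_fail": sum(failing.values()),
            "failing_sources": failing}


def week_is_clean(reports: list) -> bool:
    """Assumed definition of 'clean': no message failed DMARC in any report."""
    return all(summarize(r)["dmarc_fail"] == 0 for r in reports)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print("clean week:", week_is_clean([SAMPLE_REPORT]))
```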

Secrets and tokens

All secrets are machine-local, never committed.

| Secret | Scope | Storage |
| --- | --- | --- |
| CLOUDFLARE_API_TOKEN | Zone:DNS:Edit, Zone:Email Routing Rules:Edit | ~/.paperclip/secrets/cloudflare.env |
| RESEND_API_TOKEN | Send-only (production code + Worker) | ~/.paperclip/secrets/resend.env + wrangler secret |
| RESEND_ADMIN_TOKEN | Full access (operator tasks, revoked between sessions) | ~/.paperclip/secrets/resend.env |

Failure modes + recovery

| Failure | What happens | Recovery |
| --- | --- | --- |
| CF Email Routing destination unverified | Inbound mail silently dropped | Re-verify via cf email destinations; check regent’s Proton spam |
| Resend API token expired/revoked | Outbound sends fail with 401; Worker returns 500 to caller | Rotate token in Resend dashboard, update wrangler secret put RESEND_API_TOKEN |
| DKIM key rotation | Old key still valid during overlap; no gap | Resend handles rotation; verify via resend domains records |
| DMARC reject on legitimate mail | Mail quarantined or rejected by recipient | Check rua aggregate reports; if false positive, relax DMARC back to p=quarantine |
| SES bounce rate too high | Resend / SES may throttle or suspend sending | Monitor Resend dashboard; clean recipient list |

What’s planned to change

  • DMARC ratchet — move from p=none to p=reject once aggregate reports show clean alignment (tracked manually, no CAS yet).
  • CAS-1093 (sync) — sync notifications may add a second outbound email trigger from sync.casaconomy.com Worker.
  • CAS-1100 (licensing tiers) — paid tier emails (receipts, renewal reminders) will add templates to workers/licensing/src/lib/email.ts.

What changed

This chapter was introduced in CAS-3637 Phase 3 (The Casaconomy Book) as the canonical reference for the email infrastructure.

See: CHANGELOG → 2026-05-18