Raxx · internal docs


Email DNS State — moosequest.net

Purpose: Authoritative record of email authentication DNS for moosequest.net.
DNS authority: Oracle Dyn (home + business DNS — stays on Dyn per ops policy).
Last audited: 2026-05-11 UTC
Audited by: sre-agent (issues #1214)


Current state (as of 2026-05-11 UTC audit)

DNS was queried via dig +short against public resolvers. Results reflect Dyn-published records at time of audit.

| Record | Type | Expected | Actual (audited) | Status |
| --- | --- | --- | --- | --- |
| moosequest.net TXT (SPF) | TXT | v=spf1 include:_spf.google.com ~all | (empty — no TXT record) | MISSING |
| google._domainkey.moosequest.net TXT (DKIM) | TXT | Google Workspace DKIM public key | (no record) | MISSING |
| _dmarc.moosequest.net TXT (DMARC) | TXT | At minimum v=DMARC1; p=none; rua=mailto:... | (no record) | MISSING |
| moosequest.net MX | MX | Google Workspace MX fleet | 5 aspmx.l.google.com, 10 alt1.aspmx.l.google.com, 15 alt2.aspmx.l.google.com | PRESENT |

MX records are correct and cover Google Workspace inbound routing. All three email authentication records are absent.

Commands used

dig +short TXT moosequest.net
dig +short TXT _dmarc.moosequest.net
dig +short TXT google._domainkey.moosequest.net
dig +short MX moosequest.net

Required changes (Dyn console — operator action)

These records must be added via the Dyn DNS management console. Dyn DNS is not managed by Terraform or Cloudflare — edits are manual in the Dyn web UI.

Record 1 — SPF (add TXT at apex)

| Field | Value |
| --- | --- |
| Host | moosequest.net (apex / @) |
| Type | TXT |
| TTL | 3600 |
| Value | v=spf1 include:_spf.google.com ~all |

This covers Google Workspace outbound only. If Postmark ever sends from @moosequest.net addresses (currently it does not — Postmark sends from @raxx.app), add include:spf.mtasv.net to this record at that time. SPF lookup count: 1 (well under the 10-lookup limit).

Record 2 — DKIM (add after generating key in Google Admin)

DKIM key generation is a human step in Google Workspace Admin — it cannot be scripted externally.

Step 1 (Google Admin console):

  1. Open https://admin.google.com → Apps → Google Workspace → Gmail → Authenticate email.
  2. Select domain: moosequest.net.
  3. Click Generate new record. Choose 2048-bit key length (recommended).
  4. Google shows a TXT record with selector google and a public key value.

Step 2 (Dyn console):

| Field | Value |
| --- | --- |
| Host | google._domainkey.moosequest.net |
| Type | TXT |
| TTL | 3600 |
| Value | (the p=... key string from Google Admin — do not paste here; never inline DKIM keys in repo files) |

Step 3 (Google Admin console): After adding the DNS record and waiting ~5 minutes for propagation, click Start authentication in Google Admin to activate DKIM signing.

Record 3 — DMARC (add TXT at _dmarc subdomain)

Start at p=none (monitoring only) per the card scope. Do not set p=quarantine or p=reject until a monitoring period confirms no legitimate mail is failing DMARC alignment.

| Field | Value |
| --- | --- |
| Host | _dmarc.moosequest.net |
| Type | TXT |
| TTL | 3600 |
| Value | v=DMARC1; p=none; rua=mailto:kris@moosequest.net; fo=1 |

fo=1 requests failure reports for any DMARC mechanism failure (SPF or DKIM). Reports arrive at kris@moosequest.net — the same inbox that already receives rua from raxx.app.


Expected state after fix

| Record | Expected value after remediation |
| --- | --- |
| SPF | v=spf1 include:_spf.google.com ~all |
| DKIM | selector google._domainkey.moosequest.net — key from Google Admin (2048-bit) |
| DMARC | v=DMARC1; p=none; rua=mailto:kris@moosequest.net; fo=1 |
| MX | Unchanged (already correct) |

Validation (post-fix)

After adding all three records, verify with:

# SPF
dig +short TXT moosequest.net | grep spf

# DKIM
dig +short TXT google._domainkey.moosequest.net | head -c 80

# DMARC
dig +short TXT _dmarc.moosequest.net

Expected: each command returns a non-empty result matching the values above.

For full header validation, send a test email from kris@moosequest.net to an external address and check the Authentication-Results header in the received message. Expected:

dkim=pass header.d=moosequest.net
spf=pass smtp.mailfrom=moosequest.net
dmarc=pass (policy=none)

DMARC ratchet path (Phase 2 — separate card)

After a 2–4 week monitoring window with p=none:

  1. Review DMARC aggregate reports arriving at kris@moosequest.net.
  2. Confirm no legitimate senders are failing DMARC alignment.
  3. Escalate to p=quarantine in Dyn console (update the DMARC TXT value).
  4. Monitor for 2 more weeks.
  5. Escalate to p=reject.

This matches the ratchet posture already applied to raxx.app (p=quarantine since 2026-04-22).
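
Steps 1 and 2 of the ratchet path can be partly automated. The sketch below is an added example, not part of the original runbook or of any Raxx tooling: it reads one aggregate report in the RFC 7489 XML layout and lists the source IPs whose mail failed DMARC, so the operator can decide which of them are legitimate senders. It assumes the report attachment has already been decompressed; the function name summarize_report and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (trimmed).
# Source IPs are documentation addresses, not real senders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>moosequest.net</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>moosequest.net</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>moosequest.net</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>5</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>moosequest.net</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(report_xml, domain="moosequest.net"):
    """Return (total, failing) where failing maps source IP -> message count
    for rows that failed DMARC (neither aligned DKIM nor aligned SPF passed)."""
    # Reports arrive from outside parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report; refusing to parse")
    total, failing = 0, Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        if (rec.findtext("identifiers/header_from") or "").strip().lower() != domain:
            continue
        count = int(rec.findtext("row/count") or 0)
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        total += count
        # DMARC passes when either mechanism passes with alignment.
        if dkim != "pass" and spf != "pass":
            failing[rec.findtext("row/source_ip")] += count
    return total, dict(failing)


if __name__ == "__main__":
    total, failing = summarize_report(SAMPLE_REPORT)
    print(f"{total} messages; failing sources to review: {failing}")
```
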