feat(console): DKIM, DMARC & SPF records for custom domains

.github/workflows/main-starbase.yaml

@@ -51,7 +51,9 @@ jobs:
           secrets: |
             INTERNAL_CLOUDFLARE_ZONE_ID
             TOKEN_CLOUDFLARE_API
+            INTERNAL_DKIM_SELECTOR
         env:
           NODE_ENV: 'development'
           INTERNAL_CLOUDFLARE_ZONE_ID: ${{ secrets.INTERNAL_CLOUDFLARE_ZONE_ID }}
           TOKEN_CLOUDFLARE_API: ${{ secrets.TOKEN_CLOUDFLARE_API }}
+          INTERNAL_DKIM_SELECTOR: ${{ secrets.INTERNAL_DKIM_SELECTOR }}

.github/workflows/next-starbase.yaml

@@ -51,6 +51,8 @@ jobs:
           secrets: |
             INTERNAL_CLOUDFLARE_ZONE_ID
             TOKEN_CLOUDFLARE_API
+            INTERNAL_DKIM_SELECTOR
         env:
           INTERNAL_CLOUDFLARE_ZONE_ID: ${{ secrets.INTERNAL_CLOUDFLARE_ZONE_ID }}
           TOKEN_CLOUDFLARE_API: ${{ secrets.TOKEN_CLOUDFLARE_API }}
+          INTERNAL_DKIM_SELECTOR: ${{ secrets.INTERNAL_DKIM_SELECTOR }}

.github/workflows/release-starbase.yaml

@@ -50,7 +50,9 @@ jobs:
           secrets: |
             INTERNAL_CLOUDFLARE_ZONE_ID
             TOKEN_CLOUDFLARE_API
+            INTERNAL_DKIM_SELECTOR
         env:
           NODE_ENV: 'development'
           INTERNAL_CLOUDFLARE_ZONE_ID: ${{ secrets.INTERNAL_CLOUDFLARE_ZONE_ID }}
           TOKEN_CLOUDFLARE_API: ${{ secrets.TOKEN_CLOUDFLARE_API }}
+          INTERNAL_DKIM_SELECTOR: ${{ secrets.INTERNAL_DKIM_SELECTOR }}

apps/console/app/routes/apps/$clientId/domain-wip.tsx

@@ -25,10 +25,7 @@ import { BadRequestError } from '@proofzero/errors'
 import { getRollupReqFunctionErrorWrapper } from '@proofzero/utils/errors'
 
 import createStarbaseClient from '@proofzero/platform-clients/starbase'
-import {
-  getAuthzHeaderConditionallyFromToken,
-  getDNSRecordValue,
-} from '@proofzero/utils'
+import { getAuthzHeaderConditionallyFromToken } from '@proofzero/utils'
 import { generateTraceContextHeaders } from '@proofzero/platform-middleware/trace'
 
 import type { CustomDomain } from '@proofzero/platform.starbase/src/types'
@@ -37,6 +34,7 @@ import { DocumentationBadge } from '~/components/DocumentationBadge'
 import { requireJWT } from '~/utilities/session.server'
 
 import dangerVector from '~/images/danger.svg'
+
 type AppData = { customDomain?: CustomDomain; hostname: string; cname: string }
 
 export const loader: LoaderFunction = getRollupReqFunctionErrorWrapper(
@@ -55,6 +53,7 @@ export const loader: LoaderFunction = getRollupReqFunctionErrorWrapper(
     })
 
     const { hostname } = new URL(PASSPORT_URL)
+
     return json({ customDomain, hostname })
   }
 )
@@ -185,7 +184,9 @@ const HostnameStatus = ({
   const [deleteModalOpen, setDeleteModalOpen] = useState(false)
   const isPreValidated =
     customDomain.status === 'active' && customDomain.ssl.status === 'active'
-  const isValidated = isPreValidated && customDomain.dns_records.every(r => r.value === r.expected_value)
+  const isValidated =
+    isPreValidated &&
+    customDomain.dns_records.every((r) => r.value?.includes(r.expected_value))
   const bgStatusColor = isValidated ? 'bg-green-600' : 'bg-orange-500'
   const textStatusColor = isValidated ? 'text-green-600' : 'text-orange-500'
   const statusText = isValidated ? 'Validated' : 'Not Validated'
@@ -247,6 +248,7 @@ const HostnameStatus = ({
                 customDomain.ssl.validation_records?.[0].txt_value ||
                 'Setting up...'
               }
+              disableCopier={customDomain.ssl.status === 'active'}
             />
             <DNSRecord
               title="Hostname pre-validation"
@@ -258,22 +260,25 @@ const HostnameStatus = ({
               value={
                 customDomain.ownership_verification?.value || 'Setting up...'
               }
+              disableCopier={customDomain.status === 'active'}
             />
           </div>
 
           <Text size="sm" weight="medium" className="text-gray-700">
             Step 2: CNAME Record
           </Text>
           <div className="flex flex-col p-4 space-y-5 box-border border rounded-lg">
-            {isPreValidated && Array.from(customDomain.dns_records || []).map((r) => (
-              <DNSRecord
-                title={r.record_type === 'CNAME' ? '' : r.name}
-                type={r.record_type}
-                validated={r.value === r.expected_value}
-                value={r.expected_value}
-                key={r.expected_value}
-              />
-            ))}
+            {isPreValidated &&
+              Array.from(customDomain.dns_records || []).map((r) => (
+                <DNSRecord
+                  name={r.name}
+                  title={''}
+                  type={r.record_type}
+                  validated={r.value?.includes(r.expected_value) ?? false}
+                  value={r.expected_value}
+                  key={r.expected_value}
+                />
+              ))}
             {!isPreValidated && (
               <div className="flex flex-row p-4 space-x-4 bg-gray-50">
                 <TbInfoCircle size={20} className="text-gray-500 shrink-0" />
@@ -297,9 +302,10 @@ type DNSRecordProps = {
   name?: string
   value: string
   type: 'TXT' | 'CNAME'
+  disableCopier?: boolean
 }
 
-const DNSRecord = ({ title, validated, name, value, type }: DNSRecordProps) => {
+const DNSRecord = ({ title, validated, name, value, type, disableCopier = false }: DNSRecordProps) => {
   const statusColor = validated ? 'bg-green-600' : 'bg-orange-500'
   return (
     <div className="flex flex-row flex-wrap space-x-4">
@@ -320,7 +326,7 @@ const DNSRecord = ({ title, validated, name, value, type }: DNSRecordProps) => {
               >
                 {name}
               </Text>
-              <div>
+              {!disableCopier && <div>
                 <Copier
                   value={name}
                   color="text-gray-500"
@@ -332,7 +338,7 @@ const DNSRecord = ({ title, validated, name, value, type }: DNSRecordProps) => {
                     )
                   }
                 />
-              </div>
+              </div>}
             </div>
           </div>
         </div>
@@ -350,7 +356,7 @@ const DNSRecord = ({ title, validated, name, value, type }: DNSRecordProps) => {
             >
               {value}
             </Text>
-            <div>
+            {!disableCopier && <div>
               <Copier
                 value={value}
                 color="text-gray-500"
@@ -362,7 +368,7 @@ const DNSRecord = ({ title, validated, name, value, type }: DNSRecordProps) => {
                   )
                 }
               />
-            </div>
+            </div>}
           </div>
         </div>
       </div>

apps/passport/app/routes/connect/email/otp.ts

@@ -66,13 +66,9 @@ export const loader: LoaderFunction = getRollupReqFunctionErrorWrapper(
           appName: appProps.name,
         }
 
-        // Commented out because
-        // we need to figure out DKIM
-        // for custom domains
-        // https://github.com/proofzero/rollupid/issues/2326
-        // if (customDomain) {
-        //   themeProps.hostname = customDomain.hostname
-        // }
+        if (customDomain) {
+          themeProps.hostname = customDomain.hostname
+        }
       }
 
       const state = await addressClient.generateEmailOTP.mutate({

packages/utils/getDNSRecordValue.ts

@@ -3,7 +3,7 @@ import * as dnsPacket from '@dnsquery/dns-packet'
 export default async function (
   domain: string,
   recordType: 'TXT' | 'CNAME'
-): Promise<string | null> {
+): Promise<string[] | undefined> {
   function getRandomInt(min: number, max: number) {
     return Math.floor(Math.random() * (max - min + 1)) + min
   }
@@ -32,14 +32,21 @@ export default async function (
 
   const responseBuffer = new Uint8Array(await dnsQuery.arrayBuffer())
   const packet = dnsPacket.decode(responseBuffer)
-  if (!packet.answers || !packet.answers.length) return null
-
-  //We take only the first answer as if we're being specific enough with the
-  //domain, there should only be one
-  const response = packet.answers[0]
-  const recValue =
-    response.type === 'TXT'
-      ? new TextDecoder().decode((response.data as Buffer[])[0])
-      : (response.data as string)
-  return recValue
+  if (!packet.answers || !packet.answers.length) return undefined
+
+  const td = new TextDecoder()
+  const values = packet.answers.map((a) => {
+    if (a.type === 'TXT') {
+      const strParts = []
+      for (const data of a.data) {
+        strParts.push(td.decode(data as Buffer))
+      }
+
+      return strParts.join('')
+    }
+
+    return a.data as string
+  })
+
+  return values
 }

platform/email/src/emailFunctions.ts

@@ -59,7 +59,7 @@ export async function send(
             name: message.recipient.name,
           },
         ],
-        dkim_domain: env.INTERNAL_DKIM_DOMAIN,
+        dkim_domain: message.customHostname ?? env.INTERNAL_DKIM_DOMAIN,
         dkim_selector: env.INTERNAL_DKIM_SELECTOR,
         dkim_private_key: env.KEY_DKIM_PRIVATEKEY,
       },
@@ -94,6 +94,7 @@ export async function send(
 
 export type NotificationSender =
   | {
+      hostname: string
       name: string
       address: string
     }
@@ -105,12 +106,14 @@ export async function sendNotification(
   customSender?: NotificationSender
 ) {
   let from: NotificationSender = {
+    hostname: env.INTERNAL_DKIM_DOMAIN,
     name: env.NotificationFromName,
     address: `${env.NotificationFromUser}@${env.INTERNAL_DKIM_DOMAIN}`,
   }
 
   if (customSender) {
     from = {
+      hostname: customSender.hostname,
       name: customSender.name,
       address: customSender.address,
     }

platform/email/src/jsonrpc/methods/sendOTPEmail.ts

@@ -79,6 +79,7 @@ export const sendEmailNotificationMethod = async ({
   let customSender: NotificationSender
   if (input.themeProps?.hostname) {
     customSender = {
+      hostname: input.themeProps.hostname,
       address: `no-reply@${input.themeProps.hostname}`,
       name: input.themeProps.appName,
     }

platform/email/src/types.ts

@@ -31,6 +31,7 @@ export type EmailMessage = {
   from: EmailAddressComponents
   recipient: EmailAddressComponents
   content: EmailContent
+  customHostname?: string
 }
 
 export type EmailNotification = Omit<EmailMessage, 'from'>

platform/starbase/src/jsonrpc/context.ts

@@ -8,7 +8,6 @@ import { ApplicationURN } from '@proofzero/urns/application'
 import {
   generateTraceContextHeaders,
   generateTraceSpan,
-  TraceSpan,
 } from '@proofzero/platform-middleware/trace'
 
 /**
@@ -28,6 +27,7 @@ interface CreateInnerContextOptions
   INTERNAL_PASSPORT_SERVICE_NAME: string
   INTERNAL_CLOUDFLARE_ZONE_ID: string
   TOKEN_CLOUDFLARE_API: string
+  INTERNAL_DKIM_SELECTOR: string
 }
 /**
  * Inner context. Will always be available in your procedures, in contrast to the outer context.

platform/starbase/src/jsonrpc/methods/createCustomDomain.ts

@@ -55,9 +55,10 @@ export const createCustomDomain: CreateCustomDomainMethod = async ({
     )
     const customDomain: CustomDomain = {
       ...customHostname,
-      dns_records: getExpectedCustomDomainDNSRecords(
+      dns_records: await getExpectedCustomDomainDNSRecords(
         customHostname.hostname,
-        input.passportHostname
+        input.passportHostname,
+        ctx
       ),
     }
     const node = await getApplicationNodeByClientId(clientId, ctx.StarbaseApp)

platform/starbase/src/jsonrpc/methods/getAppPublicProps.ts

@@ -42,8 +42,8 @@ export const getAppPublicProps = async ({
           customDomain?.status === 'active' &&
           customDomain?.ssl.status === 'active' &&
           Boolean(
-            customDomain?.dns_records?.every(
-              (r) => r.expected_value === r.value
+            customDomain?.dns_records?.every((r) =>
+              r.value?.includes(r.expected_value)
             )
           ),
       },

platform/starbase/src/jsonrpc/validators/app.ts

@@ -108,7 +108,7 @@ export const CustomDomainDNSRecordsSchema = z.array(
     name: z.string(),
     record_type: z.union([z.literal('TXT'), z.literal('CNAME')]),
     expected_value: z.string(),
-    value: z.string().optional().nullable(),
+    value: z.array(z.string()).optional(),
   })
 )
 

platform/starbase/src/nodes/application.ts

@@ -283,7 +283,7 @@ export default class StarbaseApp extends DOProxy {
     if (
       customDomain.status === 'active' &&
       customDomain.ssl.status === 'active' &&
-      stored.dns_records.every((rec) => rec.value === rec.expected_value)
+      stored.dns_records.every((rec) => rec.value?.includes(rec.expected_value))
     )
       return this.unsetCustomDomainAlarm()
 

platform/starbase/src/types.ts

@@ -27,6 +27,7 @@ export interface Environment {
   INTERNAL_PASSPORT_SERVICE_NAME: string
   INTERNAL_CLOUDFLARE_ZONE_ID: string
   TOKEN_CLOUDFLARE_API: string
+  INTERNAL_DKIM_SELECTOR: string
 }
 
 export const EDGE_APPLICATION: EdgeURN = EdgeSpace.urn('owns/app')

platform/starbase/src/utils/cloudflare.ts

@@ -1,5 +1,6 @@
 import { InternalServerError } from '@proofzero/errors'
 import { CustomDomain, CustomDomainDNSRecords } from '../types'
+import { Context } from '../jsonrpc/context'
 
 const API_URL = 'https://api.cloudflare.com/client/v4'
 
@@ -150,17 +151,30 @@ export const deleteWorkerRoute = async (
   )
 }
 
-export const getExpectedCustomDomainDNSRecords = (
+export const getExpectedCustomDomainDNSRecords = async (
   customHostname: string,
-  passportUrl: string
-): CustomDomainDNSRecords => {
+  passportUrl: string,
+  ctx: Context
+): Promise<CustomDomainDNSRecords> => {
   const result: CustomDomainDNSRecords = []
 
-  //Add other expected DNS records here, eg. DMARC, SPF, DKIM, etc
   result.push({
     name: customHostname,
     record_type: 'CNAME',
     expected_value: passportUrl,
   })
+
+  result.push({
+    record_type: 'CNAME',
+    name: `${ctx.INTERNAL_DKIM_SELECTOR}._domainkey.${customHostname}`,
+    expected_value: `${ctx.INTERNAL_DKIM_SELECTOR}._domainkey.notifications.rollup.id`,
+  })
+
+  result.push({
+    record_type: 'CNAME',
+    name: `_dmarc.${customHostname}`,
+    expected_value: `_dmarc.notifications.rollup.id`,
+  })
+
   return result
 }