Infrastructure

Email architecture

Two pieces: Resend handles outbound transactional mail from no-reply@getnimbus.net; Cloudflare Email Routing handles inbound mail for every named address on the zone and forwards it to the founder's Gmail.

Outbound

Resend

RESEND_API_KEY + RESEND_FROM_EMAIL + RESEND_FROM_NAME set in Vercel. SPF + DKIM verified on the zone.

Inbound

Cloudflare Email Routing

Catch-all + per-address rules → forwarded to fooglegiber@gmail.com. Receive-only by design; sending stays in Resend.

Address map

Address                   Direction  Via                Purpose
no-reply@getnimbus.net    Outbound   Resend             Transactional: receipts, password reset, 2FA codes, signup verify
support@getnimbus.net     Both       CF→Gmail / Resend  Customer support — replies via /dashboard/support tickets
abuse@getnimbus.net       Inbound    CF→Gmail           Abuse + DMCA reports
security@getnimbus.net    Inbound    CF→Gmail           Responsible disclosure
press@getnimbus.net       Inbound    CF→Gmail           Press inquiries
jobs@getnimbus.net        Inbound    CF→Gmail           Open application
enterprise@getnimbus.net  Both       CF→Gmail / Resend  Enterprise deal qualification
partners@getnimbus.net    Inbound    CF→Gmail           Partner program inquiries
hi@getnimbus.net          Inbound    CF→Gmail           Generic inbound

DNS records on getnimbus.net

# Cloudflare Email Routing — required MX
@        MX  10  route1.mx.cloudflare.net.
@        MX  21  route2.mx.cloudflare.net.
@        MX  35  route3.mx.cloudflare.net.

# SPF — Resend + Cloudflare Email Routing
@        TXT  "v=spf1 include:_spf.mx.cloudflare.net include:amazonses.com ~all"

# DKIM — Resend domain key (record name + value provided in Resend dashboard)
resend._domainkey  TXT  "v=DKIM1; k=rsa; p=<resend_public_key>"

# DMARC — alignment + reporting
_dmarc   TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@getnimbus.net"

Adding a new inbound address

  1. Cloudflare dashboard → getnimbus.net → Email → Email Routing → Routing rules
  2. Click Create address
  3. Address: whatever@getnimbus.net
  4. Action: Send to an address → pick destination
  5. Save. Propagates in <60 seconds.

Adding a new outbound sender

  1. Update RESEND_FROM_EMAIL in Vercel env
  2. Or override per-call: pass from param to sendTransactional()
  3. Verify the address in Resend dashboard if it's a new domain

Operational tips

  • Don't keep catch-all on forever. Spammers will hit random addresses. Once you've enumerated the addresses you actually use, disable the catch-all and rely on per-address routing.
  • DMARC starts at p=quarantine, not reject. Watch two weeks of reports, then tighten to p=reject.
  • Outbound from Gmail is not supported. Gmail's send-as feature requires SMTP credentials Cloudflare Email Routing does not expose. Always route outbound through Resend.