From de269338e9a6d19e54aada4fa90888fbdabc3930 Mon Sep 17 00:00:00 2001 From: John Carmack Date: Fri, 26 Jun 2026 20:31:45 -0700 Subject: [PATCH] Add Google Search Console verification to the apex TXT record Google domain-property verification needs a google-site-verification TXT at the apex. Route 53 allows only one TXT record-set per name, so the string is appended to the existing apex record alongside the SPF policy rather than as a second record (which Route 53 would reject). --- cdk/lib/email-stack.ts | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/cdk/lib/email-stack.ts b/cdk/lib/email-stack.ts index 2b94632..c50df20 100644 --- a/cdk/lib/email-stack.ts +++ b/cdk/lib/email-stack.ts @@ -48,11 +48,17 @@ export class StormdeckEmailStack extends Stack { identity: ses.Identity.publicHostedZone(zone), }); - // SPF — authorize Amazon SES to send for the domain. + // Apex TXT record set. Route 53 allows only one TXT record-set per name, so + // the SPF policy (authorizing Amazon SES to send) and the Google Search + // Console domain-verification string share this single record. (Logical id + // stays 'Spf' so CFN updates the values in place, not replacing the record.) new route53.TxtRecord(this, 'Spf', { zone, recordName: DOMAIN, - values: ['v=spf1 include:amazonses.com ~all'], + values: [ + 'v=spf1 include:amazonses.com ~all', + 'google-site-verification=bEdN5MsLRKcHmi5xlGSQRal-T7iLtQnR9LKO9EkAvFQ', + ], }); // DMARC — monitor mode to start; tighten after watching reports.