Creating a Yandex Cloud Postbox address and verifying domain ownership with Terraform
In this tutorial, you will use Terraform to create an address in Yandex Cloud Postbox and add resource records to your domain’s DNS zone to verify domain ownership and send emails.
You can add a resource record for domain ownership verification to Yandex Cloud DNS, if you have delegated the domain, or with your domain registrar.
To access Yandex Cloud Postbox, the tutorial uses an API compatible with AWS SESv2, so the AWS
- Get your cloud ready.
- Delegate your domain to Cloud DNS.
- Prepare keys for signing emails.
- Create your infrastructure.
- Test the service.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page
Learn more about clouds and folders here.
Required paid resources
The costs to support the infrastructure for creating an address, verifying domain ownership, and sending emails include:
- Fee for sent emails (see Yandex Cloud Postbox pricing).
- Fee for public DNS queries and DNS zones if using Yandex Cloud DNS (see Cloud DNS pricing).
Delegate your domain to Cloud DNS
If you have a registered domain name, you can use Yandex Cloud DNS to manage the domain.
To delegate a domain to Cloud DNS, in your account on your domain registrar's website, specify the DNS server addresses in the domain settings:
ns1.yandexcloud.net
ns2.yandexcloud.net
Delegation does not take effect immediately. Internet provider servers normally update records within 24 hours (86,400 seconds). This depends on the TTL value which specifies how long domain records are cached.
You can check domain delegation using Whois or the dig utility:
dig +short NS example.com
Result:
ns2.yandexcloud.net.
ns1.yandexcloud.net.
Prepare keys for signing emails
To sign emails, create an RSA
- Create a generate-key.sh script with the following contents:
  #!/bin/bash
  # Stop on the first failed command and create the key files readable by the owner only
  set -euo pipefail
  umask 077
  # Generate private key
  openssl genrsa -out raw_privatekey.pem 2048
  # Generate public key from the private key
  openssl rsa -in raw_privatekey.pem -pubout -out publickey.pem
  # Process private key for AWS (remove headers and line breaks)
  cat raw_privatekey.pem | grep -v "BEGIN" | grep -v "END" | tr -d '\n' > privatekey.pem
  # Format public key for DKIM DNS TXT record
  # Remove headers, strip newlines and concatenate for DNS TXT record
  DKIM_DNS_VALUE=$(cat publickey.pem | grep -v "BEGIN" | grep -v "END" | tr -d '\n')
  echo "$DKIM_DNS_VALUE" > dkim_dns_value.txt
  echo "Keys generated:"
  echo "- privatekey.pem (AWS-formatted private key)"
  echo "- publickey.pem (Public key)"
  echo "- raw_privatekey.pem (Original private key with headers)"
  echo "- dkim_dns_value.txt (Public key formatted for DKIM DNS TXT record)"
- In the terminal, navigate to the folder with the script and run it:
  ./generate-key.sh
The script will create:
- privatekey.pem: Private key in the AWS provider’s format.
- publickey.pem: Public key.
- raw_privatekey.pem: Original private key.
- dkim_dns_value.txt: Value for creating a DKIM record.
Create your infrastructure
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant documentation on the Terraform
To create an infrastructure using Terraform:
- Install Terraform, get the credentials, and specify the source for installing Yandex Cloud (see Configure a provider, step 1).
- Set up your infrastructure description files:
  - Clone the repository with configuration files.
    git clone https://github.com/yandex-cloud-examples/yc-postbox-tf.git
  - Navigate to the repository directory. Make sure it contains the following files:
    - postbox-email-identity.tf: New infrastructure configuration
    - postbox-email-identity.auto.tfvars: User data file
  Learn more about the properties of Terraform resources in the relevant Terraform guides.
- In the postbox-email-identity.auto.tfvars file, set the following user-defined properties:
  - folder_id: Folder ID.
  - domain_signing_selector: Selector for domain signing, e.g., _postbox.
  - domain: Domain for sending emails, e.g., mail.example.com.
  - dns_zone_name: Name of an existing DNS zone to which the record will be added.
- Create the resources:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
    terraform validate
    If the configuration is correct, you will get this message:
    Success! The configuration is valid.
  - Run this command:
    terraform plan
    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
  - Apply the changes:
    terraform apply
  - Type yes and press Enter to confirm the changes.
Note
If using a different DNS service, you need to add the DKIM record yourself as described in the service documentation. You can use the following Terraform code to get the DKIM record value:
output "dkim_record" {
  value = {
    value = "v=DKIM1;h=sha256;k=rsa;p=${trim(local.public_key, "\n")}"
    name  = "${var.domain_signing_selector}._domainkey.${var.domain}"
    type  = "TXT"
    ttl   = 3600
  }
}
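When you publish this record with another DNS service, keep in mind that a single TXT character-string holds at most 255 bytes, while the value built from a 2048-bit key is longer, so it usually has to be entered as several quoted strings. The shell functions below are an added example, not part of the original tutorial or its repository: they split the value that way and compare a published answer, as printed by `dig +short TXT`, with the local key from dkim_dns_value.txt. The function names are hypothetical and the sample key is constructed.

```bash
# Added example; function names are hypothetical and the key below is constructed.

# Build the TXT RDATA for the DKIM record from a base64 public key
# (the contents of dkim_dns_value.txt). One TXT character-string holds at
# most 255 bytes, so the value is split into quoted chunks.
dkim_txt_rdata() {
  printf 'v=DKIM1;h=sha256;k=rsa;p=%s\n' "$1" |
    fold -w 255 | sed 's/.*/"&"/' | paste -sd ' ' -
}

# Rejoin one TXT answer as printed by `dig +short TXT` ("chunk1" "chunk2").
dkim_join_txt() {
  printf '%s\n' "$1" | sed -e 's/" *"//g' -e 's/^"//' -e 's/"$//'
}

# Extract the p= tag; tags are separated by ';' and may be padded with spaces.
dkim_tag_p() {
  printf '%s\n' "$1" | tr ';' '\n' |
    sed -n 's/^[[:space:]]*p=[[:space:]]*//p' | tr -d '[:space:]'
}

# Succeed only if the published record carries exactly the local key.
# $1: TXT answer, $2: local base64 key. An empty key never matches.
dkim_matches() {
  [ -n "$2" ] && [ "$(dkim_tag_p "$(dkim_join_txt "$1")")" = "$2" ]
}

# Constructed stand-in with the length of a 2048-bit RSA public key in base64
# (392 characters); in practice use: key=$(cat dkim_dns_value.txt)
key=$(printf '%0392d' 0 | tr 0 A)
rdata=$(dkim_txt_rdata "$key")
echo "$rdata"

# In practice: published=$(dig +short TXT "<selector>._domainkey.<domain>")
published=$rdata
if dkim_matches "$published" "$key"; then
  echo "DKIM record matches the local public key"
else
  echo "DKIM record is missing or does not match"
fi
```

A mismatch after the TTL has expired usually means the record was pasted with a truncated or re-wrapped key, so compare the rejoined value rather than the raw quoted strings.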
After creating the infrastructure, test the service.
Test the service
Make sure the address was successfully created and send a test email:
- In the management console, select the folder where you created the address.
- Select Cloud Postbox.
- Select the address you created and make sure the test status on the address page has changed to Success.
- Send a test email.
How to delete the resources you created
To stop paying for the resources you created:
- Open the postbox-email-identity.tf file and delete your infrastructure description from it.
- Apply the changes:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
    terraform validate
    If the configuration is correct, you will get this message:
    Success! The configuration is valid.
  - Run this command:
    terraform plan
    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
  - Apply the changes:
    terraform apply
  - Type yes and press Enter to confirm the changes.