diff --git a/nix/sources.json b/nix/sources.json
index a5251eff..a1fb15de 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -131,10 +131,10 @@
         "homepage": null,
         "owner": "arcnmx",
         "repo": "tf-nix",
-        "rev": "217a0d1c61da95d0cb91c9f52138743d0dfc6e4e",
-        "sha256": "0fr740nj0c3sldl5f7abrdxlfpr2iz15ghpafmhhrrgvbyh24aq4",
+        "rev": "3b875e43623265965c111d701b3224f5cc11952b",
+        "sha256": "0xwk56g848c3mc6g4wz8m7dv7bk6z6b1ajck2ddf4ghnllylc87p",
         "type": "tarball",
-        "url": "https://github.com/arcnmx/tf-nix/archive/217a0d1c61da95d0cb91c9f52138743d0dfc6e4e.tar.gz",
+        "url": "https://github.com/arcnmx/tf-nix/archive/3b875e43623265965c111d701b3224f5cc11952b.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }
diff --git a/services/mail.nix b/services/mail.nix
index 9db28903..0f2e9737 100644
--- a/services/mail.nix
+++ b/services/mail.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, witch, sources, ... }:
+{ config, lib, pkgs, witch, sources, ... }:
+
+with lib;
 
 {
   imports = [ sources.nixos-mailserver.outPath ];
@@ -12,6 +14,12 @@
     };
   };
 
+  deploy.tf.dns.records.kittywitch_spf = {
+    tld = "kittywit.ch.";
+    domain = "@";
+    txt.value = "v=spf1 ip4:168.119.126.111 ip6:${(head config.networking.interfaces.enp1s0.ipv6.addresses).address} -all";
+  };
+
   mailserver = {
     enable = true;
     fqdn = "athame.kittywit.ch";