diff --git a/services/mail.nix b/services/mail.nix
index 0f2e9737..67f7f6dc 100644
--- a/services/mail.nix
+++ b/services/mail.nix
@@ -1,10 +1,15 @@
-{ config, lib, pkgs, witch, sources, ... }:
+{ config, lib, tf, pkgs, witch, sources, ... }:
 
 with lib;
 
 {
 imports = [ sources.nixos-mailserver.outPath ];
 
+ deploy.tf.variables.domainkey_kitty = {
+ type = "string";
+ value.shellCommand = "bitw get infra/domainkey-kitty";
+ };
+
 deploy.tf.dns.records.kittywitch_mx = {
 tld = "kittywit.ch.";
 domain = "@";
@@ -20,6 +25,18 @@ with lib;
 txt.value = "v=spf1 ip4:168.119.126.111 ip6:${(head config.networking.interfaces.enp1s0.ipv6.addresses).address} -all";
 };
 
+ deploy.tf.dns.records.kittywitch_dmarc = {
+ tld = "kittywit.ch.";
+ domain = "_dmarc";
+ txt.value = "v=DMARC1; p=none";
+ };
+
+ deploy.tf.dns.records.kittywitch_domainkey = {
+ tld = "kittywit.ch.";
+ domain = "mail._domainkey";
+ txt.value = tf.variables.domainkey_kitty.ref;
+ };
+
 mailserver = {
 enable = true;
 fqdn = "athame.kittywit.ch";
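Review bot: Nothing at `deploy.tf.variables.domainkey_kitty` says what the vault entry `infra/domainkey-kitty` must contain, yet the second hunk publishes its output verbatim as a public TXT record. I would add a comment above the variable such as `# DKIM *public* TXT record (v=DKIM1; k=...; p=...) only; this value is published in DNS, never store the private key in this entry`. It would also help to note that the entry has to be updated in the same change whenever the signing key on the mail host is rotated, otherwise outgoing mail fails DKIM verification. The `kittywitch_mx` record that follows continues outside the hunk.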
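Review bot: The `_dmarc` record in `kittywitch_dmarc` is `v=DMARC1; p=none` with no `rua=` tag, so receivers neither act on authentication failures nor report them, and spoofing of the domain stays invisible to its owner. I would publish a reporting address, `txt.value = "v=DMARC1; p=none; rua=mailto:<REPORT_ADDRESS>";` (placeholder), and add a comment that the policy should move to `p=quarantine` or `p=reject` once the reports show that legitimate mail passes SPF and DKIM alignment. Separately, for `kittywitch_domainkey`: a DKIM record for a 2048-bit RSA key is longer than the 255 bytes a single TXT character-string can hold, and the hunk does not show whether the `deploy.tf.dns.records` module splits long values, so that is worth confirming before relying on it. The `mailserver` block continues outside the hunk.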