type: decision
status: active
timestamp: 2026-06-20
tags: [decisions, infrastructure, dns, email, spaceship, cloudflare]
status: active
timestamp: 2026-06-20
tags: [decisions, infrastructure, dns, email, spaceship, cloudflare]
Spaceship is the registrar; Cloudflare hosts DNS + email routing
Domains at Spaceship. NS to Cloudflare. Email Routing to Gmail
Spaceship is the registrar; Cloudflare hosts DNS + email routing
Decision
Three roles, three places, one inbox:
- Registrar = Spaceship. The user’s existing registrar holds
oriz.in,oriz.me, and any future family domains. WHOIS privacy is on, auto-renew enabled. - DNS host = Cloudflare DNS. Spaceship NS records point at Cloudflare’s nameservers. All A / AAAA / CNAME / MX / TXT records are managed at Cloudflare.
- Inbound email = Cloudflare Email Routing ? forwards
*@oriz.in,*@oriz.me, and every per-extension / per-site subdomain into one Gmail inbox. The family does not host mailboxes.
This supersedes the earlier “use Cloudflare Registrar everywhere”
direction — Cloudflare Registrar stays documented as a swap target
in services/infra/domain/cloudflare-registrar.md
but is not the active pick.
Why
- The user already runs Spaceship as their existing registrar across personal domains. Consolidating the new
oriz*domains there keeps renewal management in one place — fewer dashboards, fewer payment methods to track, one set of renewal alerts in Gmail. - DNS at Cloudflare is non-negotiable: it integrates Pages / Workers / R2 / DNS / Email Routing in one dashboard, and is free at any scale the family hits. Spaceship’s bundled DNS is fine but doesn’t have the integration surface.
- Cloudflare Email Routing is free up to 200 routing addresses per zone with unlimited forwarding volume — far more than the family will ever need. Pairs with Resend for outbound, so receive ? send both stay free.
- One Gmail inbox is the simplest possible mail surface — all routing rules live at Cloudflare; per-purpose labels live at Gmail; no additional inbox to monitor.
- Domain renewal at Spaceship is the same narrow card-on-file exception the family already accepts for any registrar (see
no-card-on-file.md) — it’s not a new exception.
Implications
DNS / domain plumbing
- At Spaceship: NS records for each zone set to the pair Cloudflare assigns (
xxx.ns.cloudflare.com). Verify withdig NS oriz.in. - Cloudflare DNS holds all other records:
- Apex
oriz.in? Cloudflare Pages project for the home site *.oriz.insubdomains ? individual Cloudflare Pages projects (persubdomains-under-oriz-in.md,cloudflare-pages-for-all-sites.md)auth.oriz.in? Firebase Auth’s hosted handlerapi.oriz.in? Hono Workers.oriz.in? short-link Workerstatus.oriz.in? Better Stack status pagestatus-backup.oriz.in? Instatus mirror- MX ? Cloudflare Email Routing’s three MX hosts
- Apex
Email plumbing
- Cloudflare Email Routing: catch-all
*@oriz.in ? <user>@gmail.com, plus curated rules forsupport@,security@,dmarc@,noreply@(drop). - SPF:
v=spf1 include:_spf.mx.cloudflare.net include:<resend-spf-host> -all— verify the merged SPF stays inside the 10-lookup limit. - DMARC:
v=DMARC1; p=quarantine; rua=mailto:dmarc@oriz.in;(forwards to Gmail). - DKIM: Resend’s keys for outbound; Email Routing preserves original DKIM state on inbound forwards.
- Gmail filters apply per-purpose labels (
oriz/support,oriz/security, …) so a single inbox stays navigable.
Operational
- Renewal notifications route to the same Gmail inbox via the catch-all ? starred + labelled by Gmail filters.
- Adding a new
oriz*domain: register at Spaceship ? add zone at Cloudflare ? flip NS at Spaceship ? enable Email Routing at Cloudflare ? add catch-all rule. ~10 minutes. - Migrating an existing domain TO Spaceship: 5-7 day registrar transfer. DNS stays put on Cloudflare throughout — zero resolution downtime.
What we don’t do
- No Spaceship DNS — even though it’s free, NS-delegating to Cloudflare gets us the integrated dashboard and free DDoS / Pages auto-wire.
- No Spaceship email forwarder — Cloudflare Email Routing is the only forwarder used.
- No mailbox hosting — the family neither runs Postfix nor pays for Google Workspace / Fastmail / Migadu. Inbound forwards to one Gmail; outbound goes through Resend.
- No Cloudflare Registrar for new domains — Spaceship is now the active registrar. Cloudflare Registrar stays documented as a swap target only.
Cross-refs
- Spaceship registrar service entry
- Cloudflare DNS service entry
- Cloudflare Email Routing service entry
- Cloudflare Registrar — documented swap target
- Cloudflare Pages for all sites
- Subdomains under oriz.in
- Resend — outbound transactional
- No card-on-file rule — domain-renewal exception