DNS drift
Compare expected records vs Cloudflare live state.
Hetzner reverse DNS (PTR)
PTR must match MAIL_HOSTNAME (e.g. mail.yourdomain) for deliverability. Uses POST /api/infra/apply-ptr when Hetzner token and server ID are configured.
DKIM (DNS)
DKIM TXT is included in the profile after Mailcow provision — the agent pulls the public key from Mailcow Redis and merges it into the DNS plan. Run Apply DNS below once provisioning completes. If the cloudflare.dkim check fails, re-apply DNS after Mailcow is healthy.