cloudflare-email_service 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e223425c0900fe465d1f698fa9a1cd8ae030e2e48c2c658216a0a2a87605ec12
-  data.tar.gz: ec9b3749cccfd800c335e16ec9b1c044d97fd993524abd44f578686cff03eaba
+  metadata.gz: cfedd8bad6300247c099669c46ecc795a2fb19faee035a1edf039717836a12b9
+  data.tar.gz: 44c03575adca32ba9e85ab037f140051fbc933afcaec13581ebcf3326df6d8ac
 SHA512:
-  metadata.gz: 76f656827c724a23ae557cb71a375eeb1cf4a85497a2d260733c7f775a7d520375fc80fbb3f19db7ec24374dd8aca018b4d3a4ddeef838048a563f1118a741e3
-  data.tar.gz: ee6b18139c3eef6372ec19a916317b76819d6ea2ee5d605aaa727d784ce2fe0abfea5944f618b369398af4c47eabc06b360727d2edd1d0178eb7f5175289ee3c
+  metadata.gz: 2c879194227a7591df1568a59857aba63d2d26b153db4ea7f4b0a5d3bb0ae38759be74429343403640e720a40b9a7c3782eeb6d6463f7796cf204980955032f3
+  data.tar.gz: 527048e68ef2e504228eeeb11df7efb55a8531fd0d11c92cf833b64a1c916e22d9feedb422636881695e4df41fb0ed89ead512a3f586e544ab6c826e1fc34ebe

data/CHANGELOG.md

@@ -4,6 +4,36 @@ All notable changes to this project are documented here. The format is based on
 [Keep a Changelog](https://keepachangelog.com/), and this project adheres to
 [Semantic Versioning](https://semver.org/).
 
+## [Unreleased]
+
+## [0.1.0] - 2026-06-18
+
+### Added
+- Optional, opt-in Action Mailbox ingress
+  (`require "cloudflare/email_service/action_mailbox"`) registering a
+  `:cloudflare` ingress at `POST /rails/action_mailbox/cloudflare/inbound_emails`.
+  A Cloudflare Email Worker forwards the raw RFC822 message, signed with
+  HMAC-SHA256 over `"<timestamp>.<body>"`; the ingress verifies the signature
+  (`CLOUDFLARE_EMAIL_INGRESS_SECRET` or the `cloudflare.ingress_secret`
+  credential) and rejects stale timestamps to block replays. The core gem stays
+  Rails-free; nothing loads unless the ingress is required.
+- A ready-to-deploy Cloudflare Email Worker ships with the gem at
+  `templates/cloudflare_email_worker.js`; find it locally via
+  `Cloudflare::EmailService.worker_template_path`.
+
+### Changed
+- Require Ruby 3.2+ (Ruby 3.1 is end-of-life and the Rails 8 integration needs
+  3.2.2+).
+- The `:cloudflare` ActionMailer delivery method now registers automatically
+  via a Railtie inside Rails — no `require "cloudflare/email_service/rails"`
+  needed. Set `config.action_mailer.delivery_method = :cloudflare` and go;
+  credentials are read from `CLOUDFLARE_ACCOUNT_ID` / `CLOUDFLARE_API_TOKEN`.
+
+### Fixed
+- `NetworkError` now also wraps TLS/SSL handshake failures
+  (`OpenSSL::SSL::SSLError`) on both transports, matching the documented error
+  contract.
+
 ## [0.0.1] - 2026-06-17
 
 ### Added

data/README.md

@@ -1,97 +1,38 @@
-# cloudflare-email_service
-
-[![CI](https://github.com/elvinaspredkelis/cloudflare-email_service/actions/workflows/ci.yml/badge.svg)](https://github.com/elvinaspredkelis/cloudflare-email_service/actions/workflows/ci.yml)
+# Cloudflare Email Service
 
 A small Ruby client for sending transactional email through the
-[Cloudflare Email Service](https://developers.cloudflare.com/email-service/),
-over either of two transports:
+[Cloudflare Email Service](https://developers.cloudflare.com/email-service/).
 
-- **REST** (default) — talks to the send endpoint directly with the Ruby
-  standard library (`net/http`). **Zero dependencies.** No Rails, no HTTP gems.
+Two interchangeable transports: **REST** (default — zero dependencies, just
+`net/http`) and **SMTP** (optional, via the [`mail`](https://rubygems.org/gems/mail)
+gem). Same `send_email` call either way; pick the transport in configuration.
 
-  ```
-  POST https://api.cloudflare.com/client/v4/accounts/{account_id}/email/sending/send
-  ```
+Developed at [Primevise](https://primevise.com).
 
-- **SMTP** — submits over `smtp.mx.cloudflare.net:465` (implicit TLS). MIME is
-  built with the [`mail`](https://rubygems.org/gems/mail) gem, which is an
-  **optional** dependency loaded only when you actually use SMTP.
+<a href="https://github.com/elvinaspredkelis/cloudflare-email_service/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/elvinaspredkelis/cloudflare-email_service/actions/workflows/ci.yml/badge.svg"></a>
+<a href="https://rubygems.org/gems/cloudflare-email_service"><img alt="Gem Version" src="https://img.shields.io/gem/v/cloudflare-email_service?color=10b981&include_prereleases&logo=ruby&logoColor=f43f5e"></a>
+<a href="https://rubygems.org/gems/cloudflare-email_service"><img alt="Gem Downloads" src="https://img.shields.io/gem/dt/cloudflare-email_service?color=10b981&include_prereleases&logo=ruby&logoColor=f43f5e"></a>
 
-Same `send_email` call either way — pick the transport in configuration.
+---
 
 ## Installation
 
-Add it to your `Gemfile`:
-
-```ruby
-gem "cloudflare-email_service"
-
-# Only if you use the SMTP transport:
-gem "mail"
 ```
-
-Then run `bundle install`. Or install directly:
-
-```sh
-gem install cloudflare-email_service
+bundle add cloudflare-email_service
 ```
 
-Requires Ruby 3.1+.
-
-## Credentials
-
-You need a Cloudflare **API token**, plus an **account id** for the REST
-transport. Token scope depends on the transport:
-
-| Transport | account id | API token scope        |
-| --------- | ---------- | ---------------------- |
-| REST      | required   | `Email Sending: Send`  |
-| SMTP      | not used   | `Email Sending: Edit`  |
-
-Provide them through the environment:
+Requires Ruby 3.2+. For the SMTP transport, also add the `mail` gem:
 
-```sh
-export CLOUDFLARE_ACCOUNT_ID="your-account-id"   # REST only
-export CLOUDFLARE_API_TOKEN="your-api-token"
-export CLOUDFLARE_EMAIL_TRANSPORT="rest"         # or "smtp" (default: rest)
 ```
-
-or explicitly in code (see below).
-
-## Choosing a transport
-
-The transport is selected once, in configuration; everything else — the
-`send_email` call, the returned `Response`, the error classes — is identical.
-
-```ruby
-# REST (default) — zero dependencies
-Cloudflare::EmailService.configure do |config|
-  config.transport  = :rest
-  config.account_id = ENV["CLOUDFLARE_ACCOUNT_ID"]
-  config.api_token  = ENV["CLOUDFLARE_API_TOKEN"]
-end
-
-# SMTP — requires the `mail` gem
-Cloudflare::EmailService.configure do |config|
-  config.transport = :smtp
-  config.api_token = ENV["CLOUDFLARE_API_TOKEN"] # account_id not needed
-end
+bundle add mail
 ```
 
-SMTP defaults to `smtp.mx.cloudflare.net:465` (implicit TLS); override with
-`config.smtp_host` / `config.smtp_port` if needed. If you select `:smtp` without
-the `mail` gem installed, a `ConfigurationError` is raised telling you to add it.
-
-You can also build a transport client directly:
-
-```ruby
-Cloudflare::EmailService::Client.new(account_id: "...", api_token: "...")     # REST
-Cloudflare::EmailService::SMTPClient.new(api_token: "...")                    # SMTP
-```
+---
 
 ## Usage
 
-### Global configuration
+Configure once with your Cloudflare API token (plus an account id for REST),
+then send:
 
 ```ruby
 require "cloudflare/email_service"
@@ -99,7 +40,6 @@ require "cloudflare/email_service"
 Cloudflare::EmailService.configure do |config|
   config.account_id = ENV["CLOUDFLARE_ACCOUNT_ID"]
   config.api_token  = ENV["CLOUDFLARE_API_TOKEN"]
-  config.timeout    = 30 # seconds (optional)
 end
 
 response = Cloudflare::EmailService.send_email(
@@ -114,91 +54,87 @@ response.success?   # => true
 response.delivered  # => ["recipient@example.com"]
 ```
 
-### Explicit client
+`Response` also exposes `#queued`, `#permanent_bounces`, `#errors`, `#status`,
+and the raw parsed `#body`.
+
+> [!TIP]
+> `from`, `to`, `cc`, `bcc`, and `reply_to` accept a string
+> (`"a@x.com"` or `"Display Name <a@x.com>"`), a hash (`{ email:, name: }`), or —
+> for `to` / `cc` / `bcc` — an array of either. Add files with
+> `attachments: [{ content: Base64.strict_encode64(bytes), filename:, type: }]`
+> and arbitrary headers with `headers: { "In-Reply-To" => "<id>" }`.
 
-Skip the global configuration and pass credentials per client — handy when you
-send from more than one account:
+> [!CAUTION]
+> The total message size (body + attachments) must not exceed **5 MiB**.
+
+Skip the global config and pass credentials per client when you send from more
+than one account:
 
 ```ruby
-client = Cloudflare::EmailService::Client.new(
-  account_id: ENV["CLOUDFLARE_ACCOUNT_ID"],
-  api_token: ENV["CLOUDFLARE_API_TOKEN"],
-)
+Cloudflare::EmailService::Client.new(account_id: "...", api_token: "...")  # REST
+Cloudflare::EmailService::SMTPClient.new(api_token: "...")                 # SMTP
+```
 
-client.send_email(
-  from: "welcome@yourdomain.com",
-  to: "recipient@example.com",
-  subject: "Welcome!",
-  text: "Thanks for signing up.",
-)
+#### Credentials
+
+Set credentials in `configure` (above) or through the environment:
+
+```sh
+export CLOUDFLARE_ACCOUNT_ID="your-account-id"   # REST only
+export CLOUDFLARE_API_TOKEN="your-api-token"
 ```
 
-### Addresses
+REST needs an `Email Sending: Send` token; SMTP needs `Email Sending: Edit` and
+no account id.
 
-`from`, `to`, `cc`, `bcc`, and `reply_to` accept:
+---
 
-- a plain string — `"user@example.com"` or `"Display Name <user@example.com>"`
-- a hash — `{ email: "user@example.com", name: "Display Name" }`
-  (`:address` is accepted as an alias for `:email`)
-- `to` / `cc` / `bcc` also accept an array of any of the above
+## Transports
 
-```ruby
-Cloudflare::EmailService.send_email(
-  from: { email: "welcome@yourdomain.com", name: "Acme" },
-  to: ["a@example.com", { email: "b@example.com", name: "B" }],
-  cc: "team@yourdomain.com",
-  reply_to: "support@yourdomain.com",
-  subject: "Hi",
-  text: "Hello",
-)
-```
+Both transports accept the same `send_email` call and return the same
+`Response` — they differ only in how the message reaches Cloudflare. Choose one
+with `config.transport`.
 
-### Attachments
+**REST** (`:rest`, the default) posts JSON to the Cloudflare API over HTTPS
+using only `net/http` from the standard library — no MIME assembly, no gems.
+Needs an `account_id` and an `Email Sending: Send` token. The right default for
+almost everything.
 
-Attachments are base64-encoded. The total message size (body + attachments)
-must not exceed **5 MiB**.
+**SMTP** (`:smtp`) submits over `smtp.mx.cloudflare.net:465` (implicit TLS), with
+MIME built by the [`mail`](https://rubygems.org/gems/mail) gem — loaded lazily,
+only when this transport is used. Needs an `Email Sending: Edit` token and no
+account id. Reach for it when your environment already speaks SMTP or only
+allows SMTP egress.
 
 ```ruby
-require "base64"
-
-Cloudflare::EmailService.send_email(
-  from: "reports@yourdomain.com",
-  to: "recipient@example.com",
-  subject: "Your report",
-  text: "See attached.",
-  attachments: [
-    {
-      content: Base64.strict_encode64(File.read("report.pdf")),
-      filename: "report.pdf",
-      type: "application/pdf",
-      disposition: "attachment", # optional
-    },
-  ],
-)
+Cloudflare::EmailService.configure do |config|
+  config.transport = :smtp           # default: :rest
+  config.api_token = ENV["CLOUDFLARE_API_TOKEN"]
+end
 ```
 
-### Custom headers
+> [!NOTE]
+> Selecting `:smtp` without the `mail` gem installed raises a
+> `ConfigurationError` telling you to add it.
+
+---
+
+## Rails
+
+Adding the gem registers a `:cloudflare` delivery method automatically — just
+point ActionMailer at it. No require, no initializer:
 
 ```ruby
-Cloudflare::EmailService.send_email(
-  from: "a@yourdomain.com",
-  to: "b@example.com",
-  subject: "Re: thread",
-  text: "Reply body",
-  headers: { "In-Reply-To" => "<msg-123@yourdomain.com>" },
-)
+# config/environments/production.rb
+config.action_mailer.delivery_method = :cloudflare
 ```
 
-## Rails / ActionMailer (optional)
-
-The core gem is Rails-agnostic. Rails integration is **opt-in** and loaded only
-when you require it — it registers a `:cloudflare` ActionMailer delivery method
-backed by whichever transport you configured.
+Credentials come from `CLOUDFLARE_ACCOUNT_ID` / `CLOUDFLARE_API_TOKEN` in the
+environment. To set them in code (or pick the SMTP transport), add an
+initializer:
 
 ```ruby
 # config/initializers/cloudflare_email_service.rb
-require "cloudflare/email_service/rails"
-
 Cloudflare::EmailService.configure do |c|
   c.account_id = Rails.application.credentials.dig(:cloudflare, :account_id)
   c.api_token  = Rails.application.credentials.dig(:cloudflare, :api_token)
@@ -206,80 +142,87 @@ Cloudflare::EmailService.configure do |c|
 end
 ```
 
+Your mailers then send through Cloudflare unchanged. Prefer ActionMailer's
+built-in `:smtp` delivery? Point it at Cloudflare with the settings helper:
+
 ```ruby
-# config/environments/production.rb
-config.action_mailer.delivery_method = :cloudflare
+config.action_mailer.delivery_method = :smtp
+config.action_mailer.smtp_settings   = Cloudflare::EmailService.smtp_settings(
+  api_token: Rails.application.credentials.dig(:cloudflare, :api_token),
+)
 ```
 
-Your mailers then send through Cloudflare unchanged:
+### Inbound email (Action Mailbox)
+
+Receive mail too. Cloudflare delivers inbound mail to an app only through an
+[Email Worker](https://developers.cloudflare.com/email-routing/email-workers/),
+so first enable
+[Email Routing](https://developers.cloudflare.com/email-service/get-started/route-emails/)
+on your domain (it adds the MX/SPF/DKIM records). Then a Worker forwards each
+message to a `:cloudflare`
+[Action Mailbox](https://guides.rubyonrails.org/action_mailbox_basics.html)
+ingress that ships with the gem. Three steps:
+
+**1. Require the ingress** — opt-in, so it stays out of send-only apps:
 
 ```ruby
-class WelcomeMailer < ApplicationMailer
-  def welcome(user)
-    mail(from: "welcome@yourdomain.com", to: user.email, subject: "Welcome")
-  end
-end
+# config/initializers/cloudflare_email_service.rb
+require "cloudflare/email_service/action_mailbox"
 ```
 
-Prefer ActionMailer's built-in SMTP delivery instead? Point it at Cloudflare
-with the provided settings helper — no adapter required:
+**2. Select it** and set the shared signing secret — either
+`CLOUDFLARE_EMAIL_INGRESS_SECRET` or the `cloudflare.ingress_secret` credential:
 
 ```ruby
-config.action_mailer.delivery_method = :smtp
-config.action_mailer.smtp_settings   = Cloudflare::EmailService.smtp_settings(
-  api_token: Rails.application.credentials.dig(:cloudflare, :api_token),
-)
+# config/environments/production.rb
+config.action_mailbox.ingress = :cloudflare
 ```
 
-## Response
+The route `POST /rails/action_mailbox/cloudflare/inbound_emails` is registered
+for you, and every request is verified by an HMAC-SHA256 signature with replay
+protection.
+
+**3. Deploy an Email Worker** that signs and forwards each message, and bind it
+to an Email Routing rule (or catch-all). One ships with the gem — set your app
+URL and give it the same `CLOUDFLARE_EMAIL_INGRESS_SECRET`, then deploy:
 
-`send_email` returns a `Cloudflare::EmailService::Response`:
+- In this repo: [`templates/cloudflare_email_worker.js`](templates/cloudflare_email_worker.js)
+- From the installed gem: `Cloudflare::EmailService.worker_template_path`
 
-| Method                | Returns                                            |
-| --------------------- | -------------------------------------------------- |
-| `#success?`           | `true` when Cloudflare accepted the request        |
-| `#delivered`          | array of accepted recipient addresses              |
-| `#queued`             | array of queued recipient addresses                |
-| `#permanent_bounces`  | array of permanently bounced addresses             |
-| `#errors`             | array of Cloudflare error objects                  |
-| `#status`             | the HTTP status code                               |
-| `#body`               | the raw parsed JSON body                           |
+> [!NOTE]
+> The Worker sends `Content-Type: message/rfc822`; the ingress rejects anything
+> else with `415 Unsupported Media Type`.
+
+---
 
 ## Errors
 
-Non-2xx responses (and unsuccessful payloads) raise a typed error. All inherit
-from `Cloudflare::EmailService::Error`:
+Non-2xx responses (and unsuccessful payloads) raise a typed error — every one a
+subclass of `Cloudflare::EmailService::Error`:
 
-| Class                  | When                                          |
-| ---------------------- | --------------------------------------------- |
-| `ConfigurationError`   | missing `account_id` / `api_token`            |
-| `ValidationError`      | the message is missing required fields        |
-| `AuthenticationError`  | HTTP 401 / 403                                |
-| `RequestError`         | HTTP 400 / 422 and other 4xx                  |
-| `RateLimitError`       | HTTP 429                                      |
-| `ServerError`          | HTTP 5xx                                      |
-| `NetworkError`         | connection failures and timeouts              |
+| Class                 | When                                       |
+| --------------------- | ------------------------------------------ |
+| `ConfigurationError`  | missing `account_id` / `api_token`         |
+| `ValidationError`     | the message is missing required fields     |
+| `AuthenticationError` | HTTP 401 / 403                             |
+| `RequestError`        | HTTP 400 / 422 and other 4xx               |
+| `RateLimitError`      | HTTP 429                                    |
+| `ServerError`         | HTTP 5xx                                    |
+| `NetworkError`        | connection, timeout, and TLS failures      |
 
-API errors carry extra context:
+API errors also carry `#status` and `#errors` for context.
 
-```ruby
-begin
-  Cloudflare::EmailService.send_email(...)
-rescue Cloudflare::EmailService::APIError => e
-  e.status   # => 403
-  e.errors   # => [{ "code" => 10000, "message" => "Authentication error" }]
-  e.message  # => "[10000] Authentication error"
-end
-```
+---
 
 ## Development
 
 ```sh
-bundle install
 bundle exec rake test     # run the Minitest suite
 bundle exec rubocop       # lint
 ```
 
+---
+
 ## License
 
 Released under the [MIT License](LICENSE.txt).

data/lib/cloudflare/email_service/action_mailbox.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "cloudflare/email_service"
+require "cloudflare/email_service/inbound"
+
+# Opt-in Action Mailbox ingress: forwards inbound mail from a Cloudflare Email
+# Worker into Action Mailbox. Not loaded by the core gem — require it explicitly
+# and select it with `config.action_mailbox.ingress = :cloudflare`. The route is
+# registered automatically. See the README for setup and the Worker snippet.
+if defined?(ActionMailbox)
+  module ActionMailbox
+    module Ingresses
+      module Cloudflare
+        # Receives the raw RFC822 message a Cloudflare Email Worker forwards and
+        # hands it to Action Mailbox for routing. The Worker signs each request
+        # (HMAC-SHA256 over "<timestamp>.<body>"); we verify the signature and
+        # reject stale timestamps before accepting the message.
+        class InboundEmailsController < ActionMailbox::BaseController
+          before_action :verify_signature, :require_valid_rfc822_message
+
+          def create
+            if raw_body.empty?
+              head :unprocessable_entity
+            else
+              ActionMailbox::InboundEmail.create_and_extract_message_id!(raw_body)
+              head :no_content
+            end
+          end
+
+          private
+
+          def verify_signature
+            case ::Cloudflare::EmailService::Inbound.verify(
+              secret: signing_secret,
+              timestamp: request.headers["X-CF-Email-Timestamp"],
+              signature: request.headers["X-CF-Email-Signature"],
+              body: raw_body,
+            )
+            when :ok then nil
+            when :stale then head :request_timeout
+            else head :unauthorized
+            end
+          end
+
+          def require_valid_rfc822_message
+            return if request.media_type == "message/rfc822"
+
+            head :unsupported_media_type
+          end
+
+          # Read once, as binary, so the bytes match exactly what the Worker
+          # signed and what Action Mailbox stores.
+          def raw_body
+            @raw_body ||= begin
+              request.body.rewind if request.body.respond_to?(:rewind)
+              request.body.read.to_s.b
+            end
+          end
+
+          # Shared HMAC secret, from the environment or Rails credentials.
+          def signing_secret
+            ENV["CLOUDFLARE_EMAIL_INGRESS_SECRET"] ||
+              ::Rails.application.credentials.dig(:cloudflare, :ingress_secret).to_s
+          end
+        end
+      end
+    end
+  end
+
+  # Register the route so it works like the built-in ingresses. Guarded for
+  # non-Rails requires; add the route by hand if your boot order skips this.
+  if defined?(Rails) && Rails.respond_to?(:application) && Rails.application
+    Rails.application.routes.append do
+      post "/rails/action_mailbox/cloudflare/inbound_emails" =>
+             "action_mailbox/ingresses/cloudflare/inbound_emails#create",
+           as: :rails_cloudflare_inbound_emails
+    end
+  end
+end

data/lib/cloudflare/email_service/client.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "net/http"
+require "openssl"
 require "json"
 require "uri"
 
@@ -32,8 +33,8 @@ module Cloudflare
       # Builds and sends a message. Accepts the same keyword arguments as
       # {Message#initialize}.
       # @return [Response]
-      def send_email(**kwargs)
-        deliver(Message.new(**kwargs))
+      def send_email(**)
+        deliver(Message.new(**))
       end
 
       # Sends a pre-built {Message}.
@@ -58,7 +59,8 @@ module Cloudflare
 
         handle(http(uri).request(request))
       rescue Timeout::Error, Errno::ECONNREFUSED, Errno::ECONNRESET,
-             Errno::EHOSTUNREACH, Errno::ETIMEDOUT, SocketError, IOError => e
+             Errno::EHOSTUNREACH, Errno::ETIMEDOUT, SocketError, IOError,
+             OpenSSL::SSL::SSLError => e
         raise NetworkError, "request failed: #{e.class}: #{e.message}"
       end
 

data/lib/cloudflare/email_service/inbound.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module Cloudflare
+  module EmailService
+    # Verifies the HMAC-SHA256 signature a Cloudflare Email Worker attaches to a
+    # forwarded inbound message. The Worker signs `"<timestamp>.<raw body>"` with
+    # a shared secret and sends the timestamp and hex digest as headers; this
+    # recomputes the digest, compares it in constant time, and rejects stale
+    # timestamps to block replays.
+    #
+    # Pure and Rails-free (stdlib OpenSSL only) so it can be unit-tested on its
+    # own; the Action Mailbox ingress is a thin wrapper around {.verify}.
+    module Inbound
+      module_function
+
+      # Reject timestamps more than this many seconds from now (either side).
+      REPLAY_WINDOW = 300
+
+      # @return [Symbol] :ok, :stale (timestamp outside the window), or
+      #   :bad_signature (missing/empty input or digest mismatch).
+      def verify(secret:, timestamp:, signature:, body:, now: Time.now.to_i)
+        return :bad_signature if [secret, timestamp, signature, body].any? { |v| v.to_s.empty? }
+        return :stale if (now - timestamp.to_i).abs > REPLAY_WINDOW
+
+        # Build the signed payload in binary: raw RFC822 bodies carry bytes > 127
+        # (8bit transfer encoding, binary attachments), which would raise
+        # Encoding::CompatibilityError if interpolated into a UTF-8 string.
+        signed = "#{timestamp}.".b + body.to_s.b
+        expected = OpenSSL::HMAC.hexdigest("SHA256", secret.to_s, signed)
+        secure_compare(expected, signature.to_s) ? :ok : :bad_signature
+      end
+
+      # Constant-time string comparison. Bails early on a length mismatch, which
+      # the digest's fixed width makes safe to leak.
+      def secure_compare(expected, actual)
+        return false unless expected.bytesize == actual.bytesize
+
+        OpenSSL.fixed_length_secure_compare(expected, actual)
+      end
+    end
+  end
+end

data/lib/cloudflare/email_service/rails.rb

@@ -4,22 +4,21 @@ require "cloudflare/email_service"
 
 module Cloudflare
   module EmailService
-    # Opt-in Rails / ActionMailer integration.
+    # Rails / ActionMailer integration. Registers a `:cloudflare` delivery
+    # method backed by the configured transport.
     #
-    # This file is NOT loaded by the core gem — require it explicitly (e.g. from
-    # an initializer) to register a `:cloudflare` ActionMailer delivery method
-    # backed by the configured transport:
+    # Inside a Rails app this loads automatically via {Railtie} — just set the
+    # delivery method and credentials; no require needed:
     #
-    #   # config/initializers/cloudflare_email_service.rb
-    #   require "cloudflare/email_service/rails"
+    #   # config/environments/production.rb
+    #   config.action_mailer.delivery_method = :cloudflare
     #
+    #   # credentials come from ENV (CLOUDFLARE_ACCOUNT_ID / CLOUDFLARE_API_TOKEN)
+    #   # or an initializer:
     #   Cloudflare::EmailService.configure do |c|
     #     c.account_id = Rails.application.credentials.dig(:cloudflare, :account_id)
     #     c.api_token  = Rails.application.credentials.dig(:cloudflare, :api_token)
     #   end
-    #
-    #   # config/environments/production.rb
-    #   config.action_mailer.delivery_method = :cloudflare
     module Rails
       # Converts an ActionMailer-built Mail::Message into the keyword arguments
       # accepted by {Message#initialize}.
@@ -124,13 +123,16 @@ module Cloudflare
 end
 
 # Register the delivery method when ActionMailer is present. Guarded so this
-# file is safe to require in a non-Rails process.
-if defined?(ActiveSupport)
-  ActiveSupport.on_load(:action_mailer) do
-    add_delivery_method :cloudflare, Cloudflare::EmailService::Rails::DeliveryMethod
-  end
-elsif defined?(ActionMailer::Base)
+# file is safe to require in a non-Rails process. ActionMailer::Base is checked
+# first so that when the Railtie requires this inside an `on_load(:action_mailer)`
+# hook (mailer already loaded), registration happens immediately rather than
+# scheduling a second, nested hook that may not run.
+if defined?(ActionMailer::Base)
   ActionMailer::Base.add_delivery_method(
     :cloudflare, Cloudflare::EmailService::Rails::DeliveryMethod
   )
+elsif defined?(ActiveSupport)
+  ActiveSupport.on_load(:action_mailer) do
+    add_delivery_method :cloudflare, Cloudflare::EmailService::Rails::DeliveryMethod
+  end
 end

data/lib/cloudflare/email_service/railtie.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "rails/railtie"
+
+module Cloudflare
+  module EmailService
+    # Registers the `:cloudflare` ActionMailer delivery method automatically
+    # inside a Rails app, so adding the gem is enough — no explicit require.
+    #
+    # Loaded only when Rails is present (see cloudflare/email_service.rb), so the
+    # core gem stays Rails-free. Registration is inert until a host opts in with
+    # `config.action_mailer.delivery_method = :cloudflare`.
+    class Railtie < ::Rails::Railtie
+      initializer "cloudflare_email_service.action_mailer",
+                  before: "action_mailer.set_configs" do
+        ActiveSupport.on_load(:action_mailer) do
+          require "cloudflare/email_service/rails"
+        end
+      end
+    end
+  end
+end

data/lib/cloudflare/email_service/smtp_client.rb

@@ -36,8 +36,8 @@ module Cloudflare
       # Builds and sends a message. Accepts the same keyword arguments as
       # {Message#initialize}.
       # @return [Response]
-      def send_email(**kwargs)
-        deliver(Message.new(**kwargs))
+      def send_email(**)
+        deliver(Message.new(**))
       end
 
       # Sends a pre-built {Message} over SMTP.
@@ -54,7 +54,8 @@ module Cloudflare
         # Every other SMTP protocol error (busy, syntax, fatal, unknown, ...).
         raise ServerError, e.message
       rescue Timeout::Error, Errno::ECONNREFUSED, Errno::ECONNRESET,
-             Errno::EHOSTUNREACH, Errno::ETIMEDOUT, SocketError, IOError => e
+             Errno::EHOSTUNREACH, Errno::ETIMEDOUT, SocketError, IOError,
+             OpenSSL::SSL::SSLError => e
         raise NetworkError, "SMTP delivery failed: #{e.class}: #{e.message}"
       end
 
@@ -148,6 +149,7 @@ module Cloudflare
       def load_dependencies!
         require "mail"
         require "net/smtp"
+        require "openssl"
       rescue LoadError => e
         raise ConfigurationError,
               "the SMTP transport needs the `mail` gem — add `gem \"mail\"` " \

data/lib/cloudflare/email_service/version.rb

@@ -2,6 +2,6 @@
 
 module Cloudflare
   module EmailService
-    VERSION = "0.0.1"
+    VERSION = "0.1.0"
   end
 end

data/lib/cloudflare/email_service.rb

@@ -51,8 +51,16 @@ module Cloudflare
       # Convenience: build a {Client} from the global config and send.
       # Accepts the same keyword arguments as {Message#initialize}.
       # @return [Response]
-      def send_email(**kwargs)
-        client.send_email(**kwargs)
+      def send_email(**)
+        client.send_email(**)
+      end
+
+      # Absolute path to the shipped Cloudflare Email Worker template that signs
+      # and forwards inbound mail to the Action Mailbox ingress. Set your app URL
+      # and secret in it, then deploy it.
+      # @return [String]
+      def worker_template_path
+        File.expand_path("../../templates/cloudflare_email_worker.js", __dir__)
       end
 
       # Cloudflare SMTP submission settings, in the shape both {SMTPClient} and
@@ -77,3 +85,7 @@ module Cloudflare
     end
   end
 end
+
+# Auto-wire the ActionMailer delivery method when running inside Rails. Guarded
+# so the core gem stays Rails-free everywhere else.
+require_relative "email_service/railtie" if defined?(Rails::Railtie)

data/templates/cloudflare_email_worker.js

@@ -0,0 +1,41 @@
+// Cloudflare Email Worker for cloudflare-email_service inbound (Action Mailbox).
+//
+// Forwards each received message to your Rails app's :cloudflare ingress, signed
+// with HMAC-SHA256 over "<timestamp>.<body>" so the ingress can verify it and
+// reject replays.
+//
+// Setup:
+//   1. Replace the URL below with your app's host.
+//   2. Set CLOUDFLARE_EMAIL_INGRESS_SECRET as a Worker secret, matching the
+//      app's CLOUDFLARE_EMAIL_INGRESS_SECRET (or cloudflare.ingress_secret).
+//   3. Bind the Worker to your Email Routing rule and deploy (e.g. wrangler).
+
+export default {
+  async email(message, env) {
+    // arrayBuffer (not text) preserves the raw bytes of non-UTF-8 messages.
+    const raw = new Uint8Array(await new Response(message.raw).arrayBuffer());
+    const ts = Math.floor(Date.now() / 1000).toString();
+
+    const key = await crypto.subtle.importKey(
+      "raw", new TextEncoder().encode(env.CLOUDFLARE_EMAIL_INGRESS_SECRET),
+      { name: "HMAC", hash: "SHA-256" }, false, ["sign"],
+    );
+    const signed = new Uint8Array([...new TextEncoder().encode(ts + "."), ...raw]);
+    const digest = await crypto.subtle.sign("HMAC", key, signed);
+    const sig = [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, "0")).join("");
+
+    const response = await fetch("https://your-app.example.com/rails/action_mailbox/cloudflare/inbound_emails", {
+      method: "POST",
+      headers: {
+        "Content-Type": "message/rfc822",
+        "X-CF-Email-Timestamp": ts,
+        "X-CF-Email-Signature": sig,
+      },
+      body: raw,
+    });
+
+    // Reject on failure so Cloudflare bounces the message rather than silently
+    // accepting (and dropping) it.
+    if (!response.ok) message.setReject(`ingress error ${response.status}`);
+  },
+};

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cloudflare-email_service
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Elvinas Predkelis
@@ -9,6 +9,34 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionmailbox
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+- !ruby/object:Gem::Dependency
+  name: actionmailer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: mail
   requirement: !ruby/object:Gem::Requirement
@@ -37,6 +65,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -79,11 +121,11 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-description: A small Ruby client for sending transactional email via the Cloudflare
-  Email Service. The REST transport is dependency-free; the optional SMTP transport
-  uses the `mail` gem only when selected.
+description: A small Ruby client for the Cloudflare Email Service with zero runtime
+  dependencies and optional Rails integration (ActionMailer delivery and Action Mailbox
+  inbound).
 email:
-- elvinas@trip1.com
+- elvinas@primevise.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -92,14 +134,18 @@ files:
 - LICENSE.txt
 - README.md
 - lib/cloudflare/email_service.rb
+- lib/cloudflare/email_service/action_mailbox.rb
 - lib/cloudflare/email_service/client.rb
 - lib/cloudflare/email_service/configuration.rb
 - lib/cloudflare/email_service/errors.rb
+- lib/cloudflare/email_service/inbound.rb
 - lib/cloudflare/email_service/message.rb
 - lib/cloudflare/email_service/rails.rb
+- lib/cloudflare/email_service/railtie.rb
 - lib/cloudflare/email_service/response.rb
 - lib/cloudflare/email_service/smtp_client.rb
 - lib/cloudflare/email_service/version.rb
+- templates/cloudflare_email_worker.js
 homepage: https://github.com/elvinaspredkelis/cloudflare-email_service
 licenses:
 - MIT
@@ -114,14 +160,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.1'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.9
 specification_version: 4
-summary: Send email through the Cloudflare Email Service (REST or SMTP).
+summary: Send and receive email through the Cloudflare Email Service.
 test_files: []