#!/usr/bin/env bash
# Amazon SES prerequisites for BIMI (domain identity, Easy DKIM, custom MAIL FROM).
# Requires AWS CLI v2. Does NOT publish Route 53 records automatically — print tokens for review.
#
# Usage:
#   REGION=us-east-1 DOMAIN=example.com MAILFROM=mail.example.com ./ses-bimi-setup.sh
set -euo pipefail

REGION="${REGION:-us-east-1}"
DOMAIN="${DOMAIN:?Set DOMAIN=example.com}"
MAILFROM="${MAILFROM:-mail.${DOMAIN}}"

echo "Region=$REGION Domain=$DOMAIN MailFrom=$MAILFROM"

echo "== Create / ensure domain identity =="
aws sesv2 create-email-identity \
  --region "$REGION" \
  --email-identity "$DOMAIN" \
  2>/dev/null || echo "(identity may already exist)"

echo "== Enable Easy DKIM (RSA 2048) =="
aws sesv2 put-email-identity-dkim-attributes \
  --region "$REGION" \
  --email-identity "$DOMAIN" \
  --signing-enabled

echo "== DKIM tokens (publish as CNAMEs) =="
aws sesv2 get-email-identity \
  --region "$REGION" \
  --email-identity "$DOMAIN" \
  --query 'DkimAttributes.Tokens' \
  --output table

echo "== Configure custom MAIL FROM =="
aws sesv2 put-email-identity-mail-from-attributes \
  --region "$REGION" \
  --email-identity "$DOMAIN" \
  --mail-from-domain "$MAILFROM" \
  --behavior-on-mx-failure USE_DEFAULT_VALUE

echo "== MAIL FROM status =="
aws sesv2 get-email-identity \
  --region "$REGION" \
  --email-identity "$DOMAIN" \
  --query 'MailFromAttributes' \
  --output table

cat <<EOF

Next (manual DNS — see dns-record-examples.md):
  1. Publish Easy DKIM CNAMEs from the tokens above
  2. Publish SPF TXT + MX for $MAILFROM
  3. Publish DMARC at enforcement (p=quarantine|reject; pct=100)
  4. Host SVG (+ optional PEM) over HTTPS
  5. Publish default._bimi.$DOMAIN TXT

Validate:
  aws sesv2 get-email-identity --region $REGION --email-identity $DOMAIN
EOF
