From 61b59f4084e7e90bd437e81f9c7cd68b95f1523c Mon Sep 17 00:00:00 2001
From: Sean Rankine <sean.rankine@me.com>
Date: Tue, 21 Apr 2026 16:23:00 +0100
Subject: [PATCH] Require TLS for sending form submission via SES

This means that all form submission sent by email will require the to use TLS to send the email from SES to the recipent mailbox. This prevent the connection to be downgraded and the submission to sent over plaintext.
---
 infra/modules/ses/main.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/infra/modules/ses/main.tf b/infra/modules/ses/main.tf
index 28d48c148..14b2b04f5 100644
--- a/infra/modules/ses/main.tf
+++ b/infra/modules/ses/main.tf
@@ -55,6 +55,10 @@ resource "aws_sesv2_configuration_set" "form_submissions" {
     reputation_metrics_enabled = true
   }
 
+  delivery_options {
+    tls_policy = "REQUIRE"
+  }
+
   suppression_options {
     suppressed_reasons = [] # We don't want to use the suppression list for form submission emails
   }