refactor(auth): make MX signup validation opt-in (SIGNUP_MX_VALIDATION_ENABLED)

Aligns with the sibling feature SIGNUP_EMAIL_VALIDATION_ENABLED (disposable
blocking via harmony), which is also opt-in. Default-off avoids adding a DNS
dependency to the signup path and prevents surprise signup blocking on
self-hosted deployments with non-standard mail setups (internal domains, or a
too-broad MX entry catching legit shared infra like Cloudflare Email Routing).
Enable on hosted/abuse-targeted deployments via SIGNUP_MX_VALIDATION_ENABLED;
the flag doubles as the kill switch, so the separate DISABLE_ flag is removed.

Author: waleedlatif1

apps/sim/lib/auth/auth.ts

@@ -78,6 +78,7 @@ import {
   isOrganizationsEnabled,
   isRegistrationDisabled,
   isSignupEmailValidationEnabled,
+  isSignupMxValidationEnabled,
 } from '@/lib/core/config/feature-flags'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { getBaseUrl, isLocalhostUrl, parseOriginList } from '@/lib/core/utils/urls'
@@ -844,7 +845,7 @@ export const auth = betterAuth({
         })
       }
 
-      if (ctx.path.startsWith('/sign-up/email') && ctx.body?.email) {
+      if (isSignupMxValidationEnabled && ctx.path.startsWith('/sign-up/email') && ctx.body?.email) {
         const mxCheck = await validateSignupEmailMx(ctx.body.email)
         if (!mxCheck.allowed) {
           throw new APIError('FORBIDDEN', {

apps/sim/lib/core/config/env.ts

@@ -27,8 +27,8 @@ export const env = createEnv({
     ALLOWED_LOGIN_EMAILS:                  z.string().optional(),                  // Comma-separated list of allowed email addresses for login
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
     BLOCKED_SIGNUP_DOMAINS:                z.string().optional(),                  // Comma-separated list of email domains blocked from signing up (e.g., "gmail.com,yahoo.com")
-    BLOCKED_EMAIL_MX_HOSTS:                z.string().optional(),                  // Comma-separated MX-host substrings blocked from signing up; matches the domain's resolved MX backend (e.g., "215.im,gravityengine.cc"). Catches throwaway domains that share a mail backend. Merged with built-in defaults.
-    DISABLE_SIGNUP_MX_VALIDATION:          z.boolean().optional(),                 // Kill switch to disable MX-based signup validation without a deploy
+    SIGNUP_MX_VALIDATION_ENABLED:          z.boolean().optional(),                 // Opt-in: validate the email's MX backend at signup (blocks no-MX domains and denylisted shared spam backends). Off by default; enable on hosted/abuse-targeted deployments.
+    BLOCKED_EMAIL_MX_HOSTS:                z.string().optional(),                  // Comma-separated MX-host substrings blocked from signing up; matches the domain's resolved MX backend (e.g., "215.im,gravityengine.cc"). Catches throwaway domains that share a mail backend. Merged with built-in defaults. Only used when SIGNUP_MX_VALIDATION_ENABLED is set.
     TRUSTED_ORIGINS:                       z.string().optional(),                  // Comma-separated additional origins to trust for auth (e.g., "https://app.example.com,https://www.example.com"). Merged into Better Auth trustedOrigins.
     TURNSTILE_SECRET_KEY:                  z.string().min(1).optional(),           // Cloudflare Turnstile secret key for captcha verification
     SIGNUP_EMAIL_VALIDATION_ENABLED:       z.boolean().optional(),                 // Enable disposable email blocking via better-auth-harmony (55K+ domains)

apps/sim/lib/core/config/feature-flags.ts

@@ -81,6 +81,13 @@ export const isEmailPasswordEnabled = !isFalsy(env.EMAIL_PASSWORD_SIGNUP_ENABLED
  */
 export const isSignupEmailValidationEnabled = isTruthy(env.SIGNUP_EMAIL_VALIDATION_ENABLED)
 
+/**
+ * Is MX-based signup validation enabled (blocks no-MX domains and denylisted shared spam
+ * mail backends). Opt-in to avoid adding a DNS dependency or blocking legitimate signups on
+ * self-hosted deployments with non-standard mail setups; enable on abuse-targeted deployments.
+ */
+export const isSignupMxValidationEnabled = isTruthy(env.SIGNUP_MX_VALIDATION_ENABLED)
+
 /**
  * Is Trigger.dev enabled for async job processing
  */

apps/sim/lib/messaging/email/validation.server.test.ts

@@ -7,7 +7,6 @@ const { mockResolveMx, envRef } = vi.hoisted(() => ({
   mockResolveMx: vi.fn(),
   envRef: {
     BLOCKED_EMAIL_MX_HOSTS: undefined as string | undefined,
-    DISABLE_SIGNUP_MX_VALIDATION: false,
   },
 }))
 
@@ -30,7 +29,6 @@ describe('validateSignupEmailMx', () => {
   beforeEach(() => {
     vi.clearAllMocks()
     envRef.BLOCKED_EMAIL_MX_HOSTS = undefined
-    envRef.DISABLE_SIGNUP_MX_VALIDATION = false
   })
 
   it('blocks the known shared spam backend 215.im', async () => {
@@ -83,14 +81,6 @@ describe('validateSignupEmailMx', () => {
     expect(result.reason).toBe('blocked_mx_backend')
   })
 
-  it('respects the DISABLE_SIGNUP_MX_VALIDATION kill switch', async () => {
-    envRef.DISABLE_SIGNUP_MX_VALIDATION = true
-    mockResolveMx.mockResolvedValue(mx('smtp.215.im'))
-    const result = await validateSignupEmailMx('simuser_abc@lyi25swr.cn')
-    expect(result.allowed).toBe(true)
-    expect(mockResolveMx).not.toHaveBeenCalled()
-  })
-
   it('allows when the email has no domain (defers to other validation)', async () => {
     const result = await validateSignupEmailMx('not-an-email')
     expect(result.allowed).toBe(true)

apps/sim/lib/messaging/email/validation.server.ts

@@ -41,11 +41,10 @@ export interface SignupEmailCheck {
  * users are never blocked by an infrastructure blip. Only a definitive
  * "domain has no MX" answer (`ENOTFOUND` / `ENODATA`) blocks.
  *
- * Server-only — imports `dns/promises`. Never import from client code.
+ * Server-only — imports `dns/promises`. Never import from client code. Gated by the caller
+ * behind `isSignupMxValidationEnabled`; this function performs the check unconditionally.
  */
 export async function validateSignupEmailMx(email: string): Promise<SignupEmailCheck> {
-  if (env.DISABLE_SIGNUP_MX_VALIDATION) return { allowed: true }
-
   const domain = email.split('@')[1]?.toLowerCase()
   if (!domain) return { allowed: true }