diff --git a/infrastructure/core/coredns-custom.yaml b/infrastructure/core/coredns-custom.yaml
index 8aeff14..6266a22 100644
--- a/infrastructure/core/coredns-custom.yaml
+++ b/infrastructure/core/coredns-custom.yaml
@@ -32,6 +32,9 @@ data:
 192.168.22.9 notes.bstein.dev
 192.168.22.9 office.bstein.dev
 192.168.22.9 pegasus.bstein.dev
+ 3.136.224.193 pm-bounces.bstein.dev
+ 3.150.68.49 pm-bounces.bstein.dev
+ 18.189.137.81 pm-bounces.bstein.dev
 192.168.22.9 registry.bstein.dev
 192.168.22.9 scm.bstein.dev
 192.168.22.9 secret.bstein.dev
diff --git a/infrastructure/core/kustomization.yaml b/infrastructure/core/kustomization.yaml
index 6286186..257e1f0 100644
--- a/infrastructure/core/kustomization.yaml
+++ b/infrastructure/core/kustomization.yaml
@@ -6,5 +6,6 @@ resources:
 - ../modules/profiles/atlas-ha
 - coredns-custom.yaml
 - coredns-deployment.yaml
+ - ntp-sync-daemonset.yaml
 - ../sources/cert-manager/letsencrypt.yaml
 - ../sources/cert-manager/letsencrypt-prod.yaml
diff --git a/infrastructure/core/ntp-sync-daemonset.yaml b/infrastructure/core/ntp-sync-daemonset.yaml
new file mode 100644
index 0000000..ba97294
--- /dev/null
+++ b/infrastructure/core/ntp-sync-daemonset.yaml
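Review bot: The three `pm-bounces.bstein.dev` entries added in coredns-custom.yaml pin public addresses for what looks like a third-party mail-provider endpoint, and nothing in the hunk records where they came from or when they were last checked. If the provider rotates those addresses, the cluster keeps resolving the name to whoever holds them next, unlike the neighbouring entries, which all point at the internal 192.168.22.9. I would add a comment line above them such as `# pm-bounces: provider-owned IPs, copied from <upstream record> on <date>; re-verify before relying on them`, or, if the surrounding config allows it, resolve the name through the upstream record instead of static entries. The enclosing `data:` block starts and ends outside the hunk, so whether a comment line is accepted at that position should be confirmed.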
@@ -0,0 +1,50 @@
+# infrastructure/core/ntp-sync-daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: ntp-sync
+ namespace: kube-system
+ labels:
+ app: ntp-sync
+spec:
+ selector:
+ matchLabels:
+ app: ntp-sync
+ template:
+ metadata:
+ labels:
+ app: ntp-sync
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ - key: node-role.kubernetes.io/master
+ operator: DoesNotExist
+ containers:
+ - name: ntp-sync
+ image: public.ecr.aws/docker/library/busybox:1.36.1
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -eu
+ while true; do
+ ntpd -q -p pool.ntp.org || true
+ sleep 300
+ done
+ securityContext:
+ capabilities:
+ add: ["SYS_TIME"]
+ runAsUser: 0
+ runAsGroup: 0
+ resources:
+ requests:
+ cpu: 10m
+ memory: 16Mi
+ limits:
+ cpu: 50m
+ memory: 64Mi
diff --git a/services/monitoring/postmark-exporter-deployment.yaml b/services/monitoring/postmark-exporter-deployment.yaml
index 6406224..98791d9 100644
--- a/services/monitoring/postmark-exporter-deployment.yaml
+++ b/services/monitoring/postmark-exporter-deployment.yaml
@@ -18,9 +18,9 @@ spec:
 prometheus.io/path: "/metrics"
 vault.hashicorp.com/agent-inject: "true"
 vault.hashicorp.com/role: "monitoring"
- vault.hashicorp.com/agent-inject-secret-postmark-env: "kv/data/atlas/monitoring/postmark-exporter"
+ vault.hashicorp.com/agent-inject-secret-postmark-env: "kv/data/atlas/shared/postmark-relay"
 vault.hashicorp.com/agent-inject-template-postmark-env: |
- {{- with secret "kv/data/atlas/monitoring/postmark-exporter" -}}
+ {{- with secret "kv/data/atlas/shared/postmark-relay" -}}
 export POSTMARK_SERVER_TOKEN="{{ index .Data.data "apikey" }}"
 export POSTMARK_SERVER_TOKEN_FALLBACK="{{ index .Data.data "apikey" }}"
 {{- if index .Data.data "sending-limit" }}
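Review bot: The `securityContext` of the `ntp-sync` container in ntp-sync-daemonset.yaml runs as root and adds `SYS_TIME` but never drops the runtime's default capability set, so the pod on every worker node holds more privilege than setting the clock needs. Under `capabilities:` add `drop: ["ALL"]` alongside the `add`, set `allowPrivilegeEscalation: false` next to `runAsUser`, and give the pod spec `automountServiceAccountToken: false`, since the script never talks to the API server. Separately, `ntpd -q -p pool.ntp.org || true` sets the node clock from an unauthenticated public source and discards every failure, which matters because certificate and token validity checks on the node follow that clock; a comment stating why the host's own time service is not used, and logging the failure instead of swallowing it, would help. The image is referenced by tag only; pinning it as `busybox:1.36.1@sha256:<digest>` would fix what actually runs in kube-system.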
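Review bot: The metrics exporter in postmark-exporter-deployment.yaml now shares the mail relay's secret at `kv/data/atlas/shared/postmark-relay` while still authenticating with the `monitoring` role, which widens the set of workloads that can read a credential that presumably can send mail. The Vault policy is not part of this diff; it should grant that role read on this one path only, and if the provider offers a token limited to reading statistics the exporter should use that instead of the shared `apikey` the template exports as `POSTMARK_SERVER_TOKEN`. A comment above the annotation, e.g. `# reads the relay's shared Postmark secret; monitoring role needs read on this path only`, would keep the coupling visible when the relay's key is rotated. The template block opened by `{{- with secret ... -}}` continues past the end of the hunk.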