dns: add ReturnOK check for sender domain reachability

Verify that the From and Return-Path domains can actually receive replies and bounces, mirroring Fastmail's authentication_milter ReturnOK handler. Each domain is checked for MX records, falling back to A/AAAA (implicit MX) and then to the organizational domain, yielding a pass/warn/fail status. Adds return_ok to DNSResults, a 10-point DNS sub-score penalty per domain that is wholly unreachable, and a new "Return Address Reachability" card.
2026-06-06 14:02:06 +09:00 · 2026-06-06 14:02:06 +09:00 · a65b8084ee
commit a65b8084ee
parent e168446b44
6 changed files with 451 additions and 2 deletions
--- a/api/schemas.yaml
+++ b/api/schemas.yaml
@ -829,12 +829,49 @@ components:
        helo_ptr_match:
          type: boolean
          description: Whether the announced HELO hostname matches one of the sender's PTR records (case-insensitive)
+        return_ok:
+          $ref: '#/components/schemas/ReturnOK'
        errors:
          type: array
          items:
            type: string
          description: DNS lookup errors

+    ReturnOK:
+      type: object
+      description: Whether the sender domains can receive replies and bounces (MX, with A/AAAA fallback)
+      properties:
+        from:
+          $ref: '#/components/schemas/ReturnOKDomain'
+        return_path:
+          $ref: '#/components/schemas/ReturnOKDomain'
+
+    ReturnOKDomain:
+      type: object
+      required:
+        - domain
+        - status
+      properties:
+        domain:
+          type: string
+          description: Domain that was evaluated
+          example: "example.com"
+        status:
+          type: string
+          enum: [pass, warn, fail]
+          x-go-type: string
+          description: pass = MX present, warn = only A/AAAA records (implicit MX), fail = no records
+        has_mx:
+          type: boolean
+          description: Whether the domain has at least one MX record
+        has_address:
+          type: boolean
+          description: Whether the domain has an A or AAAA record (implicit MX fallback)
+        org_domain:
+          type: string
+          description: Organizational domain used as fallback when the domain itself had no records
+          example: "example.com"
+
    MXRecord:
      type: object
      required: