dns: add ReturnOK check for sender domain reachability

Verify that the From and Return-Path domains can actually receive replies and bounces, mirroring Fastmail's authentication_milter ReturnOK handler. Each domain is checked for MX records, falling back to A/AAAA (implicit MX) and then to the organizational domain, yielding a pass/warn/fail status. Adds return_ok to DNSResults, a 10-point DNS sub-score penalty per domain that is wholly unreachable, and a new "Return Address Reachability" card.
2026-06-06 14:02:06 +09:00 · 2026-06-06 14:02:06 +09:00 · a65b8084ee
commit a65b8084ee
parent e168446b44
6 changed files with 451 additions and 2 deletions
--- a/web/src/lib/components/DnsRecordsCard.svelte
+++ b/web/src/lib/components/DnsRecordsCard.svelte
@ -10,6 +10,7 @@
    import MxRecordsDisplay from "./MxRecordsDisplay.svelte";
    import PtrForwardRecordsDisplay from "./PtrForwardRecordsDisplay.svelte";
    import PtrRecordsDisplay from "./PtrRecordsDisplay.svelte";
+    import ReturnOkDisplay from "./ReturnOkDisplay.svelte";
    import SpfRecordsDisplay from "./SpfRecordsDisplay.svelte";

    interface Props {
@ -100,6 +101,9 @@
                    heloPtrMatch={dnsResults.helo_ptr_match}
                />

+                <!-- Return Address Reachability (ReturnOK) -->
+                <ReturnOkDisplay returnOk={dnsResults.return_ok} />
+
                <hr class="my-4" />

                <!-- Return-Path Domain Section -->
@ -150,8 +154,7 @@
                    </h4>
                    {#if dnsResults.rp_domain && dnsResults.rp_domain !== dnsResults.from_domain}
                        <span class="badge bg-danger ms-2">
-                            <i class="bi bi-exclamation-triangle-fill"></i> Differs from Return-Path
-                            domain
+                            <i class="bi bi-exclamation-triangle-fill"></i> Differs from Return-Path domain
                        </span>
                    {/if}
                </div>