Extract OpenAPI schemas to separate file and move models to internal/model package

Split api/openapi.yaml schemas into api/schemas.yaml so structs can be
generated independently from the API server code. Models now generate
into internal/model/ via oapi-codegen, with the server referencing them
through import-mapping. Moved PtrTo helper to internal/utils and removed
storage.ReportSummary in favor of model.TestSummary.

.gitignore

@@ -26,5 +26,5 @@ logs/
 *.sqlite3
 
 # OpenAPI generated files
-internal/api/models.gen.go
 internal/api/server.gen.go
+internal/model/types.gen.go

Dockerfile

@@ -121,6 +121,7 @@ RUN echo "@edge https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/ap
     perl-xml-libxml \
     postfix \
     postfix-pcre \
+    rspamd \
     spamassassin \
     spamassassin-client \
     supervisor \
@@ -143,8 +144,11 @@ RUN mkdir -p /etc/happydeliver \
     /var/lib/authentication_milter \
     /var/spool/postfix/authentication_milter \
     /var/spool/postfix/spamassassin \
+    /var/spool/postfix/rspamd \
     && chown -R happydeliver:happydeliver /var/lib/happydeliver /var/log/happydeliver \
-    && chown -R mail:mail /var/spool/postfix/authentication_milter /var/spool/postfix/spamassassin
+    && chown -R mail:mail /var/spool/postfix/authentication_milter /var/spool/postfix/spamassassin \
+    && chown rspamd:mail /var/spool/postfix/rspamd \
+    && chmod 750 /var/spool/postfix/rspamd
 
 # Copy the built application
 COPY --from=builder /build/happyDeliver /usr/local/bin/happyDeliver
@@ -154,6 +158,7 @@ RUN chmod +x /usr/local/bin/happyDeliver
 COPY docker/postfix/ /etc/postfix/
 COPY docker/authentication_milter/authentication_milter.json /etc/authentication_milter.json
 COPY docker/spamassassin/ /etc/mail/spamassassin/
+COPY docker/rspamd/local.d/ /etc/rspamd/local.d/
 COPY docker/supervisor/ /etc/supervisor/
 COPY docker/entrypoint.sh /entrypoint.sh
 
@@ -165,7 +170,13 @@ RUN chmod +x /entrypoint.sh
 EXPOSE 25 8080
 
 # Default configuration
-ENV HAPPYDELIVER_DATABASE_TYPE=sqlite HAPPYDELIVER_DATABASE_DSN=/var/lib/happydeliver/happydeliver.db HAPPYDELIVER_DOMAIN=happydeliver.local HAPPYDELIVER_ADDRESS_PREFIX=test- HAPPYDELIVER_DNS_TIMEOUT=5s HAPPYDELIVER_HTTP_TIMEOUT=10s HAPPYDELIVER_RBL=zen.spamhaus.org,bl.spamcop.net,b.barracudacentral.org,dnsbl.sorbs.net,dnsbl-1.uceprotect.net,bl.mailspike.net
+ENV HAPPYDELIVER_DATABASE_TYPE=sqlite \
+    HAPPYDELIVER_DATABASE_DSN=/var/lib/happydeliver/happydeliver.db \
+    HAPPYDELIVER_DOMAIN=happydeliver.local \
+    HAPPYDELIVER_ADDRESS_PREFIX=test- \
+    HAPPYDELIVER_DNS_TIMEOUT=5s \
+    HAPPYDELIVER_HTTP_TIMEOUT=10s \
+    HAPPYDELIVER_RSPAMD_API_URL=http://127.0.0.1:11334
 
 # Volume for persistent data
 VOLUME ["/var/lib/happydeliver", "/var/log/happydeliver"]

README.md

@@ -6,7 +6,7 @@ An open-source email deliverability testing platform that analyzes test emails a
 
 ## Features
 
-- **Complete Email Analysis**: Analyzes SPF, DKIM, DMARC, BIMI, ARC, SpamAssassin scores, DNS records, blacklist status, content quality, and more
+- **Complete Email Analysis**: Analyzes SPF, DKIM, DMARC, BIMI, ARC, SpamAssassin and rspamd scores, DNS records, blacklist status, content quality, and more
 - **REST API**: Full-featured API for creating tests and retrieving reports
 - **LMTP Server**: Built-in LMTP server for seamless MTA integration
 - **Scoring System**: Gives A to F grades and scoring with weighted factors across dns, authentication, spam, blacklists, content, and headers
@@ -26,6 +26,7 @@ The easiest way to run happyDeliver is using the all-in-one Docker container tha
 - **Postfix MTA**: Receives emails on port 25
 - **authentication_milter**: Entreprise grade email authentication
 - **SpamAssassin**: Spam scoring and analysis
+- **rspamd**: Second spam filter for cross-validated scoring
 - **happyDeliver API**: REST API server on port 8080
 - **SQLite Database**: Persistent storage for tests and reports
 
@@ -162,10 +163,27 @@ The server will start on `http://localhost:8080` by default.
 
 #### 3. Integrate with your existing e-mail setup
 
-It is expected your setup annotate the email with eg. opendkim, spamassassin, ...
+It is expected your setup annotate the email with eg. opendkim, spamassassin, rspamd, ...
 happyDeliver will not perform thoses checks, it relies instead on standard software to have real world annotations.
 
-Choose one of the following way to integrate happyDeliver in your existing setup:
+#### Receiver Hostname
+
+happyDeliver filters `Authentication-Results` headers by hostname to only trust headers added by your MTA (and not headers that may have been injected by the sender). By default, it uses the system hostname (`os.Hostname()`).
+
+If your MTA's `authserv-id` (the hostname at the beginning of `Authentication-Results` headers) differs from the machine running happyDeliver, you must set it explicitly:
+
+```bash
+./happyDeliver server -receiver-hostname mail.example.com
+```
+
+Or via environment variable:
+```bash
+HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com ./happyDeliver server
+```
+
+**How to find the correct value:** look at the `Authentication-Results` headers in a received email. They start with the authserv-id, e.g. `Authentication-Results: mail.example.com; spf=pass ...` — in this case, use `mail.example.com`.
+
+If the value is misconfigured, happyDeliver will log a warning when the last `Received` hop doesn't match the expected hostname.
 
 #### Postfix LMTP Transport
 
@@ -269,7 +287,7 @@ The deliverability score is calculated from A to F based on:
 - **Authentication**: IPRev, SPF, DKIM, DMARC, BIMI and ARC validation
 - **Blacklist**: RBL/DNSBL checks
 - **Headers**: Required headers, MIME structure, Domain alignment
-- **Spam**: SpamAssassin score
+- **Spam**: SpamAssassin and rspamd scores (combined 50/50)
 - **Content**: HTML quality, links, images, unsubscribe
 
 ## Funding

api/config-models.yaml

@@ -1,5 +1,9 @@
-package: api
+package: model
 generate:
   models: true
-  embedded-spec: false
+  embedded-spec: true
-output: internal/api/models.gen.go
+output: internal/model/types.gen.go
+output-options:
+  skip-prune: true
+import-mapping:
+  ./schemas.yaml: "-"

api/config-server.yaml

@@ -1,5 +1,8 @@
 package: api
 generate:
   gin-server: true
+  models: true
   embedded-spec: true
 output: internal/api/server.gen.go
+import-mapping:
+  ./schemas.yaml: git.happydns.org/happyDeliver/internal/model

docker/README.md

@@ -110,14 +110,38 @@ Default configuration for the Docker environment:
 The container accepts these environment variables:
 
 - `HAPPYDELIVER_DOMAIN`: Email domain for test addresses (default: happydeliver.local)
+- `HAPPYDELIVER_RECEIVER_HOSTNAME`: Hostname used to filter `Authentication-Results` headers (see below)
+- `POSTFIX_CERT_FILE` / `POSTFIX_KEY_FILE`: TLS certificate and key paths for Postfix SMTP
 
-Note that the hostname of the container is used to filter the authentication tests results.
+### Receiver Hostname
 
-Example:
+happyDeliver filters `Authentication-Results` headers by hostname to only trust results from the expected MTA. By default, it uses the system hostname (i.e., the container's `--hostname`).
+
+In the all-in-one Docker container, the container hostname is also used as the `authserv-id` in the embedded Postfix and authentication_milter, so everything matches automatically.
+
+**When bypassing the embedded Postfix** (e.g., routing emails from your own MTA via LMTP), your MTA's `authserv-id` will likely differ from the container hostname. In that case, set `HAPPYDELIVER_RECEIVER_HOSTNAME` to your MTA's hostname:
+
+```bash
+docker run -d \
+  -e HAPPYDELIVER_DOMAIN=example.com \
+  -e HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com \
+  ...
+```
+
+To find the correct value, look at the `Authentication-Results` headers in a received email — they start with the authserv-id, e.g. `Authentication-Results: mail.example.com; spf=pass ...`.
+
+If the value is misconfigured, happyDeliver will log a warning when the last `Received` hop doesn't match the expected hostname.
+
+Example (all-in-one, no override needed):
 ```bash
 docker run -e HAPPYDELIVER_DOMAIN=example.com --hostname mail.example.com ...
 ```
 
+Example (external MTA integration):
+```bash
+docker run -e HAPPYDELIVER_DOMAIN=example.com -e HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com ...
+```
+
 ## Volumes
 
 **Required volumes:**

docker/entrypoint.sh

@@ -15,6 +15,10 @@ mkdir -p /var/spool/postfix/authentication_milter
 chown mail:mail /var/spool/postfix/authentication_milter
 chmod 750 /var/spool/postfix/authentication_milter
 
+mkdir -p /var/spool/postfix/rspamd
+chown rspamd:mail /var/spool/postfix/rspamd
+chmod 750 /var/spool/postfix/rspamd
+
 # Create log directory
 mkdir -p /var/log/happydeliver /var/cache/authentication_milter /var/spool/authentication_milter /var/lib/authentication_milter /run/authentication_milter
 chown happydeliver:happydeliver /var/log/happydeliver

docker/postfix/main.cf

@@ -28,7 +28,7 @@ transport_maps = pcre:/etc/postfix/transport_maps
 # OpenDKIM for DKIM verification
 milter_default_action = accept
 milter_protocol = 6
-smtpd_milters = unix:/var/spool/postfix/authentication_milter/authentication_milter.sock unix:/var/spool/postfix/spamassassin/spamass-milter.sock
+smtpd_milters = unix:/var/spool/postfix/authentication_milter/authentication_milter.sock unix:/var/spool/postfix/spamassassin/spamass-milter.sock unix:/var/spool/postfix/rspamd/rspamd-milter.sock
 non_smtpd_milters = $smtpd_milters
 
 # SPF policy checking

docker/rspamd/local.d/actions.conf

@@ -0,0 +1,5 @@
+no_action = 0;
+reject = null;
+add_header = null;
+rewrite_subject = null;
+greylist = null;

docker/rspamd/local.d/milter_headers.conf

@@ -0,0 +1,5 @@
+# Add "extended Rspamd headers"
+extended_spam_headers = true;
+
+skip_local = false;
+skip_authenticated = false;

docker/rspamd/local.d/options.inc

@@ -0,0 +1,3 @@
+# rspamd options for happyDeliver
+# Disable Bayes learning to keep the setup stateless
+use_redis = false;

docker/rspamd/local.d/worker-proxy.inc

@@ -0,0 +1,6 @@
+# Enable rspamd milter proxy worker via Unix socket for Postfix integration
+bind_socket = "/var/spool/postfix/rspamd/rspamd-milter.sock mode=0660 owner=rspamd group=mail";
+upstream "local" {
+  default = yes;
+  self_scan = yes;
+}

docker/spamassassin/local.cf

@@ -48,3 +48,14 @@ rbl_timeout 5
 # Don't use user-specific rules
 user_scores_dsn_timeout 3
 user_scores_sql_override 0
+
+# Disable Validity network rules
+dns_query_restriction deny sa-trusted.bondedsender.org
+dns_query_restriction deny sa-accredit.habeas.com
+dns_query_restriction deny bl.score.senderscore.com
+score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0
+score RCVD_IN_VALIDITY_RPBL_BLOCKED 0
+score RCVD_IN_VALIDITY_SAFE_BLOCKED 0
+score RCVD_IN_VALIDITY_CERTIFIED 0
+score RCVD_IN_VALIDITY_RPBL 0
+score RCVD_IN_VALIDITY_SAFE 0

docker/supervisor/supervisord.conf

@@ -33,6 +33,16 @@ stderr_logfile=/var/log/happydeliver/authentication_milter.log
 user=mail
 group=mail
 
+# rspamd spam filter
+[program:rspamd]
+command=/usr/bin/rspamd -f -u rspamd -g mail
+autostart=true
+autorestart=true
+priority=11
+stdout_logfile=/var/log/happydeliver/rspamd.log
+stderr_logfile=/var/log/happydeliver/rspamd_error.log
+user=root
+
 # SpamAssassin daemon
 [program:spamd]
 command=/usr/sbin/spamd --max-children 5 --helper-home-dir /var/lib/spamassassin --syslog stderr --pidfile /var/run/spamd.pid

generate.go

@@ -21,5 +21,5 @@
 
 package main
 
-//go:generate go tool oapi-codegen -config api/config-models.yaml api/openapi.yaml
+//go:generate go tool oapi-codegen -config api/config-models.yaml api/schemas.yaml
 //go:generate go tool oapi-codegen -config api/config-server.yaml api/openapi.yaml

go.mod

@@ -1,15 +1,15 @@
 module git.happydns.org/happyDeliver
 
-go 1.24.6
+go 1.25.0
 
 require (
 	github.com/JGLTechnologies/gin-rate-limit v1.5.6
 	github.com/emersion/go-smtp v0.24.0
 	github.com/getkin/kin-openapi v0.133.0
-	github.com/gin-gonic/gin v1.11.0
+	github.com/gin-gonic/gin v1.12.0
 	github.com/google/uuid v1.6.0
-	github.com/oapi-codegen/runtime v1.1.2
+	github.com/oapi-codegen/runtime v1.3.0
-	golang.org/x/net v0.49.0
+	golang.org/x/net v0.52.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlite v1.6.0
 	gorm.io/gorm v1.31.1
@@ -64,14 +64,14 @@ require (
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/vmware-labs/yaml-jsonpath v0.3.2 // indirect
 	github.com/woodsbury/decimal128 v1.4.0 // indirect
-	go.uber.org/mock v0.6.0 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	golang.org/x/arch v0.23.0 // indirect
-	golang.org/x/crypto v0.47.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
-	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -10,12 +10,8 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
-github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
 github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
 github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
-github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
-github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
 github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -40,22 +36,16 @@ github.com/emersion/go-smtp v0.24.0/go.mod h1:ZtRRkbTyp2XTHCA+BmyTFTrj8xY4I+b4Mc
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/gabriel-vasile/mimetype v1.4.11 h1:AQvxbp830wPhHTqc1u7nzoLT+ZFxGY7emj5DR5DYFik=
-github.com/gabriel-vasile/mimetype v1.4.11/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
 github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/getkin/kin-openapi v0.133.0 h1:pJdmNohVIJ97r4AUFtEXRXwESr8b0bD721u/Tz6k8PQ=
 github.com/getkin/kin-openapi v0.133.0/go.mod h1:boAciF6cXk5FhPqe/NQeBTeenbjqU4LhWBf09ILVvWE=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
-github.com/go-openapi/jsonpointer v0.22.2 h1:JDQEe4B9j6K3tQ7HQQTZfjR59IURhjjLxet2FB4KHyg=
-github.com/go-openapi/jsonpointer v0.22.2/go.mod h1:0lBbqeRsQ5lIanv3LHZBrmRGHLHcQoOXQnf88fHlGWo=
 github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
 github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
-github.com/go-openapi/swag/jsonname v0.25.1 h1:Sgx+qbwa4ej6AomWC6pEfXrA6uP2RkaNjA9BR8a1RJU=
-github.com/go-openapi/swag/jsonname v0.25.1/go.mod h1:71Tekow6UOLBD3wS7XhdT98g5J5GR13NOTQ9/6Q11Zo=
 github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI=
 github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag=
 github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
@@ -66,8 +56,6 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
-github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
 github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
 github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
@@ -75,8 +63,6 @@ github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
 github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
-github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -104,8 +90,6 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
-github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
 github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
 github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
@@ -134,8 +118,6 @@ github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8
 github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
-github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mattn/go-sqlite3 v1.14.33 h1:A5blZ5ulQo2AtayQ9/limgHEkFreKj1Dv226a1K73s0=
 github.com/mattn/go-sqlite3 v1.14.33/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -150,8 +132,8 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/oapi-codegen/oapi-codegen/v2 v2.5.1 h1:5vHNY1uuPBRBWqB2Dp0G7YB03phxLQZupZTIZaeorjc=
 github.com/oapi-codegen/oapi-codegen/v2 v2.5.1/go.mod h1:ro0npU1BWkcGpCgGD9QwPp44l5OIZ94tB3eabnT7DjQ=
-github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
+github.com/oapi-codegen/runtime v1.3.0 h1:vyK1zc0gDWWXgk2xoQa4+X4RNNc5SL2RbTpJS/4vMYA=
-github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
+github.com/oapi-codegen/runtime v1.3.0/go.mod h1:kOdeacKy7t40Rclb1je37ZLFboFxh+YLy0zaPCMibPY=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
@@ -176,12 +158,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
-github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
-github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
 github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
-github.com/redis/go-redis/v9 v9.16.0 h1:OotgqgLSRCmzfqChbQyG1PHC3tLNR89DG4jdOERSEP4=
-github.com/redis/go-redis/v9 v9.16.0/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
 github.com/redis/go-redis/v9 v9.17.2 h1:P2EGsA4qVIM3Pp+aPocCJ7DguDHhqrXNhVcEp4ViluI=
 github.com/redis/go-redis/v9 v9.17.2/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
@@ -216,6 +194,8 @@ github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN
 github.com/woodsbury/decimal128 v1.4.0 h1:xJATj7lLu4f2oObouMt2tgGiElE5gO6mSWUjQsBgUlc=
 github.com/woodsbury/decimal128 v1.4.0/go.mod h1:BP46FUrVjVhdTbKT+XuQh2xfQaGki9LMIRJSFuh6THU=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
@@ -223,11 +203,11 @@ golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -235,13 +215,13 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -257,24 +237,21 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -287,8 +264,6 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/api/handlers.go

@@ -31,6 +31,7 @@ import (
 	openapi_types "github.com/oapi-codegen/runtime/types"
 
 	"git.happydns.org/happyDeliver/internal/config"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/storage"
 	"git.happydns.org/happyDeliver/internal/utils"
 	"git.happydns.org/happyDeliver/internal/version"
@@ -40,8 +41,8 @@ import (
 // This interface breaks the circular dependency with pkg/analyzer
 type EmailAnalyzer interface {
 	AnalyzeEmailBytes(rawEmail []byte, testID uuid.UUID) (reportJSON []byte, err error)
-	AnalyzeDomain(domain string) (dnsResults *DNSResults, score int, grade string)
+	AnalyzeDomain(domain string) (dnsResults *model.DNSResults, score int, grade string)
-	CheckBlacklistIP(ip string) (checks []BlacklistCheck, listedCount int, score int, grade string, err error)
+	CheckBlacklistIP(ip string) (checks []model.BlacklistCheck, whitelists []model.BlacklistCheck, listedCount int, score int, grade string, err error)
 }
 
 // APIHandler implements the ServerInterface for handling API requests
@@ -79,11 +80,11 @@ func (h *APIHandler) CreateTest(c *gin.Context) {
 	)
 
 	// Return response
-	c.JSON(http.StatusCreated, TestResponse{
+	c.JSON(http.StatusCreated, model.TestResponse{
 		Id:      base32ID,
 		Email:   openapi_types.Email(email),
-		Status:  TestResponseStatusPending,
+		Status:  model.TestResponseStatusPending,
-		Message: stringPtr("Send your test email to the given address"),
+		Message: utils.PtrTo("Send your test email to the given address"),
 	})
 }
 
@@ -93,10 +94,10 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -104,20 +105,20 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 	// Check if a report exists for this test ID
 	reportExists, err := h.storage.ReportExists(testUUID)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to check test status",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Determine status based on report existence
-	var apiStatus TestStatus
+	var apiStatus model.TestStatus
 	if reportExists {
-		apiStatus = TestStatusAnalyzed
+		apiStatus = model.TestStatusAnalyzed
 	} else {
-		apiStatus = TestStatusPending
+		apiStatus = model.TestStatusPending
 	}
 
 	// Generate test email address using Base32-encoded UUID
@@ -127,7 +128,7 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 		h.config.Email.Domain,
 	)
 
-	c.JSON(http.StatusOK, Test{
+	c.JSON(http.StatusOK, model.Test{
 		Id:     id,
 		Email:  openapi_types.Email(email),
 		Status: apiStatus,
@@ -140,10 +141,10 @@ func (h *APIHandler) GetReport(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -151,16 +152,16 @@ func (h *APIHandler) GetReport(c *gin.Context, id string) {
 	reportJSON, _, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Report not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve report",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -175,10 +176,10 @@ func (h *APIHandler) GetRawEmail(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -186,16 +187,16 @@ func (h *APIHandler) GetRawEmail(c *gin.Context, id string) {
 	_, rawEmail, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Email not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve raw email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -209,10 +210,10 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -221,16 +222,16 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	_, rawEmail, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Email not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -238,20 +239,20 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	// Re-analyze the email using the current analyzer
 	reportJSON, err := h.analyzer.AnalyzeEmailBytes(rawEmail, testUUID)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "analysis_error",
 			Message: "Failed to re-analyze email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Update the report in storage
 	if err := h.storage.UpdateReport(testUUID, reportJSON); err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to update report",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -267,24 +268,24 @@ func (h *APIHandler) GetStatus(c *gin.Context) {
 	uptime := int(time.Since(h.startTime).Seconds())
 
 	// Check database connectivity by trying to check if a report exists
-	dbStatus := StatusComponentsDatabaseUp
+	dbStatus := model.StatusComponentsDatabaseUp
 	if _, err := h.storage.ReportExists(uuid.New()); err != nil {
-		dbStatus = StatusComponentsDatabaseDown
+		dbStatus = model.StatusComponentsDatabaseDown
 	}
 
 	// Determine overall status
-	overallStatus := Healthy
+	overallStatus := model.Healthy
-	if dbStatus == StatusComponentsDatabaseDown {
+	if dbStatus == model.StatusComponentsDatabaseDown {
-		overallStatus = Unhealthy
+		overallStatus = model.Unhealthy
 	}
 
-	mtaStatus := StatusComponentsMtaUp
+	mtaStatus := model.StatusComponentsMtaUp
-	c.JSON(http.StatusOK, Status{
+	c.JSON(http.StatusOK, model.Status{
 		Status:  overallStatus,
 		Version: version.Version,
 		Components: &struct {
-			Database *StatusComponentsDatabase `json:"database,omitempty"`
+			Database *model.StatusComponentsDatabase `json:"database,omitempty"`
-			Mta      *StatusComponentsMta      `json:"mta,omitempty"`
+			Mta      *model.StatusComponentsMta      `json:"mta,omitempty"`
 		}{
 			Database: &dbStatus,
 			Mta:      &mtaStatus,
@@ -296,14 +297,14 @@ func (h *APIHandler) GetStatus(c *gin.Context) {
 // TestDomain performs synchronous domain analysis
 // (POST /domain)
 func (h *APIHandler) TestDomain(c *gin.Context) {
-	var request DomainTestRequest
+	var request model.DomainTestRequest
 
 	// Bind and validate request
 	if err := c.ShouldBindJSON(&request); err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_request",
 			Message: "Invalid request body",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -312,28 +313,28 @@ func (h *APIHandler) TestDomain(c *gin.Context) {
 	dnsResults, score, grade := h.analyzer.AnalyzeDomain(request.Domain)
 
 	// Convert grade string to DomainTestResponseGrade enum
-	var responseGrade DomainTestResponseGrade
+	var responseGrade model.DomainTestResponseGrade
 	switch grade {
 	case "A+":
-		responseGrade = DomainTestResponseGradeA
+		responseGrade = model.DomainTestResponseGradeA
 	case "A":
-		responseGrade = DomainTestResponseGradeA1
+		responseGrade = model.DomainTestResponseGradeA1
 	case "B":
-		responseGrade = DomainTestResponseGradeB
+		responseGrade = model.DomainTestResponseGradeB
 	case "C":
-		responseGrade = DomainTestResponseGradeC
+		responseGrade = model.DomainTestResponseGradeC
 	case "D":
-		responseGrade = DomainTestResponseGradeD
+		responseGrade = model.DomainTestResponseGradeD
 	case "E":
-		responseGrade = DomainTestResponseGradeE
+		responseGrade = model.DomainTestResponseGradeE
 	case "F":
-		responseGrade = DomainTestResponseGradeF
+		responseGrade = model.DomainTestResponseGradeF
 	default:
-		responseGrade = DomainTestResponseGradeF
+		responseGrade = model.DomainTestResponseGradeF
 	}
 
 	// Build response
-	response := DomainTestResponse{
+	response := model.DomainTestResponse{
 		Domain:     request.Domain,
 		Score:      score,
 		Grade:      responseGrade,
@@ -346,37 +347,79 @@ func (h *APIHandler) TestDomain(c *gin.Context) {
 // CheckBlacklist checks an IP address against DNS blacklists
 // (POST /blacklist)
 func (h *APIHandler) CheckBlacklist(c *gin.Context) {
-	var request BlacklistCheckRequest
+	var request model.BlacklistCheckRequest
 
 	// Bind and validate request
 	if err := c.ShouldBindJSON(&request); err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_request",
 			Message: "Invalid request body",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Perform blacklist check using analyzer
-	checks, listedCount, score, grade, err := h.analyzer.CheckBlacklistIP(request.Ip)
+	checks, whitelists, listedCount, score, grade, err := h.analyzer.CheckBlacklistIP(request.Ip)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_ip",
 			Message: "Invalid IP address",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Build response
-	response := BlacklistCheckResponse{
+	response := model.BlacklistCheckResponse{
 		Ip:          request.Ip,
-		Checks:      checks,
+		Blacklists:  checks,
+		Whitelists:  &whitelists,
 		ListedCount: listedCount,
 		Score:       score,
-		Grade:       BlacklistCheckResponseGrade(grade),
+		Grade:       model.BlacklistCheckResponseGrade(grade),
 	}
 
 	c.JSON(http.StatusOK, response)
 }
+
+// ListTests returns a paginated list of test summaries
+// (GET /tests)
+func (h *APIHandler) ListTests(c *gin.Context, params ListTestsParams) {
+	if h.config.DisableTestList {
+		c.JSON(http.StatusForbidden, model.Error{
+			Error:   "feature_disabled",
+			Message: "Test listing is disabled on this instance",
+		})
+		return
+	}
+
+	offset := 0
+	limit := 20
+	if params.Offset != nil {
+		offset = *params.Offset
+	}
+	if params.Limit != nil {
+		limit = *params.Limit
+		if limit > 100 {
+			limit = 100
+		}
+	}
+
+	tests, total, err := h.storage.ListReportSummaries(offset, limit)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.Error{
+			Error:   "internal_error",
+			Message: "Failed to list tests",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	c.JSON(http.StatusOK, model.TestListResponse{
+		Tests:  tests,
+		Total:  int(total),
+		Offset: offset,
+		Limit:  limit,
+	})
+}

internal/config/cli.go

@@ -34,14 +34,17 @@ func declareFlags(o *Config) {
 	flag.StringVar(&o.Email.Domain, "domain", o.Email.Domain, "Domain used to receive emails")
 	flag.StringVar(&o.Email.TestAddressPrefix, "address-prefix", o.Email.TestAddressPrefix, "Expected email adress prefix (deny address that doesn't start with this prefix)")
 	flag.StringVar(&o.Email.LMTPAddr, "lmtp-addr", o.Email.LMTPAddr, "LMTP server listen address")
+	flag.StringVar(&o.Email.ReceiverHostname, "receiver-hostname", o.Email.ReceiverHostname, "Hostname used to filter Authentication-Results headers (defaults to os.Hostname())")
 	flag.DurationVar(&o.Analysis.DNSTimeout, "dns-timeout", o.Analysis.DNSTimeout, "Timeout when performing DNS query")
 	flag.DurationVar(&o.Analysis.HTTPTimeout, "http-timeout", o.Analysis.HTTPTimeout, "Timeout when performing HTTP query")
 	flag.Var(&StringArray{&o.Analysis.RBLs}, "rbl", "Append a RBL (use this option multiple time to append multiple RBLs)")
 	flag.BoolVar(&o.Analysis.CheckAllIPs, "check-all-ips", o.Analysis.CheckAllIPs, "Check all IPs found in email headers against RBLs (not just the first one)")
+	flag.StringVar(&o.Analysis.RspamdAPIURL, "rspamd-api-url", o.Analysis.RspamdAPIURL, "rspamd API URL for symbol descriptions (default: use embedded list)")
 	flag.DurationVar(&o.ReportRetention, "report-retention", o.ReportRetention, "How long to keep reports (e.g., 720h, 30d). 0 = keep forever")
 	flag.UintVar(&o.RateLimit, "rate-limit", o.RateLimit, "API rate limit (requests per second per IP)")
 	flag.Var(&URL{&o.SurveyURL}, "survey-url", "URL for user feedback survey")
 	flag.StringVar(&o.CustomLogoURL, "custom-logo-url", o.CustomLogoURL, "URL for custom logo image in the web UI")
+	flag.BoolVar(&o.DisableTestList, "disable-test-list", o.DisableTestList, "Disable the public test listing endpoint")
 
 	// Others flags are declared in some other files likes sources, storages, ... when they need specials configurations
 }

internal/config/config.go

@@ -34,6 +34,11 @@ import (
 	openapi_types "github.com/oapi-codegen/runtime/types"
 )
 
+func getHostname() string {
+	h, _ := os.Hostname()
+	return h
+}
+
 // Config represents the application configuration
 type Config struct {
 	DevProxy        string
@@ -45,6 +50,7 @@ type Config struct {
 	RateLimit       uint          // API rate limit (requests per second per IP)
 	SurveyURL       url.URL       // URL for user feedback survey
 	CustomLogoURL   string        // URL for custom logo image in the web UI
+	DisableTestList bool          // Disable the public test listing endpoint
 }
 
 // DatabaseConfig contains database connection settings
@@ -58,6 +64,7 @@ type EmailConfig struct {
 	Domain            string
 	TestAddressPrefix string
 	LMTPAddr          string
+	ReceiverHostname  string
 }
 
 // AnalysisConfig contains timeout and behavior settings for email analysis
@@ -65,7 +72,9 @@ type AnalysisConfig struct {
 	DNSTimeout   time.Duration
 	HTTPTimeout  time.Duration
 	RBLs         []string
-	CheckAllIPs  bool // Check all IPs found in headers, not just the first one
+	DNSWLs       []string
+	CheckAllIPs  bool   // Check all IPs found in headers, not just the first one
+	RspamdAPIURL string // rspamd API URL for fetching symbol descriptions (empty = use embedded list)
 }
 
 // DefaultConfig returns a configuration with sensible defaults
@@ -83,11 +92,13 @@ func DefaultConfig() *Config {
 			Domain:            "happydeliver.local",
 			TestAddressPrefix: "test-",
 			LMTPAddr:          "127.0.0.1:2525",
+			ReceiverHostname:  getHostname(),
 		},
 		Analysis: AnalysisConfig{
 			DNSTimeout:  5 * time.Second,
 			HTTPTimeout: 10 * time.Second,
 			RBLs:        []string{},
+			DNSWLs:      []string{},
 			CheckAllIPs: false, // By default, only check the first IP
 		},
 	}

internal/receiver/receiver.go

@@ -98,6 +98,17 @@ func (r *EmailReceiver) ProcessEmailBytes(rawEmail []byte, recipientEmail string
 
 	log.Printf("Analysis complete. Grade: %s. Score: %d/100", result.Report.Grade, result.Report.Score)
 
+	// Warn if the last Received hop doesn't match the expected receiver hostname
+	if r.config.Email.ReceiverHostname != "" &&
+		result.Report.HeaderAnalysis != nil &&
+		result.Report.HeaderAnalysis.ReceivedChain != nil &&
+		len(*result.Report.HeaderAnalysis.ReceivedChain) > 0 {
+		lastHop := (*result.Report.HeaderAnalysis.ReceivedChain)[0]
+		if lastHop.By != nil && *lastHop.By != r.config.Email.ReceiverHostname {
+			log.Printf("WARNING: Last Received hop 'by' field (%s) does not match expected receiver hostname (%s): check your RECEIVER_HOSTNAME config as authentication results will be false", *lastHop.By, r.config.Email.ReceiverHostname)
+		}
+	}
+
 	// Marshal report to JSON
 	reportJSON, err := json.Marshal(result.Report)
 	if err != nil {

internal/storage/storage.go

@@ -30,6 +30,9 @@ import (
 	"gorm.io/driver/postgres"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
+
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 var (
@@ -45,6 +48,7 @@ type Storage interface {
 	ReportExists(testID uuid.UUID) (bool, error)
 	UpdateReport(testID uuid.UUID, reportJSON []byte) error
 	DeleteOldReports(olderThan time.Time) (int64, error)
+	ListReportSummaries(offset, limit int) ([]model.TestSummary, int64, error)
 
 	// Close closes the database connection
 	Close() error
@@ -139,6 +143,72 @@ func (s *DBStorage) DeleteOldReports(olderThan time.Time) (int64, error) {
 	return result.RowsAffected, nil
 }
 
+// reportSummaryRow is used internally to scan SQL results before converting to model.TestSummary
+type reportSummaryRow struct {
+	TestID     uuid.UUID
+	Score      int
+	Grade      string
+	FromDomain string
+	CreatedAt  time.Time
+}
+
+// ListReportSummaries returns a paginated list of lightweight report summaries
+func (s *DBStorage) ListReportSummaries(offset, limit int) ([]model.TestSummary, int64, error) {
+	var total int64
+	if err := s.db.Model(&Report{}).Count(&total).Error; err != nil {
+		return nil, 0, fmt.Errorf("failed to count reports: %w", err)
+	}
+
+	if total == 0 {
+		return []model.TestSummary{}, 0, nil
+	}
+
+	var selectExpr string
+	switch s.db.Dialector.Name() {
+	case "postgres":
+		selectExpr = `test_id, ` +
+			`(convert_from(report_json, 'UTF8')::jsonb->>'score')::int as score, ` +
+			`convert_from(report_json, 'UTF8')::jsonb->>'grade' as grade, ` +
+			`convert_from(report_json, 'UTF8')::jsonb->'dns_results'->>'from_domain' as from_domain, ` +
+			`created_at`
+	case "sqlite":
+		selectExpr = `test_id, ` +
+			`json_extract(report_json, '$.score') as score, ` +
+			`json_extract(report_json, '$.grade') as grade, ` +
+			`json_extract(report_json, '$.dns_results.from_domain') as from_domain, ` +
+			`created_at`
+	default:
+		return nil, 0, fmt.Errorf("history tests list not implemented in this database dialect")
+	}
+
+	var rows []reportSummaryRow
+	err := s.db.Model(&Report{}).
+		Select(selectExpr).
+		Order("created_at DESC").
+		Offset(offset).
+		Limit(limit).
+		Scan(&rows).Error
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list report summaries: %w", err)
+	}
+
+	summaries := make([]model.TestSummary, 0, len(rows))
+	for _, r := range rows {
+		s := model.TestSummary{
+			TestId:    utils.UUIDToBase32(r.TestID),
+			Score:     r.Score,
+			Grade:     model.TestSummaryGrade(r.Grade),
+			CreatedAt: r.CreatedAt,
+		}
+		if r.FromDomain != "" {
+			s.FromDomain = utils.PtrTo(r.FromDomain)
+		}
+		summaries = append(summaries, s)
+	}
+
+	return summaries, total, nil
+}
+
 // Close closes the database connection
 func (s *DBStorage) Close() error {
 	sqlDB, err := s.db.DB()

internal/utils/ptr.go

@@ -1,5 +1,5 @@
 // This file is part of the happyDeliver (R) project.
-// Copyright (c) 2025 happyDomain
+// Copyright (c) 2026 happyDomain
 // Authors: Pierre-Olivier Mercier, et al.
 //
 // This program is offered under a commercial and under the AGPL license.
@@ -19,11 +19,7 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-package api
+package utils
-
-func stringPtr(s string) *string {
-	return &s
-}
 
 // PtrTo returns a pointer to the provided value
 func PtrTo[T any](v T) *T {

pkg/analyzer/analyzer.go

@@ -28,7 +28,7 @@ import (
 
 	"github.com/google/uuid"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/config"
 )
 
@@ -41,10 +41,13 @@ type EmailAnalyzer struct {
 // NewEmailAnalyzer creates a new email analyzer with the given configuration
 func NewEmailAnalyzer(cfg *config.Config) *EmailAnalyzer {
 	generator := NewReportGenerator(
+		cfg.Email.ReceiverHostname,
 		cfg.Analysis.DNSTimeout,
 		cfg.Analysis.HTTPTimeout,
 		cfg.Analysis.RBLs,
+		cfg.Analysis.DNSWLs,
 		cfg.Analysis.CheckAllIPs,
+		cfg.Analysis.RspamdAPIURL,
 	)
 
 	return &EmailAnalyzer{
@@ -56,7 +59,7 @@ func NewEmailAnalyzer(cfg *config.Config) *EmailAnalyzer {
 type AnalysisResult struct {
 	Email   *EmailMessage
 	Results *AnalysisResults
-	Report  *api.Report
+	Report  *model.Report
 }
 
 // AnalyzeEmailBytes performs complete email analysis from raw bytes
@@ -110,7 +113,7 @@ func (a *APIAdapter) AnalyzeEmailBytes(rawEmail []byte, testID uuid.UUID) ([]byt
 }
 
 // AnalyzeDomain performs DNS analysis for a domain and returns the results
-func (a *APIAdapter) AnalyzeDomain(domain string) (*api.DNSResults, int, string) {
+func (a *APIAdapter) AnalyzeDomain(domain string) (*model.DNSResults, int, string) {
 	// Perform DNS analysis
 	dnsResults := a.analyzer.generator.dnsAnalyzer.AnalyzeDomainOnly(domain)
 
@@ -120,22 +123,28 @@ func (a *APIAdapter) AnalyzeDomain(domain string) (*api.DNSResults, int, string)
 	return dnsResults, score, grade
 }
 
-// CheckBlacklistIP checks a single IP address against DNS blacklists
+// CheckBlacklistIP checks a single IP address against DNS blacklists and whitelists
-func (a *APIAdapter) CheckBlacklistIP(ip string) ([]api.BlacklistCheck, int, int, string, error) {
+func (a *APIAdapter) CheckBlacklistIP(ip string) ([]model.BlacklistCheck, []model.BlacklistCheck, int, int, string, error) {
 	// Check the IP against all configured RBLs
 	checks, listedCount, err := a.analyzer.generator.rblChecker.CheckIP(ip)
 	if err != nil {
-		return nil, 0, 0, "", err
+		return nil, nil, 0, 0, "", err
 	}
 
 	// Calculate score using the existing function
 	// Create a minimal RBLResults structure for scoring
-	results := &RBLResults{
+	results := &DNSListResults{
-		Checks:      map[string][]api.BlacklistCheck{ip: checks},
+		Checks:      map[string][]model.BlacklistCheck{ip: checks},
 		IPsChecked:  []string{ip},
 		ListedCount: listedCount,
 	}
-	score, grade := a.analyzer.generator.rblChecker.CalculateRBLScore(results)
+	score, grade := a.analyzer.generator.rblChecker.CalculateScore(results, false)
 
-	return checks, listedCount, score, grade, nil
+	// Check the IP against all configured DNSWLs (informational only)
+	whitelists, _, err := a.analyzer.generator.dnswlChecker.CheckIP(ip)
+	if err != nil {
+		whitelists = nil
+	}
+
+	return checks, whitelists, listedCount, score, grade, nil
 }

pkg/analyzer/authentication.go

@@ -24,23 +24,25 @@ package analyzer
 import (
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // AuthenticationAnalyzer analyzes email authentication results
-type AuthenticationAnalyzer struct{}
+type AuthenticationAnalyzer struct {
+	receiverHostname string
+}
 
 // NewAuthenticationAnalyzer creates a new authentication analyzer
-func NewAuthenticationAnalyzer() *AuthenticationAnalyzer {
+func NewAuthenticationAnalyzer(receiverHostname string) *AuthenticationAnalyzer {
-	return &AuthenticationAnalyzer{}
+	return &AuthenticationAnalyzer{receiverHostname: receiverHostname}
 }
 
 // AnalyzeAuthentication extracts and analyzes authentication results from email headers
-func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api.AuthenticationResults {
+func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *model.AuthenticationResults {
-	results := &api.AuthenticationResults{}
+	results := &model.AuthenticationResults{}
 
 	// Parse Authentication-Results headers
-	authHeaders := email.GetAuthenticationResults()
+	authHeaders := email.GetAuthenticationResults(a.receiverHostname)
 	for _, header := range authHeaders {
 		a.parseAuthenticationResultsHeader(header, results)
 	}
@@ -63,7 +65,7 @@ func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api
 
 // parseAuthenticationResultsHeader parses an Authentication-Results header
 // Format: example.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com
-func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string, results *api.AuthenticationResults) {
+func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string, results *model.AuthenticationResults) {
 	// Split by semicolon to get individual results
 	parts := strings.Split(header, ";")
 	if len(parts) < 2 {
@@ -89,7 +91,7 @@ func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string,
 			dkimResult := a.parseDKIMResult(part)
 			if dkimResult != nil {
 				if results.Dkim == nil {
-					dkimList := []api.AuthResult{*dkimResult}
+					dkimList := []model.AuthResult{*dkimResult}
 					results.Dkim = &dkimList
 				} else {
 					*results.Dkim = append(*results.Dkim, *dkimResult)
@@ -143,34 +145,39 @@ func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string,
 
 // CalculateAuthenticationScore calculates the authentication score from auth results
 // Returns a score from 0-100 where higher is better
-func (a *AuthenticationAnalyzer) CalculateAuthenticationScore(results *api.AuthenticationResults) (int, string) {
+func (a *AuthenticationAnalyzer) CalculateAuthenticationScore(results *model.AuthenticationResults) (int, string) {
 	if results == nil {
 		return 0, ""
 	}
 
 	score := 0
 
-	// IPRev (15 points)
+	// Core authentication (90 points total)
-	score += 15 * a.calculateIPRevScore(results) / 100
+	// SPF (30 points)
+	score += 30 * a.calculateSPFScore(results) / 100
 
-	// SPF (25 points)
+	// DKIM (30 points)
-	score += 25 * a.calculateSPFScore(results) / 100
+	score += 30 * a.calculateDKIMScore(results) / 100
 
-	// DKIM (23 points)
+	// DMARC (30 points)
-	score += 23 * a.calculateDKIMScore(results) / 100
+	score += 30 * a.calculateDMARCScore(results) / 100
-
-	// X-Google-DKIM (optional) - penalty if failed
-	score += 12 * a.calculateXGoogleDKIMScore(results) / 100
-
-	// X-Aligned-From
-	score += 2 * a.calculateXAlignedFromScore(results) / 100
-
-	// DMARC (25 points)
-	score += 25 * a.calculateDMARCScore(results) / 100
 
 	// BIMI (10 points)
 	score += 10 * a.calculateBIMIScore(results) / 100
 
+	// Penalty-only: IPRev (up to -7 points on failure)
+	if iprevScore := a.calculateIPRevScore(results); iprevScore < 100 {
+		score += 7 * (iprevScore - 100) / 100
+	}
+
+	// Penalty-only: X-Google-DKIM (up to -12 points on failure)
+	score += 12 * a.calculateXGoogleDKIMScore(results) / 100
+
+	// Penalty-only: X-Aligned-From (up to -5 points on failure)
+	if xAlignedScore := a.calculateXAlignedFromScore(results); xAlignedScore < 100 {
+		score += 5 * (xAlignedScore - 100) / 100
+	}
+
 	// Ensure score doesn't exceed 100
 	if score > 100 {
 		score = 100

pkg/analyzer/authentication_arc.go

@@ -27,7 +27,8 @@ import (
 	"slices"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // textprotoCanonical converts a header name to canonical form
@@ -52,24 +53,24 @@ func pluralize(count int) string {
 
 // parseARCResult parses ARC result from Authentication-Results
 // Example: arc=pass
-func (a *AuthenticationAnalyzer) parseARCResult(part string) *api.ARCResult {
+func (a *AuthenticationAnalyzer) parseARCResult(part string) *model.ARCResult {
-	result := &api.ARCResult{}
+	result := &model.ARCResult{}
 
 	// Extract result (pass, fail, none)
 	re := regexp.MustCompile(`arc=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.ARCResultResult(resultStr)
+		result.Result = model.ARCResultResult(resultStr)
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "arc="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "arc="))
 
 	return result
 }
 
 // parseARCHeaders parses ARC headers from email message
 // ARC consists of three headers per hop: ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal
-func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCResult {
+func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *model.ARCResult {
 	// Get all ARC-related headers
 	arcAuthResults := email.Header[textprotoCanonical("ARC-Authentication-Results")]
 	arcMessageSig := email.Header[textprotoCanonical("ARC-Message-Signature")]
@@ -80,8 +81,8 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 		return nil
 	}
 
-	result := &api.ARCResult{
+	result := &model.ARCResult{
-		Result: api.ARCResultResultNone,
+		Result: model.ARCResultResultNone,
 	}
 
 	// Count the ARC chain length (number of sets)
@@ -94,15 +95,15 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 
 	// Determine overall result
 	if chainLength == 0 {
-		result.Result = api.ARCResultResultNone
+		result.Result = model.ARCResultResultNone
 		details := "No ARC chain present"
 		result.Details = &details
 	} else if !chainValid {
-		result.Result = api.ARCResultResultFail
+		result.Result = model.ARCResultResultFail
 		details := fmt.Sprintf("ARC chain validation failed (chain length: %d)", chainLength)
 		result.Details = &details
 	} else {
-		result.Result = api.ARCResultResultPass
+		result.Result = model.ARCResultResultPass
 		details := fmt.Sprintf("ARC chain valid with %d intermediar%s", chainLength, pluralize(chainLength))
 		result.Details = &details
 	}
@@ -111,7 +112,7 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 }
 
 // enhanceARCResult enhances an existing ARC result with chain information
-func (a *AuthenticationAnalyzer) enhanceARCResult(email *EmailMessage, arcResult *api.ARCResult) {
+func (a *AuthenticationAnalyzer) enhanceARCResult(email *EmailMessage, arcResult *model.ARCResult) {
 	if arcResult == nil {
 		return
 	}

pkg/analyzer/authentication_arc_test.go

@@ -24,33 +24,33 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseARCResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.ARCResultResult
+		expectedResult model.ARCResultResult
 	}{
 		{
 			name:           "ARC pass",
 			part:           "arc=pass",
-			expectedResult: api.ARCResultResultPass,
+			expectedResult: model.ARCResultResultPass,
 		},
 		{
 			name:           "ARC fail",
 			part:           "arc=fail",
-			expectedResult: api.ARCResultResultFail,
+			expectedResult: model.ARCResultResultFail,
 		},
 		{
 			name:           "ARC none",
 			part:           "arc=none",
-			expectedResult: api.ARCResultResultNone,
+			expectedResult: model.ARCResultResultNone,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -136,7 +136,7 @@ func TestValidateARCChain(t *testing.T) {
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_bimi.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseBIMIResult parses BIMI result from Authentication-Results
 // Example: bimi=pass header.d=example.com header.selector=default
-func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *model.AuthResult {
-	result := &api.AuthResult{}
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`bimi=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,17 +55,17 @@ func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *api.AuthResult {
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "bimi="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "bimi="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateBIMIScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateBIMIScore(results *model.AuthenticationResults) (score int) {
 	if results.Bimi != nil {
 		switch results.Bimi.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultDeclined:
+		case model.AuthResultResultDeclined:
 			return 59
 		default: // fail
 			return 0

pkg/analyzer/authentication_bimi_test.go

@@ -24,47 +24,47 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseBIMIResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:             "BIMI pass with domain and selector",
 			part:             "bimi=pass header.d=example.com header.selector=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "BIMI fail",
 			part:             "bimi=fail header.d=example.com header.selector=default",
-			expectedResult:   api.AuthResultResultFail,
+			expectedResult:   model.AuthResultResultFail,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "BIMI with short form (d= and selector=)",
 			part:             "bimi=pass d=example.com selector=v1",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "v1",
 		},
 		{
 			name:           "BIMI none",
 			part:           "bimi=none header.d=example.com",
-			expectedResult: api.AuthResultResultNone,
+			expectedResult: model.AuthResultResultNone,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_dkim.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseDKIMResult parses DKIM result from Authentication-Results
 // Example: dkim=pass header.d=example.com header.s=selector1
-func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *model.AuthResult {
-	result := &api.AuthResult{}
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`dkim=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,18 +55,18 @@ func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *api.AuthResult {
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "dkim="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "dkim="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateDKIMScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateDKIMScore(results *model.AuthenticationResults) (score int) {
 	// Expect at least one passing signature
 	if results.Dkim != nil && len(*results.Dkim) > 0 {
 		hasPass := false
 		hasNonPass := false
 		for _, dkim := range *results.Dkim {
-			if dkim.Result == api.AuthResultResultPass {
+			if dkim.Result == model.AuthResultResultPass {
 				hasPass = true
 			} else {
 				hasNonPass = true

pkg/analyzer/authentication_dkim_test.go

@@ -24,41 +24,41 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseDKIMResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:             "DKIM pass with domain and selector",
 			part:             "dkim=pass header.d=example.com header.s=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "DKIM fail",
 			part:             "dkim=fail header.d=example.com header.s=selector1",
-			expectedResult:   api.AuthResultResultFail,
+			expectedResult:   model.AuthResultResultFail,
 			expectedDomain:   "example.com",
 			expectedSelector: "selector1",
 		},
 		{
 			name:             "DKIM with short form (d= and s=)",
 			part:             "dkim=pass d=example.com s=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_dmarc.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseDMARCResult parses DMARC result from Authentication-Results
 // Example: dmarc=pass action=none header.from=example.com
-func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *model.AuthResult {
-	result := &api.AuthResult{}
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`dmarc=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.from)
@@ -47,17 +48,17 @@ func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *api.AuthResult {
 		result.Domain = &domain
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "dmarc="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "dmarc="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateDMARCScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateDMARCScore(results *model.AuthenticationResults) (score int) {
 	if results.Dmarc != nil {
 		switch results.Dmarc.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultNone:
+		case model.AuthResultResultNone:
 			return 33
 		default: // fail
 			return 0

pkg/analyzer/authentication_dmarc_test.go

@@ -24,31 +24,31 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseDMARCResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain string
 	}{
 		{
 			name:           "DMARC pass",
 			part:           "dmarc=pass action=none header.from=example.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "DMARC fail",
 			part:           "dmarc=fail action=quarantine header.from=example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_iprev.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseIPRevResult parses IP reverse lookup result from Authentication-Results
 // Example: iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)
-func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *api.IPRevResult {
+func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *model.IPRevResult {
-	result := &api.IPRevResult{}
+	result := &model.IPRevResult{}
 
 	// Extract result (pass, fail, temperror, permerror, none)
 	re := regexp.MustCompile(`iprev=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.IPRevResultResult(resultStr)
+		result.Result = model.IPRevResultResult(resultStr)
 	}
 
 	// Extract IP address (smtp.remote-ip or remote-ip)
@@ -54,20 +55,20 @@ func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *api.IPRevResult
 		result.Hostname = &hostname
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "iprev="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "iprev="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateIPRevScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateIPRevScore(results *model.AuthenticationResults) (score int) {
 	if results.Iprev != nil {
 		switch results.Iprev.Result {
-		case api.Pass:
+		case model.Pass:
 			return 100
 		default: // fail, temperror, permerror
 			return 0
 		}
 	}
 
-	return 0
+	return 100
 }

pkg/analyzer/authentication_iprev_test.go

@@ -24,76 +24,77 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseIPRevResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.IPRevResultResult
+		expectedResult   model.IPRevResultResult
 		expectedIP       *string
 		expectedHostname *string
 	}{
 		{
 			name:             "IPRev pass with IP and hostname",
 			part:             "iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)",
-			expectedResult:   api.Pass,
+			expectedResult:   model.Pass,
-			expectedIP:       api.PtrTo("195.110.101.58"),
+			expectedIP:       utils.PtrTo("195.110.101.58"),
-			expectedHostname: api.PtrTo("authsmtp74.register.it"),
+			expectedHostname: utils.PtrTo("authsmtp74.register.it"),
 		},
 		{
 			name:             "IPRev pass without smtp prefix",
 			part:             "iprev=pass remote-ip=192.0.2.1 (mail.example.com)",
-			expectedResult:   api.Pass,
+			expectedResult:   model.Pass,
-			expectedIP:       api.PtrTo("192.0.2.1"),
+			expectedIP:       utils.PtrTo("192.0.2.1"),
-			expectedHostname: api.PtrTo("mail.example.com"),
+			expectedHostname: utils.PtrTo("mail.example.com"),
 		},
 		{
 			name:             "IPRev fail",
 			part:             "iprev=fail smtp.remote-ip=198.51.100.42 (unknown.host.com)",
-			expectedResult:   api.Fail,
+			expectedResult:   model.Fail,
-			expectedIP:       api.PtrTo("198.51.100.42"),
+			expectedIP:       utils.PtrTo("198.51.100.42"),
-			expectedHostname: api.PtrTo("unknown.host.com"),
+			expectedHostname: utils.PtrTo("unknown.host.com"),
 		},
 		{
 			name:             "IPRev temperror",
 			part:             "iprev=temperror smtp.remote-ip=203.0.113.1",
-			expectedResult:   api.Temperror,
+			expectedResult:   model.Temperror,
-			expectedIP:       api.PtrTo("203.0.113.1"),
+			expectedIP:       utils.PtrTo("203.0.113.1"),
 			expectedHostname: nil,
 		},
 		{
 			name:             "IPRev permerror",
 			part:             "iprev=permerror smtp.remote-ip=192.0.2.100",
-			expectedResult:   api.Permerror,
+			expectedResult:   model.Permerror,
-			expectedIP:       api.PtrTo("192.0.2.100"),
+			expectedIP:       utils.PtrTo("192.0.2.100"),
 			expectedHostname: nil,
 		},
 		{
 			name:             "IPRev with IPv6",
 			part:             "iprev=pass smtp.remote-ip=2001:db8::1 (ipv6.example.com)",
-			expectedResult:   api.Pass,
+			expectedResult:   model.Pass,
-			expectedIP:       api.PtrTo("2001:db8::1"),
+			expectedIP:       utils.PtrTo("2001:db8::1"),
-			expectedHostname: api.PtrTo("ipv6.example.com"),
+			expectedHostname: utils.PtrTo("ipv6.example.com"),
 		},
 		{
 			name:             "IPRev with subdomain hostname",
 			part:             "iprev=pass smtp.remote-ip=192.0.2.50 (mail.subdomain.example.com)",
-			expectedResult:   api.Pass,
+			expectedResult:   model.Pass,
-			expectedIP:       api.PtrTo("192.0.2.50"),
+			expectedIP:       utils.PtrTo("192.0.2.50"),
-			expectedHostname: api.PtrTo("mail.subdomain.example.com"),
+			expectedHostname: utils.PtrTo("mail.subdomain.example.com"),
 		},
 		{
 			name:             "IPRev pass without parentheses",
 			part:             "iprev=pass smtp.remote-ip=192.0.2.200",
-			expectedResult:   api.Pass,
+			expectedResult:   model.Pass,
-			expectedIP:       api.PtrTo("192.0.2.200"),
+			expectedIP:       utils.PtrTo("192.0.2.200"),
 			expectedHostname: nil,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -142,29 +143,29 @@ func TestParseAuthenticationResultsHeader_IPRev(t *testing.T) {
 	tests := []struct {
 		name                string
 		header              string
-		expectedIPRevResult *api.IPRevResultResult
+		expectedIPRevResult *model.IPRevResultResult
 		expectedIP          *string
 		expectedHostname    *string
 	}{
 		{
 			name:                "IPRev pass in Authentication-Results",
 			header:              "mx.google.com; iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)",
-			expectedIPRevResult: api.PtrTo(api.Pass),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
-			expectedIP:          api.PtrTo("195.110.101.58"),
+			expectedIP:          utils.PtrTo("195.110.101.58"),
-			expectedHostname:    api.PtrTo("authsmtp74.register.it"),
+			expectedHostname:    utils.PtrTo("authsmtp74.register.it"),
 		},
 		{
 			name:                "IPRev with other authentication methods",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; iprev=pass smtp.remote-ip=192.0.2.1 (mail.example.com); dkim=pass header.d=example.com",
-			expectedIPRevResult: api.PtrTo(api.Pass),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
-			expectedIP:          api.PtrTo("192.0.2.1"),
+			expectedIP:          utils.PtrTo("192.0.2.1"),
-			expectedHostname:    api.PtrTo("mail.example.com"),
+			expectedHostname:    utils.PtrTo("mail.example.com"),
 		},
 		{
 			name:                "IPRev fail",
 			header:              "mx.google.com; iprev=fail smtp.remote-ip=198.51.100.42",
-			expectedIPRevResult: api.PtrTo(api.Fail),
+			expectedIPRevResult: utils.PtrTo(model.Fail),
-			expectedIP:          api.PtrTo("198.51.100.42"),
+			expectedIP:          utils.PtrTo("198.51.100.42"),
 			expectedHostname:    nil,
 		},
 		{
@@ -175,17 +176,17 @@ func TestParseAuthenticationResultsHeader_IPRev(t *testing.T) {
 		{
 			name:                "Multiple IPRev results - only first is parsed",
 			header:              "mx.google.com; iprev=pass smtp.remote-ip=192.0.2.1 (first.com); iprev=fail smtp.remote-ip=192.0.2.2 (second.com)",
-			expectedIPRevResult: api.PtrTo(api.Pass),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
-			expectedIP:          api.PtrTo("192.0.2.1"),
+			expectedIP:          utils.PtrTo("192.0.2.1"),
-			expectedHostname:    api.PtrTo("first.com"),
+			expectedHostname:    utils.PtrTo("first.com"),
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{}
+			results := &model.AuthenticationResults{}
 			analyzer.parseAuthenticationResultsHeader(tt.header, results)
 
 			// Check IPRev

pkg/analyzer/authentication_spf.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseSPFResult parses SPF result from Authentication-Results
 // Example: spf=pass smtp.mailfrom=sender@example.com
-func (a *AuthenticationAnalyzer) parseSPFResult(part string) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseSPFResult(part string) *model.AuthResult {
-	result := &api.AuthResult{}
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`spf=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain
@@ -51,25 +52,35 @@ func (a *AuthenticationAnalyzer) parseSPFResult(part string) *api.AuthResult {
 		}
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "spf="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "spf="))
 
 	return result
 }
 
 // parseLegacySPF attempts to parse SPF from Received-SPF header
-func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *model.AuthResult {
 	receivedSPF := email.Header.Get("Received-SPF")
 	if receivedSPF == "" {
 		return nil
 	}
 
-	result := &api.AuthResult{}
+	// Verify receiver matches our hostname
+	if a.receiverHostname != "" {
+		receiverRe := regexp.MustCompile(`receiver=([^\s;]+)`)
+		if matches := receiverRe.FindStringSubmatch(receivedSPF); len(matches) > 1 {
+			if matches[1] != a.receiverHostname {
+				return nil
+			}
+		}
+	}
+
+	result := &model.AuthResult{}
 
 	// Extract result (first word)
 	parts := strings.Fields(receivedSPF)
 	if len(parts) > 0 {
 		resultStr := strings.ToLower(parts[0])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	result.Details = &receivedSPF
@@ -87,14 +98,14 @@ func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *api.AuthRe
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateSPFScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateSPFScore(results *model.AuthenticationResults) (score int) {
 	if results.Spf != nil {
 		switch results.Spf.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultNeutral, api.AuthResultResultNone:
+		case model.AuthResultResultNeutral, model.AuthResultResultNone:
 			return 50
-		case api.AuthResultResultSoftfail:
+		case model.AuthResultResultSoftfail:
 			return 17
 		default: // fail, temperror, permerror
 			return 0

pkg/analyzer/authentication_spf_test.go

@@ -24,43 +24,44 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseSPFResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain string
 	}{
 		{
 			name:           "SPF pass with domain",
 			part:           "spf=pass smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF fail",
 			part:           "spf=fail smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF neutral",
 			part:           "spf=neutral smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultNeutral,
+			expectedResult: model.AuthResultResultNeutral,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF softfail",
 			part:           "spf=softfail smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultSoftfail,
+			expectedResult: model.AuthResultResultSoftfail,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -84,7 +85,7 @@ func TestParseLegacySPF(t *testing.T) {
 	tests := []struct {
 		name           string
 		receivedSPF    string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain *string
 		expectNil      bool
 	}{
@@ -97,8 +98,8 @@ func TestParseLegacySPF(t *testing.T) {
     envelope-from="user@example.com";
     helo=smtp.example.com;
     client-ip=192.0.2.10`,
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
-			expectedDomain: api.PtrTo("example.com"),
+			expectedDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name: "SPF fail with sender",
@@ -109,43 +110,43 @@ func TestParseLegacySPF(t *testing.T) {
     sender="sender@test.com";
     helo=smtp.test.com;
     client-ip=192.0.2.20`,
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
-			expectedDomain: api.PtrTo("test.com"),
+			expectedDomain: utils.PtrTo("test.com"),
 		},
 		{
 			name:           "SPF softfail",
 			receivedSPF:    "softfail (example.com: transitioning domain of admin@example.org does not designate 192.0.2.30 as permitted sender) envelope-from=\"admin@example.org\"",
-			expectedResult: api.AuthResultResultSoftfail,
+			expectedResult: model.AuthResultResultSoftfail,
-			expectedDomain: api.PtrTo("example.org"),
+			expectedDomain: utils.PtrTo("example.org"),
 		},
 		{
 			name:           "SPF neutral",
 			receivedSPF:    "neutral (example.com: 192.0.2.40 is neither permitted nor denied by domain of info@domain.net) envelope-from=\"info@domain.net\"",
-			expectedResult: api.AuthResultResultNeutral,
+			expectedResult: model.AuthResultResultNeutral,
-			expectedDomain: api.PtrTo("domain.net"),
+			expectedDomain: utils.PtrTo("domain.net"),
 		},
 		{
 			name:           "SPF none",
 			receivedSPF:    "none (example.com: domain of noreply@company.io has no SPF record) envelope-from=\"noreply@company.io\"",
-			expectedResult: api.AuthResultResultNone,
+			expectedResult: model.AuthResultResultNone,
-			expectedDomain: api.PtrTo("company.io"),
+			expectedDomain: utils.PtrTo("company.io"),
 		},
 		{
 			name:           "SPF temperror",
 			receivedSPF:    "temperror (example.com: error in processing SPF record) envelope-from=\"support@shop.example\"",
-			expectedResult: api.AuthResultResultTemperror,
+			expectedResult: model.AuthResultResultTemperror,
-			expectedDomain: api.PtrTo("shop.example"),
+			expectedDomain: utils.PtrTo("shop.example"),
 		},
 		{
 			name:           "SPF permerror",
 			receivedSPF:    "permerror (example.com: domain of contact@invalid.test has invalid SPF record) envelope-from=\"contact@invalid.test\"",
-			expectedResult: api.AuthResultResultPermerror,
+			expectedResult: model.AuthResultResultPermerror,
-			expectedDomain: api.PtrTo("invalid.test"),
+			expectedDomain: utils.PtrTo("invalid.test"),
 		},
 		{
 			name:           "SPF pass without domain extraction",
 			receivedSPF:    "pass (example.com: 192.0.2.50 is authorized)",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: nil,
 		},
 		{
@@ -156,12 +157,12 @@ func TestParseLegacySPF(t *testing.T) {
 		{
 			name:           "SPF with unquoted envelope-from",
 			receivedSPF:    "pass (example.com: sender SPF authorized) envelope-from=postmaster@mail.example.net",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
-			expectedDomain: api.PtrTo("mail.example.net"),
+			expectedDomain: utils.PtrTo("mail.example.net"),
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_test.go

@@ -24,83 +24,84 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestGetAuthenticationScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		results       *api.AuthenticationResults
+		results       *model.AuthenticationResults
 		expectedScore int
 	}{
 		{
 			name: "Perfect authentication (SPF + DKIM + DMARC)",
-			results: &api.AuthenticationResults{
+			results: &model.AuthenticationResults{
-				Spf: &api.AuthResult{
+				Spf: &model.AuthResult{
-					Result: api.AuthResultResultPass,
+					Result: model.AuthResultResultPass,
 				},
-				Dkim: &[]api.AuthResult{
+				Dkim: &[]model.AuthResult{
-					{Result: api.AuthResultResultPass},
+					{Result: model.AuthResultResultPass},
 				},
-				Dmarc: &api.AuthResult{
+				Dmarc: &model.AuthResult{
-					Result: api.AuthResultResultPass,
+					Result: model.AuthResultResultPass,
 				},
 			},
 			expectedScore: 73, // SPF=25 + DKIM=23 + DMARC=25
 		},
 		{
 			name: "SPF and DKIM only",
-			results: &api.AuthenticationResults{
+			results: &model.AuthenticationResults{
-				Spf: &api.AuthResult{
+				Spf: &model.AuthResult{
-					Result: api.AuthResultResultPass,
+					Result: model.AuthResultResultPass,
 				},
-				Dkim: &[]api.AuthResult{
+				Dkim: &[]model.AuthResult{
-					{Result: api.AuthResultResultPass},
+					{Result: model.AuthResultResultPass},
 				},
 			},
 			expectedScore: 48, // SPF=25 + DKIM=23
 		},
 		{
 			name: "SPF fail, DKIM pass",
-			results: &api.AuthenticationResults{
+			results: &model.AuthenticationResults{
-				Spf: &api.AuthResult{
+				Spf: &model.AuthResult{
-					Result: api.AuthResultResultFail,
+					Result: model.AuthResultResultFail,
 				},
-				Dkim: &[]api.AuthResult{
+				Dkim: &[]model.AuthResult{
-					{Result: api.AuthResultResultPass},
+					{Result: model.AuthResultResultPass},
 				},
 			},
 			expectedScore: 23, // SPF=0 + DKIM=23
 		},
 		{
 			name: "SPF softfail",
-			results: &api.AuthenticationResults{
+			results: &model.AuthenticationResults{
-				Spf: &api.AuthResult{
+				Spf: &model.AuthResult{
-					Result: api.AuthResultResultSoftfail,
+					Result: model.AuthResultResultSoftfail,
 				},
 			},
 			expectedScore: 4,
 		},
 		{
 			name:          "No authentication",
-			results:       &api.AuthenticationResults{},
+			results:       &model.AuthenticationResults{},
 			expectedScore: 0,
 		},
 		{
 			name: "BIMI adds to score",
-			results: &api.AuthenticationResults{
+			results: &model.AuthenticationResults{
-				Spf: &api.AuthResult{
+				Spf: &model.AuthResult{
-					Result: api.AuthResultResultPass,
+					Result: model.AuthResultResultPass,
 				},
-				Bimi: &api.AuthResult{
+				Bimi: &model.AuthResult{
-					Result: api.AuthResultResultPass,
+					Result: model.AuthResultResultPass,
 				},
 			},
 			expectedScore: 35, // SPF (25) + BIMI (10)
 		},
 	}
 
-	scorer := NewAuthenticationAnalyzer()
+	scorer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -117,30 +118,30 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 	tests := []struct {
 		name                string
 		header              string
-		expectedSPFResult   *api.AuthResultResult
+		expectedSPFResult   *model.AuthResultResult
 		expectedSPFDomain   *string
 		expectedDKIMCount   int
-		expectedDKIMResult  *api.AuthResultResult
+		expectedDKIMResult  *model.AuthResultResult
-		expectedDMARCResult *api.AuthResultResult
+		expectedDMARCResult *model.AuthResultResult
 		expectedDMARCDomain *string
-		expectedBIMIResult  *api.AuthResultResult
+		expectedBIMIResult  *model.AuthResultResult
-		expectedARCResult   *api.ARCResultResult
+		expectedARCResult   *model.ARCResultResult
 	}{
 		{
 			name:                "Complete authentication results",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultPass),
-			expectedDMARCDomain: api.PtrTo("example.com"),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name:                "SPF only",
 			header:              "mail.example.com; spf=pass smtp.mailfrom=user@domain.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("domain.com"),
+			expectedSPFDomain:   utils.PtrTo("domain.com"),
 			expectedDKIMCount:   0,
 			expectedDMARCResult: nil,
 		},
@@ -149,68 +150,68 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 			header:             "mail.example.com; dkim=pass header.d=example.com header.s=selector1",
 			expectedSPFResult:  nil,
 			expectedDKIMCount:  1,
-			expectedDKIMResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:                "Multiple DKIM signatures",
 			header:              "mail.example.com; dkim=pass header.d=example.com header.s=s1; dkim=pass header.d=example.com header.s=s2",
 			expectedSPFResult:   nil,
 			expectedDKIMCount:   2,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "SPF fail with DKIM pass",
 			header:              "mail.example.com; spf=fail smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultFail),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultFail),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "SPF softfail",
 			header:              "mail.example.com; spf=softfail smtp.mailfrom=sender@example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultSoftfail),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultSoftfail),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   0,
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "DMARC fail",
 			header:              "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=fail action=quarantine header.from=example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultFail),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultFail),
-			expectedDMARCDomain: api.PtrTo("example.com"),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name:               "BIMI pass",
 			header:             "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; bimi=pass header.d=example.com header.selector=default",
-			expectedSPFResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult:  utils.PtrTo(model.AuthResultResultPass),
-			expectedSPFDomain:  api.PtrTo("example.com"),
+			expectedSPFDomain:  utils.PtrTo("example.com"),
 			expectedDKIMCount:  0,
-			expectedBIMIResult: api.PtrTo(api.AuthResultResultPass),
+			expectedBIMIResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:              "ARC pass",
 			header:            "mail.example.com; arc=pass",
 			expectedSPFResult: nil,
 			expectedDKIMCount: 0,
-			expectedARCResult: api.PtrTo(api.ARCResultResultPass),
+			expectedARCResult: utils.PtrTo(model.ARCResultResultPass),
 		},
 		{
 			name:                "All authentication methods",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com; bimi=pass header.d=example.com header.selector=v1; arc=pass",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultPass),
-			expectedDMARCDomain: api.PtrTo("example.com"),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
-			expectedBIMIResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedBIMIResult:  utils.PtrTo(model.AuthResultResultPass),
-			expectedARCResult:   api.PtrTo(api.ARCResultResultPass),
+			expectedARCResult:   utils.PtrTo(model.ARCResultResultPass),
 		},
 		{
 			name:              "Empty header (authserv-id only)",
@@ -221,8 +222,8 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 		{
 			name:              "Empty parts with semicolons",
 			header:            "mx.google.com; ; ; spf=pass smtp.mailfrom=sender@example.com; ;",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultPass),
-			expectedSPFDomain: api.PtrTo("example.com"),
+			expectedSPFDomain: utils.PtrTo("example.com"),
 			expectedDKIMCount: 0,
 		},
 		{
@@ -230,28 +231,28 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 			header:             "mail.example.com; dkim=pass d=example.com s=selector1",
 			expectedSPFResult:  nil,
 			expectedDKIMCount:  1,
-			expectedDKIMResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:              "SPF neutral",
 			header:            "mail.example.com; spf=neutral smtp.mailfrom=sender@example.com",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultNeutral),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultNeutral),
-			expectedSPFDomain: api.PtrTo("example.com"),
+			expectedSPFDomain: utils.PtrTo("example.com"),
 			expectedDKIMCount: 0,
 		},
 		{
 			name:              "SPF none",
 			header:            "mail.example.com; spf=none",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultNone),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultNone),
 			expectedDKIMCount: 0,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{}
+			results := &model.AuthenticationResults{}
 			analyzer.parseAuthenticationResultsHeader(tt.header, results)
 
 			// Check SPF
@@ -353,17 +354,17 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 
 func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 	// This test verifies that only the first occurrence of each auth method is parsed
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	t.Run("Multiple SPF results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; spf=pass smtp.mailfrom=first@example.com; spf=fail smtp.mailfrom=second@example.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Spf == nil {
 			t.Fatal("Expected SPF result, got nil")
 		}
-		if results.Spf.Result != api.AuthResultResultPass {
+		if results.Spf.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first SPF result (pass), got %v", results.Spf.Result)
 		}
 		if results.Spf.Domain == nil || *results.Spf.Domain != "example.com" {
@@ -373,13 +374,13 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 
 	t.Run("Multiple DMARC results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; dmarc=pass header.from=first.com; dmarc=fail header.from=second.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Dmarc == nil {
 			t.Fatal("Expected DMARC result, got nil")
 		}
-		if results.Dmarc.Result != api.AuthResultResultPass {
+		if results.Dmarc.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first DMARC result (pass), got %v", results.Dmarc.Result)
 		}
 		if results.Dmarc.Domain == nil || *results.Dmarc.Domain != "first.com" {
@@ -389,26 +390,26 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 
 	t.Run("Multiple ARC results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; arc=pass; arc=fail"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Arc == nil {
 			t.Fatal("Expected ARC result, got nil")
 		}
-		if results.Arc.Result != api.ARCResultResultPass {
+		if results.Arc.Result != model.ARCResultResultPass {
 			t.Errorf("Expected first ARC result (pass), got %v", results.Arc.Result)
 		}
 	})
 
 	t.Run("Multiple BIMI results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; bimi=pass header.d=first.com; bimi=fail header.d=second.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Bimi == nil {
 			t.Fatal("Expected BIMI result, got nil")
 		}
-		if results.Bimi.Result != api.AuthResultResultPass {
+		if results.Bimi.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first BIMI result (pass), got %v", results.Bimi.Result)
 		}
 		if results.Bimi.Domain == nil || *results.Bimi.Domain != "first.com" {
@@ -419,7 +420,7 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 	t.Run("Multiple DKIM results - all are parsed", func(t *testing.T) {
 		// DKIM is special - multiple signatures should all be collected
 		header := "mail.example.com; dkim=pass header.d=first.com header.s=s1; dkim=fail header.d=second.com header.s=s2"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Dkim == nil {
@@ -428,10 +429,10 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 		if len(*results.Dkim) != 2 {
 			t.Errorf("Expected 2 DKIM results, got %d", len(*results.Dkim))
 		}
-		if (*results.Dkim)[0].Result != api.AuthResultResultPass {
+		if (*results.Dkim)[0].Result != model.AuthResultResultPass {
 			t.Errorf("Expected first DKIM result to be pass, got %v", (*results.Dkim)[0].Result)
 		}
-		if (*results.Dkim)[1].Result != api.AuthResultResultFail {
+		if (*results.Dkim)[1].Result != model.AuthResultResultFail {
 			t.Errorf("Expected second DKIM result to be fail, got %v", (*results.Dkim)[1].Result)
 		}
 	})

pkg/analyzer/authentication_x_aligned_from.go

@@ -25,34 +25,35 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseXAlignedFromResult parses X-Aligned-From result from Authentication-Results
 // Example: x-aligned-from=pass (Address match)
-func (a *AuthenticationAnalyzer) parseXAlignedFromResult(part string) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseXAlignedFromResult(part string) *model.AuthResult {
-	result := &api.AuthResult{}
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`x-aligned-from=([\w]+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract details (everything after the result)
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "x-aligned-from="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "x-aligned-from="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateXAlignedFromScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateXAlignedFromScore(results *model.AuthenticationResults) (score int) {
 	if results.XAlignedFrom != nil {
 		switch results.XAlignedFrom.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			// pass: positive contribution
 			return 100
-		case api.AuthResultResultFail:
+		case model.AuthResultResultFail:
 			// fail: negative contribution
 			return 0
 		default:
@@ -61,5 +62,5 @@ func (a *AuthenticationAnalyzer) calculateXAlignedFromScore(results *api.Authent
 		}
 	}
 
-	return 0
+	return 100
 }

pkg/analyzer/authentication_x_aligned_from_test.go

@@ -24,49 +24,49 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseXAlignedFromResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDetail string
 	}{
 		{
 			name:           "x-aligned-from pass with details",
 			part:           "x-aligned-from=pass (Address match)",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDetail: "pass (Address match)",
 		},
 		{
 			name:           "x-aligned-from fail with reason",
 			part:           "x-aligned-from=fail (Address mismatch)",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDetail: "fail (Address mismatch)",
 		},
 		{
 			name:           "x-aligned-from pass minimal",
 			part:           "x-aligned-from=pass",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDetail: "pass",
 		},
 		{
 			name:           "x-aligned-from neutral",
 			part:           "x-aligned-from=neutral (No alignment check performed)",
-			expectedResult: api.AuthResultResultNeutral,
+			expectedResult: model.AuthResultResultNeutral,
 			expectedDetail: "neutral (No alignment check performed)",
 		},
 		{
 			name:           "x-aligned-from none",
 			part:           "x-aligned-from=none",
-			expectedResult: api.AuthResultResultNone,
+			expectedResult: model.AuthResultResultNone,
 			expectedDetail: "none",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -88,34 +88,34 @@ func TestParseXAlignedFromResult(t *testing.T) {
 func TestCalculateXAlignedFromScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		result        *api.AuthResult
+		result        *model.AuthResult
 		expectedScore int
 	}{
 		{
 			name: "pass result gives positive score",
-			result: &api.AuthResult{
+			result: &model.AuthResult{
-				Result: api.AuthResultResultPass,
+				Result: model.AuthResultResultPass,
 			},
 			expectedScore: 100,
 		},
 		{
 			name: "fail result gives zero score",
-			result: &api.AuthResult{
+			result: &model.AuthResult{
-				Result: api.AuthResultResultFail,
+				Result: model.AuthResultResultFail,
 			},
 			expectedScore: 0,
 		},
 		{
 			name: "neutral result gives zero score",
-			result: &api.AuthResult{
+			result: &model.AuthResult{
-				Result: api.AuthResultResultNeutral,
+				Result: model.AuthResultResultNeutral,
 			},
 			expectedScore: 0,
 		},
 		{
 			name: "none result gives zero score",
-			result: &api.AuthResult{
+			result: &model.AuthResult{
-				Result: api.AuthResultResultNone,
+				Result: model.AuthResultResultNone,
 			},
 			expectedScore: 0,
 		},
@@ -126,11 +126,11 @@ func TestCalculateXAlignedFromScore(t *testing.T) {
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{
+			results := &model.AuthenticationResults{
 				XAlignedFrom: tt.result,
 			}
 

pkg/analyzer/authentication_x_google_dkim.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseXGoogleDKIMResult parses Google DKIM result from Authentication-Results
 // Example: x-google-dkim=pass (2048-bit rsa key) header.d=1e100.net header.i=@1e100.net header.b=fauiPVZ6
-func (a *AuthenticationAnalyzer) parseXGoogleDKIMResult(part string) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseXGoogleDKIMResult(part string) *model.AuthResult {
-	result := &api.AuthResult{}
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`x-google-dkim=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,15 +55,15 @@ func (a *AuthenticationAnalyzer) parseXGoogleDKIMResult(part string) *api.AuthRe
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "x-google-dkim="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "x-google-dkim="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateXGoogleDKIMScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateXGoogleDKIMScore(results *model.AuthenticationResults) (score int) {
 	if results.XGoogleDkim != nil {
 		switch results.XGoogleDkim.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			// pass: don't alter the score
 		default: // fail
 			return -100

pkg/analyzer/authentication_x_google_dkim_test.go

@@ -24,43 +24,43 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseXGoogleDKIMResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:           "x-google-dkim pass with domain",
 			part:           "x-google-dkim=pass (2048-bit rsa key) header.d=1e100.net header.i=@1e100.net header.b=fauiPVZ6",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "1e100.net",
 		},
 		{
 			name:           "x-google-dkim pass with short form",
 			part:           "x-google-dkim=pass d=gmail.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "gmail.com",
 		},
 		{
 			name:           "x-google-dkim fail",
 			part:           "x-google-dkim=fail header.d=example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "x-google-dkim with minimal info",
 			part:           "x-google-dkim=pass",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/content.go

@@ -32,15 +32,17 @@ import (
 	"time"
 	"unicode"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 	"golang.org/x/net/html"
 )
 
 // ContentAnalyzer analyzes email content (HTML, links, images)
 type ContentAnalyzer struct {
-	Timeout             time.Duration
+	Timeout                time.Duration
-	httpClient          *http.Client
+	httpClient             *http.Client
-	listUnsubscribeURLs []string // URLs from List-Unsubscribe header
+	listUnsubscribeURLs    []string // URLs from List-Unsubscribe header
+	hasOneClickUnsubscribe bool     // True if List-Unsubscribe-Post: List-Unsubscribe=One-Click
 }
 
 // NewContentAnalyzer creates a new content analyzer with configurable timeout
@@ -115,6 +117,10 @@ func (c *ContentAnalyzer) AnalyzeContent(email *EmailMessage) *ContentResults {
 	// Parse List-Unsubscribe header URLs for use in link detection
 	c.listUnsubscribeURLs = email.GetListUnsubscribeURLs()
 
+	// Check for one-click unsubscribe support
+	listUnsubscribePost := email.Header.Get("List-Unsubscribe-Post")
+	c.hasOneClickUnsubscribe = strings.EqualFold(strings.TrimSpace(listUnsubscribePost), "List-Unsubscribe=One-Click")
+
 	// Get HTML and text parts
 	htmlParts := email.GetHTMLParts()
 	textParts := email.GetTextParts()
@@ -723,15 +729,16 @@ func (c *ContentAnalyzer) normalizeText(text string) string {
 }
 
 // GenerateContentAnalysis creates structured content analysis from results
-func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.ContentAnalysis {
+func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *model.ContentAnalysis {
 	if results == nil {
 		return nil
 	}
 
-	analysis := &api.ContentAnalysis{
+	analysis := &model.ContentAnalysis{
-		HasHtml:            api.PtrTo(results.HTMLContent != ""),
+		HasHtml:            utils.PtrTo(results.HTMLContent != ""),
-		HasPlaintext:       api.PtrTo(results.TextContent != ""),
+		HasPlaintext:       utils.PtrTo(results.TextContent != ""),
-		HasUnsubscribeLink: api.PtrTo(results.HasUnsubscribe),
+		HasUnsubscribeLink: utils.PtrTo(results.HasUnsubscribe),
+		UnsubscribeMethods: &[]model.ContentAnalysisUnsubscribeMethods{},
 	}
 
 	// Calculate text-to-image ratio (inverse of image-to-text)
@@ -744,16 +751,16 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 	}
 
 	// Build HTML issues
-	htmlIssues := []api.ContentIssue{}
+	htmlIssues := []model.ContentIssue{}
 
 	// Add HTML parsing errors
 	if !results.HTMLValid && len(results.HTMLErrors) > 0 {
 		for _, errMsg := range results.HTMLErrors {
-			htmlIssues = append(htmlIssues, api.ContentIssue{
+			htmlIssues = append(htmlIssues, model.ContentIssue{
-				Type:     api.BrokenHtml,
+				Type:     model.BrokenHtml,
-				Severity: api.ContentIssueSeverityHigh,
+				Severity: model.ContentIssueSeverityHigh,
 				Message:  errMsg,
-				Advice:   api.PtrTo("Fix HTML structure errors to improve email rendering across clients"),
+				Advice:   utils.PtrTo("Fix HTML structure errors to improve email rendering across clients"),
 			})
 		}
 	}
@@ -767,53 +774,53 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 			}
 		}
 		if missingAltCount > 0 {
-			htmlIssues = append(htmlIssues, api.ContentIssue{
+			htmlIssues = append(htmlIssues, model.ContentIssue{
-				Type:     api.MissingAlt,
+				Type:     model.MissingAlt,
-				Severity: api.ContentIssueSeverityMedium,
+				Severity: model.ContentIssueSeverityMedium,
 				Message:  fmt.Sprintf("%d image(s) missing alt attributes", missingAltCount),
-				Advice:   api.PtrTo("Add descriptive alt text to all images for better accessibility and deliverability"),
+				Advice:   utils.PtrTo("Add descriptive alt text to all images for better accessibility and deliverability"),
 			})
 		}
 	}
 
 	// Add excessive images issue
 	if results.ImageTextRatio > 10.0 {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
+		htmlIssues = append(htmlIssues, model.ContentIssue{
-			Type:     api.ExcessiveImages,
+			Type:     model.ExcessiveImages,
-			Severity: api.ContentIssueSeverityMedium,
+			Severity: model.ContentIssueSeverityMedium,
 			Message:  "Email is excessively image-heavy",
-			Advice:   api.PtrTo("Reduce the number of images relative to text content"),
+			Advice:   utils.PtrTo("Reduce the number of images relative to text content"),
 		})
 	}
 
 	// Add suspicious URL issues
 	for _, suspURL := range results.SuspiciousURLs {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
+		htmlIssues = append(htmlIssues, model.ContentIssue{
-			Type:     api.SuspiciousLink,
+			Type:     model.SuspiciousLink,
-			Severity: api.ContentIssueSeverityHigh,
+			Severity: model.ContentIssueSeverityHigh,
 			Message:  "Suspicious URL detected",
 			Location: &suspURL,
-			Advice:   api.PtrTo("Avoid URL shorteners, IP addresses, and obfuscated URLs in emails"),
+			Advice:   utils.PtrTo("Avoid URL shorteners, IP addresses, and obfuscated URLs in emails"),
 		})
 	}
 
 	// Add harmful HTML tag issues
 	for _, harmfulIssue := range results.HarmfullIssues {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
+		htmlIssues = append(htmlIssues, model.ContentIssue{
-			Type:     api.DangerousHtml,
+			Type:     model.DangerousHtml,
-			Severity: api.ContentIssueSeverityCritical,
+			Severity: model.ContentIssueSeverityCritical,
 			Message:  harmfulIssue,
-			Advice:   api.PtrTo("Remove dangerous HTML tags like <script>, <iframe>, <object>, <embed>, <applet>, <form>, and <base> from email content"),
+			Advice:   utils.PtrTo("Remove dangerous HTML tags like <script>, <iframe>, <object>, <embed>, <applet>, <form>, and <base> from email content"),
 		})
 	}
 
 	// Add general content issues (like external stylesheets)
 	for _, contentIssue := range results.ContentIssues {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
+		htmlIssues = append(htmlIssues, model.ContentIssue{
-			Type:     api.BrokenHtml,
+			Type:     model.BrokenHtml,
-			Severity: api.ContentIssueSeverityLow,
+			Severity: model.ContentIssueSeverityLow,
 			Message:  contentIssue,
-			Advice:   api.PtrTo("Use inline CSS instead of external stylesheets for better email compatibility"),
+			Advice:   utils.PtrTo("Use inline CSS instead of external stylesheets for better email compatibility"),
 		})
 	}
 
@@ -823,31 +830,31 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 
 	// Convert links
 	if len(results.Links) > 0 {
-		links := make([]api.LinkCheck, 0, len(results.Links))
+		links := make([]model.LinkCheck, 0, len(results.Links))
 		for _, link := range results.Links {
-			status := api.Valid
+			status := model.Valid
 			if link.Status >= 400 {
-				status = api.Broken
+				status = model.Broken
 			} else if !link.IsSafe {
-				status = api.Suspicious
+				status = model.Suspicious
 			} else if link.Warning != "" {
-				status = api.Timeout
+				status = model.Timeout
 			}
 
-			apiLink := api.LinkCheck{
+			apiLink := model.LinkCheck{
 				Url:    link.URL,
 				Status: status,
 			}
 
 			if link.Status > 0 {
-				apiLink.HttpCode = api.PtrTo(link.Status)
+				apiLink.HttpCode = utils.PtrTo(link.Status)
 			}
 
 			// Check if it's a URL shortener
 			parsedURL, err := url.Parse(link.URL)
 			if err == nil {
 				isShortened := c.isSuspiciousURL(link.URL, parsedURL)
-				apiLink.IsShortened = api.PtrTo(isShortened)
+				apiLink.IsShortened = utils.PtrTo(isShortened)
 			}
 
 			links = append(links, apiLink)
@@ -857,9 +864,9 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 
 	// Convert images
 	if len(results.Images) > 0 {
-		images := make([]api.ImageCheck, 0, len(results.Images))
+		images := make([]model.ImageCheck, 0, len(results.Images))
 		for _, img := range results.Images {
-			apiImg := api.ImageCheck{
+			apiImg := model.ImageCheck{
 				HasAlt: img.HasAlt,
 			}
 			if img.Src != "" {
@@ -869,7 +876,7 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 				apiImg.AltText = &img.AltText
 			}
 			// Simple heuristic: tracking pixels are typically 1x1
-			apiImg.IsTrackingPixel = api.PtrTo(false)
+			apiImg.IsTrackingPixel = utils.PtrTo(false)
 
 			images = append(images, apiImg)
 		}
@@ -878,8 +885,19 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 
 	// Unsubscribe methods
 	if results.HasUnsubscribe {
-		methods := []api.ContentAnalysisUnsubscribeMethods{api.Link}
+		*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.Link)
-		analysis.UnsubscribeMethods = &methods
+	}
+
+	for _, url := range c.listUnsubscribeURLs {
+		if strings.HasPrefix(url, "mailto:") {
+			*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.Mailto)
+		} else if strings.HasPrefix(url, "http:") || strings.HasPrefix(url, "https:") {
+			*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.ListUnsubscribeHeader)
+		}
+	}
+
+	if slices.Contains(*analysis.UnsubscribeMethods, model.ListUnsubscribeHeader) && c.hasOneClickUnsubscribe {
+		*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.OneClick)
 	}
 
 	return analysis

pkg/analyzer/content_test.go

@@ -144,6 +144,74 @@ func TestIsUnsubscribeLink(t *testing.T) {
 			linkText: "Read more",
 			expected: false,
 		},
+		// Multilingual keyword detection - URL path
+		{
+			name:     "German abmelden in URL",
+			href:     "https://example.com/abmelden?id=42",
+			linkText: "Click here",
+			expected: true,
+		},
+		{
+			name:     "French se-desabonner slug in URL (no accent/space - not detected by keyword)",
+			href:     "https://example.com/se-desabonner?id=42",
+			linkText: "Click here",
+			expected: false,
+		},
+		// Multilingual keyword detection - link text
+		{
+			name:     "German Abmelden in link text",
+			href:     "https://example.com/manage?id=42&lang=de",
+			linkText: "Abmelden",
+			expected: true,
+		},
+		{
+			name:     "French Se désabonner in link text",
+			href:     "https://example.com/manage?id=42&lang=fr",
+			linkText: "Se désabonner",
+			expected: true,
+		},
+		{
+			name:     "Russian Отписаться in link text",
+			href:     "https://example.com/manage?id=42&lang=ru",
+			linkText: "Отписаться",
+			expected: true,
+		},
+		{
+			name:     "Chinese 退订 in link text",
+			href:     "https://example.com/manage?id=42&lang=zh",
+			linkText: "退订",
+			expected: true,
+		},
+		{
+			name:     "Japanese 登録を取り消す in link text",
+			href:     "https://example.com/manage?id=42&lang=ja",
+			linkText: "登録を取り消す",
+			expected: true,
+		},
+		{
+			name:     "Korean 구독 해지 in link text",
+			href:     "https://example.com/manage?id=42&lang=ko",
+			linkText: "구독 해지",
+			expected: true,
+		},
+		{
+			name:     "Dutch Uitschrijven in link text",
+			href:     "https://example.com/manage?id=42&lang=nl",
+			linkText: "Uitschrijven",
+			expected: true,
+		},
+		{
+			name:     "Polish Odsubskrybuj in link text",
+			href:     "https://example.com/manage?id=42&lang=pl",
+			linkText: "Odsubskrybuj",
+			expected: true,
+		},
+		{
+			name:     "Turkish Üyeliği sonlandır in link text",
+			href:     "https://example.com/manage?id=42&lang=tr",
+			linkText: "Üyeliği sonlandır",
+			expected: true,
+		},
 	}
 
 	analyzer := NewContentAnalyzer(5 * time.Second)

pkg/analyzer/dns.go

@@ -24,7 +24,7 @@ package analyzer
 import (
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // DNSAnalyzer analyzes DNS records for email domains
@@ -54,16 +54,16 @@ func NewDNSAnalyzerWithResolver(timeout time.Duration, resolver DNSResolver) *DN
 }
 
 // AnalyzeDNS performs DNS validation for the email's domain
-func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.AuthenticationResults, headersResults *api.HeaderAnalysis) *api.DNSResults {
+func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, headersResults *model.HeaderAnalysis) *model.DNSResults {
 	// Extract domain from From address
 	if headersResults.DomainAlignment.FromDomain == nil || *headersResults.DomainAlignment.FromDomain == "" {
-		return &api.DNSResults{
+		return &model.DNSResults{
 			Errors: &[]string{"Unable to extract domain from email"},
 		}
 	}
 	fromDomain := *headersResults.DomainAlignment.FromDomain
 
-	results := &api.DNSResults{
+	results := &model.DNSResults{
 		FromDomain: fromDomain,
 		RpDomain:   headersResults.DomainAlignment.ReturnPathDomain,
 	}
@@ -104,19 +104,14 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.Authentic
 	// SPF validates the MAIL FROM command, which corresponds to Return-Path
 	results.SpfRecords = d.checkSPFRecords(spfDomain)
 
-	// Check DKIM records (from authentication results)
+	// Check DKIM records by parsing DKIM-Signature headers directly
-	// DKIM can be for any domain, but typically the From domain
+	for _, sig := range parseDKIMSignatures(email.Header["Dkim-Signature"]) {
-	if authResults != nil && authResults.Dkim != nil {
+		dkimRecord := d.checkDKIMRecord(sig.Domain, sig.Selector)
-		for _, dkim := range *authResults.Dkim {
+		if dkimRecord != nil {
-			if dkim.Domain != nil && dkim.Selector != nil {
+			if results.DkimRecords == nil {
-				dkimRecord := d.checkDKIMRecord(*dkim.Domain, *dkim.Selector)
+				results.DkimRecords = new([]model.DKIMRecord)
-				if dkimRecord != nil {
-					if results.DkimRecords == nil {
-						results.DkimRecords = new([]api.DKIMRecord)
-					}
-					*results.DkimRecords = append(*results.DkimRecords, *dkimRecord)
-				}
 			}
+			*results.DkimRecords = append(*results.DkimRecords, *dkimRecord)
 		}
 	}
 
@@ -132,8 +127,8 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.Authentic
 
 // AnalyzeDomainOnly performs DNS validation for a domain without email context
 // This is useful for checking domain configuration without sending an actual email
-func (d *DNSAnalyzer) AnalyzeDomainOnly(domain string) *api.DNSResults {
+func (d *DNSAnalyzer) AnalyzeDomainOnly(domain string) *model.DNSResults {
-	results := &api.DNSResults{
+	results := &model.DNSResults{
 		FromDomain: domain,
 	}
 
@@ -155,7 +150,7 @@ func (d *DNSAnalyzer) AnalyzeDomainOnly(domain string) *api.DNSResults {
 // CalculateDomainOnlyScore calculates the DNS score for domain-only tests
 // Returns a score from 0-100 where higher is better
 // This version excludes PTR and DKIM checks since they require email context
-func (d *DNSAnalyzer) CalculateDomainOnlyScore(results *api.DNSResults) (int, string) {
+func (d *DNSAnalyzer) CalculateDomainOnlyScore(results *model.DNSResults) (int, string) {
 	if results == nil {
 		return 0, ""
 	}
@@ -197,7 +192,7 @@ func (d *DNSAnalyzer) CalculateDomainOnlyScore(results *api.DNSResults) (int, st
 // CalculateDNSScore calculates the DNS score from records results
 // Returns a score from 0-100 where higher is better
 // senderIP is the original sender IP address used for FCrDNS verification
-func (d *DNSAnalyzer) CalculateDNSScore(results *api.DNSResults, senderIP string) (int, string) {
+func (d *DNSAnalyzer) CalculateDNSScore(results *model.DNSResults, senderIP string) (int, string) {
 	if results == nil {
 		return 0, ""
 	}

pkg/analyzer/dns_bimi.go

@@ -27,11 +27,12 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // checkBIMIRecord looks up and validates BIMI record for a domain and selector
-func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *api.BIMIRecord {
+func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *model.BIMIRecord {
 	// BIMI records are at: selector._bimi.domain
 	bimiDomain := fmt.Sprintf("%s._bimi.%s", selector, domain)
 
@@ -40,20 +41,20 @@ func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *api.BIMIRecord {
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, bimiDomain)
 	if err != nil {
-		return &api.BIMIRecord{
+		return &model.BIMIRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo(fmt.Sprintf("Failed to lookup BIMI record: %v", err)),
+			Error:    utils.PtrTo(fmt.Sprintf("Failed to lookup BIMI record: %v", err)),
 		}
 	}
 
 	if len(txtRecords) == 0 {
-		return &api.BIMIRecord{
+		return &model.BIMIRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo("No BIMI record found"),
+			Error:    utils.PtrTo("No BIMI record found"),
 		}
 	}
 
@@ -66,18 +67,18 @@ func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *api.BIMIRecord {
 
 	// Basic validation - should contain "v=BIMI1" and "l=" (logo URL)
 	if !d.validateBIMI(bimiRecord) {
-		return &api.BIMIRecord{
+		return &model.BIMIRecord{
 			Selector: selector,
 			Domain:   domain,
 			Record:   &bimiRecord,
 			LogoUrl:  &logoURL,
 			VmcUrl:   &vmcURL,
 			Valid:    false,
-			Error:    api.PtrTo("BIMI record appears malformed"),
+			Error:    utils.PtrTo("BIMI record appears malformed"),
 		}
 	}
 
-	return &api.BIMIRecord{
+	return &model.BIMIRecord{
 		Selector: selector,
 		Domain:   domain,
 		Record:   &bimiRecord,

pkg/analyzer/dns_dkim.go

@@ -26,11 +26,44 @@ import (
 	"fmt"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
-// checkapi.DKIMRecord looks up and validates DKIM record for a domain and selector
+// DKIMHeader holds the domain and selector extracted from a DKIM-Signature header.
-func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *api.DKIMRecord {
+type DKIMHeader struct {
+	Domain   string
+	Selector string
+}
+
+// parseDKIMSignatures extracts domain and selector from DKIM-Signature header values.
+func parseDKIMSignatures(signatures []string) []DKIMHeader {
+	var results []DKIMHeader
+	for _, sig := range signatures {
+		var domain, selector string
+		for _, part := range strings.Split(sig, ";") {
+			kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
+			if len(kv) != 2 {
+				continue
+			}
+			key := strings.TrimSpace(kv[0])
+			val := strings.TrimSpace(kv[1])
+			switch key {
+			case "d":
+				domain = val
+			case "s":
+				selector = val
+			}
+		}
+		if domain != "" && selector != "" {
+			results = append(results, DKIMHeader{Domain: domain, Selector: selector})
+		}
+	}
+	return results
+}
+
+// checkmodel.DKIMRecord looks up and validates DKIM record for a domain and selector
+func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *model.DKIMRecord {
 	// DKIM records are at: selector._domainkey.domain
 	dkimDomain := fmt.Sprintf("%s._domainkey.%s", selector, domain)
 
@@ -39,20 +72,20 @@ func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *api.DKIMRecord {
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, dkimDomain)
 	if err != nil {
-		return &api.DKIMRecord{
+		return &model.DKIMRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo(fmt.Sprintf("Failed to lookup DKIM record: %v", err)),
+			Error:    utils.PtrTo(fmt.Sprintf("Failed to lookup DKIM record: %v", err)),
 		}
 	}
 
 	if len(txtRecords) == 0 {
-		return &api.DKIMRecord{
+		return &model.DKIMRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo("No DKIM record found"),
+			Error:    utils.PtrTo("No DKIM record found"),
 		}
 	}
 
@@ -61,16 +94,16 @@ func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *api.DKIMRecord {
 
 	// Basic validation - should contain "v=DKIM1" and "p=" (public key)
 	if !d.validateDKIM(dkimRecord) {
-		return &api.DKIMRecord{
+		return &model.DKIMRecord{
 			Selector: selector,
 			Domain:   domain,
-			Record:   api.PtrTo(dkimRecord),
+			Record:   utils.PtrTo(dkimRecord),
 			Valid:    false,
-			Error:    api.PtrTo("DKIM record appears malformed"),
+			Error:    utils.PtrTo("DKIM record appears malformed"),
 		}
 	}
 
-	return &api.DKIMRecord{
+	return &model.DKIMRecord{
 		Selector: selector,
 		Domain:   domain,
 		Record:   &dkimRecord,
@@ -94,7 +127,7 @@ func (d *DNSAnalyzer) validateDKIM(record string) bool {
 	return true
 }
 
-func (d *DNSAnalyzer) calculateDKIMScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateDKIMScore(results *model.DNSResults) (score int) {
 	// DKIM provides strong email authentication
 	if results.DkimRecords != nil && len(*results.DkimRecords) > 0 {
 		hasValidDKIM := false

pkg/analyzer/dns_dkim_test.go

@@ -26,6 +26,220 @@ import (
 	"time"
 )
 
+func TestParseDKIMSignatures(t *testing.T) {
+	tests := []struct {
+		name       string
+		signatures []string
+		expected   []DKIMHeader
+	}{
+		{
+			name:       "Empty input",
+			signatures: nil,
+			expected:   nil,
+		},
+		{
+			name:       "Empty string",
+			signatures: []string{""},
+			expected:   nil,
+		},
+		{
+			name: "Simple Gmail-style",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:subject:date:message-id; bh=abcdef1234567890=; b=SIGNATURE_DATA_HERE==`,
+			},
+			expected: []DKIMHeader{{Domain: "gmail.com", Selector: "20210112"}},
+		},
+		{
+			name: "Microsoft 365 style",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1; h=From:Date:Subject:Message-ID; bh=UErATeHehIIPIXPeUA==; b=SIGNATURE_DATA==`,
+			},
+			expected: []DKIMHeader{{Domain: "contoso.com", Selector: "selector1"}},
+		},
+		{
+			name: "Tab-folded multiline (Postfix-style)",
+			signatures: []string{
+				"v=1; a=rsa-sha256; c=relaxed/simple; d=nemunai.re; s=thot;\r\n\tt=1760866834; bh=YNB7c8Qgm8YGn9X1FAXTcdpO7t4YSZFiMrmpCfD/3zw=;\r\n\th=From:To:Subject;\r\n\tb=T4TFaypMpsHGYCl3PGLwmzOYRF11rYjC7lF8V5VFU+ldvG8WBpFn==",
+			},
+			expected: []DKIMHeader{{Domain: "nemunai.re", Selector: "thot"}},
+		},
+		{
+			name: "Space-folded multiline (RFC-style)",
+			signatures: []string{
+				"v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n d=football.example.com; i=@football.example.com;\r\n q=dns/txt; s=test; t=1528637909; h=from:to:subject;\r\n bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;\r\n b=F45dVWDfMbQDGHJFlXUNB2HKfbCeLRyhDXgFpEL8Gwps==",
+			},
+			expected: []DKIMHeader{{Domain: "football.example.com", Selector: "test"}},
+		},
+		{
+			name: "d= and s= on separate continuation lines",
+			signatures: []string{
+				"v=1; a=rsa-sha256;\r\n\tc=relaxed/relaxed;\r\n\td=mycompany.com;\r\n\ts=selector1;\r\n\tbh=hash=;\r\n\tb=sig==",
+			},
+			expected: []DKIMHeader{{Domain: "mycompany.com", Selector: "selector1"}},
+		},
+		{
+			name: "No space after semicolons",
+			signatures: []string{
+				`v=1;a=rsa-sha256;c=relaxed/relaxed;d=example.net;s=mail;h=from:to:subject;bh=abc=;b=xyz==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.net", Selector: "mail"}},
+		},
+		{
+			name: "Multiple spaces after semicolons",
+			signatures: []string{
+				`v=1;  a=rsa-sha256;  c=relaxed/relaxed;  d=example.com;  s=myselector;  bh=hash=;  b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "myselector"}},
+		},
+		{
+			name: "Ed25519 signature (RFC 8463)",
+			signatures: []string{
+				"v=1; a=ed25519-sha256; c=relaxed/relaxed;\r\n d=football.example.com; i=@football.example.com;\r\n q=dns/txt; s=brisbane; t=1528637909; h=from:to:subject;\r\n bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;\r\n b=/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQ==",
+			},
+			expected: []DKIMHeader{{Domain: "football.example.com", Selector: "brisbane"}},
+		},
+		{
+			name: "Multiple signatures (ESP double-signing)",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=mail; h=from:to:subject; bh=hash1=; b=sig1==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendib.com; s=mail; h=from:to:subject; bh=hash1=; b=sig2==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "mydomain.com", Selector: "mail"},
+				{Domain: "sendib.com", Selector: "mail"},
+			},
+		},
+		{
+			name: "Dual-algorithm signing (Ed25519 + RSA, same domain, different selectors)",
+			signatures: []string{
+				`v=1; a=ed25519-sha256; c=relaxed/relaxed; d=football.example.com; s=brisbane; h=from:to:subject; bh=hash=; b=edSig==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=football.example.com; s=test; h=from:to:subject; bh=hash=; b=rsaSig==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "football.example.com", Selector: "brisbane"},
+				{Domain: "football.example.com", Selector: "test"},
+			},
+		},
+		{
+			name: "Amazon SES long selectors",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/simple; d=amazonses.com; s=224i4yxa5dv7c2xz3womw6peuabd; h=from:to:subject; bh=sesHash=; b=sesSig==`,
+				`v=1; a=rsa-sha256; c=relaxed/simple; d=customerdomain.io; s=ug7nbtf4gccmlpwj322ax3p6ow6fovbt; h=from:to:subject; bh=sesHash=; b=customSig==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "amazonses.com", Selector: "224i4yxa5dv7c2xz3womw6peuabd"},
+				{Domain: "customerdomain.io", Selector: "ug7nbtf4gccmlpwj322ax3p6ow6fovbt"},
+			},
+		},
+		{
+			name: "Subdomain in d=",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.co.uk; s=dkim2025; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "mail.example.co.uk", Selector: "dkim2025"}},
+		},
+		{
+			name: "Deeply nested subdomain",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=bounce.transactional.mail.example.com; s=s2048; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "bounce.transactional.mail.example.com", Selector: "s2048"}},
+		},
+		{
+			name: "Selector with hyphens (Microsoft 365 custom domain style)",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1-contoso-com; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "selector1-contoso-com"}},
+		},
+		{
+			name: "Selector with dots",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=smtp.mail; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "smtp.mail"}},
+		},
+		{
+			name: "Single-character selector",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=tiny.io; s=x; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "tiny.io", Selector: "x"}},
+		},
+		{
+			name: "Postmark-style timestamp selector, s= before d=",
+			signatures: []string{
+				`v=1; a=rsa-sha1; c=relaxed/relaxed; s=20130519032151pm; d=postmarkapp.com; h=From:Date:Subject; bh=vYFvy46eesUDGJ45hyBTH30JfN4=; b=iHeFQ+7rCiSQs3DPjR2eUSZSv4i==`,
+			},
+			expected: []DKIMHeader{{Domain: "postmarkapp.com", Selector: "20130519032151pm"}},
+		},
+		{
+			name: "d= and s= at the very end",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; h=from:to:subject; bh=hash=; b=sig==; d=example.net; s=trailing`,
+			},
+			expected: []DKIMHeader{{Domain: "example.net", Selector: "trailing"}},
+		},
+		{
+			name: "Full tag set",
+			signatures: []string{
+				`v=1; a=rsa-sha256; d=example.com; s=selector1; c=relaxed/simple; q=dns/txt; i=user@example.com; t=1255993973; x=1256598773; h=From:Sender:Reply-To:Subject:Date:Message-Id:To:Cc; bh=+7qxGePcmmrtZAIVQAtkSSGHfQ/ftNuvUTWJ3vXC9Zc=; b=dB85+qM+If1KGQmqMLNpqLgNtUaG5dhGjYjQD6/QXtXmViJx8tf9gLEjcHr+musLCAvr0Fsn1DA3ZLLlUxpf4AR==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "selector1"}},
+		},
+		{
+			name: "Missing d= tag",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; s=selector1; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: nil,
+		},
+		{
+			name: "Missing s= tag",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: nil,
+		},
+		{
+			name: "Missing both d= and s= tags",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: nil,
+		},
+		{
+			name: "Mix of valid and invalid signatures",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=good.com; s=sel1; h=from:to; bh=hash=; b=sig==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; s=orphan; h=from:to; bh=hash=; b=sig==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=also-good.com; s=sel2; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "good.com", Selector: "sel1"},
+				{Domain: "also-good.com", Selector: "sel2"},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := parseDKIMSignatures(tt.signatures)
+			if len(result) != len(tt.expected) {
+				t.Fatalf("parseDKIMSignatures() returned %d results, want %d\n  got:  %+v\n  want: %+v", len(result), len(tt.expected), result, tt.expected)
+			}
+			for i := range tt.expected {
+				if result[i].Domain != tt.expected[i].Domain {
+					t.Errorf("result[%d].Domain = %q, want %q", i, result[i].Domain, tt.expected[i].Domain)
+				}
+				if result[i].Selector != tt.expected[i].Selector {
+					t.Errorf("result[%d].Selector = %q, want %q", i, result[i].Selector, tt.expected[i].Selector)
+				}
+			}
+		})
+	}
+}
+
 func TestValidateDKIM(t *testing.T) {
 	tests := []struct {
 		name     string

pkg/analyzer/dns_dmarc.go

@@ -27,11 +27,12 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
-// checkapi.DMARCRecord looks up and validates DMARC record for a domain
+// checkmodel.DMARCRecord looks up and validates DMARC record for a domain
-func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
+func (d *DNSAnalyzer) checkDMARCRecord(domain string) *model.DMARCRecord {
 	// DMARC records are at: _dmarc.domain
 	dmarcDomain := fmt.Sprintf("_dmarc.%s", domain)
 
@@ -40,9 +41,9 @@ func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, dmarcDomain)
 	if err != nil {
-		return &api.DMARCRecord{
+		return &model.DMARCRecord{
 			Valid: false,
-			Error: api.PtrTo(fmt.Sprintf("Failed to lookup DMARC record: %v", err)),
+			Error: utils.PtrTo(fmt.Sprintf("Failed to lookup DMARC record: %v", err)),
 		}
 	}
 
@@ -56,9 +57,9 @@ func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
 	}
 
 	if dmarcRecord == "" {
-		return &api.DMARCRecord{
+		return &model.DMARCRecord{
 			Valid: false,
-			Error: api.PtrTo("No DMARC record found"),
+			Error: utils.PtrTo("No DMARC record found"),
 		}
 	}
 
@@ -77,21 +78,21 @@ func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
 
 	// Basic validation
 	if !d.validateDMARC(dmarcRecord) {
-		return &api.DMARCRecord{
+		return &model.DMARCRecord{
 			Record:          &dmarcRecord,
-			Policy:          api.PtrTo(api.DMARCRecordPolicy(policy)),
+			Policy:          utils.PtrTo(model.DMARCRecordPolicy(policy)),
 			SubdomainPolicy: subdomainPolicy,
 			Percentage:      percentage,
 			SpfAlignment:    spfAlignment,
 			DkimAlignment:   dkimAlignment,
 			Valid:           false,
-			Error:           api.PtrTo("DMARC record appears malformed"),
+			Error:           utils.PtrTo("DMARC record appears malformed"),
 		}
 	}
 
-	return &api.DMARCRecord{
+	return &model.DMARCRecord{
 		Record:          &dmarcRecord,
-		Policy:          api.PtrTo(api.DMARCRecordPolicy(policy)),
+		Policy:          utils.PtrTo(model.DMARCRecordPolicy(policy)),
 		SubdomainPolicy: subdomainPolicy,
 		Percentage:      percentage,
 		SpfAlignment:    spfAlignment,
@@ -113,44 +114,44 @@ func (d *DNSAnalyzer) extractDMARCPolicy(record string) string {
 
 // extractDMARCSPFAlignment extracts SPF alignment mode from a DMARC record
 // Returns "relaxed" (default) or "strict"
-func (d *DNSAnalyzer) extractDMARCSPFAlignment(record string) *api.DMARCRecordSpfAlignment {
+func (d *DNSAnalyzer) extractDMARCSPFAlignment(record string) *model.DMARCRecordSpfAlignment {
 	// Look for aspf=s (strict) or aspf=r (relaxed)
 	re := regexp.MustCompile(`aspf=(r|s)`)
 	matches := re.FindStringSubmatch(record)
 	if len(matches) > 1 {
 		if matches[1] == "s" {
-			return api.PtrTo(api.DMARCRecordSpfAlignmentStrict)
+			return utils.PtrTo(model.DMARCRecordSpfAlignmentStrict)
 		}
-		return api.PtrTo(api.DMARCRecordSpfAlignmentRelaxed)
+		return utils.PtrTo(model.DMARCRecordSpfAlignmentRelaxed)
 	}
 	// Default is relaxed if not specified
-	return api.PtrTo(api.DMARCRecordSpfAlignmentRelaxed)
+	return utils.PtrTo(model.DMARCRecordSpfAlignmentRelaxed)
 }
 
 // extractDMARCDKIMAlignment extracts DKIM alignment mode from a DMARC record
 // Returns "relaxed" (default) or "strict"
-func (d *DNSAnalyzer) extractDMARCDKIMAlignment(record string) *api.DMARCRecordDkimAlignment {
+func (d *DNSAnalyzer) extractDMARCDKIMAlignment(record string) *model.DMARCRecordDkimAlignment {
 	// Look for adkim=s (strict) or adkim=r (relaxed)
 	re := regexp.MustCompile(`adkim=(r|s)`)
 	matches := re.FindStringSubmatch(record)
 	if len(matches) > 1 {
 		if matches[1] == "s" {
-			return api.PtrTo(api.DMARCRecordDkimAlignmentStrict)
+			return utils.PtrTo(model.DMARCRecordDkimAlignmentStrict)
 		}
-		return api.PtrTo(api.DMARCRecordDkimAlignmentRelaxed)
+		return utils.PtrTo(model.DMARCRecordDkimAlignmentRelaxed)
 	}
 	// Default is relaxed if not specified
-	return api.PtrTo(api.DMARCRecordDkimAlignmentRelaxed)
+	return utils.PtrTo(model.DMARCRecordDkimAlignmentRelaxed)
 }
 
 // extractDMARCSubdomainPolicy extracts subdomain policy from a DMARC record
 // Returns the sp tag value or nil if not specified (defaults to main policy)
-func (d *DNSAnalyzer) extractDMARCSubdomainPolicy(record string) *api.DMARCRecordSubdomainPolicy {
+func (d *DNSAnalyzer) extractDMARCSubdomainPolicy(record string) *model.DMARCRecordSubdomainPolicy {
 	// Look for sp=none, sp=quarantine, or sp=reject
 	re := regexp.MustCompile(`sp=(none|quarantine|reject)`)
 	matches := re.FindStringSubmatch(record)
 	if len(matches) > 1 {
-		return api.PtrTo(api.DMARCRecordSubdomainPolicy(matches[1]))
+		return utils.PtrTo(model.DMARCRecordSubdomainPolicy(matches[1]))
 	}
 	// If sp is not specified, it defaults to the main policy (p tag)
 	// Return nil to indicate it's using the default
@@ -191,7 +192,7 @@ func (d *DNSAnalyzer) validateDMARC(record string) bool {
 	return true
 }
 
-func (d *DNSAnalyzer) calculateDMARCScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateDMARCScore(results *model.DNSResults) (score int) {
 	// DMARC ties SPF and DKIM together and provides policy
 	if results.DmarcRecord != nil {
 		if results.DmarcRecord.Valid {
@@ -210,10 +211,10 @@ func (d *DNSAnalyzer) calculateDMARCScore(results *api.DNSResults) (score int) {
 				}
 			}
 			// Bonus points for strict alignment modes (2 points each)
-			if results.DmarcRecord.SpfAlignment != nil && *results.DmarcRecord.SpfAlignment == api.DMARCRecordSpfAlignmentStrict {
+			if results.DmarcRecord.SpfAlignment != nil && *results.DmarcRecord.SpfAlignment == model.DMARCRecordSpfAlignmentStrict {
 				score += 5
 			}
-			if results.DmarcRecord.DkimAlignment != nil && *results.DmarcRecord.DkimAlignment == api.DMARCRecordDkimAlignmentStrict {
+			if results.DmarcRecord.DkimAlignment != nil && *results.DmarcRecord.DkimAlignment == model.DMARCRecordDkimAlignmentStrict {
 				score += 5
 			}
 			// Subdomain policy scoring (sp tag)

pkg/analyzer/dns_dmarc_test.go

@@ -25,7 +25,8 @@ import (
 	"testing"
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestExtractDMARCPolicy(t *testing.T) {
@@ -228,17 +229,17 @@ func TestExtractDMARCSubdomainPolicy(t *testing.T) {
 		{
 			name:           "Subdomain policy - none",
 			record:         "v=DMARC1; p=quarantine; sp=none",
-			expectedPolicy: api.PtrTo("none"),
+			expectedPolicy: utils.PtrTo("none"),
 		},
 		{
 			name:           "Subdomain policy - quarantine",
 			record:         "v=DMARC1; p=reject; sp=quarantine",
-			expectedPolicy: api.PtrTo("quarantine"),
+			expectedPolicy: utils.PtrTo("quarantine"),
 		},
 		{
 			name:           "Subdomain policy - reject",
 			record:         "v=DMARC1; p=quarantine; sp=reject",
-			expectedPolicy: api.PtrTo("reject"),
+			expectedPolicy: utils.PtrTo("reject"),
 		},
 		{
 			name:           "No subdomain policy specified (defaults to main policy)",
@@ -248,7 +249,7 @@ func TestExtractDMARCSubdomainPolicy(t *testing.T) {
 		{
 			name:           "Complex record with subdomain policy",
 			record:         "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=100",
-			expectedPolicy: api.PtrTo("quarantine"),
+			expectedPolicy: utils.PtrTo("quarantine"),
 		},
 	}
 
@@ -282,22 +283,22 @@ func TestExtractDMARCPercentage(t *testing.T) {
 		{
 			name:               "Percentage - 100",
 			record:             "v=DMARC1; p=quarantine; pct=100",
-			expectedPercentage: api.PtrTo(100),
+			expectedPercentage: utils.PtrTo(100),
 		},
 		{
 			name:               "Percentage - 50",
 			record:             "v=DMARC1; p=quarantine; pct=50",
-			expectedPercentage: api.PtrTo(50),
+			expectedPercentage: utils.PtrTo(50),
 		},
 		{
 			name:               "Percentage - 25",
 			record:             "v=DMARC1; p=reject; pct=25",
-			expectedPercentage: api.PtrTo(25),
+			expectedPercentage: utils.PtrTo(25),
 		},
 		{
 			name:               "Percentage - 0",
 			record:             "v=DMARC1; p=none; pct=0",
-			expectedPercentage: api.PtrTo(0),
+			expectedPercentage: utils.PtrTo(0),
 		},
 		{
 			name:               "No percentage specified (defaults to 100)",
@@ -307,7 +308,7 @@ func TestExtractDMARCPercentage(t *testing.T) {
 		{
 			name:               "Complex record with percentage",
 			record:             "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=75",
-			expectedPercentage: api.PtrTo(75),
+			expectedPercentage: utils.PtrTo(75),
 		},
 		{
 			name:               "Invalid percentage > 100 (ignored)",

pkg/analyzer/dns_fcr.go

@@ -24,7 +24,7 @@ package analyzer
 import (
 	"context"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // checkPTRAndForward performs reverse DNS lookup (PTR) and forward confirmation (A/AAAA)
@@ -63,7 +63,7 @@ func (d *DNSAnalyzer) checkPTRAndForward(ip string) ([]string, []string) {
 }
 
 // Proper reverse DNS (PTR) and forward-confirmed reverse DNS (FCrDNS) is important for deliverability
-func (d *DNSAnalyzer) calculatePTRScore(results *api.DNSResults, senderIP string) (score int) {
+func (d *DNSAnalyzer) calculatePTRScore(results *model.DNSResults, senderIP string) (score int) {
 	if results.PtrRecords != nil && len(*results.PtrRecords) > 0 {
 		// 50 points for having PTR records
 		score += 50

pkg/analyzer/dns_mx.go

@@ -25,36 +25,37 @@ import (
 	"context"
 	"fmt"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // checkMXRecords looks up MX records for a domain
-func (d *DNSAnalyzer) checkMXRecords(domain string) *[]api.MXRecord {
+func (d *DNSAnalyzer) checkMXRecords(domain string) *[]model.MXRecord {
 	ctx, cancel := context.WithTimeout(context.Background(), d.Timeout)
 	defer cancel()
 
 	mxRecords, err := d.resolver.LookupMX(ctx, domain)
 	if err != nil {
-		return &[]api.MXRecord{
+		return &[]model.MXRecord{
 			{
 				Valid: false,
-				Error: api.PtrTo(fmt.Sprintf("Failed to lookup MX records: %v", err)),
+				Error: utils.PtrTo(fmt.Sprintf("Failed to lookup MX records: %v", err)),
 			},
 		}
 	}
 
 	if len(mxRecords) == 0 {
-		return &[]api.MXRecord{
+		return &[]model.MXRecord{
 			{
 				Valid: false,
-				Error: api.PtrTo("No MX records found"),
+				Error: utils.PtrTo("No MX records found"),
 			},
 		}
 	}
 
-	var results []api.MXRecord
+	var results []model.MXRecord
 	for _, mx := range mxRecords {
-		results = append(results, api.MXRecord{
+		results = append(results, model.MXRecord{
 			Host:     mx.Host,
 			Priority: mx.Pref,
 			Valid:    true,
@@ -64,7 +65,7 @@ func (d *DNSAnalyzer) checkMXRecords(domain string) *[]api.MXRecord {
 	return &results
 }
 
-func (d *DNSAnalyzer) calculateMXScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateMXScore(results *model.DNSResults) (score int) {
 	// Having valid MX records is critical for email deliverability
 	// From domain MX records (half points) - needed for replies
 	if results.FromMxRecords != nil && len(*results.FromMxRecords) > 0 {

pkg/analyzer/dns_spf.go

@@ -27,33 +27,34 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // checkSPFRecords looks up and validates SPF records for a domain, including resolving include: directives
-func (d *DNSAnalyzer) checkSPFRecords(domain string) *[]api.SPFRecord {
+func (d *DNSAnalyzer) checkSPFRecords(domain string) *[]model.SPFRecord {
 	visited := make(map[string]bool)
 	return d.resolveSPFRecords(domain, visited, 0, true)
 }
 
 // resolveSPFRecords recursively resolves SPF records including include: directives
 // isMainRecord indicates if this is the primary domain's record (not an included one)
-func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool, depth int, isMainRecord bool) *[]api.SPFRecord {
+func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool, depth int, isMainRecord bool) *[]model.SPFRecord {
 	const maxDepth = 10 // Prevent infinite recursion
 
 	if depth > maxDepth {
-		return &[]api.SPFRecord{
+		return &[]model.SPFRecord{
 			{
 				Domain: &domain,
 				Valid:  false,
-				Error:  api.PtrTo("Maximum SPF include depth exceeded"),
+				Error:  utils.PtrTo("Maximum SPF include depth exceeded"),
 			},
 		}
 	}
 
 	// Prevent circular references
 	if visited[domain] {
-		return &[]api.SPFRecord{}
+		return &[]model.SPFRecord{}
 	}
 	visited[domain] = true
 
@@ -62,11 +63,11 @@ func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool,
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, domain)
 	if err != nil {
-		return &[]api.SPFRecord{
+		return &[]model.SPFRecord{
 			{
 				Domain: &domain,
 				Valid:  false,
-				Error:  api.PtrTo(fmt.Sprintf("Failed to lookup TXT records: %v", err)),
+				Error:  utils.PtrTo(fmt.Sprintf("Failed to lookup TXT records: %v", err)),
 			},
 		}
 	}
@@ -82,23 +83,23 @@ func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool,
 	}
 
 	if spfCount == 0 {
-		return &[]api.SPFRecord{
+		return &[]model.SPFRecord{
 			{
 				Domain: &domain,
 				Valid:  false,
-				Error:  api.PtrTo("No SPF record found"),
+				Error:  utils.PtrTo("No SPF record found"),
 			},
 		}
 	}
 
-	var results []api.SPFRecord
+	var results []model.SPFRecord
 
 	if spfCount > 1 {
-		results = append(results, api.SPFRecord{
+		results = append(results, model.SPFRecord{
 			Domain: &domain,
 			Record: &spfRecord,
 			Valid:  false,
-			Error:  api.PtrTo("Multiple SPF records found (RFC violation)"),
+			Error:  utils.PtrTo("Multiple SPF records found (RFC violation)"),
 		})
 		return &results
 	}
@@ -107,28 +108,28 @@ func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool,
 	validationErr := d.validateSPF(spfRecord, isMainRecord)
 
 	// Extract the "all" mechanism qualifier
-	var allQualifier *api.SPFRecordAllQualifier
+	var allQualifier *model.SPFRecordAllQualifier
 	var errMsg *string
 
 	if validationErr != nil {
-		errMsg = api.PtrTo(validationErr.Error())
+		errMsg = utils.PtrTo(validationErr.Error())
 	} else {
 		// Extract qualifier from the "all" mechanism
 		if strings.HasSuffix(spfRecord, " -all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("-"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("-"))
 		} else if strings.HasSuffix(spfRecord, " ~all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("~"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("~"))
 		} else if strings.HasSuffix(spfRecord, " +all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("+"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("+"))
 		} else if strings.HasSuffix(spfRecord, " ?all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("?"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("?"))
 		} else if strings.HasSuffix(spfRecord, " all") {
 			// Implicit + qualifier (default)
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("+"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("+"))
 		}
 	}
 
-	results = append(results, api.SPFRecord{
+	results = append(results, model.SPFRecord{
 		Domain:       &domain,
 		Record:       &spfRecord,
 		Valid:        validationErr == nil,
@@ -301,7 +302,7 @@ func (d *DNSAnalyzer) hasSPFStrictFail(record string) bool {
 	return strings.HasSuffix(record, " -all")
 }
 
-func (d *DNSAnalyzer) calculateSPFScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateSPFScore(results *model.DNSResults) (score int) {
 	// SPF is essential for email authentication
 	if results.SpfRecords != nil && len(*results.SpfRecords) > 0 {
 		// Find the main SPF record by skipping redirects

pkg/analyzer/headers.go

@@ -31,7 +31,8 @@ import (
 
 	"golang.org/x/net/publicsuffix"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // HeaderAnalyzer analyzes email header quality and structure
@@ -43,7 +44,7 @@ func NewHeaderAnalyzer() *HeaderAnalyzer {
 }
 
 // CalculateHeaderScore evaluates email structural quality from header analysis
-func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *api.HeaderAnalysis) (int, rune) {
+func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *model.HeaderAnalysis) (int, rune) {
 	if analysis == nil || analysis.Headers == nil {
 		return 0, ' '
 	}
@@ -109,6 +110,13 @@ func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *api.HeaderAnalysis) (int
 		maxGrade -= 1
 	}
 
+	// Check MIME-Version header (-5 points if present but not "1.0")
+	if check, exists := headers["mime-version"]; exists && check.Present {
+		if check.Valid != nil && !*check.Valid {
+			score -= 5
+		}
+	}
+
 	// Check Message-ID format (10 points)
 	if check, exists := headers["message-id"]; exists && check.Present {
 		// If Valid is set and true, award points
@@ -180,7 +188,7 @@ func (h *HeaderAnalyzer) parseEmailDate(dateStr string) (time.Time, error) {
 }
 
 // isNoReplyAddress checks if a header check represents a no-reply email address
-func (h *HeaderAnalyzer) isNoReplyAddress(headerCheck api.HeaderCheck) bool {
+func (h *HeaderAnalyzer) isNoReplyAddress(headerCheck model.HeaderCheck) bool {
 	if !headerCheck.Present || headerCheck.Value == nil {
 		return false
 	}
@@ -236,18 +244,18 @@ func (h *HeaderAnalyzer) formatAddress(addr *mail.Address) string {
 }
 
 // GenerateHeaderAnalysis creates structured header analysis from email
-func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage, authResults *api.AuthenticationResults) *api.HeaderAnalysis {
+func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage, authResults *model.AuthenticationResults) *model.HeaderAnalysis {
 	if email == nil {
 		return nil
 	}
 
-	analysis := &api.HeaderAnalysis{}
+	analysis := &model.HeaderAnalysis{}
 
 	// Check for proper MIME structure
-	analysis.HasMimeStructure = api.PtrTo(len(email.Parts) > 0)
+	analysis.HasMimeStructure = utils.PtrTo(len(email.Parts) > 0)
 
 	// Initialize headers map
-	headers := make(map[string]api.HeaderCheck)
+	headers := make(map[string]model.HeaderCheck)
 
 	// Check required headers
 	requiredHeaders := []string{"From", "To", "Date", "Message-ID", "Subject"}
@@ -266,6 +274,10 @@ func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage, authResults
 		headers[strings.ToLower(headerName)] = *check
 	}
 
+	// Check MIME-Version header (recommended but absence is not penalized)
+	mimeVersionCheck := h.checkHeader(email, "MIME-Version", "recommended")
+	headers[strings.ToLower("MIME-Version")] = *mimeVersionCheck
+
 	// Check optional headers
 	optionalHeaders := []string{"List-Unsubscribe", "List-Unsubscribe-Post"}
 	for _, headerName := range optionalHeaders {
@@ -297,12 +309,12 @@ func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage, authResults
 }
 
 // checkHeader checks if a header is present and valid
-func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, importance string) *api.HeaderCheck {
+func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, importance string) *model.HeaderCheck {
 	value := email.GetHeaderValue(headerName)
 	present := email.HasHeader(headerName) && value != ""
 
-	importanceEnum := api.HeaderCheckImportance(importance)
+	importanceEnum := model.HeaderCheckImportance(importance)
-	check := &api.HeaderCheck{
+	check := &model.HeaderCheck{
 		Present:    present,
 		Importance: &importanceEnum,
 	}
@@ -320,12 +332,21 @@ func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, imp
 				valid = false
 				headerIssues = append(headerIssues, "Invalid Message-ID format (should be <id@domain>)")
 			}
+			if len(email.Header["Message-Id"]) > 1 {
+				valid = false
+				headerIssues = append(headerIssues, fmt.Sprintf("Multiple Message-ID headers found (%d); only one is allowed", len(email.Header["Message-Id"])))
+			}
 		case "Date":
 			// Validate date format
 			if _, err := h.parseEmailDate(value); err != nil {
 				valid = false
 				headerIssues = append(headerIssues, fmt.Sprintf("Invalid date format: %v", err))
 			}
+		case "MIME-Version":
+			if value != "1.0" {
+				valid = false
+				headerIssues = append(headerIssues, fmt.Sprintf("MIME-Version should be '1.0', got '%s'", value))
+			}
 		case "From", "To", "Cc", "Bcc", "Reply-To", "Sender", "Resent-From", "Resent-To", "Return-Path":
 			// Parse address header using net/mail and get normalized address
 			if normalizedAddr, err := h.validateAddressHeader(value); err != nil {
@@ -354,10 +375,10 @@ func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, imp
 }
 
 // analyzeDomainAlignment checks domain alignment between headers and DKIM signatures
-func (h *HeaderAnalyzer) analyzeDomainAlignment(email *EmailMessage, authResults *api.AuthenticationResults) *api.DomainAlignment {
+func (h *HeaderAnalyzer) analyzeDomainAlignment(email *EmailMessage, authResults *model.AuthenticationResults) *model.DomainAlignment {
-	alignment := &api.DomainAlignment{
+	alignment := &model.DomainAlignment{
-		Aligned:        api.PtrTo(true),
+		Aligned:        utils.PtrTo(true),
-		RelaxedAligned: api.PtrTo(true),
+		RelaxedAligned: utils.PtrTo(true),
 	}
 
 	// Extract From domain
@@ -385,13 +406,13 @@ func (h *HeaderAnalyzer) analyzeDomainAlignment(email *EmailMessage, authResults
 	}
 
 	// Extract DKIM domains from authentication results
-	var dkimDomains []api.DKIMDomainInfo
+	var dkimDomains []model.DKIMDomainInfo
 	if authResults != nil && authResults.Dkim != nil {
 		for _, dkim := range *authResults.Dkim {
 			if dkim.Domain != nil && *dkim.Domain != "" {
 				domain := *dkim.Domain
 				orgDomain := h.getOrganizationalDomain(domain)
-				dkimDomains = append(dkimDomains, api.DKIMDomainInfo{
+				dkimDomains = append(dkimDomains, model.DKIMDomainInfo{
 					Domain:    domain,
 					OrgDomain: orgDomain,
 				})
@@ -540,18 +561,18 @@ func (h *HeaderAnalyzer) getOrganizationalDomain(domain string) string {
 }
 
 // findHeaderIssues identifies issues with headers
-func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []api.HeaderIssue {
+func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []model.HeaderIssue {
-	var issues []api.HeaderIssue
+	var issues []model.HeaderIssue
 
 	// Check for missing required headers
 	requiredHeaders := []string{"From", "Date", "Message-ID"}
 	for _, header := range requiredHeaders {
 		if !email.HasHeader(header) || email.GetHeaderValue(header) == "" {
-			issues = append(issues, api.HeaderIssue{
+			issues = append(issues, model.HeaderIssue{
 				Header:   header,
-				Severity: api.HeaderIssueSeverityCritical,
+				Severity: model.HeaderIssueSeverityCritical,
 				Message:  fmt.Sprintf("Required header '%s' is missing", header),
-				Advice:   api.PtrTo(fmt.Sprintf("Add the %s header to ensure RFC 5322 compliance", header)),
+				Advice:   utils.PtrTo(fmt.Sprintf("Add the %s header to ensure RFC 5322 compliance", header)),
 			})
 		}
 	}
@@ -559,11 +580,11 @@ func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []api.HeaderIssue
 	// Check Message-ID format
 	messageID := email.GetHeaderValue("Message-ID")
 	if messageID != "" && !h.isValidMessageID(messageID) {
-		issues = append(issues, api.HeaderIssue{
+		issues = append(issues, model.HeaderIssue{
 			Header:   "Message-ID",
-			Severity: api.HeaderIssueSeverityMedium,
+			Severity: model.HeaderIssueSeverityMedium,
 			Message:  "Message-ID format is invalid",
-			Advice:   api.PtrTo("Use proper Message-ID format: <unique-id@domain.com>"),
+			Advice:   utils.PtrTo("Use proper Message-ID format: <unique-id@domain.com>"),
 		})
 	}
 
@@ -571,7 +592,7 @@ func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []api.HeaderIssue
 }
 
 // parseReceivedChain extracts the chain of Received headers from an email
-func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []api.ReceivedHop {
+func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []model.ReceivedHop {
 	if email == nil || email.Header == nil {
 		return nil
 	}
@@ -581,7 +602,7 @@ func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []api.ReceivedH
 		return nil
 	}
 
-	var chain []api.ReceivedHop
+	var chain []model.ReceivedHop
 
 	for _, receivedValue := range receivedHeaders {
 		hop := h.parseReceivedHeader(receivedValue)
@@ -594,8 +615,8 @@ func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []api.ReceivedH
 }
 
 // parseReceivedHeader parses a single Received header value
-func (h *HeaderAnalyzer) parseReceivedHeader(receivedValue string) *api.ReceivedHop {
+func (h *HeaderAnalyzer) parseReceivedHeader(receivedValue string) *model.ReceivedHop {
-	hop := &api.ReceivedHop{}
+	hop := &model.ReceivedHop{}
 
 	// Normalize whitespace - Received headers can span multiple lines
 	normalized := strings.Join(strings.Fields(receivedValue), " ")

pkg/analyzer/headers_test.go

@@ -27,7 +27,7 @@ import (
 	"strings"
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestCalculateHeaderScore(t *testing.T) {
@@ -404,7 +404,7 @@ func TestParseReceivedChain(t *testing.T) {
 		name            string
 		receivedHeaders []string
 		expectedHops    int
-		validateFirst   func(*testing.T, *EmailMessage, []api.ReceivedHop)
+		validateFirst   func(*testing.T, *EmailMessage, []model.ReceivedHop)
 	}{
 		{
 			name:            "No Received headers",
@@ -417,7 +417,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from mail.example.com (mail.example.com [192.0.2.1]) by mx.receiver.com (Postfix) with ESMTPS id ABC123 for <user@receiver.com>; Mon, 01 Jan 2024 12:00:00 +0000",
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -450,7 +450,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from mail2.example.com (mail2.example.com [192.0.2.2]) by mx2.receiver.com with SMTP id 222; Mon, 01 Jan 2024 11:59:00 +0000",
 			},
 			expectedHops: 2,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) != 2 {
 					t.Fatalf("Expected 2 hops, got %d", len(hops))
 				}
@@ -472,7 +472,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from mail.example.com (unknown [IPv6:2607:5300:203:2818::1]) by mx.receiver.com with ESMTPS; Sun, 19 Oct 2025 09:40:33 +0000 (UTC)",
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -499,7 +499,7 @@ func TestParseReceivedChain(t *testing.T) {
 	for <test-9a9ce364-c394-4fa9-acef-d46ff2f482bf@deliver.happydomain.org>; Sun, 19 Oct 2025 09:40:33 +0000 (UTC)`,
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -527,7 +527,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from unknown by localhost",
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -1012,16 +1012,16 @@ func TestAnalyzeDomainAlignment_WithDKIM(t *testing.T) {
 			}
 
 			// Create authentication results with DKIM signatures
-			var authResults *api.AuthenticationResults
+			var authResults *model.AuthenticationResults
 			if len(tt.dkimDomains) > 0 {
-				dkimResults := make([]api.AuthResult, 0, len(tt.dkimDomains))
+				dkimResults := make([]model.AuthResult, 0, len(tt.dkimDomains))
 				for _, domain := range tt.dkimDomains {
-					dkimResults = append(dkimResults, api.AuthResult{
+					dkimResults = append(dkimResults, model.AuthResult{
-						Result: api.AuthResultResultPass,
+						Result: model.AuthResultResultPass,
 						Domain: &domain,
 					})
 				}
-				authResults = &api.AuthenticationResults{
+				authResults = &model.AuthenticationResults{
 					Dkim: &dkimResults,
 				}
 			}

pkg/analyzer/parser.go

@@ -28,16 +28,9 @@ import (
 	"mime/multipart"
 	"net/mail"
 	"net/textproto"
-	"os"
 	"strings"
 )
 
-var hostname = ""
-
-func init() {
-	hostname, _ = os.Hostname()
-}
-
 // EmailMessage represents a parsed email message
 type EmailMessage struct {
 	Header     mail.Header
@@ -218,18 +211,18 @@ func buildRawHeaders(header mail.Header) string {
 }
 
 // GetAuthenticationResults extracts Authentication-Results headers
-// If hostname is provided, only returns headers that begin with that hostname
+// If receiverHostname is provided, only returns headers that begin with that hostname
-func (e *EmailMessage) GetAuthenticationResults() []string {
+func (e *EmailMessage) GetAuthenticationResults(receiverHostname string) []string {
 	allResults := e.Header[textproto.CanonicalMIMEHeaderKey("Authentication-Results")]
 
 	// If no hostname specified, return all results
-	if hostname == "" {
+	if receiverHostname == "" {
 		return allResults
 	}
 
 	// Filter results that begin with the specified hostname
 	var filtered []string
-	prefix := hostname + ";"
+	prefix := receiverHostname + ";"
 	for _, result := range allResults {
 		// Trim whitespace and check if it starts with hostname;
 		trimmed := strings.TrimSpace(result)
@@ -256,6 +249,33 @@ func (e *EmailMessage) GetSpamAssassinHeaders() map[string]string {
 	}
 
 	for _, headerName := range saHeaders {
+		if values, ok := e.Header[headerName]; ok && len(values) > 0 {
+			for _, value := range values {
+				if strings.TrimSpace(value) != "" {
+					headers[headerName] = value
+					break
+				}
+			}
+		} else if value := e.Header.Get(headerName); value != "" {
+			headers[headerName] = value
+		}
+	}
+
+	return headers
+}
+
+// GetRspamdHeaders extracts rspamd-related headers
+func (e *EmailMessage) GetRspamdHeaders() map[string]string {
+	headers := make(map[string]string)
+
+	rspamdHeaders := []string{
+		"X-Spamd-Result",
+		"X-Rspamd-Score",
+		"X-Rspamd-Action",
+		"X-Rspamd-Server",
+	}
+
+	for _, headerName := range rspamdHeaders {
 		if value := e.Header.Get(headerName); value != "" {
 			headers[headerName] = value
 		}

pkg/analyzer/parser_test.go

@@ -106,9 +106,6 @@ Content-Type: text/html; charset=utf-8
 }
 
 func TestGetAuthenticationResults(t *testing.T) {
-	// Force hostname
-	hostname = "example.com"
-
 	rawEmail := `From: sender@example.com
 To: recipient@example.com
 Subject: Test Email
@@ -123,7 +120,7 @@ Body content.
 		t.Fatalf("Failed to parse email: %v", err)
 	}
 
-	authResults := email.GetAuthenticationResults()
+	authResults := email.GetAuthenticationResults("example.com")
 	if len(authResults) != 2 {
 		t.Errorf("Expected 2 Authentication-Results headers, got: %d", len(authResults))
 	}

pkg/analyzer/rbl.go

@@ -27,17 +27,22 @@ import (
 	"net"
 	"regexp"
 	"strings"
+	"sync"
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
-// RBLChecker checks IP addresses against DNS-based blacklists
+// DNSListChecker checks IP addresses against DNS-based block/allow lists.
-type RBLChecker struct {
+// It handles both RBL (blacklist) and DNSWL (whitelist) semantics via flags.
-	Timeout     time.Duration
+type DNSListChecker struct {
-	RBLs        []string
+	Timeout          time.Duration
-	CheckAllIPs bool // Check all IPs found in headers, not just the first one
+	Lists            []string
-	resolver    *net.Resolver
+	CheckAllIPs      bool // Check all IPs found in headers, not just the first one
+	filterErrorCodes bool // When true (RBL mode), treat 127.255.255.253/254/255 as operational errors
+	resolver         *net.Resolver
+	informationalSet map[string]bool // Lists whose hits don't count toward the score
 }
 
 // DefaultRBLs is a list of commonly used RBL providers
@@ -48,40 +53,83 @@ var DefaultRBLs = []string{
 	"b.barracudacentral.org", // Barracuda
 	"cbl.abuseat.org",        // CBL (Composite Blocking List)
 	"dnsbl-1.uceprotect.net", // UCEPROTECT Level 1
+	"dnsbl-2.uceprotect.net", // UCEPROTECT Level 2 (informational)
+	"dnsbl-3.uceprotect.net", // UCEPROTECT Level 3 (informational)
+	"psbl.surriel.com",       // PSBL
+	"dnsbl.dronebl.org",      // DroneBL
+	"bl.mailspike.net",       // Mailspike BL
+	"z.mailspike.net",        // Mailspike Z
+	"bl.rbl-dns.com",         // RBL-DNS
+	"bl.nszones.com",         // NSZones
+}
+
+// DefaultInformationalRBLs lists RBLs that are checked but not counted in the score.
+// These are typically broader lists where being listed is less definitive.
+var DefaultInformationalRBLs = []string{
+	"dnsbl-2.uceprotect.net", // UCEPROTECT Level 2: entire netblocks, may cause false positives
+	"dnsbl-3.uceprotect.net", // UCEPROTECT Level 3: entire ASes, too broad for scoring
+}
+
+// DefaultDNSWLs is a list of commonly used DNSWL providers
+var DefaultDNSWLs = []string{
+	"list.dnswl.org",   // DNSWL.org — the main DNS whitelist
+	"swl.spamhaus.org", // Spamhaus Safe Whitelist
 }
 
 // NewRBLChecker creates a new RBL checker with configurable timeout and RBL list
-func NewRBLChecker(timeout time.Duration, rbls []string, checkAllIPs bool) *RBLChecker {
+func NewRBLChecker(timeout time.Duration, rbls []string, checkAllIPs bool) *DNSListChecker {
 	if timeout == 0 {
-		timeout = 5 * time.Second // Default timeout
+		timeout = 5 * time.Second
 	}
 	if len(rbls) == 0 {
 		rbls = DefaultRBLs
 	}
-	return &RBLChecker{
+	informationalSet := make(map[string]bool, len(DefaultInformationalRBLs))
-		Timeout:     timeout,
+	for _, rbl := range DefaultInformationalRBLs {
-		RBLs:        rbls,
+		informationalSet[rbl] = true
-		CheckAllIPs: checkAllIPs,
+	}
-		resolver: &net.Resolver{
+	return &DNSListChecker{
-			PreferGo: true,
+		Timeout:          timeout,
-		},
+		Lists:            rbls,
+		CheckAllIPs:      checkAllIPs,
+		filterErrorCodes: true,
+		resolver:         &net.Resolver{PreferGo: true},
+		informationalSet: informationalSet,
 	}
 }
 
-// RBLResults represents the results of RBL checks
+// NewDNSWLChecker creates a new DNSWL checker with configurable timeout and DNSWL list
-type RBLResults struct {
+func NewDNSWLChecker(timeout time.Duration, dnswls []string, checkAllIPs bool) *DNSListChecker {
-	Checks      map[string][]api.BlacklistCheck // Map of IP -> list of RBL checks for that IP
+	if timeout == 0 {
-	IPsChecked  []string
+		timeout = 5 * time.Second
-	ListedCount int
+	}
+	if len(dnswls) == 0 {
+		dnswls = DefaultDNSWLs
+	}
+	return &DNSListChecker{
+		Timeout:          timeout,
+		Lists:            dnswls,
+		CheckAllIPs:      checkAllIPs,
+		filterErrorCodes: false,
+		resolver:         &net.Resolver{PreferGo: true},
+		informationalSet: make(map[string]bool),
+	}
 }
 
-// CheckEmail checks all IPs found in the email headers against RBLs
+// DNSListResults represents the results of DNS list checks
-func (r *RBLChecker) CheckEmail(email *EmailMessage) *RBLResults {
+type DNSListResults struct {
-	results := &RBLResults{
+	Checks              map[string][]model.BlacklistCheck // Map of IP -> list of checks for that IP
-		Checks: make(map[string][]api.BlacklistCheck),
+	IPsChecked          []string
+	ListedCount         int // Total listings including informational entries
+	RelevantListedCount int // Listings on scoring (non-informational) lists only
+}
+
+// CheckEmail checks all IPs found in the email headers against the configured lists
+func (r *DNSListChecker) CheckEmail(email *EmailMessage) *DNSListResults {
+	results := &DNSListResults{
+		Checks: make(map[string][]model.BlacklistCheck),
 	}
 
-	// Extract IPs from Received headers
 	ips := r.extractIPs(email)
 	if len(ips) == 0 {
 		return results
@@ -89,17 +137,18 @@ func (r *RBLChecker) CheckEmail(email *EmailMessage) *RBLResults {
 
 	results.IPsChecked = ips
 
-	// Check each IP against all RBLs
 	for _, ip := range ips {
-		for _, rbl := range r.RBLs {
+		for _, list := range r.Lists {
-			check := r.checkIP(ip, rbl)
+			check := r.checkIP(ip, list)
 			results.Checks[ip] = append(results.Checks[ip], check)
 			if check.Listed {
 				results.ListedCount++
+				if !r.informationalSet[list] {
+					results.RelevantListedCount++
+				}
 			}
 		}
 
-		// Only check the first IP unless CheckAllIPs is enabled
 		if !r.CheckAllIPs {
 			break
 		}
@@ -108,20 +157,26 @@ func (r *RBLChecker) CheckEmail(email *EmailMessage) *RBLResults {
 	return results
 }
 
-// CheckIP checks a single IP address against all configured RBLs
+// CheckIP checks a single IP address against all configured lists in parallel
-func (r *RBLChecker) CheckIP(ip string) ([]api.BlacklistCheck, int, error) {
+func (r *DNSListChecker) CheckIP(ip string) ([]model.BlacklistCheck, int, error) {
-	// Validate that it's a valid IP address
 	if !r.isPublicIP(ip) {
 		return nil, 0, fmt.Errorf("invalid or non-public IP address: %s", ip)
 	}
 
-	var checks []api.BlacklistCheck
+	checks := make([]model.BlacklistCheck, len(r.Lists))
-	listedCount := 0
+	var wg sync.WaitGroup
 
-	// Check the IP against all RBLs
+	for i, list := range r.Lists {
-	for _, rbl := range r.RBLs {
+		wg.Add(1)
-		check := r.checkIP(ip, rbl)
+		go func(i int, list string) {
-		checks = append(checks, check)
+			defer wg.Done()
+			checks[i] = r.checkIP(ip, list)
+		}(i, list)
+	}
+	wg.Wait()
+
+	listedCount := 0
+	for _, check := range checks {
 		if check.Listed {
 			listedCount++
 		}
@@ -131,27 +186,19 @@ func (r *RBLChecker) CheckIP(ip string) ([]api.BlacklistCheck, int, error) {
 }
 
 // extractIPs extracts IP addresses from Received headers
-func (r *RBLChecker) extractIPs(email *EmailMessage) []string {
+func (r *DNSListChecker) extractIPs(email *EmailMessage) []string {
 	var ips []string
 	seenIPs := make(map[string]bool)
 
-	// Get all Received headers
 	receivedHeaders := email.Header["Received"]
-
-	// Regex patterns for IP addresses
-	// Match IPv4: xxx.xxx.xxx.xxx
 	ipv4Pattern := regexp.MustCompile(`\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b`)
 
-	// Look for IPs in Received headers
 	for _, received := range receivedHeaders {
-		// Find all IPv4 addresses
 		matches := ipv4Pattern.FindAllString(received, -1)
 		for _, match := range matches {
-			// Skip private/reserved IPs
 			if !r.isPublicIP(match) {
 				continue
 			}
-			// Avoid duplicates
 			if !seenIPs[match] {
 				ips = append(ips, match)
 				seenIPs[match] = true
@@ -159,13 +206,10 @@ func (r *RBLChecker) extractIPs(email *EmailMessage) []string {
 		}
 	}
 
-	// If no IPs found in Received headers, try X-Originating-IP
 	if len(ips) == 0 {
 		originatingIP := email.Header.Get("X-Originating-IP")
 		if originatingIP != "" {
-			// Extract IP from formats like "[192.0.2.1]" or "192.0.2.1"
 			cleanIP := strings.TrimSuffix(strings.TrimPrefix(originatingIP, "["), "]")
-			// Remove any whitespace
 			cleanIP = strings.TrimSpace(cleanIP)
 			matches := ipv4Pattern.FindString(cleanIP)
 			if matches != "" && r.isPublicIP(matches) {
@@ -178,19 +222,16 @@ func (r *RBLChecker) extractIPs(email *EmailMessage) []string {
 }
 
 // isPublicIP checks if an IP address is public (not private, loopback, or reserved)
-func (r *RBLChecker) isPublicIP(ipStr string) bool {
+func (r *DNSListChecker) isPublicIP(ipStr string) bool {
 	ip := net.ParseIP(ipStr)
 	if ip == nil {
 		return false
 	}
 
-	// Check if it's a private network
 	if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
 		return false
 	}
 
-	// Additional checks for reserved ranges
-	// 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), 203.0.113.0/24 (TEST-NET-3)
 	if ip.IsUnspecified() {
 		return false
 	}
@@ -198,51 +239,43 @@ func (r *RBLChecker) isPublicIP(ipStr string) bool {
 	return true
 }
 
-// checkIP checks a single IP against a single RBL
+// checkIP checks a single IP against a single DNS list
-func (r *RBLChecker) checkIP(ip, rbl string) api.BlacklistCheck {
+func (r *DNSListChecker) checkIP(ip, list string) model.BlacklistCheck {
-	check := api.BlacklistCheck{
+	check := model.BlacklistCheck{
-		Rbl: rbl,
+		Rbl: list,
 	}
 
-	// Reverse the IP for DNSBL query
 	reversedIP := r.reverseIP(ip)
 	if reversedIP == "" {
-		check.Error = api.PtrTo("Failed to reverse IP address")
+		check.Error = utils.PtrTo("Failed to reverse IP address")
 		return check
 	}
 
-	// Construct DNSBL query: reversed-ip.rbl-domain
+	query := fmt.Sprintf("%s.%s", reversedIP, list)
-	query := fmt.Sprintf("%s.%s", reversedIP, rbl)
 
-	// Perform DNS lookup with timeout
 	ctx, cancel := context.WithTimeout(context.Background(), r.Timeout)
 	defer cancel()
 
 	addrs, err := r.resolver.LookupHost(ctx, query)
 	if err != nil {
-		// Most likely not listed (NXDOMAIN)
 		if dnsErr, ok := err.(*net.DNSError); ok {
 			if dnsErr.IsNotFound {
 				check.Listed = false
 				return check
 			}
 		}
-		// Other DNS errors
+		check.Error = utils.PtrTo(fmt.Sprintf("DNS lookup failed: %v", err))
-		check.Error = api.PtrTo(fmt.Sprintf("DNS lookup failed: %v", err))
 		return check
 	}
 
-	// If we got a response, check the return code
 	if len(addrs) > 0 {
-		check.Response = api.PtrTo(addrs[0]) // Return code (e.g., 127.0.0.2)
+		check.Response = utils.PtrTo(addrs[0])
 
-		// Check for RBL error codes: 127.255.255.253, 127.255.255.254, 127.255.255.255
+		// In RBL mode, 127.255.255.253/254/255 indicate operational errors, not real listings.
-		// These indicate RBL operational issues, not actual listings
+		if r.filterErrorCodes && (addrs[0] == "127.255.255.253" || addrs[0] == "127.255.255.254" || addrs[0] == "127.255.255.255") {
-		if addrs[0] == "127.255.255.253" || addrs[0] == "127.255.255.254" || addrs[0] == "127.255.255.255" {
 			check.Listed = false
-			check.Error = api.PtrTo(fmt.Sprintf("RBL %s returned error code %s (RBL operational issue)", rbl, addrs[0]))
+			check.Error = utils.PtrTo(fmt.Sprintf("RBL %s returned error code %s (RBL operational issue)", list, addrs[0]))
 		} else {
-			// Normal listing response
 			check.Listed = true
 		}
 	}
@@ -250,44 +283,58 @@ func (r *RBLChecker) checkIP(ip, rbl string) api.BlacklistCheck {
 	return check
 }
 
-// reverseIP reverses an IPv4 address for DNSBL queries
+// reverseIP reverses an IPv4 address for DNSBL/DNSWL queries
 // Example: 192.0.2.1 -> 1.2.0.192
-func (r *RBLChecker) reverseIP(ipStr string) string {
+func (r *DNSListChecker) reverseIP(ipStr string) string {
 	ip := net.ParseIP(ipStr)
 	if ip == nil {
 		return ""
 	}
 
-	// Convert to IPv4
 	ipv4 := ip.To4()
 	if ipv4 == nil {
 		return "" // IPv6 not supported yet
 	}
 
-	// Reverse the octets
 	return fmt.Sprintf("%d.%d.%d.%d", ipv4[3], ipv4[2], ipv4[1], ipv4[0])
 }
 
-// CalculateRBLScore calculates the blacklist contribution to deliverability
+// CalculateScore calculates the list contribution to deliverability.
-func (r *RBLChecker) CalculateRBLScore(results *RBLResults) (int, string) {
+// Informational lists are not counted in the score.
+func (r *DNSListChecker) CalculateScore(results *DNSListResults, forWhitelist bool) (int, string) {
+	scoringListCount := len(r.Lists) - len(r.informationalSet)
+
+	if forWhitelist {
+		if results.ListedCount >= scoringListCount {
+			return 100, "A++"
+		} else if results.ListedCount > 0 {
+			return 100, "A+"
+		} else {
+			return 95, "A"
+		}
+	}
+
 	if results == nil || len(results.IPsChecked) == 0 {
-		// No IPs to check, give benefit of doubt
 		return 100, ""
 	}
 
-	percentage := 100 - results.ListedCount*100/len(r.RBLs)
+	if results.ListedCount <= 0 {
+		return 100, "A+"
+	}
+
+	percentage := 100 - results.RelevantListedCount*100/scoringListCount
 	return percentage, ScoreToGrade(percentage)
 }
 
-// GetUniqueListedIPs returns a list of unique IPs that are listed on at least one RBL
+// GetUniqueListedIPs returns a list of unique IPs that are listed on at least one entry
-func (r *RBLChecker) GetUniqueListedIPs(results *RBLResults) []string {
+func (r *DNSListChecker) GetUniqueListedIPs(results *DNSListResults) []string {
 	var listedIPs []string
 
-	for ip, rblChecks := range results.Checks {
+	for ip, checks := range results.Checks {
-		for _, check := range rblChecks {
+		for _, check := range checks {
 			if check.Listed {
 				listedIPs = append(listedIPs, ip)
-				break // Only add the IP once
+				break
 			}
 		}
 	}
@@ -295,17 +342,17 @@ func (r *RBLChecker) GetUniqueListedIPs(results *RBLResults) []string {
 	return listedIPs
 }
 
-// GetRBLsForIP returns all RBLs that list a specific IP
+// GetListsForIP returns all lists that match a specific IP
-func (r *RBLChecker) GetRBLsForIP(results *RBLResults, ip string) []string {
+func (r *DNSListChecker) GetListsForIP(results *DNSListResults, ip string) []string {
-	var rbls []string
+	var lists []string
 
-	if rblChecks, exists := results.Checks[ip]; exists {
+	if checks, exists := results.Checks[ip]; exists {
-		for _, check := range rblChecks {
+		for _, check := range checks {
 			if check.Listed {
-				rbls = append(rbls, check.Rbl)
+				lists = append(lists, check.Rbl)
 			}
 		}
 	}
 
-	return rbls
+	return lists
 }

pkg/analyzer/rbl_test.go

@@ -26,7 +26,7 @@ import (
 	"testing"
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestNewRBLChecker(t *testing.T) {
@@ -59,8 +59,8 @@ func TestNewRBLChecker(t *testing.T) {
 			if checker.Timeout != tt.expectedTimeout {
 				t.Errorf("Timeout = %v, want %v", checker.Timeout, tt.expectedTimeout)
 			}
-			if len(checker.RBLs) != tt.expectedRBLs {
+			if len(checker.Lists) != tt.expectedRBLs {
-				t.Errorf("RBLs count = %d, want %d", len(checker.RBLs), tt.expectedRBLs)
+				t.Errorf("RBLs count = %d, want %d", len(checker.Lists), tt.expectedRBLs)
 			}
 			if checker.resolver == nil {
 				t.Error("Resolver should not be nil")
@@ -265,7 +265,7 @@ func TestExtractIPs(t *testing.T) {
 func TestGetBlacklistScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		results       *RBLResults
+		results       *DNSListResults
 		expectedScore int
 	}{
 		{
@@ -275,14 +275,14 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "No IPs checked",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked: []string{},
 			},
 			expectedScore: 100,
 		},
 		{
 			name: "Not listed on any RBL",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 0,
 			},
@@ -290,7 +290,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 1 RBL",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 1,
 			},
@@ -298,7 +298,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 2 RBLs",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 2,
 			},
@@ -306,7 +306,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 3 RBLs",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 3,
 			},
@@ -314,7 +314,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 4+ RBLs",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 4,
 			},
@@ -326,7 +326,7 @@ func TestGetBlacklistScore(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			score, _ := checker.CalculateRBLScore(tt.results)
+			score, _ := checker.CalculateScore(tt.results)
 			if score != tt.expectedScore {
 				t.Errorf("GetBlacklistScore() = %v, want %v", score, tt.expectedScore)
 			}
@@ -335,8 +335,8 @@ func TestGetBlacklistScore(t *testing.T) {
 }
 
 func TestGetUniqueListedIPs(t *testing.T) {
-	results := &RBLResults{
+	results := &DNSListResults{
-		Checks: map[string][]api.BlacklistCheck{
+		Checks: map[string][]model.BlacklistCheck{
 			"198.51.100.1": {
 				{Rbl: "zen.spamhaus.org", Listed: true},
 				{Rbl: "bl.spamcop.net", Listed: true},
@@ -363,8 +363,8 @@ func TestGetUniqueListedIPs(t *testing.T) {
 }
 
 func TestGetRBLsForIP(t *testing.T) {
-	results := &RBLResults{
+	results := &DNSListResults{
-		Checks: map[string][]api.BlacklistCheck{
+		Checks: map[string][]model.BlacklistCheck{
 			"198.51.100.1": {
 				{Rbl: "zen.spamhaus.org", Listed: true},
 				{Rbl: "bl.spamcop.net", Listed: true},
@@ -402,7 +402,7 @@ func TestGetRBLsForIP(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			rbls := checker.GetRBLsForIP(results, tt.ip)
+			rbls := checker.GetListsForIP(results, tt.ip)
 
 			if len(rbls) != len(tt.expectedRBLs) {
 				t.Errorf("Got %d RBLs, want %d", len(rbls), len(tt.expectedRBLs))

pkg/analyzer/report.go

@@ -24,7 +24,7 @@ package analyzer
 import (
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/utils"
 	"github.com/google/uuid"
 )
@@ -33,24 +33,31 @@ import (
 type ReportGenerator struct {
 	authAnalyzer    *AuthenticationAnalyzer
 	spamAnalyzer    *SpamAssassinAnalyzer
+	rspamdAnalyzer  *RspamdAnalyzer
 	dnsAnalyzer     *DNSAnalyzer
-	rblChecker      *RBLChecker
+	rblChecker      *DNSListChecker
+	dnswlChecker    *DNSListChecker
 	contentAnalyzer *ContentAnalyzer
 	headerAnalyzer  *HeaderAnalyzer
 }
 
 // NewReportGenerator creates a new report generator
 func NewReportGenerator(
+	receiverHostname string,
 	dnsTimeout time.Duration,
 	httpTimeout time.Duration,
 	rbls []string,
+	dnswls []string,
 	checkAllIPs bool,
+	rspamdAPIURL string,
 ) *ReportGenerator {
 	return &ReportGenerator{
-		authAnalyzer:    NewAuthenticationAnalyzer(),
+		authAnalyzer:    NewAuthenticationAnalyzer(receiverHostname),
 		spamAnalyzer:    NewSpamAssassinAnalyzer(),
+		rspamdAnalyzer:  NewRspamdAnalyzer(LoadRspamdSymbols(rspamdAPIURL)),
 		dnsAnalyzer:     NewDNSAnalyzer(dnsTimeout),
 		rblChecker:      NewRBLChecker(dnsTimeout, rbls, checkAllIPs),
+		dnswlChecker:    NewDNSWLChecker(dnsTimeout, dnswls, checkAllIPs),
 		contentAnalyzer: NewContentAnalyzer(httpTimeout),
 		headerAnalyzer:  NewHeaderAnalyzer(),
 	}
@@ -59,12 +66,14 @@ func NewReportGenerator(
 // AnalysisResults contains all intermediate analysis results
 type AnalysisResults struct {
 	Email          *EmailMessage
-	Authentication *api.AuthenticationResults
+	Authentication *model.AuthenticationResults
 	Content        *ContentResults
-	DNS            *api.DNSResults
+	DNS            *model.DNSResults
-	Headers        *api.HeaderAnalysis
+	Headers        *model.HeaderAnalysis
-	RBL            *RBLResults
+	RBL            *DNSListResults
-	SpamAssassin   *api.SpamAssassinResult
+	DNSWL          *DNSListResults
+	SpamAssassin   *model.SpamAssassinResult
+	Rspamd         *model.RspamdResult
 }
 
 // AnalyzeEmail performs complete email analysis
@@ -76,20 +85,22 @@ func (r *ReportGenerator) AnalyzeEmail(email *EmailMessage) *AnalysisResults {
 	// Run all analyzers
 	results.Authentication = r.authAnalyzer.AnalyzeAuthentication(email)
 	results.Headers = r.headerAnalyzer.GenerateHeaderAnalysis(email, results.Authentication)
-	results.DNS = r.dnsAnalyzer.AnalyzeDNS(email, results.Authentication, results.Headers)
+	results.DNS = r.dnsAnalyzer.AnalyzeDNS(email, results.Headers)
 	results.RBL = r.rblChecker.CheckEmail(email)
+	results.DNSWL = r.dnswlChecker.CheckEmail(email)
 	results.SpamAssassin = r.spamAnalyzer.AnalyzeSpamAssassin(email)
+	results.Rspamd = r.rspamdAnalyzer.AnalyzeRspamd(email)
 	results.Content = r.contentAnalyzer.AnalyzeContent(email)
 
 	return results
 }
 
 // GenerateReport creates a complete API report from analysis results
-func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResults) *api.Report {
+func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResults) *model.Report {
 	reportID := uuid.New()
 	now := time.Now()
 
-	report := &api.Report{
+	report := &model.Report{
 		Id:        utils.UUIDToBase32(reportID),
 		TestId:    utils.UUIDToBase32(testID),
 		CreatedAt: now,
@@ -130,29 +141,47 @@ func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResu
 
 	blacklistScore := 0
 	var blacklistGrade string
+	var whitelistGrade string
 	if results.RBL != nil {
-		blacklistScore, blacklistGrade = r.rblChecker.CalculateRBLScore(results.RBL)
+		blacklistScore, blacklistGrade = r.rblChecker.CalculateScore(results.RBL, false)
+		_, whitelistGrade = r.dnswlChecker.CalculateScore(results.DNSWL, true)
 	}
 
-	spamScore := 0
+	saScore, saGrade := r.spamAnalyzer.CalculateSpamAssassinScore(results.SpamAssassin)
+	rspamdScore, rspamdGrade := r.rspamdAnalyzer.CalculateRspamdScore(results.Rspamd)
+
+	// Combine SpamAssassin and rspamd scores 50/50.
+	// If only one filter ran (the other returns "" grade), use that filter's score alone.
+	var spamScore int
 	var spamGrade string
-	if results.SpamAssassin != nil {
+	switch {
-		spamScore, spamGrade = r.spamAnalyzer.CalculateSpamAssassinScore(results.SpamAssassin)
+	case saGrade == "" && rspamdGrade == "":
+		spamScore = 0
+		spamGrade = ""
+	case saGrade == "":
+		spamScore = rspamdScore
+		spamGrade = rspamdGrade
+	case rspamdGrade == "":
+		spamScore = saScore
+		spamGrade = saGrade
+	default:
+		spamScore = (saScore + rspamdScore) / 2
+		spamGrade = MinGrade(saGrade, rspamdGrade)
 	}
 
-	report.Summary = &api.ScoreSummary{
+	report.Summary = &model.ScoreSummary{
 		DnsScore:            dnsScore,
-		DnsGrade:            api.ScoreSummaryDnsGrade(dnsGrade),
+		DnsGrade:            model.ScoreSummaryDnsGrade(dnsGrade),
 		AuthenticationScore: authScore,
-		AuthenticationGrade: api.ScoreSummaryAuthenticationGrade(authGrade),
+		AuthenticationGrade: model.ScoreSummaryAuthenticationGrade(authGrade),
 		BlacklistScore:      blacklistScore,
-		BlacklistGrade:      api.ScoreSummaryBlacklistGrade(blacklistGrade),
+		BlacklistGrade:      model.ScoreSummaryBlacklistGrade(MinGrade(blacklistGrade, whitelistGrade)),
 		ContentScore:        contentScore,
-		ContentGrade:        api.ScoreSummaryContentGrade(contentGrade),
+		ContentGrade:        model.ScoreSummaryContentGrade(contentGrade),
 		HeaderScore:         headerScore,
-		HeaderGrade:         api.ScoreSummaryHeaderGrade(headerGrade),
+		HeaderGrade:         model.ScoreSummaryHeaderGrade(headerGrade),
 		SpamScore:           spamScore,
-		SpamGrade:           api.ScoreSummarySpamGrade(spamGrade),
+		SpamGrade:           model.ScoreSummarySpamGrade(spamGrade),
 	}
 
 	// Add authentication results
@@ -177,9 +206,27 @@ func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResu
 		report.Blacklists = &results.RBL.Checks
 	}
 
-	// Add SpamAssassin result
+	// Add whitelist checks as a map of IP -> array of BlacklistCheck (informational only)
+	if results.DNSWL != nil && len(results.DNSWL.Checks) > 0 {
+		report.Whitelists = &results.DNSWL.Checks
+	}
+
+	// Add SpamAssassin result with individual deliverability score
+	if results.SpamAssassin != nil {
+		saGradeTyped := model.SpamAssassinResultDeliverabilityGrade(saGrade)
+		results.SpamAssassin.DeliverabilityScore = utils.PtrTo(saScore)
+		results.SpamAssassin.DeliverabilityGrade = &saGradeTyped
+	}
 	report.Spamassassin = results.SpamAssassin
 
+	// Add rspamd result with individual deliverability score
+	if results.Rspamd != nil {
+		rspamdGradeTyped := model.RspamdResultDeliverabilityGrade(rspamdGrade)
+		results.Rspamd.DeliverabilityScore = utils.PtrTo(rspamdScore)
+		results.Rspamd.DeliverabilityGrade = &rspamdGradeTyped
+	}
+	report.Rspamd = results.Rspamd
+
 	// Add raw headers
 	if results.Email != nil && results.Email.RawHeaders != "" {
 		report.RawHeaders = &results.Email.RawHeaders
@@ -241,7 +288,7 @@ func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResu
 		}
 
 		if minusGrade < 255 {
-			report.Grade = api.ReportGrade(string([]byte{'A' + minusGrade}))
+			report.Grade = model.ReportGrade(string([]byte{'A' + minusGrade}))
 		}
 	}
 

pkg/analyzer/report_test.go

@@ -32,7 +32,7 @@ import (
 )
 
 func TestNewReportGenerator(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 	if gen == nil {
 		t.Fatal("Expected report generator, got nil")
 	}
@@ -55,7 +55,7 @@ func TestNewReportGenerator(t *testing.T) {
 }
 
 func TestAnalyzeEmail(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 
 	email := createTestEmail()
 
@@ -75,7 +75,7 @@ func TestAnalyzeEmail(t *testing.T) {
 }
 
 func TestGenerateReport(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 	testID := uuid.New()
 
 	email := createTestEmail()
@@ -130,7 +130,7 @@ func TestGenerateReport(t *testing.T) {
 }
 
 func TestGenerateReportWithSpamAssassin(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 	testID := uuid.New()
 
 	email := createTestEmailWithSpamAssassin()
@@ -150,7 +150,7 @@ func TestGenerateReportWithSpamAssassin(t *testing.T) {
 }
 
 func TestGenerateRawEmail(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 
 	tests := []struct {
 		name     string

pkg/analyzer/rspamd-symbols-README.md

@@ -0,0 +1,21 @@
+# rspamd-symbols.json
+
+This file contains rspamd symbol descriptions, embedded into the binary at compile time as a fallback when no rspamd API URL is configured.
+
+## How to update
+
+Fetch the latest symbols from a running rspamd instance:
+
+```sh
+curl http://127.0.0.1:11334/symbols > rspamd-symbols.json
+```
+
+Or with docker:
+
+```sh
+docker run --rm --name rspamd --pull always rspamd/rspamd
+docker exec -u 0 rspamd apt install -y curl
+docker exec rspamd curl http://127.0.0.1:11334/symbols > rspamd-symbols.json
+```
+
+Then rebuild the project.

pkg/analyzer/rspamd.go

@@ -0,0 +1,174 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package analyzer
+
+import (
+	"math"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"git.happydns.org/happyDeliver/internal/model"
+)
+
+// Default rspamd action thresholds (rspamd built-in defaults)
+const (
+	rspamdDefaultRejectThreshold    float32 = 15
+	rspamdDefaultAddHeaderThreshold float32 = 6
+)
+
+// RspamdAnalyzer analyzes rspamd results from email headers
+type RspamdAnalyzer struct {
+	symbols map[string]string
+}
+
+// NewRspamdAnalyzer creates a new rspamd analyzer with optional symbol descriptions
+func NewRspamdAnalyzer(symbols map[string]string) *RspamdAnalyzer {
+	return &RspamdAnalyzer{symbols: symbols}
+}
+
+// AnalyzeRspamd extracts and analyzes rspamd results from email headers
+func (a *RspamdAnalyzer) AnalyzeRspamd(email *EmailMessage) *model.RspamdResult {
+	headers := email.GetRspamdHeaders()
+	if len(headers) == 0 {
+		return nil
+	}
+
+	// Require at least X-Spamd-Result or X-Rspamd-Score to produce a meaningful report
+	_, hasSpamdResult := headers["X-Spamd-Result"]
+	_, hasRspamdScore := headers["X-Rspamd-Score"]
+	if !hasSpamdResult && !hasRspamdScore {
+		return nil
+	}
+
+	result := &model.RspamdResult{
+		Symbols: make(map[string]model.SpamTestDetail),
+	}
+
+	// Parse X-Spamd-Result header (primary source for score, threshold, and symbols)
+	// Format: "default: False [-3.91 / 15.00];\n\tSYMBOL(score)[params]; ..."
+	if spamdResult, ok := headers["X-Spamd-Result"]; ok {
+		report := strings.ReplaceAll(spamdResult, "; ", ";\n")
+		result.Report = &report
+		a.parseSpamdResult(spamdResult, result)
+	}
+
+	// Parse X-Rspamd-Score as override/fallback for score
+	if scoreHeader, ok := headers["X-Rspamd-Score"]; ok {
+		if score, err := strconv.ParseFloat(strings.TrimSpace(scoreHeader), 64); err == nil {
+			result.Score = float32(score)
+		}
+	}
+
+	// Parse X-Rspamd-Server
+	if serverHeader, ok := headers["X-Rspamd-Server"]; ok {
+		server := strings.TrimSpace(serverHeader)
+		result.Server = &server
+	}
+
+	// Populate symbol descriptions from the lookup map
+	if a.symbols != nil {
+		for name, sym := range result.Symbols {
+			if desc, ok := a.symbols[name]; ok {
+				sym.Description = &desc
+				result.Symbols[name] = sym
+			}
+		}
+	}
+
+	// Derive IsSpam from score vs reject threshold.
+	if result.Threshold > 0 {
+		result.IsSpam = result.Score >= result.Threshold
+	} else {
+		result.IsSpam = result.Score >= rspamdDefaultAddHeaderThreshold
+	}
+
+	return result
+}
+
+// parseSpamdResult parses the X-Spamd-Result header
+// Format: "default: False [-3.91 / 15.00];\n\tSYMBOL(score)[params]; ..."
+func (a *RspamdAnalyzer) parseSpamdResult(header string, result *model.RspamdResult) {
+	// Extract score and threshold from the first line
+	// e.g. "default: False [-3.91 / 15.00]"
+	scoreRe := regexp.MustCompile(`\[\s*(-?\d+\.?\d*)\s*/\s*(-?\d+\.?\d*)\s*\]`)
+	if matches := scoreRe.FindStringSubmatch(header); len(matches) > 2 {
+		if score, err := strconv.ParseFloat(matches[1], 64); err == nil {
+			result.Score = float32(score)
+		}
+		if threshold, err := strconv.ParseFloat(matches[2], 64); err == nil {
+			result.Threshold = float32(threshold)
+
+			// No threshold? use default AddHeaderThreshold
+			if result.Threshold <= 0 {
+				result.Threshold = rspamdDefaultAddHeaderThreshold
+			}
+		}
+	}
+
+	// Parse is_spam from header (before we may get action from X-Rspamd-Action)
+	firstLine := strings.SplitN(header, ";", 2)[0]
+	if strings.Contains(firstLine, ": True") || strings.Contains(firstLine, ": true") {
+		result.IsSpam = true
+	}
+
+	// Parse symbols: SYMBOL(score)[params]
+	// Each symbol entry is separated by ";", so within each part we use a
+	// greedy match to capture params that may contain nested brackets.
+	symbolRe := regexp.MustCompile(`(\w+)\((-?\d+\.?\d*)\)(?:\[(.*)\])?`)
+	for _, part := range strings.Split(header, ";") {
+		part = strings.TrimSpace(part)
+		matches := symbolRe.FindStringSubmatch(part)
+		if len(matches) > 2 {
+			name := matches[1]
+			score, _ := strconv.ParseFloat(matches[2], 64)
+			sym := model.SpamTestDetail{
+				Name:  name,
+				Score: float32(score),
+			}
+			if len(matches) > 3 && matches[3] != "" {
+				params := matches[3]
+				sym.Params = &params
+			}
+			result.Symbols[name] = sym
+		}
+	}
+}
+
+// CalculateRspamdScore calculates the rspamd contribution to deliverability (0-100 scale)
+func (a *RspamdAnalyzer) CalculateRspamdScore(result *model.RspamdResult) (int, string) {
+	if result == nil {
+		return 100, "" // rspamd not installed
+	}
+
+	threshold := result.Threshold
+	percentage := 100 - int(math.Round(float64(result.Score*100/(2*threshold))))
+
+	if percentage > 100 {
+		return 100, "A+"
+	} else if percentage < 0 {
+		return 0, "F"
+	}
+
+	// Linear scale between 0 and threshold
+	return percentage, ScoreToGrade(percentage)
+}

pkg/analyzer/rspamd_symbols.go

@@ -0,0 +1,105 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package analyzer
+
+import (
+	_ "embed"
+	"encoding/json"
+	"io"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+)
+
+//go:embed rspamd-symbols.json
+var embeddedRspamdSymbols []byte
+
+// rspamdSymbolGroup represents a group of rspamd symbols from the API/embedded JSON.
+type rspamdSymbolGroup struct {
+	Group string              `json:"group"`
+	Rules []rspamdSymbolEntry `json:"rules"`
+}
+
+// rspamdSymbolEntry represents a single rspamd symbol entry.
+type rspamdSymbolEntry struct {
+	Symbol      string  `json:"symbol"`
+	Description string  `json:"description"`
+	Weight      float64 `json:"weight"`
+}
+
+// parseRspamdSymbolsJSON parses the rspamd symbols JSON into a name->description map.
+func parseRspamdSymbolsJSON(data []byte) map[string]string {
+	var groups []rspamdSymbolGroup
+	if err := json.Unmarshal(data, &groups); err != nil {
+		log.Printf("Failed to parse rspamd symbols JSON: %v", err)
+		return nil
+	}
+
+	symbols := make(map[string]string, len(groups)*10)
+	for _, g := range groups {
+		for _, r := range g.Rules {
+			if r.Description != "" {
+				symbols[r.Symbol] = r.Description
+			}
+		}
+	}
+	return symbols
+}
+
+// LoadRspamdSymbols loads rspamd symbol descriptions.
+// If apiURL is non-empty, it fetches from the rspamd API first, falling back to the embedded list on error.
+func LoadRspamdSymbols(apiURL string) map[string]string {
+	if apiURL != "" {
+		if symbols := fetchRspamdSymbols(apiURL); symbols != nil {
+			return symbols
+		}
+		log.Printf("Failed to fetch rspamd symbols from %s, using embedded list", apiURL)
+	}
+	return parseRspamdSymbolsJSON(embeddedRspamdSymbols)
+}
+
+// fetchRspamdSymbols fetches symbol descriptions from the rspamd API.
+func fetchRspamdSymbols(apiURL string) map[string]string {
+	url := strings.TrimRight(apiURL, "/") + "/symbols"
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Get(url)
+	if err != nil {
+		log.Printf("Error fetching rspamd symbols: %v", err)
+		return nil
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		log.Printf("rspamd API returned status %d", resp.StatusCode)
+		return nil
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Printf("Error reading rspamd symbols response: %v", err)
+		return nil
+	}
+
+	return parseRspamdSymbolsJSON(body)
+}

pkg/analyzer/rspamd_test.go

@@ -0,0 +1,414 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package analyzer
+
+import (
+	"bytes"
+	"net/mail"
+	"testing"
+
+	"git.happydns.org/happyDeliver/internal/model"
+)
+
+func TestAnalyzeRspamdNoHeaders(t *testing.T) {
+	analyzer := NewRspamdAnalyzer(nil)
+	email := &EmailMessage{Header: make(mail.Header)}
+
+	result := analyzer.AnalyzeRspamd(email)
+
+	if result != nil {
+		t.Errorf("Expected nil for email without rspamd headers, got %+v", result)
+	}
+}
+
+func TestParseSpamdResult(t *testing.T) {
+	tests := []struct {
+		name               string
+		header             string
+		expectedScore      float32
+		expectedThreshold  float32
+		expectedIsSpam     bool
+		expectedSymbols    map[string]float32
+		expectedSymParams  map[string]string
+	}{
+		{
+			name:              "Clean email negative score",
+			header:            "default: False [-3.91 / 15.00];\n\tDATE_IN_PAST(0.10); ALL_TRUSTED(-1.00)[trusted]",
+			expectedScore:     -3.91,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+			expectedSymbols: map[string]float32{
+				"DATE_IN_PAST": 0.10,
+				"ALL_TRUSTED":  -1.00,
+			},
+			expectedSymParams: map[string]string{
+				"ALL_TRUSTED": "trusted",
+			},
+		},
+		{
+			name:              "Spam email True flag",
+			header:            "default: True [16.50 / 15.00];\n\tBAYES_99(5.00)[1.00]; SPOOFED_SENDER(3.50)",
+			expectedScore:     16.50,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    true,
+			expectedSymbols: map[string]float32{
+				"BAYES_99":        5.00,
+				"SPOOFED_SENDER":  3.50,
+			},
+			expectedSymParams: map[string]string{
+				"BAYES_99": "1.00",
+			},
+		},
+		{
+			name:              "Zero threshold uses default",
+			header:            "default: False [1.00 / 0.00]",
+			expectedScore:     1.00,
+			expectedThreshold: rspamdDefaultAddHeaderThreshold,
+			expectedIsSpam:    false,
+			expectedSymbols:   map[string]float32{},
+		},
+		{
+			name:              "Symbol without params",
+			header:            "default: False [2.00 / 15.00];\n\tMISSING_DATE(1.00)",
+			expectedScore:     2.00,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+			expectedSymbols: map[string]float32{
+				"MISSING_DATE": 1.00,
+			},
+		},
+		{
+			name:              "Case-insensitive true flag",
+			header:            "default: true [8.00 / 6.00]",
+			expectedScore:     8.00,
+			expectedThreshold: 6.00,
+			expectedIsSpam:    true,
+			expectedSymbols:   map[string]float32{},
+		},
+		{
+			name: "Zero threshold with symbols containing nested brackets in params",
+			header: "default: False [0.90 / 0.00];\n" +
+				"\tARC_REJECT(1.00)[cannot verify 1 of 1 signatures: {[1] = sig:mail-tester.local:signature has incorrect length: 12}];\n" +
+				"\tMIME_GOOD(-0.10)[multipart/alternative,text/plain];\n" +
+				"\tMIME_TRACE(0.00)[0:+,1:+,2:~]",
+			expectedScore:     0.90,
+			expectedThreshold: rspamdDefaultAddHeaderThreshold,
+			expectedIsSpam:    false,
+			expectedSymbols: map[string]float32{
+				"ARC_REJECT": 1.00,
+				"MIME_GOOD":  -0.10,
+				"MIME_TRACE": 0.00,
+			},
+			expectedSymParams: map[string]string{
+				"ARC_REJECT": "cannot verify 1 of 1 signatures: {[1] = sig:mail-tester.local:signature has incorrect length: 12}",
+				"MIME_GOOD":  "multipart/alternative,text/plain",
+				"MIME_TRACE": "0:+,1:+,2:~",
+			},
+		},
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := &model.RspamdResult{
+				Symbols: make(map[string]model.SpamTestDetail),
+			}
+			analyzer.parseSpamdResult(tt.header, result)
+
+			if result.Score != tt.expectedScore {
+				t.Errorf("Score = %v, want %v", result.Score, tt.expectedScore)
+			}
+			if result.Threshold != tt.expectedThreshold {
+				t.Errorf("Threshold = %v, want %v", result.Threshold, tt.expectedThreshold)
+			}
+			if result.IsSpam != tt.expectedIsSpam {
+				t.Errorf("IsSpam = %v, want %v", result.IsSpam, tt.expectedIsSpam)
+			}
+			for symName, expectedScore := range tt.expectedSymbols {
+				sym, ok := result.Symbols[symName]
+				if !ok {
+					t.Errorf("Symbol %s not found", symName)
+					continue
+				}
+				if sym.Score != expectedScore {
+					t.Errorf("Symbol %s score = %v, want %v", symName, sym.Score, expectedScore)
+				}
+			}
+			for symName, expectedParam := range tt.expectedSymParams {
+				sym, ok := result.Symbols[symName]
+				if !ok {
+					t.Errorf("Symbol %s not found for params check", symName)
+					continue
+				}
+				if sym.Params == nil {
+					t.Errorf("Symbol %s params = nil, want %q", symName, expectedParam)
+				} else if *sym.Params != expectedParam {
+					t.Errorf("Symbol %s params = %q, want %q", symName, *sym.Params, expectedParam)
+				}
+			}
+		})
+	}
+}
+
+func TestAnalyzeRspamd(t *testing.T) {
+	tests := []struct {
+		name              string
+		headers           map[string]string
+		expectedScore     float32
+		expectedThreshold float32
+		expectedIsSpam    bool
+		expectedServer    *string
+		expectedSymCount  int
+	}{
+		{
+			name: "Full headers clean email",
+			headers: map[string]string{
+				"X-Spamd-Result": "default: False [-3.91 / 15.00];\n\tALL_TRUSTED(-1.00)[local]",
+				"X-Rspamd-Score": "-3.91",
+				"X-Rspamd-Server": "mail.example.com",
+			},
+			expectedScore:     -3.91,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+			expectedServer:    func() *string { s := "mail.example.com"; return &s }(),
+			expectedSymCount:  1,
+		},
+		{
+			name: "X-Rspamd-Score overrides spamd result score",
+			headers: map[string]string{
+				"X-Spamd-Result": "default: False [2.00 / 15.00]",
+				"X-Rspamd-Score": "3.50",
+			},
+			expectedScore:     3.50,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+		},
+		{
+			name: "Spam email above threshold",
+			headers: map[string]string{
+				"X-Spamd-Result": "default: True [16.00 / 15.00];\n\tBAYES_99(5.00)",
+				"X-Rspamd-Score": "16.00",
+			},
+			expectedScore:     16.00,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    true,
+			expectedSymCount:  1,
+		},
+		{
+			name: "No X-Spamd-Result, only X-Rspamd-Score below default threshold",
+			headers: map[string]string{
+				"X-Rspamd-Score": "2.00",
+			},
+			expectedScore:  2.00,
+			expectedIsSpam: false,
+		},
+		{
+			name: "No X-Spamd-Result, X-Rspamd-Score above default add-header threshold",
+			headers: map[string]string{
+				"X-Rspamd-Score": "7.00",
+			},
+			expectedScore:  7.00,
+			expectedIsSpam: true,
+		},
+		{
+			name: "Server header is trimmed",
+			headers: map[string]string{
+				"X-Rspamd-Score":  "1.00",
+				"X-Rspamd-Server": "  rspamd-01  ",
+			},
+			expectedScore:  1.00,
+			expectedServer: func() *string { s := "rspamd-01"; return &s }(),
+		},
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			email := &EmailMessage{Header: make(mail.Header)}
+			for k, v := range tt.headers {
+				email.Header[k] = []string{v}
+			}
+
+			result := analyzer.AnalyzeRspamd(email)
+
+			if result == nil {
+				t.Fatal("Expected non-nil result")
+			}
+			if result.Score != tt.expectedScore {
+				t.Errorf("Score = %v, want %v", result.Score, tt.expectedScore)
+			}
+			if tt.expectedThreshold > 0 && result.Threshold != tt.expectedThreshold {
+				t.Errorf("Threshold = %v, want %v", result.Threshold, tt.expectedThreshold)
+			}
+			if result.IsSpam != tt.expectedIsSpam {
+				t.Errorf("IsSpam = %v, want %v", result.IsSpam, tt.expectedIsSpam)
+			}
+			if tt.expectedServer != nil {
+				if result.Server == nil {
+					t.Errorf("Server = nil, want %q", *tt.expectedServer)
+				} else if *result.Server != *tt.expectedServer {
+					t.Errorf("Server = %q, want %q", *result.Server, *tt.expectedServer)
+				}
+			}
+			if tt.expectedSymCount > 0 && len(result.Symbols) != tt.expectedSymCount {
+				t.Errorf("Symbol count = %d, want %d", len(result.Symbols), tt.expectedSymCount)
+			}
+		})
+	}
+}
+
+func TestCalculateRspamdScore(t *testing.T) {
+	tests := []struct {
+		name          string
+		result        *model.RspamdResult
+		expectedScore int
+		expectedGrade string
+	}{
+		{
+			name:          "Nil result (rspamd not installed)",
+			result:        nil,
+			expectedScore: 100,
+			expectedGrade: "",
+		},
+		{
+			name: "Score well below threshold",
+			result: &model.RspamdResult{
+				Score:     -3.91,
+				Threshold: 15.00,
+			},
+			expectedScore: 100,
+			expectedGrade: "A+",
+		},
+		{
+			name: "Score at zero",
+			result: &model.RspamdResult{
+				Score:     0,
+				Threshold: 15.00,
+			},
+			// 100 - round(0*100/30) = 100 → hits ScoreToGrade(100) = "A"
+			expectedScore: 100,
+			expectedGrade: "A",
+		},
+		{
+			name: "Score at threshold (half of 2*threshold)",
+			result: &model.RspamdResult{
+				Score:     15.00,
+				Threshold: 15.00,
+			},
+			// 100 - round(15*100/(2*15)) = 100 - 50 = 50
+			expectedScore: 50,
+		},
+		{
+			name: "Score above 2*threshold",
+			result: &model.RspamdResult{
+				Score:     31.00,
+				Threshold: 15.00,
+			},
+			expectedScore: 0,
+			expectedGrade: "F",
+		},
+		{
+			name: "Score exactly at 2*threshold",
+			result: &model.RspamdResult{
+				Score:     30.00,
+				Threshold: 15.00,
+			},
+			// 100 - round(30*100/30) = 100 - 100 = 0
+			expectedScore: 0,
+			expectedGrade: "F",
+		},
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			score, grade := analyzer.CalculateRspamdScore(tt.result)
+
+			if score != tt.expectedScore {
+				t.Errorf("Score = %d, want %d", score, tt.expectedScore)
+			}
+			if tt.expectedGrade != "" && grade != tt.expectedGrade {
+				t.Errorf("Grade = %q, want %q", grade, tt.expectedGrade)
+			}
+		})
+	}
+}
+
+const sampleEmailWithRspamdHeaders = `X-Spamd-Result: default: False [-3.91 / 15.00];
+	BAYES_HAM(-3.00)[99%];
+	RCVD_IN_DNSWL_MED(-0.01)[1.2.3.4:from];
+	R_DKIM_ALLOW(-0.20)[example.com:s=dkim];
+	FROM_HAS_DN(0.00)[];
+	MIME_GOOD(-0.10)[text/plain];
+X-Rspamd-Score: -3.91
+X-Rspamd-Server: rspamd-01.example.com
+Date: Mon, 09 Mar 2026 10:00:00 +0000
+From: sender@example.com
+To: test@happydomain.org
+Subject: Test email
+Message-ID: <test123@example.com>
+MIME-Version: 1.0
+Content-Type: text/plain
+
+Hello world`
+
+func TestAnalyzeRspamdRealEmail(t *testing.T) {
+	email, err := ParseEmail(bytes.NewBufferString(sampleEmailWithRspamdHeaders))
+	if err != nil {
+		t.Fatalf("Failed to parse email: %v", err)
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+	result := analyzer.AnalyzeRspamd(email)
+
+	if result == nil {
+		t.Fatal("Expected non-nil result")
+	}
+	if result.IsSpam {
+		t.Error("Expected IsSpam=false")
+	}
+	if result.Score != -3.91 {
+		t.Errorf("Score = %v, want -3.91", result.Score)
+	}
+	if result.Threshold != 15.00 {
+		t.Errorf("Threshold = %v, want 15.00", result.Threshold)
+	}
+	if result.Server == nil || *result.Server != "rspamd-01.example.com" {
+		t.Errorf("Server = %v, want \"rspamd-01.example.com\"", result.Server)
+	}
+
+	expectedSymbols := []string{"BAYES_HAM", "RCVD_IN_DNSWL_MED", "R_DKIM_ALLOW", "FROM_HAS_DN", "MIME_GOOD"}
+	for _, sym := range expectedSymbols {
+		if _, ok := result.Symbols[sym]; !ok {
+			t.Errorf("Symbol %s not found", sym)
+		}
+	}
+
+	score, _ := analyzer.CalculateRspamdScore(result)
+	if score != 100 {
+		t.Errorf("CalculateRspamdScore = %d, want 100", score)
+	}
+}
+

pkg/analyzer/scoring.go

@@ -22,7 +22,7 @@
 package analyzer
 
 import (
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // ScoreToGrade converts a percentage score (0-100) to a letter grade
@@ -65,7 +65,37 @@ func ScoreToGradeKind(score int) string {
 	}
 }
 
-// ScoreToReportGrade converts a percentage score to an api.ReportGrade
+// ScoreToReportGrade converts a percentage score to an model.ReportGrade
-func ScoreToReportGrade(score int) api.ReportGrade {
+func ScoreToReportGrade(score int) model.ReportGrade {
-	return api.ReportGrade(ScoreToGrade(score))
+	return model.ReportGrade(ScoreToGrade(score))
+}
+
+// gradeRank returns a numeric rank for a grade (lower = worse)
+func gradeRank(grade string) int {
+	switch grade {
+	case "A++":
+		return 7
+	case "A+":
+		return 6
+	case "A":
+		return 5
+	case "B":
+		return 4
+	case "C":
+		return 3
+	case "D":
+		return 2
+	case "E":
+		return 1
+	default:
+		return 0
+	}
+}
+
+// MinGrade returns the minimal (worse) grade between the two given grades
+func MinGrade(a, b string) string {
+	if gradeRank(a) <= gradeRank(b) {
+		return a
+	}
+	return b
 }

pkg/analyzer/spamassassin.go

@@ -27,7 +27,8 @@ import (
 	"strconv"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // SpamAssassinAnalyzer analyzes SpamAssassin results from email headers
@@ -39,18 +40,26 @@ func NewSpamAssassinAnalyzer() *SpamAssassinAnalyzer {
 }
 
 // AnalyzeSpamAssassin extracts and analyzes SpamAssassin results from email headers
-func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *api.SpamAssassinResult {
+func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *model.SpamAssassinResult {
 	headers := email.GetSpamAssassinHeaders()
 	if len(headers) == 0 {
 		return nil
 	}
 
-	result := &api.SpamAssassinResult{
+	// Require at least X-Spam-Status, X-Spam-Score, or X-Spam-Flag to produce a meaningful report
-		TestDetails: make(map[string]api.SpamTestDetail),
+	_, hasStatus := headers["X-Spam-Status"]
+	_, hasScore := headers["X-Spam-Score"]
+	_, hasFlag := headers["X-Spam-Flag"]
+	if !hasStatus && !hasScore && !hasFlag {
+		return nil
+	}
+
+	result := &model.SpamAssassinResult{
+		TestDetails: make(map[string]model.SpamTestDetail),
 	}
 
 	// Parse X-Spam-Status header
-	if statusHeader, ok := headers["X-Spam-Status"]; ok {
+	if statusHeader, ok := headers["X-Spam-Status"]; ok && statusHeader != "" {
 		a.parseSpamStatus(statusHeader, result)
 	}
 
@@ -68,13 +77,13 @@ func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *api.Spa
 
 	// Parse X-Spam-Report header for detailed test results
 	if reportHeader, ok := headers["X-Spam-Report"]; ok {
-		result.Report = api.PtrTo(strings.Replace(reportHeader, " * ", "\n* ", -1))
+		result.Report = utils.PtrTo(strings.Replace(reportHeader, " * ", "\n* ", -1))
 		a.parseSpamReport(reportHeader, result)
 	}
 
 	// Parse X-Spam-Checker-Version
 	if versionHeader, ok := headers["X-Spam-Checker-Version"]; ok {
-		result.Version = api.PtrTo(strings.TrimSpace(versionHeader))
+		result.Version = utils.PtrTo(strings.TrimSpace(versionHeader))
 	}
 
 	return result
@@ -82,7 +91,7 @@ func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *api.Spa
 
 // parseSpamStatus parses the X-Spam-Status header
 // Format: Yes/No, score=5.5 required=5.0 tests=TEST1,TEST2,TEST3 autolearn=no
-func (a *SpamAssassinAnalyzer) parseSpamStatus(header string, result *api.SpamAssassinResult) {
+func (a *SpamAssassinAnalyzer) parseSpamStatus(header string, result *model.SpamAssassinResult) {
 	// Check if spam (first word)
 	parts := strings.SplitN(header, ",", 2)
 	if len(parts) > 0 {
@@ -126,7 +135,7 @@ func (a *SpamAssassinAnalyzer) parseSpamStatus(header string, result *api.SpamAs
 // *  0.0 TEST_NAME Description line 1
 // *      continuation line 2
 // *      continuation line 3
-func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAssassinResult) {
+func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *model.SpamAssassinResult) {
 	segments := strings.Split(report, "*")
 
 	// Regex to match test lines: score TEST_NAME Description
@@ -148,7 +157,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 			// Save previous test if exists
 			if currentTestName != "" {
 				description := strings.TrimSpace(currentDescription.String())
-				detail := api.SpamTestDetail{
+				detail := model.SpamTestDetail{
 					Name:        currentTestName,
 					Score:       result.TestDetails[currentTestName].Score,
 					Description: &description,
@@ -166,7 +175,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 			currentDescription.WriteString(description)
 
 			// Initialize with score
-			result.TestDetails[testName] = api.SpamTestDetail{
+			result.TestDetails[testName] = model.SpamTestDetail{
 				Name:  testName,
 				Score: float32(score),
 			}
@@ -183,7 +192,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 	// Save the last test if exists
 	if currentTestName != "" {
 		description := strings.TrimSpace(currentDescription.String())
-		detail := api.SpamTestDetail{
+		detail := model.SpamTestDetail{
 			Name:        currentTestName,
 			Score:       result.TestDetails[currentTestName].Score,
 			Description: &description,
@@ -193,7 +202,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 }
 
 // CalculateSpamAssassinScore calculates the SpamAssassin contribution to deliverability
-func (a *SpamAssassinAnalyzer) CalculateSpamAssassinScore(result *api.SpamAssassinResult) (int, string) {
+func (a *SpamAssassinAnalyzer) CalculateSpamAssassinScore(result *model.SpamAssassinResult) (int, string) {
 	if result == nil {
 		return 100, "" // No spam scan results, assume good
 	}

pkg/analyzer/spamassassin_test.go

@@ -27,7 +27,8 @@ import (
 	"strings"
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseSpamStatus(t *testing.T) {
@@ -77,8 +78,8 @@ func TestParseSpamStatus(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := &api.SpamAssassinResult{
+			result := &model.SpamAssassinResult{
-				TestDetails: make(map[string]api.SpamTestDetail),
+				TestDetails: make(map[string]model.SpamTestDetail),
 			}
 			analyzer.parseSpamStatus(tt.header, result)
 
@@ -115,27 +116,27 @@ func TestParseSpamReport(t *testing.T) {
 `
 
 	analyzer := NewSpamAssassinAnalyzer()
-	result := &api.SpamAssassinResult{
+	result := &model.SpamAssassinResult{
-		TestDetails: make(map[string]api.SpamTestDetail),
+		TestDetails: make(map[string]model.SpamTestDetail),
 	}
 
 	analyzer.parseSpamReport(report, result)
 
-	expectedTests := map[string]api.SpamTestDetail{
+	expectedTests := map[string]model.SpamTestDetail{
 		"BAYES_99": {
 			Name:        "BAYES_99",
 			Score:       5.0,
-			Description: api.PtrTo("Bayes spam probability is 99 to 100%"),
+			Description: utils.PtrTo("Bayes spam probability is 99 to 100%"),
 		},
 		"SPOOFED_SENDER": {
 			Name:        "SPOOFED_SENDER",
 			Score:       3.5,
-			Description: api.PtrTo("From address doesn't match envelope sender"),
+			Description: utils.PtrTo("From address doesn't match envelope sender"),
 		},
 		"ALL_TRUSTED": {
 			Name:        "ALL_TRUSTED",
 			Score:       -1.0,
-			Description: api.PtrTo("All mail servers are trusted"),
+			Description: utils.PtrTo("All mail servers are trusted"),
 		},
 	}
 
@@ -157,7 +158,7 @@ func TestParseSpamReport(t *testing.T) {
 func TestGetSpamAssassinScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		result        *api.SpamAssassinResult
+		result        *model.SpamAssassinResult
 		expectedScore int
 		minScore      int
 		maxScore      int
@@ -169,7 +170,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Excellent score (negative)",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         -2.5,
 				RequiredScore: 5.0,
 			},
@@ -177,7 +178,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Good score (below threshold)",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         2.0,
 				RequiredScore: 5.0,
 			},
@@ -185,7 +186,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Score at threshold",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         5.0,
 				RequiredScore: 5.0,
 			},
@@ -193,7 +194,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Above threshold (spam)",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         6.0,
 				RequiredScore: 5.0,
 			},
@@ -201,7 +202,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "High spam score",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         12.0,
 				RequiredScore: 5.0,
 			},
@@ -209,7 +210,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Very high spam score",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         20.0,
 				RequiredScore: 5.0,
 			},

web/package.json

@@ -17,13 +17,13 @@
     },
     "devDependencies": {
         "@eslint/compat": "^2.0.0",
-        "@eslint/js": "^9.36.0",
+        "@eslint/js": "^10.0.0",
         "@hey-api/openapi-ts": "0.86.10",
         "@sveltejs/adapter-static": "^3.0.9",
         "@sveltejs/kit": "^2.43.2",
-        "@sveltejs/vite-plugin-svelte": "^6.2.0",
+        "@sveltejs/vite-plugin-svelte": "^7.0.0",
         "@types/node": "^24.0.0",
-        "eslint": "^9.38.0",
+        "eslint": "^10.0.0",
         "eslint-config-prettier": "^10.1.8",
         "eslint-plugin-svelte": "^3.12.4",
         "globals": "^17.0.0",
@@ -33,7 +33,7 @@
         "svelte-check": "^4.3.2",
         "typescript": "^5.9.2",
         "typescript-eslint": "^8.44.1",
-        "vite": "^7.1.10",
+        "vite": "^8.0.0",
         "vitest": "^3.2.4"
     },
     "dependencies": {

web/routes.go

@@ -70,6 +70,10 @@ func DeclareRoutes(cfg *config.Config, router *gin.Engine) {
 		appConfig["custom_logo_url"] = cfg.CustomLogoURL
 	}
 
+	if !cfg.DisableTestList {
+		appConfig["test_list_enabled"] = true
+	}
+
 	if appcfg, err := json.MarshalIndent(appConfig, "", "  "); err != nil {
 		log.Println("Unable to generate JSON config to inject in web application")
 	} else {
@@ -95,6 +99,7 @@ func DeclareRoutes(cfg *config.Config, router *gin.Engine) {
 	router.GET("/domain/:domain", serveOrReverse("/", cfg))
 	router.GET("/test/", serveOrReverse("/", cfg))
 	router.GET("/test/:testid", serveOrReverse("/", cfg))
+	router.GET("/history/", serveOrReverse("/", cfg))
 	router.GET("/favicon.png", func(c *gin.Context) { c.Writer.Header().Set("Cache-Control", "public, max-age=604800, immutable") }, serveOrReverse("", cfg))
 	router.GET("/img/*path", serveOrReverse("", cfg))
 

web/src/lib/components/AuthenticationCard.svelte

@@ -13,12 +13,19 @@
 
     let { authentication, authenticationGrade, authenticationScore, dnsResults }: Props = $props();
 
+    let allRequiredMissing = $derived(
+        !authentication.spf &&
+            (!authentication.dkim || authentication.dkim.length === 0) &&
+            !authentication.dmarc,
+    );
+
     function getAuthResultClass(result: string, noneIsFail: boolean): string {
         switch (result) {
             case "pass":
             case "domain_pass":
             case "orgdomain_pass":
                 return "text-success";
+            case "permerror":
             case "error":
             case "fail":
             case "missing":
@@ -51,6 +58,7 @@
             case "neutral":
             case "invalid":
             case "null":
+            case "permerror":
             case "error":
             case "null_smtp":
             case "null_header":
@@ -95,6 +103,28 @@
             </span>
         </h4>
     </div>
+    {#if allRequiredMissing}
+        <div class="card-body border-bottom">
+            <div class="alert alert-warning mb-0">
+                <i class="bi bi-exclamation-triangle-fill me-2"></i>
+                <strong>No authentication results found.</strong>
+                <p class="mb-0 mt-1">
+                    This usually means either:
+                </p>
+                <ul class="mb-0 mt-1">
+                    <li>
+                        The receiving mail server is not configured to verify email authentication
+                        (no <code>Authentication-Results</code> header was found in the message).
+                    </li>
+                    <li>
+                        The <code>Authentication-Results</code> header exists but the receiver
+                        hostname does not match the configured
+                        <code>--receiver-hostname</code> value.
+                    </li>
+                </ul>
+            </div>
+        </div>
+    {/if}
     <div class="list-group list-group-flush">
         <!-- IPREV -->
         {#if authentication.iprev}

web/src/lib/components/BlacklistCard.svelte

@@ -1,23 +1,21 @@
 <script lang="ts">
-    import type { BlacklistCheck, ReceivedHop } from "$lib/api/types.gen";
+    import type { BlacklistCheck } from "$lib/api/types.gen";
     import { getScoreColorClass } from "$lib/score";
     import { theme } from "$lib/stores/theme";
-    import EmailPathCard from "./EmailPathCard.svelte";
     import GradeDisplay from "./GradeDisplay.svelte";
 
     interface Props {
         blacklists: Record<string, BlacklistCheck[]>;
         blacklistGrade?: string;
         blacklistScore?: number;
-        receivedChain?: ReceivedHop[];
     }
 
-    let { blacklists, blacklistGrade, blacklistScore, receivedChain }: Props = $props();
+    let { blacklists, blacklistGrade, blacklistScore }: Props = $props();
 </script>
 
 <div class="card shadow-sm" id="rbl-details">
     <div class="card-header" class:bg-white={$theme === "light"} class:bg-dark={$theme !== "light"}>
-        <h4 class="mb-0 d-flex justify-content-between align-items-center">
+        <h4 class="mb-0 d-flex flex-wrap justify-content-between align-items-center">
             <span>
                 <i class="bi bi-shield-exclamation me-2"></i>
                 Blacklist Checks
@@ -35,11 +33,7 @@
         </h4>
     </div>
     <div class="card-body">
-        {#if receivedChain}
+        <div class="row row-cols-1 row-cols-lg-2 overflow-auto">
-            <EmailPathCard {receivedChain} />
-        {/if}
-
-        <div class="row row-cols-1 row-cols-lg-2">
             {#each Object.entries(blacklists) as [ip, checks]}
                 <div class="col mb-3">
                     <h5 class="text-muted">

web/src/lib/components/EmailPathCard.svelte

@@ -1,5 +1,6 @@
 <script lang="ts">
     import type { ReceivedHop } from "$lib/api/types.gen";
+    import { theme } from "$lib/stores/theme";
 
     interface Props {
         receivedChain: ReceivedHop[];
@@ -9,9 +10,18 @@
 </script>
 
 {#if receivedChain && receivedChain.length > 0}
-    <div class="mb-3" id="email-path">
+    <div class="card shadow-sm" id="email-path">
-        <h5>Email Path (Received Chain)</h5>
+        <div
-        <div class="list-group">
+            class="card-header"
+            class:bg-white={$theme === "light"}
+            class:bg-dark={$theme !== "light"}
+        >
+            <h4 class="mb-0">
+                <i class="bi bi-pin-map me-2"></i>
+                Email Path
+            </h4>
+        </div>
+        <div class="list-group list-group-flush">
             {#each receivedChain as hop, i}
                 <div class="list-group-item">
                     <div class="d-flex w-100 justify-content-between">
@@ -30,7 +40,7 @@
                                 : "-"}
                         </small>
                     </div>
-                    {#if hop.with || hop.id}
+                    {#if hop.with || hop.id || hop.from}
                         <p class="mb-1 small d-flex gap-3">
                             {#if hop.with}
                                 <span>

web/src/lib/components/HeaderAnalysisCard.svelte

@@ -11,7 +11,7 @@
         headerScore?: number;
     }
 
-    let { dmarcRecord, headerAnalysis, headerGrade, headerScore, xAlignedFrom }: Props = $props();
+    let { dmarcRecord, headerAnalysis, headerGrade, headerScore }: Props = $props();
 </script>
 
 <div class="card shadow-sm" id="header-details">

web/src/lib/components/HistoryTable.svelte

@@ -0,0 +1,72 @@
+<script lang="ts">
+    import { goto } from "$app/navigation";
+
+    import type { TestSummary } from "$lib/api/types.gen";
+    import GradeDisplay from "./GradeDisplay.svelte";
+
+    interface Props {
+        tests: TestSummary[];
+    }
+
+    let { tests }: Props = $props();
+
+    function formatDate(dateStr: string): string {
+        const date = new Date(dateStr);
+        return date.toLocaleDateString(undefined, {
+            year: "numeric",
+            month: "short",
+            day: "numeric",
+            hour: "2-digit",
+            minute: "2-digit",
+        });
+    }
+</script>
+
+<div class="table-responsive shadow-sm">
+    <table class="table table-hover mb-0 align-middle">
+        <thead>
+            <tr>
+                <th class="ps-4" style="width: 80px;">Grade</th>
+                <th style="width: 80px;">Score</th>
+                <th>Domain</th>
+                <th>Date</th>
+                <th style="width: 50px;"></th>
+            </tr>
+        </thead>
+        <tbody>
+            {#each tests as test}
+                <tr class="cursor-pointer" onclick={() => goto(`/test/${test.test_id}`)}>
+                    <td class="ps-4">
+                        <GradeDisplay grade={test.grade} size="small" />
+                    </td>
+                    <td>
+                        <span class="badge bg-secondary">{test.score}%</span>
+                    </td>
+                    <td>
+                        {#if test.from_domain}
+                            <code>{test.from_domain}</code>
+                        {:else}
+                            <span class="text-muted">-</span>
+                        {/if}
+                    </td>
+                    <td class="text-muted">
+                        {formatDate(test.created_at)}
+                    </td>
+                    <td>
+                        <i class="bi bi-chevron-right text-muted"></i>
+                    </td>
+                </tr>
+            {/each}
+        </tbody>
+    </table>
+</div>
+
+<style>
+    .cursor-pointer {
+        cursor: pointer;
+    }
+
+    .cursor-pointer:hover td {
+        background-color: var(--bs-tertiary-bg);
+    }
+</style>

web/src/lib/components/PtrForwardRecordsDisplay.svelte

@@ -21,6 +21,11 @@
     );
 
     const hasForwardRecords = $derived(ptrForwardRecords && ptrForwardRecords.length > 0);
+
+    let showDifferent = $state(false);
+    const differentCount = $derived(
+        ptrForwardRecords ? ptrForwardRecords.filter((ip) => ip !== senderIp).length : 0,
+    );
 </script>
 
 {#if ptrRecords && ptrRecords.length > 0}
@@ -63,15 +68,31 @@
                     <div class="mb-2">
                         <strong>Forward Resolution (A/AAAA):</strong>
                         {#each ptrForwardRecords as ip}
-                            <div class="d-flex gap-2 align-items-center mt-1">
+                            {#if ip === senderIp || !fcrDnsIsValid || showDifferent}
-                                {#if senderIp && ip === senderIp}
+                                <div class="d-flex gap-2 align-items-center mt-1">
-                                    <span class="badge bg-success">Match</span>
+                                    {#if senderIp && ip === senderIp}
-                                {:else}
+                                        <span class="badge bg-success">Match</span>
-                                    <span class="badge bg-warning">Different</span>
+                                    {:else}
-                                {/if}
+                                        <span class="badge bg-secondary">Different</span>
-                                <code>{ip}</code>
+                                    {/if}
-                            </div>
+                                    <code>{ip}</code>
+                                </div>
+                            {/if}
                         {/each}
+                        {#if fcrDnsIsValid && differentCount > 0}
+                            <div class="mt-1">
+                                <button
+                                    class="btn btn-link btn-sm p-0 text-muted"
+                                    onclick={() => (showDifferent = !showDifferent)}
+                                >
+                                    {#if showDifferent}
+                                        Hide other IPs
+                                    {:else}
+                                        Show {differentCount} other IP{differentCount > 1 ? 's' : ''} (not the sender)
+                                    {/if}
+                                </button>
+                            </div>
+                        {/if}
                     </div>
                     {#if fcrDnsIsValid}
                         <div class="alert alert-success mb-0 mt-2">

web/src/lib/components/RspamdCard.svelte

@@ -0,0 +1,153 @@
+<script lang="ts">
+    import type { RspamdResult } from "$lib/api/types.gen";
+    import { getScoreColorClass } from "$lib/score";
+    import { theme } from "$lib/stores/theme";
+    import GradeDisplay from "./GradeDisplay.svelte";
+
+    interface Props {
+        rspamd: RspamdResult;
+    }
+
+    let { rspamd }: Props = $props();
+
+    // Derive effective action from score vs known rspamd default thresholds.
+    // The action header is unreliable in milter setups (always "no action").
+    const RSPAMD_GREYLIST_THRESHOLD = 4;
+    const RSPAMD_ADD_HEADER_THRESHOLD = 6;
+
+    const effectiveAction = $derived.by(() => {
+        const rejectThreshold = rspamd.threshold > 0 ? rspamd.threshold : 15;
+        if (rspamd.score >= rejectThreshold) return { label: "Reject", cls: "bg-danger" };
+        if (rspamd.score >= RSPAMD_ADD_HEADER_THRESHOLD)
+            return { label: "Add header", cls: "bg-warning text-dark" };
+        if (rspamd.score >= RSPAMD_GREYLIST_THRESHOLD)
+            return { label: "Greylist", cls: "bg-warning text-dark" };
+        return { label: "No action", cls: "bg-success" };
+    });
+</script>
+
+<div class="card shadow-sm" id="rspamd-details">
+    <div class="card-header {$theme === 'light' ? 'bg-white' : 'bg-dark'}">
+        <h4 class="mb-0 d-flex justify-content-between align-items-center">
+            <span>
+                <i class="bi bi-bug me-2"></i>
+                rspamd Analysis
+            </span>
+            <span>
+                {#if rspamd.deliverability_score !== undefined}
+                    <span class="badge bg-{getScoreColorClass(rspamd.deliverability_score)}">
+                        {rspamd.deliverability_score}%
+                    </span>
+                {/if}
+                {#if rspamd.deliverability_grade !== undefined}
+                    <GradeDisplay grade={rspamd.deliverability_grade} size="small" />
+                {/if}
+            </span>
+        </h4>
+    </div>
+    <div class="card-body">
+        <div class="row mb-3">
+            <div class="col-md-4">
+                <strong>Score:</strong>
+                <span class={rspamd.is_spam ? "text-danger" : "text-success"}>
+                    {rspamd.score.toFixed(2)} / {rspamd.threshold.toFixed(1)}
+                </span>
+            </div>
+            <div class="col-md-4">
+                <strong>Classified as:</strong>
+                <span class="badge {rspamd.is_spam ? 'bg-danger' : 'bg-success'} ms-2">
+                    {rspamd.is_spam ? "SPAM" : "HAM"}
+                </span>
+            </div>
+            <div class="col-md-4">
+                <strong>Action:</strong>
+                <span class="badge {effectiveAction.cls} ms-2">
+                    {effectiveAction.label}
+                </span>
+            </div>
+        </div>
+
+        {#if rspamd.symbols && Object.keys(rspamd.symbols).length > 0}
+            <div class="mb-3">
+                <div class="table-responsive mt-2">
+                    <table class="table table-sm table-hover">
+                        <thead>
+                            <tr>
+                                <th>Symbol</th>
+                                <th class="text-end">Score</th>
+                                <th>Description</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {#each Object.entries(rspamd.symbols).sort(([, a], [, b]) => b.score - a.score) as [symbolName, symbol]}
+                                <tr
+                                    class={symbol.score > 0
+                                        ? "table-warning"
+                                        : symbol.score < 0
+                                          ? "table-success"
+                                          : ""}
+                                >
+                                    <td>
+                                        <span class="font-monospace">{symbolName}</span>
+                                        {#if symbol.params}
+                                            <small class="d-block text-muted">
+                                                {symbol.params}
+                                            </small>
+                                        {/if}
+                                    </td>
+                                    <td class="text-end">
+                                        <span
+                                            class={symbol.score > 0
+                                                ? "text-danger fw-bold"
+                                                : symbol.score < 0
+                                                  ? "text-success fw-bold"
+                                                  : "text-muted"}
+                                        >
+                                            {symbol.score > 0 ? "+" : ""}{symbol.score.toFixed(2)}
+                                        </span>
+                                    </td>
+                                    <td class="small text-muted">{symbol.description ?? ""}</td>
+                                </tr>
+                            {/each}
+                        </tbody>
+                    </table>
+                </div>
+            </div>
+        {/if}
+
+        {#if rspamd.report}
+            <details class="mt-3">
+                <summary class="cursor-pointer fw-bold">Raw Report</summary>
+                <pre
+                    class="mt-2 small {$theme === 'light'
+                        ? 'bg-light'
+                        : 'bg-secondary'} p-3 rounded">{rspamd.report}</pre>
+            </details>
+        {/if}
+    </div>
+</div>
+
+<style>
+    .cursor-pointer {
+        cursor: pointer;
+    }
+
+    details summary {
+        user-select: none;
+    }
+
+    details summary:hover {
+        color: var(--bs-primary);
+    }
+
+    /* Darker table colors in dark mode */
+    :global([data-bs-theme="dark"]) .table-warning {
+        --bs-table-bg: rgba(255, 193, 7, 0.2);
+        --bs-table-border-color: rgba(255, 193, 7, 0.3);
+    }
+
+    :global([data-bs-theme="dark"]) .table-success {
+        --bs-table-bg: rgba(25, 135, 84, 0.2);
+        --bs-table-border-color: rgba(25, 135, 84, 0.3);
+    }
+</style>

web/src/lib/components/SpamAssassinCard.svelte

@@ -6,11 +6,9 @@
 
     interface Props {
         spamassassin: SpamAssassinResult;
-        spamGrade?: string;
-        spamScore?: number;
     }
 
-    let { spamassassin, spamGrade, spamScore }: Props = $props();
+    let { spamassassin }: Props = $props();
 </script>
 
 <div class="card shadow-sm" id="spam-details">
@@ -21,13 +19,13 @@
                 SpamAssassin Analysis
             </span>
             <span>
-                {#if spamScore !== undefined}
+                {#if spamassassin.deliverability_score !== undefined}
-                    <span class="badge bg-{getScoreColorClass(spamScore)}">
+                    <span class="badge bg-{getScoreColorClass(spamassassin.deliverability_score)}">
-                        {spamScore}%
+                        {spamassassin.deliverability_score}%
                     </span>
                 {/if}
-                {#if spamGrade !== undefined}
+                {#if spamassassin.deliverability_grade !== undefined}
-                    <GradeDisplay grade={spamGrade} size="small" />
+                    <GradeDisplay grade={spamassassin.deliverability_grade} size="small" />
                 {/if}
             </span>
         </h4>

web/src/lib/components/SummaryCard.svelte

@@ -25,16 +25,32 @@
 
         // Email sender information
         const mailFrom = report.header_analysis?.headers?.from?.value || "an unknown sender";
-        const hasDkim = report.authentication?.dkim && report.authentication?.dkim.length > 0;
+        const hasDkim =
-        const dkimPassed = hasDkim && report.authentication?.dkim?.some((d) => d.result === "pass");
+            report.dns_results?.dkim_records && report.dns_results?.dkim_records?.length > 0;
+        const dkimPassed =
+            report.authentication?.dkim &&
+            report.authentication?.dkim.length > 0 &&
+            report.authentication?.dkim?.some((d) => d.result === "pass");
 
         segments.push({ text: "Received a " });
         segments.push({
-            text: dkimPassed ? "DKIM-signed" : "non-DKIM-signed",
+            text: hasDkim ? "DKIM-signed" : "non-DKIM-signed",
-            highlight: { color: dkimPassed ? "good" : "danger", bold: true },
+            highlight: {
-            link: "#authentication-dkim",
+                color: hasDkim ? (dkimPassed ? "good" : "warning") : "danger",
+                bold: true,
+            },
+            link: hasDkim && dkimPassed ? "#authentication-dkim" : "#dns-details",
         });
-        segments.push({ text: " email from " });
+        segments.push({ text: " email" });
+        if (hasDkim && !dkimPassed) {
+            segments.push({ text: " with " });
+            segments.push({
+                text: "an invalid signature",
+                highlight: { color: "danger", bold: true },
+                link: "#authentication-dkim",
+            });
+        }
+        segments.push({ text: " from " });
         segments.push({
             text: mailFrom,
             highlight: { emphasis: true },
@@ -113,7 +129,7 @@
             } else if (spfResult === "temperror" || spfResult === "permerror") {
                 segments.push({
                     text: "encountered an error",
-                    highlight: { color: "warning", bold: true },
+                    highlight: { color: "danger", bold: true },
                     link: "#authentication-spf",
                 });
                 segments.push({ text: ", check your SPF record configuration" });
@@ -331,7 +347,7 @@
                     highlight: { color: "good", bold: true },
                     link: "#dns-bimi",
                 });
-                if (bimiResult.details && bimiResult.details.indexOf("declined") == 0) {
+                if (bimiResult?.details && bimiResult.details.indexOf("declined") == 0) {
                     segments.push({ text: " declined to participate" });
                 } else if (bimiResult?.result === "fail") {
                     segments.push({ text: " but " });
@@ -422,6 +438,17 @@
             });
         }
 
+        // One-click unsubscribe check
+        const unsubscribeMethods = report.content_analysis?.unsubscribe_methods;
+        if (unsubscribeMethods && unsubscribeMethods.length > 0 && !unsubscribeMethods.includes("one-click")) {
+            segments.push({ text: ". This email could benefit from " });
+            segments.push({
+                text: "one-click unsubscribe",
+                highlight: { color: "warning", bold: true },
+                link: "#content-details",
+            });
+        }
+
         // Content/spam assessment
         const spamAssassin = report.spamassassin;
         const contentScore = report.summary?.content_score || 0;

web/src/lib/components/WhitelistCard.svelte

@@ -0,0 +1,62 @@
+<script lang="ts">
+    import type { BlacklistCheck } from "$lib/api/types.gen";
+    import { theme } from "$lib/stores/theme";
+
+    interface Props {
+        whitelists: Record<string, BlacklistCheck[]>;
+    }
+
+    let { whitelists }: Props = $props();
+</script>
+
+<div class="card shadow-sm" id="dnswl-details">
+    <div class="card-header" class:bg-white={$theme === "light"} class:bg-dark={$theme !== "light"}>
+        <h4 class="mb-0 d-flex flex-wrap justify-content-between align-items-center">
+            <span>
+                <i class="bi bi-shield-check me-2"></i>
+                Whitelist Checks
+            </span>
+            <span class="badge bg-info text-white">Informational</span>
+        </h4>
+    </div>
+    <div class="card-body">
+        <p class="text-muted small mb-3">
+            DNS whitelists identify trusted senders. Being listed here is a positive signal, but has
+            no impact on the overall score.
+        </p>
+
+        <div class="row row-cols-1 row-cols-lg-2 overflow-auto">
+            {#each Object.entries(whitelists) as [ip, checks]}
+                <div class="col mb-3">
+                    <h5 class="text-muted">
+                        <i class="bi bi-hdd-network me-1"></i>
+                        {ip}
+                    </h5>
+                    <table class="table table-sm table-striped table-hover mb-0">
+                        <tbody>
+                            {#each checks as check}
+                                <tr>
+                                    <td title={check.response || "-"}>
+                                        <span
+                                            class="badge"
+                                            class:bg-success={check.listed}
+                                            class:bg-dark={check.error}
+                                            class:bg-secondary={!check.listed && !check.error}
+                                        >
+                                            {check.error
+                                                ? "Error"
+                                                : check.listed
+                                                  ? "Listed"
+                                                  : "Not listed"}
+                                        </span>
+                                    </td>
+                                    <td><code>{check.rbl}</code></td>
+                                </tr>
+                            {/each}
+                        </tbody>
+                    </table>
+                </div>
+            {/each}
+        </div>
+    </div>
+</div>

web/src/lib/components/index.ts

@@ -19,7 +19,10 @@ export { default as PendingState } from "./PendingState.svelte";
 export { default as PtrForwardRecordsDisplay } from "./PtrForwardRecordsDisplay.svelte";
 export { default as PtrRecordsDisplay } from "./PtrRecordsDisplay.svelte";
 export { default as ScoreCard } from "./ScoreCard.svelte";
+export { default as RspamdCard } from "./RspamdCard.svelte";
 export { default as SpamAssassinCard } from "./SpamAssassinCard.svelte";
 export { default as SpfRecordsDisplay } from "./SpfRecordsDisplay.svelte";
 export { default as SummaryCard } from "./SummaryCard.svelte";
+export { default as HistoryTable } from "./HistoryTable.svelte";
 export { default as TinySurvey } from "./TinySurvey.svelte";
+export { default as WhitelistCard } from "./WhitelistCard.svelte";

web/src/lib/stores/config.ts

@@ -25,6 +25,8 @@ interface AppConfig {
     report_retention?: number;
     survey_url?: string;
     custom_logo_url?: string;
+    rbls?: string[];
+    test_list_enabled?: boolean;
 }
 
 const defaultConfig: AppConfig = {

web/src/lib/stores/theme.ts

@@ -26,7 +26,7 @@ const getInitialTheme = () => {
     if (!browser) return "light";
 
     const stored = localStorage.getItem("theme");
-    if (stored) return stored;
+    if (stored === "light" || stored === "dark") return stored;
 
     return window.matchMedia("(prefers-color-scheme: dark)").matches ? "dark" : "light";
 };

web/src/routes/+layout.svelte

@@ -40,7 +40,17 @@
                     <Logo color={$theme === "light" ? "black" : "white"} />
                 {/if}
             </a>
-            <div>
+            {#if $appConfig.test_list_enabled}
+                <ul class="navbar-nav me-auto">
+                    <li class="nav-item">
+                        <a class="nav-link" href="/history/">
+                            <i class="bi bi-clock-history me-1"></i>
+                            History
+                        </a>
+                    </li>
+                </ul>
+            {/if}
+            <div class="d-flex align-items-center">
                 <span class="d-none d-md-inline navbar-text text-primary small">
                     Open-Source Email Deliverability Tester
                 </span>

web/src/routes/+page.svelte

@@ -1,12 +1,30 @@
 <script lang="ts">
     import { goto } from "$app/navigation";
 
-    import { createTest as apiCreateTest } from "$lib/api";
+    import { createTest as apiCreateTest, listTests } from "$lib/api";
-    import { FeatureCard, HowItWorksStep } from "$lib/components";
+    import type { TestSummary } from "$lib/api/types.gen";
+    import { FeatureCard, HowItWorksStep, HistoryTable } from "$lib/components";
     import { appConfig } from "$lib/stores/config";
 
     let loading = $state(false);
     let error = $state<string | null>(null);
+    let recentTests = $state<TestSummary[]>([]);
+
+    async function loadRecentTests() {
+        if (!$appConfig.test_list_enabled) return;
+        try {
+            const response = await listTests({ query: { offset: 0, limit: 5 } });
+            if (response.data) {
+                recentTests = response.data.tests;
+            }
+        } catch {
+            // Silently ignore — this is a non-critical section
+        }
+    }
+
+    $effect(() => {
+        loadRecentTests();
+    });
 
     async function createTest() {
         loading = true;
@@ -176,6 +194,32 @@
     </div>
 </section>
 
+<!-- Recently Tested -->
+{#if $appConfig.test_list_enabled && recentTests.length > 0}
+    <section class="py-5 border-bottom border-3" id="recent">
+        <div class="container py-4">
+            <div class="row text-center mb-5">
+                <div class="col-lg-8 mx-auto">
+                    <h2 class="display-5 fw-bold mb-3">Recently Tested</h2>
+                    <p class="text-muted">Latest deliverability reports from this instance</p>
+                </div>
+            </div>
+
+            <div class="row">
+                <div class="col-lg-10 mx-auto">
+                    <HistoryTable tests={recentTests} />
+                    <div class="text-center mt-4">
+                        <a href="/history/" class="btn btn-outline-primary">
+                            <i class="bi bi-clock-history me-2"></i>
+                            View All Tests
+                        </a>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </section>
+{/if}
+
 <!-- Features Section -->
 <section class="py-5" id="features">
     <div class="container py-4">

web/src/routes/blacklist/[ip]/+page.svelte

@@ -3,7 +3,7 @@
     import { onMount } from "svelte";
     import { checkBlacklist } from "$lib/api";
     import type { BlacklistCheckResponse } from "$lib/api/types.gen";
-    import { BlacklistCard, GradeDisplay, TinySurvey } from "$lib/components";
+    import { BlacklistCard, GradeDisplay, TinySurvey, WhitelistCard } from "$lib/components";
     import { theme } from "$lib/stores/theme";
 
     let ip = $derived($page.params.ip);
@@ -28,7 +28,7 @@
             });
 
             if (response.response.ok) {
-                result = response.data;
+                result = response.data ?? null;
             } else if (response.error) {
                 error = response.error.message || "Failed to check IP address";
             }
@@ -122,8 +122,8 @@
                                             >
                                             <p class="mb-0 mt-1 small">
                                                 This IP address is listed on {result.listed_count} of
-                                                {result.checks.length} checked blacklist{result
+                                                {result.blacklists.length} checked blacklist{result
-                                                    .checks.length > 1
+                                                    .blacklists.length > 1
                                                     ? "s"
                                                     : ""}.
                                             </p>
@@ -150,12 +150,23 @@
                         </div>
                     </div>
 
-                    <!-- Blacklist Results Card -->
+                    <div class="row">
-                    <BlacklistCard
+                        <!-- Blacklist Results Card -->
-                        blacklists={{ [result.ip]: result.checks }}
+                        <div class="col col-lg-6">
-                        blacklistScore={result.score}
+                            <BlacklistCard
-                        blacklistGrade={result.grade}
+                                blacklists={{ [result.ip]: result.blacklists }}
-                    />
+                                blacklistScore={result.score}
+                                blacklistGrade={result.grade}
+                            />
+                        </div>
+
+                        <!-- Whitelist Results Card -->
+                        {#if result.whitelists && result.whitelists.length > 0}
+                            <div class="col col-lg-6">
+                                <WhitelistCard whitelists={{ [result.ip]: result.whitelists }} />
+                            </div>
+                        {/if}
+                    </div>
 
                     <!-- Information Card -->
                     <div class="card shadow-sm mt-4">

web/src/routes/domain/[domain]/+page.svelte

@@ -130,7 +130,7 @@
                             <div class="d-flex justify-content-end me-lg-5 mt-3">
                                 <TinySurvey
                                     class="bg-primary-subtle rounded-4 p-3 text-center"
-                                    source={"rbl-" + result.ip}
+                                    source={"domain-" + result.domain}
                                 />
                             </div>
                         </div>

web/src/routes/history/+page.svelte

@@ -0,0 +1,189 @@
+<script lang="ts">
+    import { goto } from "$app/navigation";
+
+    import { listTests, createTest as apiCreateTest } from "$lib/api";
+    import type { TestSummary } from "$lib/api/types.gen";
+    import { HistoryTable } from "$lib/components";
+
+    let tests = $state<TestSummary[]>([]);
+    let total = $state(0);
+    let offset = $state(0);
+    let limit = $state(20);
+    let loading = $state(true);
+    let error = $state<string | null>(null);
+    let creatingTest = $state(false);
+
+    async function loadTests() {
+        loading = true;
+        error = null;
+
+        try {
+            const response = await listTests({ query: { offset, limit } });
+            if (response.data) {
+                tests = response.data.tests;
+                total = response.data.total;
+            } else if (response.error) {
+                if (
+                    response.error &&
+                    typeof response.error === "object" &&
+                    "error" in response.error &&
+                    response.error.error === "feature_disabled"
+                ) {
+                    error = "Test listing is disabled on this instance.";
+                } else {
+                    error = "Failed to load tests.";
+                }
+            }
+        } catch (err) {
+            error = err instanceof Error ? err.message : "Failed to load tests.";
+        } finally {
+            loading = false;
+        }
+    }
+
+    $effect(() => {
+        loadTests();
+    });
+
+    function goToPage(newOffset: number) {
+        offset = newOffset;
+        loadTests();
+    }
+
+    async function createTest() {
+        creatingTest = true;
+        try {
+            const response = await apiCreateTest();
+            if (response.data) {
+                goto(`/test/${response.data.id}`);
+            }
+        } catch (err) {
+            error = err instanceof Error ? err.message : "Failed to create test";
+        } finally {
+            creatingTest = false;
+        }
+    }
+
+    let totalPages = $derived(Math.ceil(total / limit));
+    let currentPage = $derived(Math.floor(offset / limit) + 1);
+</script>
+
+<svelte:head>
+    <title>Test History - happyDeliver</title>
+</svelte:head>
+
+<div class="container py-5">
+    <div class="row">
+        <div class="col-lg-10 mx-auto">
+            <div class="d-flex justify-content-between align-items-center mb-4">
+                <h1 class="display-6 fw-bold mb-0">
+                    <i class="bi bi-clock-history me-2"></i>
+                    Test History
+                </h1>
+                <button
+                    class="btn btn-primary"
+                    onclick={createTest}
+                    disabled={creatingTest}
+                >
+                    {#if creatingTest}
+                        <span
+                            class="spinner-border spinner-border-sm me-2"
+                            role="status"
+                        ></span>
+                    {:else}
+                        <i class="bi bi-plus-lg me-1"></i>
+                    {/if}
+                    New Test
+                </button>
+            </div>
+
+            {#if loading}
+                <div class="text-center py-5">
+                    <div
+                        class="spinner-border text-primary"
+                        role="status"
+                        style="width: 3rem; height: 3rem;"
+                    >
+                        <span class="visually-hidden">Loading...</span>
+                    </div>
+                    <p class="mt-3 text-muted">Loading tests...</p>
+                </div>
+            {:else if error}
+                <div class="alert alert-warning text-center" role="alert">
+                    <i class="bi bi-exclamation-triangle me-2"></i>
+                    {error}
+                </div>
+            {:else if tests.length === 0}
+                <div class="text-center py-5">
+                    <i
+                        class="bi bi-inbox display-1 text-muted mb-3 d-block"
+                    ></i>
+                    <h2 class="h4 text-muted mb-3">No tests yet</h2>
+                    <p class="text-muted mb-4">
+                        Send a test email to get your first deliverability
+                        report.
+                    </p>
+                    <button
+                        class="btn btn-primary btn-lg"
+                        onclick={createTest}
+                        disabled={creatingTest}
+                    >
+                        <i class="bi bi-envelope-plus me-2"></i>
+                        Start Your First Test
+                    </button>
+                </div>
+            {:else}
+                <HistoryTable {tests} />
+
+                <!-- Pagination -->
+                {#if totalPages > 1}
+                    <nav class="mt-4 d-flex justify-content-between align-items-center">
+                        <small class="text-muted">
+                            Showing {offset + 1}-{Math.min(
+                                offset + limit,
+                                total,
+                            )} of {total} tests
+                        </small>
+                        <ul class="pagination mb-0">
+                            <li
+                                class="page-item"
+                                class:disabled={currentPage === 1}
+                            >
+                                <button
+                                    class="page-link"
+                                    onclick={() =>
+                                        goToPage(
+                                            Math.max(0, offset - limit),
+                                        )}
+                                    disabled={currentPage === 1}
+                                >
+                                    <i class="bi bi-chevron-left"></i>
+                                    Previous
+                                </button>
+                            </li>
+                            <li class="page-item disabled">
+                                <span class="page-link">
+                                    Page {currentPage} of {totalPages}
+                                </span>
+                            </li>
+                            <li
+                                class="page-item"
+                                class:disabled={currentPage === totalPages}
+                            >
+                                <button
+                                    class="page-link"
+                                    onclick={() =>
+                                        goToPage(offset + limit)}
+                                    disabled={currentPage === totalPages}
+                                >
+                                    Next
+                                    <i class="bi bi-chevron-right"></i>
+                                </button>
+                            </li>
+                        </ul>
+                    </nav>
+                {/if}
+            {/if}
+        </div>
+    </div>
+</div>

web/src/routes/test/[test]/+page.svelte

@@ -3,21 +3,26 @@
     import { onDestroy } from "svelte";
 
     import { getReport, getTest, reanalyzeReport } from "$lib/api";
-    import type { Report, Test } from "$lib/api/types.gen";
+    import type { BlacklistCheck, Report, Test } from "$lib/api/types.gen";
     import {
         AuthenticationCard,
         BlacklistCard,
         ContentAnalysisCard,
         DnsRecordsCard,
+        EmailPathCard,
         ErrorDisplay,
         HeaderAnalysisCard,
         PendingState,
+        RspamdCard,
         ScoreCard,
         SpamAssassinCard,
         SummaryCard,
         TinySurvey,
+        WhitelistCard,
     } from "$lib/components";
 
+    type BlacklistRecords = Record<string, BlacklistCheck[]>;
+
     let testId = $derived(page.params.test);
     let test = $state<Test | null>(null);
     let report = $state<Report | null>(null);
@@ -290,6 +295,15 @@
                 </div>
             </div>
 
+            <!-- Received Chain -->
+            {#if report.header_analysis?.received_chain && report.header_analysis.received_chain.length > 0}
+                <div class="row mb-4" id="received-chain">
+                    <div class="col-12">
+                        <EmailPathCard receivedChain={report.header_analysis.received_chain} />
+                    </div>
+                </div>
+            {/if}
+
             <!-- DNS Records -->
             {#if report.dns_results}
                 <div class="row mb-4" id="dns">
@@ -320,17 +334,45 @@
             {/if}
 
             <!-- Blacklist Checks -->
-            {#if report.blacklists && Object.keys(report.blacklists).length > 0}
+            {#snippet blacklistChecks(blacklists: BlacklistRecords, report: Report)}
-                <div class="row mb-4" id="blacklist">
+                <BlacklistCard
-                    <div class="col-12">
+                    {blacklists}
-                        <BlacklistCard
+                    blacklistGrade={report.summary?.blacklist_grade}
-                            blacklists={report.blacklists}
+                    blacklistScore={report.summary?.blacklist_score}
-                            blacklistGrade={report.summary?.blacklist_grade}
+                />
-                            blacklistScore={report.summary?.blacklist_score}
+            {/snippet}
-                            receivedChain={report.header_analysis?.received_chain}
+
-                        />
+            <!-- Whitelist Checks -->
+            {#snippet whitelistChecks(whitelists: BlacklistRecords)}
+                <WhitelistCard {whitelists} />
+            {/snippet}
+
+            <!-- Blacklist & Whitelist Checks -->
+            {#if report.blacklists && report.whitelists && Object.keys(report.blacklists).length == 1 && Object.keys(report.whitelists).length == 1}
+                <div class="row mb-4">
+                    <div class="col-6" id="blacklist">
+                        {@render blacklistChecks(report.blacklists, report)}
+                    </div>
+                    <div class="col-6" id="whitelist">
+                        {@render whitelistChecks(report.whitelists)}
                     </div>
                 </div>
+            {:else}
+                {#if report.blacklists && Object.keys(report.blacklists).length > 0}
+                    <div class="row mb-4" id="blacklist">
+                        <div class="col-12">
+                            {@render blacklistChecks(report.blacklists, report)}
+                        </div>
+                    </div>
+                {/if}
+
+                {#if report.whitelists && Object.keys(report.whitelists).length > 0}
+                    <div class="row mb-4" id="whitelist">
+                        <div class="col-12">
+                            {@render whitelistChecks(report.whitelists)}
+                        </div>
+                    </div>
+                {/if}
             {/if}
 
             <!-- Header Analysis -->
@@ -347,16 +389,19 @@
                 </div>
             {/if}
 
-            <!-- Additional Information -->
+            <!-- Spam filter analysis -->
-            {#if report.spamassassin}
+            {#if report.spamassassin || report.rspamd}
                 <div class="row mb-4" id="spam">
-                    <div class="col-12">
+                    {#if report.spamassassin}
-                        <SpamAssassinCard
+                        <div class={report.rspamd ? "col col-lg-6 mb-4 mb-lg-0" : "col-12"}>
-                            spamassassin={report.spamassassin}
+                            <SpamAssassinCard spamassassin={report.spamassassin} />
-                            spamGrade={report.summary?.spam_grade}
+                        </div>
-                            spamScore={report.summary?.spam_score}
+                    {/if}
-                        />
+                    {#if report.rspamd}
-                    </div>
+                        <div class={report.spamassassin ? "col col-lg-6" : "col-12"}>
+                            <RspamdCard rspamd={report.rspamd} />
+                        </div>
+                    {/if}
                 </div>
             {/if}