dmarc: refactor parseDMARCRecord to use shared tag parser and eliminate helper methods

Replace per-field regex extractor methods with a single parseDKIMTags call,
removing eight redundant private methods and unifying DMARC tag parsing with
the existing DKIM tag parser. Tests are updated to drive through parseDMARCRecord
instead of the removed helpers, and the NP scoring logic is corrected to award
+15/−15 symmetrically like the SP scoring path.

.drone.yml

@@ -9,7 +9,7 @@ platform:
 
 steps:
 - name: frontend
-  image: node:22-alpine
+  image: node:24-alpine
   commands:
   - cd web
   - npm install --network-timeout=100000

.gitignore

@@ -26,5 +26,5 @@ logs/
 *.sqlite3
 
 # OpenAPI generated files
-internal/api/models.gen.go
 internal/api/server.gen.go
+internal/model/types.gen.go

Dockerfile

@@ -1,6 +1,6 @@
 # Multi-stage Dockerfile for happyDeliver with integrated MTA
 # Stage 1: Build the Svelte application
-FROM node:22-alpine AS nodebuild
+FROM node:24-alpine AS nodebuild
 
 WORKDIR /build
 
@@ -34,7 +34,7 @@ RUN go generate ./... && \
 # Stage 3: Prepare perl and spamass-milt
 FROM alpine:3 AS pl
 
-RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+RUN echo "@edge https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
     apk add --no-cache \
     build-base \
     libmilter-dev \
@@ -49,13 +49,14 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/a
     perl-crypt-openssl-random \
     perl-crypt-openssl-verify \
     perl-crypt-openssl-x509 \
+    perl-cryptx \
     perl-dbd-sqlite \
     perl-dbi \
     perl-email-address-xs \
     perl-json-xs \
     perl-list-moreutils \
     perl-moose \
-    perl-net-idn-encode@testing \
+    perl-net-idn-encode@edge \
     perl-net-ssleay \
     perl-netaddr-ip \
     perl-package-stash \
@@ -75,6 +76,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/a
     ln -s /usr/bin/ld /bin/ld
 
 RUN cpanm --notest Mail::SPF && \
+    cpanm --notest Mail::DKIM && \
     cpanm --notest Mail::Milter::Authentication
 
 RUN wget https://download.savannah.nongnu.org/releases/spamass-milt/spamass-milter-0.4.0.tar.gz && \
@@ -86,7 +88,7 @@ RUN wget https://download.savannah.nongnu.org/releases/spamass-milt/spamass-milt
 FROM alpine:3
 
 # Install all required packages
-RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+RUN echo "@edge https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
     apk add --no-cache \
     bash \
     ca-certificates \
@@ -100,13 +102,14 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/a
     perl-crypt-openssl-random \
     perl-crypt-openssl-verify \
     perl-crypt-openssl-x509 \
+    perl-cryptx \
     perl-dbd-sqlite \
     perl-dbi \
     perl-email-address-xs \
     perl-json-xs \
     perl-list-moreutils \
     perl-moose \
-    perl-net-idn-encode@testing \
+    perl-net-idn-encode@edge \
     perl-net-ssleay \
     perl-netaddr-ip \
     perl-package-stash \
@@ -121,6 +124,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/a
     perl-xml-libxml \
     postfix \
     postfix-pcre \
+    rspamd \
     spamassassin \
     spamassassin-client \
     supervisor \
@@ -143,8 +147,11 @@ RUN mkdir -p /etc/happydeliver \
     /var/lib/authentication_milter \
     /var/spool/postfix/authentication_milter \
     /var/spool/postfix/spamassassin \
+    /var/spool/postfix/rspamd \
     && chown -R happydeliver:happydeliver /var/lib/happydeliver /var/log/happydeliver \
-    && chown -R mail:mail /var/spool/postfix/authentication_milter /var/spool/postfix/spamassassin
+    && chown -R mail:mail /var/spool/postfix/authentication_milter /var/spool/postfix/spamassassin \
+    && chown rspamd:mail /var/spool/postfix/rspamd \
+    && chmod 750 /var/spool/postfix/rspamd
 
 # Copy the built application
 COPY --from=builder /build/happyDeliver /usr/local/bin/happyDeliver
@@ -154,6 +161,7 @@ RUN chmod +x /usr/local/bin/happyDeliver
 COPY docker/postfix/ /etc/postfix/
 COPY docker/authentication_milter/authentication_milter.json /etc/authentication_milter.json
 COPY docker/spamassassin/ /etc/mail/spamassassin/
+COPY docker/rspamd/local.d/ /etc/rspamd/local.d/
 COPY docker/supervisor/ /etc/supervisor/
 COPY docker/entrypoint.sh /entrypoint.sh
 
@@ -165,11 +173,21 @@ RUN chmod +x /entrypoint.sh
 EXPOSE 25 8080
 
 # Default configuration
-ENV HAPPYDELIVER_DATABASE_TYPE=sqlite HAPPYDELIVER_DATABASE_DSN=/var/lib/happydeliver/happydeliver.db HAPPYDELIVER_DOMAIN=happydeliver.local HAPPYDELIVER_ADDRESS_PREFIX=test- HAPPYDELIVER_DNS_TIMEOUT=5s HAPPYDELIVER_HTTP_TIMEOUT=10s HAPPYDELIVER_RBL=zen.spamhaus.org,bl.spamcop.net,b.barracudacentral.org,dnsbl.sorbs.net,dnsbl-1.uceprotect.net,bl.mailspike.net
+ENV HAPPYDELIVER_DATABASE_TYPE=sqlite \
+    HAPPYDELIVER_DATABASE_DSN=/var/lib/happydeliver/happydeliver.db \
+    HAPPYDELIVER_DOMAIN=happydeliver.local \
+    HAPPYDELIVER_ADDRESS_PREFIX=test- \
+    HAPPYDELIVER_DNS_TIMEOUT=5s \
+    HAPPYDELIVER_HTTP_TIMEOUT=10s \
+    HAPPYDELIVER_RSPAMD_API_URL=http://127.0.0.1:11334
 
 # Volume for persistent data
 VOLUME ["/var/lib/happydeliver", "/var/log/happydeliver"]
 
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+    CMD wget --quiet --tries=1 --spider http://localhost:8080/api/status || exit 1
+
 # Set entrypoint
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

README.md

@@ -6,7 +6,7 @@ An open-source email deliverability testing platform that analyzes test emails a
 
 ## Features
 
-- **Complete Email Analysis**: Analyzes SPF, DKIM, DMARC, BIMI, ARC, SpamAssassin scores, DNS records, blacklist status, content quality, and more
+- **Complete Email Analysis**: Analyzes SPF, DKIM, DMARC, BIMI, ARC, SpamAssassin and rspamd scores, DNS records, blacklist status, content quality, and more
 - **REST API**: Full-featured API for creating tests and retrieving reports
 - **LMTP Server**: Built-in LMTP server for seamless MTA integration
 - **Scoring System**: Gives A to F grades and scoring with weighted factors across dns, authentication, spam, blacklists, content, and headers
@@ -26,6 +26,7 @@ The easiest way to run happyDeliver is using the all-in-one Docker container tha
 - **Postfix MTA**: Receives emails on port 25
 - **authentication_milter**: Entreprise grade email authentication
 - **SpamAssassin**: Spam scoring and analysis
+- **rspamd**: Second spam filter for cross-validated scoring
 - **happyDeliver API**: REST API server on port 8080
 - **SQLite Database**: Persistent storage for tests and reports
 
@@ -37,7 +38,7 @@ git clone https://git.nemunai.re/happyDomain/happyDeliver.git
 cd happydeliver
 
 # Edit docker-compose.yml to set your domain
-# Change HAPPYDELIVER_DOMAIN and HOSTNAME environment variables
+# Change HAPPYDELIVER_DOMAIN environment variable and hostname
 
 # Build and start
 docker-compose up -d
@@ -63,13 +64,54 @@ docker run -d \
   -p 25:25 \
   -p 8080:8080 \
   -e HAPPYDELIVER_DOMAIN=yourdomain.com \
-  -e HOSTNAME=mail.yourdomain.com \
+  --hostname mail.yourdomain.com \
   -v $(pwd)/data:/var/lib/happydeliver \
   -v $(pwd)/logs:/var/log/happydeliver \
   happydeliver:latest
 ```
 
-#### 3. Configure Network and DNS
+#### 3. Configure TLS Certificates (Optional but Recommended)
+
+To enable TLS encryption for incoming SMTP connections, you can configure Postfix to use your SSL/TLS certificates. This is highly recommended for production deployments.
+
+##### Using docker-compose
+
+Add the certificate paths to your `docker-compose.yml`:
+
+```yaml
+environment:
+  - POSTFIX_CERT_FILE=/etc/ssl/certs/mail.yourdomain.com.crt
+  - POSTFIX_KEY_FILE=/etc/ssl/private/mail.yourdomain.com.key
+volumes:
+  - /path/to/your/certificate.crt:/etc/ssl/certs/mail.yourdomain.com.crt:ro
+  - /path/to/your/private.key:/etc/ssl/private/mail.yourdomain.com.key:ro
+```
+
+##### Using docker run
+
+```bash
+docker run -d \
+  --name happydeliver \
+  -p 25:25 \
+  -p 8080:8080 \
+  -e HAPPYDELIVER_DOMAIN=yourdomain.com \
+  -e POSTFIX_CERT_FILE=/etc/ssl/certs/mail.yourdomain.com.crt \
+  -e POSTFIX_KEY_FILE=/etc/ssl/private/mail.yourdomain.com.key \
+  --hostname mail.yourdomain.com \
+  -v /path/to/your/certificate.crt:/etc/ssl/certs/mail.yourdomain.com.crt:ro \
+  -v /path/to/your/private.key:/etc/ssl/private/mail.yourdomain.com.key:ro \
+  -v $(pwd)/data:/var/lib/happydeliver \
+  -v $(pwd)/logs:/var/log/happydeliver \
+  happydeliver:latest
+```
+
+**Notes:**
+- The certificate file should contain the full certificate chain (certificate + intermediate CAs)
+- The private key file must be readable by the postfix user inside the container
+- TLS is configured with `smtpd_tls_security_level = may`, which means it's opportunistic (STARTTLS supported but not required)
+- If both environment variables are not set, Postfix will run without TLS support
+
+#### 4. Configure Network and DNS
 
 ##### Open SMTP Port
 
@@ -121,10 +163,27 @@ The server will start on `http://localhost:8080` by default.
 
 #### 3. Integrate with your existing e-mail setup
 
-It is expected your setup annotate the email with eg. opendkim, spamassassin, ...
+It is expected your setup annotate the email with eg. opendkim, spamassassin, rspamd, ...
 happyDeliver will not perform thoses checks, it relies instead on standard software to have real world annotations.
 
-Choose one of the following way to integrate happyDeliver in your existing setup:
+#### Receiver Hostname
+
+happyDeliver filters `Authentication-Results` headers by hostname to only trust headers added by your MTA (and not headers that may have been injected by the sender). By default, it uses the system hostname (`os.Hostname()`).
+
+If your MTA's `authserv-id` (the hostname at the beginning of `Authentication-Results` headers) differs from the machine running happyDeliver, you must set it explicitly:
+
+```bash
+./happyDeliver server -receiver-hostname mail.example.com
+```
+
+Or via environment variable:
+```bash
+HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com ./happyDeliver server
+```
+
+**How to find the correct value:** look at the `Authentication-Results` headers in a received email. They start with the authserv-id, e.g. `Authentication-Results: mail.example.com; spf=pass ...` — in this case, use `mail.example.com`.
+
+If the value is misconfigured, happyDeliver will log a warning when the last `Received` hop doesn't match the expected hostname.
 
 #### Postfix LMTP Transport
 
@@ -220,6 +279,33 @@ cat email.eml | ./happyDeliver analyze -recipient test-uuid@yourdomain.com
 
 **Note:** In production, emails are delivered via LMTP (see integration instructions above).
 
+## Use with happyDomain
+
+happyDeliver can be driven by [happyDomain](https://happydomain.org) through
+the [`checker-happydeliver`](https://git.nemunai.re/happyDomain/checker-happydeliver)
+plugin, so the deliverability of a domain you manage is monitored alongside
+its DNS and inbound SMTP posture.
+
+How it works:
+
+1. Attach the **Outbound deliverability** checker to the mail service of a zone
+   in happyDomain. Point it at a happyDeliver instance via `happydeliver_url`;
+   operators can configure a default instance globally.
+2. On each run, the checker calls `POST /api/test` to allocate a fresh
+   recipient address, prompts the user (or an automated sender) to mail it from
+   the tested domain, then polls `GET /api/test/{id}` until the report is
+   ready.
+3. The structured report from `GET /api/report/{id}` is translated into
+   happyDomain rule states: CRIT/WARN/INFO on SPF, DKIM, DMARC, alignment, spam
+   score, blacklists and headers, plus an overall score threshold
+   (`min_score`/`warn_score`).
+4. Runs repeat on a configurable interval so a regression in deliverability (a
+   new RBL listing, a DKIM key rotation gone wrong, a broken SPF include, ...)
+   surfaces as a domain-level alert in happyDomain.
+
+See the [`checker-happydeliver` repository](https://git.nemunai.re/happyDomain/checker-happydeliver)
+for build instructions and the full list of run options.
+
 ## Scoring System
 
 The deliverability score is calculated from A to F based on:
@@ -228,7 +314,7 @@ The deliverability score is calculated from A to F based on:
 - **Authentication**: IPRev, SPF, DKIM, DMARC, BIMI and ARC validation
 - **Blacklist**: RBL/DNSBL checks
 - **Headers**: Required headers, MIME structure, Domain alignment
-- **Spam**: SpamAssassin score
+- **Spam**: SpamAssassin and rspamd scores (combined 50/50)
 - **Content**: HTML quality, links, images, unsubscribe
 
 ## Funding

api/config-models.yaml

@@ -1,5 +1,9 @@
-package: api
+package: model
 generate:
   models: true
-  embedded-spec: false
-output: internal/api/models.gen.go
+  embedded-spec: true
+output: internal/model/types.gen.go
+output-options:
+  skip-prune: true
+import-mapping:
+  ./schemas.yaml: "-"

api/config-server.yaml

@@ -1,5 +1,8 @@
 package: api
 generate:
   gin-server: true
+  models: true
   embedded-spec: true
 output: internal/api/server.gen.go
+import-mapping:
+  ./schemas.yaml: git.happydns.org/happyDeliver/internal/model

cmd/happyDeliver/main.go

@@ -33,8 +33,8 @@ import (
 )
 
 func main() {
-	fmt.Println("happyDeliver - Email Deliverability Testing Platform")
-	fmt.Printf("Version: %s\n", version.Version)
+	fmt.Fprintln(os.Stderr, "happyDeliver - Email Deliverability Testing Platform")
+	fmt.Fprintf(os.Stderr, "Version: %s\n", version.Version)
 
 	cfg, err := config.ConsolidateConfig()
 	if err != nil {
@@ -52,6 +52,18 @@ func main() {
 		if err := app.RunAnalyzer(cfg, flag.Args()[1:], os.Stdin, os.Stdout); err != nil {
 			log.Fatalf("Analyzer error: %v", err)
 		}
+	case "backup":
+		if err := app.RunBackup(cfg); err != nil {
+			log.Fatalf("Backup error: %v", err)
+		}
+	case "restore":
+		inputFile := ""
+		if len(flag.Args()) >= 2 {
+			inputFile = flag.Args()[1]
+		}
+		if err := app.RunRestore(cfg, inputFile); err != nil {
+			log.Fatalf("Restore error: %v", err)
+		}
 	case "version":
 		fmt.Println(version.Version)
 	default:
@@ -63,9 +75,11 @@ func main() {
 
 func printUsage() {
 	fmt.Println("\nCommand availables:")
-	fmt.Println("  happyDeliver server          - Start the API server")
-	fmt.Println("  happyDeliver analyze [-json] - Analyze email from stdin and output results to terminal")
-	fmt.Println("  happyDeliver version         - Print version information")
+	fmt.Println("  happyDeliver server            - Start the API server")
+	fmt.Println("  happyDeliver analyze [-json]   - Analyze email from stdin and output results to terminal")
+	fmt.Println("  happyDeliver backup            - Backup database to stdout as JSON")
+	fmt.Println("  happyDeliver restore [file]    - Restore database from JSON file or stdin")
+	fmt.Println("  happyDeliver version           - Print version information")
 	fmt.Println("")
 	flag.Usage()
 }

docker-compose.yml

@@ -1,16 +1,30 @@
 services:
+  unbound:
+    image: alpinelinux/unbound
+    restart: unless-stopped
+
+    configs:
+      - source: unbound_conf
+        target: /etc/unbound/unbound.conf
+        uid: "100"
+        gid: "101"
+
+    networks:
+      default:
+        ipv4_address: 172.28.0.53
+
   happydeliver:
     build:
       context: .
       dockerfile: Dockerfile
-    image: happydeliver:latest
+    image: happydomain/happydeliver:latest
     container_name: happydeliver
+    # Set a hostname
     hostname: mail.happydeliver.local
 
     environment:
-      # Set your domain and hostname
-      DOMAIN: happydeliver.local
-      HOSTNAME: mail.happydeliver.local
+      # Set your domain
+      HAPPYDELIVER_DOMAIN: happydeliver.local
 
     ports:
       # SMTP port
@@ -24,15 +38,41 @@ services:
       # Log files
       - ./logs:/var/log/happydeliver
 
+    dns:
+      - 172.28.0.53
     restart: unless-stopped
 
-    healthcheck:
-      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/api/status"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 40s
+configs:
+  unbound_conf:
+    content: |
+      server:
+          verbosity: 1
+          interface: 0.0.0.0
+          port: 53
+          do-ip4: yes
+          do-ip6: no
+          do-udp: yes
+          do-tcp: yes
+
+          access-control: 127.0.0.0/8 allow
+          access-control: 172.28.0.0/24 allow
+
+          # Short cache for a testing resolver
+          cache-max-ttl: 60
+
+          # Buffers: let the system decide
+          so-sndbuf: 0
+          so-rcvbuf: 0
+
+          # Trust anchor (static, ships with the image)
+          trust-anchor-file: "/etc/unbound/root.key"
 
 volumes:
   data:
   logs:
+
+networks:
+  default:
+    ipam:
+      config:
+        - subnet: 172.28.0.0/24

docker/README.md

@@ -109,12 +109,37 @@ Default configuration for the Docker environment:
 
 The container accepts these environment variables:
 
-- `DOMAIN`: Email domain for test addresses (default: happydeliver.local)
-- `HOSTNAME`: Container hostname (default: mail.happydeliver.local)
+- `HAPPYDELIVER_DOMAIN`: Email domain for test addresses (default: happydeliver.local)
+- `HAPPYDELIVER_RECEIVER_HOSTNAME`: Hostname used to filter `Authentication-Results` headers (see below)
+- `POSTFIX_CERT_FILE` / `POSTFIX_KEY_FILE`: TLS certificate and key paths for Postfix SMTP
+
+### Receiver Hostname
+
+happyDeliver filters `Authentication-Results` headers by hostname to only trust results from the expected MTA. By default, it uses the system hostname (i.e., the container's `--hostname`).
+
+In the all-in-one Docker container, the container hostname is also used as the `authserv-id` in the embedded Postfix and authentication_milter, so everything matches automatically.
+
+**When bypassing the embedded Postfix** (e.g., routing emails from your own MTA via LMTP), your MTA's `authserv-id` will likely differ from the container hostname. In that case, set `HAPPYDELIVER_RECEIVER_HOSTNAME` to your MTA's hostname:
 
-Example:
 ```bash
-docker run -e DOMAIN=example.com -e HOSTNAME=mail.example.com ...
+docker run -d \
+  -e HAPPYDELIVER_DOMAIN=example.com \
+  -e HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com \
+  ...
+```
+
+To find the correct value, look at the `Authentication-Results` headers in a received email — they start with the authserv-id, e.g. `Authentication-Results: mail.example.com; spf=pass ...`.
+
+If the value is misconfigured, happyDeliver will log a warning when the last `Received` hop doesn't match the expected hostname.
+
+Example (all-in-one, no override needed):
+```bash
+docker run -e HAPPYDELIVER_DOMAIN=example.com --hostname mail.example.com ...
+```
+
+Example (external MTA integration):
+```bash
+docker run -e HAPPYDELIVER_DOMAIN=example.com -e HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com ...
 ```
 
 ## Volumes

docker/entrypoint.sh

@@ -4,7 +4,7 @@ set -e
 echo "Starting happyDeliver container..."
 
 # Get environment variables with defaults
-HOSTNAME="${HOSTNAME:-mail.happydeliver.local}"
+[ -n "${HOSTNAME}" ] || HOSTNAME=$(hostname)
 HAPPYDELIVER_DOMAIN="${HAPPYDELIVER_DOMAIN:-happydeliver.local}"
 
 echo "Hostname: $HOSTNAME"
@@ -15,6 +15,10 @@ mkdir -p /var/spool/postfix/authentication_milter
 chown mail:mail /var/spool/postfix/authentication_milter
 chmod 750 /var/spool/postfix/authentication_milter
 
+mkdir -p /var/spool/postfix/rspamd
+chown rspamd:mail /var/spool/postfix/rspamd
+chmod 750 /var/spool/postfix/rspamd
+
 # Create log directory
 mkdir -p /var/log/happydeliver /var/cache/authentication_milter /var/spool/authentication_milter /var/lib/authentication_milter /run/authentication_milter
 chown happydeliver:happydeliver /var/log/happydeliver
@@ -25,6 +29,15 @@ echo "Configuring Postfix..."
 sed -i "s/__HOSTNAME__/${HOSTNAME}/g" /etc/postfix/main.cf
 sed -i "s/__DOMAIN__/${HAPPYDELIVER_DOMAIN}/g" /etc/postfix/main.cf
 
+# Add certificates to postfix
+[ -n "${POSTFIX_CERT_FILE}" ] && [ -n "${POSTFIX_KEY_FILE}" ] && {
+    cat <<EOF >> /etc/postfix/main.cf
+smtpd_tls_cert_file = ${POSTFIX_CERT_FILE}
+smtpd_tls_key_file = ${POSTFIX_KEY_FILE}
+smtpd_tls_security_level = may
+EOF
+}
+
 # Replace placeholders in configurations
 sed -i "s/__HOSTNAME__/${HOSTNAME}/g" /etc/authentication_milter.json
 

docker/postfix/main.cf

@@ -28,7 +28,7 @@ transport_maps = pcre:/etc/postfix/transport_maps
 # OpenDKIM for DKIM verification
 milter_default_action = accept
 milter_protocol = 6
-smtpd_milters = unix:/var/spool/postfix/authentication_milter/authentication_milter.sock unix:/var/spool/postfix/spamassassin/spamass-milter.sock
+smtpd_milters = unix:/var/spool/postfix/authentication_milter/authentication_milter.sock unix:/var/spool/postfix/spamassassin/spamass-milter.sock unix:/var/spool/postfix/rspamd/rspamd-milter.sock
 non_smtpd_milters = $smtpd_milters
 
 # SPF policy checking

docker/rspamd/local.d/actions.conf

@@ -0,0 +1,5 @@
+no_action = 0;
+reject = null;
+add_header = null;
+rewrite_subject = null;
+greylist = null;

docker/rspamd/local.d/milter_headers.conf

@@ -0,0 +1,5 @@
+# Add "extended Rspamd headers"
+extended_spam_headers = true;
+
+skip_local = false;
+skip_authenticated = false;

docker/rspamd/local.d/options.inc

@@ -0,0 +1,3 @@
+# rspamd options for happyDeliver
+# Disable Bayes learning to keep the setup stateless
+use_redis = false;

docker/rspamd/local.d/worker-proxy.inc

@@ -0,0 +1,6 @@
+# Enable rspamd milter proxy worker via Unix socket for Postfix integration
+bind_socket = "/var/spool/postfix/rspamd/rspamd-milter.sock mode=0660 owner=rspamd group=mail";
+upstream "local" {
+  default = yes;
+  self_scan = yes;
+}

docker/spamassassin/local.cf

@@ -48,3 +48,14 @@ rbl_timeout 5
 # Don't use user-specific rules
 user_scores_dsn_timeout 3
 user_scores_sql_override 0
+
+# Disable Validity network rules
+dns_query_restriction deny sa-trusted.bondedsender.org
+dns_query_restriction deny sa-accredit.habeas.com
+dns_query_restriction deny bl.score.senderscore.com
+score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0
+score RCVD_IN_VALIDITY_RPBL_BLOCKED 0
+score RCVD_IN_VALIDITY_SAFE_BLOCKED 0
+score RCVD_IN_VALIDITY_CERTIFIED 0
+score RCVD_IN_VALIDITY_RPBL 0
+score RCVD_IN_VALIDITY_SAFE 0

docker/supervisor/supervisord.conf

@@ -33,6 +33,16 @@ stderr_logfile=/var/log/happydeliver/authentication_milter.log
 user=mail
 group=mail
 
+# rspamd spam filter
+[program:rspamd]
+command=/usr/bin/rspamd -f -u rspamd -g mail
+autostart=true
+autorestart=true
+priority=11
+stdout_logfile=/var/log/happydeliver/rspamd.log
+stderr_logfile=/var/log/happydeliver/rspamd_error.log
+user=root
+
 # SpamAssassin daemon
 [program:spamd]
 command=/usr/sbin/spamd --max-children 5 --helper-home-dir /var/lib/spamassassin --syslog stderr --pidfile /var/run/spamd.pid

generate.go

@@ -21,5 +21,5 @@
 
 package main
 
-//go:generate go tool oapi-codegen -config api/config-models.yaml api/openapi.yaml
+//go:generate go tool oapi-codegen -config api/config-models.yaml api/schemas.yaml
 //go:generate go tool oapi-codegen -config api/config-server.yaml api/openapi.yaml

go.mod

@@ -1,41 +1,42 @@
 module git.happydns.org/happyDeliver
 
-go 1.24.6
+go 1.25.0
 
 require (
-	github.com/JGLTechnologies/gin-rate-limit v1.5.6
+	github.com/JGLTechnologies/gin-rate-limit v1.5.8
 	github.com/emersion/go-smtp v0.24.0
-	github.com/getkin/kin-openapi v0.133.0
-	github.com/gin-gonic/gin v1.11.0
+	github.com/getkin/kin-openapi v0.138.0
+	github.com/gin-gonic/gin v1.12.0
 	github.com/google/uuid v1.6.0
-	github.com/oapi-codegen/runtime v1.1.2
-	golang.org/x/net v0.46.0
+	github.com/oapi-codegen/runtime v1.4.0
+	golang.org/x/net v0.54.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlite v1.6.0
-	gorm.io/gorm v1.31.0
+	gorm.io/gorm v1.31.1
 )
 
 require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
-	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.15.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 // indirect
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.27.0 // indirect
+	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.7.6 // indirect
+	github.com/jackc/pgx/v5 v5.8.0 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -43,36 +44,38 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mailru/easyjson v0.9.1 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.32 // indirect
+	github.com/mattn/go-sqlite3 v1.14.33 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
-	github.com/oapi-codegen/oapi-codegen/v2 v2.5.0 // indirect
-	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
-	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
+	github.com/oapi-codegen/oapi-codegen/v2 v2.7.0 // indirect
+	github.com/oasdiff/yaml v0.0.9 // indirect
+	github.com/oasdiff/yaml3 v0.0.12 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.54.1 // indirect
-	github.com/redis/go-redis/v9 v9.7.3 // indirect
-	github.com/speakeasy-api/jsonpath v0.6.0 // indirect
-	github.com/speakeasy-api/openapi-overlay v0.10.2 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.59.0 // indirect
+	github.com/redis/go-redis/v9 v9.18.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/speakeasy-api/jsonpath v0.6.3 // indirect
+	github.com/speakeasy-api/openapi v1.19.2 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.3.0 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/vmware-labs/yaml-jsonpath v0.3.2 // indirect
-	github.com/woodsbury/decimal128 v1.3.0 // indirect
-	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
-	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
-	google.golang.org/protobuf v1.36.9 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	github.com/woodsbury/decimal128 v1.4.0 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/arch v0.23.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 

go.sum

@@ -1,5 +1,5 @@
-github.com/JGLTechnologies/gin-rate-limit v1.5.6 h1:BrL2wXrF7SSqmB88YTGFVKMGVcjURMUeKqwQrlmzweI=
-github.com/JGLTechnologies/gin-rate-limit v1.5.6/go.mod h1:fwUuBegxLKm8+/4ST0zDFssRFTFaVZ7bH3ApK7iNZww=
+github.com/JGLTechnologies/gin-rate-limit v1.5.8 h1:KiaHIEbpYxHpDvjhpjIif8fnVmjdw/afCMdGoN1AsB0=
+github.com/JGLTechnologies/gin-rate-limit v1.5.8/go.mod h1:t9eLOUxikPI0TzKy0VYRbZJr7hBP2Qg9E3JigoxF70g=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
@@ -8,10 +8,12 @@ github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
-github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
-github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
-github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
-github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
+github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -20,10 +22,13 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
 github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960/go.mod h1:9HQzr9D/0PGwMEbC3d5AB7oi67+h4TsQqItC1GVYG58=
 github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 h1:PRxIJD8XjimM5aTknUK9w6DHLDox2r2M3DI4i2pnd3w=
 github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936/go.mod h1:ttYvX5qlB+mlV1okblJqcSMtR4c52UKxDiX9GRBS8+Q=
@@ -34,33 +39,35 @@ github.com/emersion/go-smtp v0.24.0/go.mod h1:ZtRRkbTyp2XTHCA+BmyTFTrj8xY4I+b4Mc
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
-github.com/getkin/kin-openapi v0.133.0 h1:pJdmNohVIJ97r4AUFtEXRXwESr8b0bD721u/Tz6k8PQ=
-github.com/getkin/kin-openapi v0.133.0/go.mod h1:boAciF6cXk5FhPqe/NQeBTeenbjqU4LhWBf09ILVvWE=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/getkin/kin-openapi v0.138.0 h1:ebfE0JAmF6AqHrNBy1KO3Fs68K9tPs48HalvLPo7Rv4=
+github.com/getkin/kin-openapi v0.138.0/go.mod h1:vUYWaKyMqj7PfTybelXtLuLN9tReS12vxnzMRK+z2GY=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
-github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
+github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
+github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
+github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI=
+github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag=
+github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
+github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
-github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
 github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
-github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -86,8 +93,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
-github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
@@ -110,12 +117,12 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8=
+github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
-github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.33 h1:A5blZ5ulQo2AtayQ9/limgHEkFreKj1Dv226a1K73s0=
+github.com/mattn/go-sqlite3 v1.14.33/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -126,14 +133,14 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwd
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oapi-codegen/oapi-codegen/v2 v2.5.0 h1:iJvF8SdB/3/+eGOXEpsWkD8FQAHj6mqkb6Fnsoc8MFU=
-github.com/oapi-codegen/oapi-codegen/v2 v2.5.0/go.mod h1:fwlMxUEMuQK5ih9aymrxKPQqNm2n8bdLk1ppjH+lr9w=
-github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
-github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
-github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=
-github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
-github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
-github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o=
+github.com/oapi-codegen/oapi-codegen/v2 v2.7.0 h1:/8daqIYZfwnsHEAZdHUu9m0D5LA+5DoJCP7zLlT5Cs0=
+github.com/oapi-codegen/oapi-codegen/v2 v2.7.0/go.mod h1:qzFy6iuobJw/hD1aRILee4G87/ShmhR0xYCwcUtZMCw=
+github.com/oapi-codegen/runtime v1.4.0 h1:KLOSFOp7UzkbS7Cs1ms6NBEKYr0WmH2wZG0KKbd2er4=
+github.com/oapi-codegen/runtime v1.4.0/go.mod h1:5sw5fxCDmnOzKNYmkVNF8d34kyUeejJEY8HNT2WaPec=
+github.com/oasdiff/yaml v0.0.9 h1:zQOvd2UKoozsSsAknnWoDJlSK4lC0mpmjfDsfqNwX48=
+github.com/oasdiff/yaml v0.0.9/go.mod h1:8lvhgJG4xiKPj3HN5lDow4jZHPlx1i7dIwzkdAo6oAM=
+github.com/oasdiff/yaml3 v0.0.12 h1:75urAtPeDg2/iDEWwzNrLOWxI9N/dCh81nTTJtokt2M=
+github.com/oasdiff/yaml3 v0.0.12/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
@@ -150,56 +157,69 @@ github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX50IvK2s=
 github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.1 h1:4ZAWm0AhCb6+hE+l5Q1NAL0iRn/ZrMwqHRGQiFwj2eg=
-github.com/quic-go/quic-go v0.54.1/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
-github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
-github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
+github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/redis/go-redis/v9 v9.18.0 h1:pMkxYPkEbMPwRdenAzUNyFNrDgHx9U+DrBabWNfSRQs=
+github.com/redis/go-redis/v9 v9.18.0/go.mod h1:k3ufPphLU5YXwNTUcCRXGxUoF1fqxnhFQmscfkCoDA0=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/speakeasy-api/jsonpath v0.6.0 h1:IhtFOV9EbXplhyRqsVhHoBmmYjblIRh5D1/g8DHMXJ8=
-github.com/speakeasy-api/jsonpath v0.6.0/go.mod h1:ymb2iSkyOycmzKwbEAYPJV/yi2rSmvBCLZJcyD+VVWw=
-github.com/speakeasy-api/openapi-overlay v0.10.2 h1:VOdQ03eGKeiHnpb1boZCGm7x8Haj6gST0P3SGTX95GU=
-github.com/speakeasy-api/openapi-overlay v0.10.2/go.mod h1:n0iOU7AqKpNFfEt6tq7qYITC4f0yzVVdFw0S7hukemg=
+github.com/speakeasy-api/jsonpath v0.6.3 h1:c+QPwzAOdrWvzycuc9HFsIZcxKIaWcNpC+xhOW9rJxU=
+github.com/speakeasy-api/jsonpath v0.6.3/go.mod h1:2cXloNuQ+RSXi5HTRaeBh7JEmjRXTiaKpFTdZiL7URI=
+github.com/speakeasy-api/openapi v1.19.2 h1:md90tE71/M8jS3cuRlsuWP5Aed4xoG5PSRvXeZgCv/M=
+github.com/speakeasy-api/openapi v1.19.2/go.mod h1:UfKa7FqE4jgexJZuj51MmdHAFGmDv0Zaw3+yOd81YKU=
 github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
-github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk=
 github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ=
-github.com/woodsbury/decimal128 v1.3.0 h1:8pffMNWIlC0O5vbyHWFZAt5yWvWcrHA+3ovIIjVWss0=
-github.com/woodsbury/decimal128 v1.3.0/go.mod h1:C5UTmyTjW3JftjUFzOVhC20BEQa2a4ZKOB5I6Zjb+ds=
+github.com/woodsbury/decimal128 v1.4.0 h1:xJATj7lLu4f2oObouMt2tgGiElE5gO6mSWUjQsBgUlc=
+github.com/woodsbury/decimal128 v1.4.0/go.mod h1:BP46FUrVjVhdTbKT+XuQh2xfQaGki9LMIRJSFuh6THU=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
-golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
-golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
+github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
+github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
+golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
-golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -207,13 +227,13 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -229,21 +249,21 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
-golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -256,8 +276,8 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -279,5 +299,5 @@ gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
 gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
 gorm.io/driver/sqlite v1.6.0/go.mod h1:AO9V1qIQddBESngQUKWL9yoH93HIeA1X6V633rBwyT8=
-gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
-gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
+gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=

internal/api/handlers.go

@@ -31,6 +31,7 @@ import (
 	openapi_types "github.com/oapi-codegen/runtime/types"
 
 	"git.happydns.org/happyDeliver/internal/config"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/storage"
 	"git.happydns.org/happyDeliver/internal/utils"
 	"git.happydns.org/happyDeliver/internal/version"
@@ -40,6 +41,8 @@ import (
 // This interface breaks the circular dependency with pkg/analyzer
 type EmailAnalyzer interface {
 	AnalyzeEmailBytes(rawEmail []byte, testID uuid.UUID) (reportJSON []byte, err error)
+	AnalyzeDomain(domain string) (dnsResults *model.DNSResults, score int, grade string)
+	CheckBlacklistIP(ip string) (checks []model.BlacklistCheck, whitelists []model.BlacklistCheck, listedCount int, score int, grade string, err error)
 }
 
 // APIHandler implements the ServerInterface for handling API requests
@@ -77,11 +80,11 @@ func (h *APIHandler) CreateTest(c *gin.Context) {
 	)
 
 	// Return response
-	c.JSON(http.StatusCreated, TestResponse{
+	c.JSON(http.StatusCreated, model.TestResponse{
 		Id:      base32ID,
 		Email:   openapi_types.Email(email),
-		Status:  TestResponseStatusPending,
-		Message: stringPtr("Send your test email to the given address"),
+		Status:  model.TestResponseStatusPending,
+		Message: utils.PtrTo("Send your test email to the given address"),
 	})
 }
 
@@ -91,10 +94,10 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -102,20 +105,20 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 	// Check if a report exists for this test ID
 	reportExists, err := h.storage.ReportExists(testUUID)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to check test status",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Determine status based on report existence
-	var apiStatus TestStatus
+	var apiStatus model.TestStatus
 	if reportExists {
-		apiStatus = TestStatusAnalyzed
+		apiStatus = model.TestStatusAnalyzed
 	} else {
-		apiStatus = TestStatusPending
+		apiStatus = model.TestStatusPending
 	}
 
 	// Generate test email address using Base32-encoded UUID
@@ -125,7 +128,7 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 		h.config.Email.Domain,
 	)
 
-	c.JSON(http.StatusOK, Test{
+	c.JSON(http.StatusOK, model.Test{
 		Id:     id,
 		Email:  openapi_types.Email(email),
 		Status: apiStatus,
@@ -138,10 +141,10 @@ func (h *APIHandler) GetReport(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -149,16 +152,16 @@ func (h *APIHandler) GetReport(c *gin.Context, id string) {
 	reportJSON, _, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Report not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve report",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -173,10 +176,10 @@ func (h *APIHandler) GetRawEmail(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -184,16 +187,16 @@ func (h *APIHandler) GetRawEmail(c *gin.Context, id string) {
 	_, rawEmail, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Email not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve raw email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -207,10 +210,10 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -219,16 +222,16 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	_, rawEmail, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Email not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -236,20 +239,20 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	// Re-analyze the email using the current analyzer
 	reportJSON, err := h.analyzer.AnalyzeEmailBytes(rawEmail, testUUID)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "analysis_error",
 			Message: "Failed to re-analyze email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Update the report in storage
 	if err := h.storage.UpdateReport(testUUID, reportJSON); err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to update report",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -265,24 +268,24 @@ func (h *APIHandler) GetStatus(c *gin.Context) {
 	uptime := int(time.Since(h.startTime).Seconds())
 
 	// Check database connectivity by trying to check if a report exists
-	dbStatus := StatusComponentsDatabaseUp
+	dbStatus := model.StatusComponentsDatabaseUp
 	if _, err := h.storage.ReportExists(uuid.New()); err != nil {
-		dbStatus = StatusComponentsDatabaseDown
+		dbStatus = model.StatusComponentsDatabaseDown
 	}
 
 	// Determine overall status
-	overallStatus := Healthy
-	if dbStatus == StatusComponentsDatabaseDown {
-		overallStatus = Unhealthy
+	overallStatus := model.Healthy
+	if dbStatus == model.StatusComponentsDatabaseDown {
+		overallStatus = model.Unhealthy
 	}
 
-	mtaStatus := StatusComponentsMtaUp
-	c.JSON(http.StatusOK, Status{
+	mtaStatus := model.StatusComponentsMtaUp
+	c.JSON(http.StatusOK, model.Status{
 		Status:  overallStatus,
 		Version: version.Version,
 		Components: &struct {
-			Database *StatusComponentsDatabase `json:"database,omitempty"`
-			Mta      *StatusComponentsMta      `json:"mta,omitempty"`
+			Database *model.StatusComponentsDatabase `json:"database,omitempty"`
+			Mta      *model.StatusComponentsMta      `json:"mta,omitempty"`
 		}{
 			Database: &dbStatus,
 			Mta:      &mtaStatus,
@@ -290,3 +293,133 @@ func (h *APIHandler) GetStatus(c *gin.Context) {
 		Uptime: &uptime,
 	})
 }
+
+// TestDomain performs synchronous domain analysis
+// (POST /domain)
+func (h *APIHandler) TestDomain(c *gin.Context) {
+	var request model.DomainTestRequest
+
+	// Bind and validate request
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, model.Error{
+			Error:   "invalid_request",
+			Message: "Invalid request body",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	// Perform domain analysis
+	dnsResults, score, grade := h.analyzer.AnalyzeDomain(request.Domain)
+
+	// Convert grade string to DomainTestResponseGrade enum
+	var responseGrade model.DomainTestResponseGrade
+	switch grade {
+	case "A+":
+		responseGrade = model.DomainTestResponseGradeA
+	case "A":
+		responseGrade = model.DomainTestResponseGradeA1
+	case "B":
+		responseGrade = model.DomainTestResponseGradeB
+	case "C":
+		responseGrade = model.DomainTestResponseGradeC
+	case "D":
+		responseGrade = model.DomainTestResponseGradeD
+	case "E":
+		responseGrade = model.DomainTestResponseGradeE
+	case "F":
+		responseGrade = model.DomainTestResponseGradeF
+	default:
+		responseGrade = model.DomainTestResponseGradeF
+	}
+
+	// Build response
+	response := model.DomainTestResponse{
+		Domain:     request.Domain,
+		Score:      score,
+		Grade:      responseGrade,
+		DnsResults: *dnsResults,
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// CheckBlacklist checks an IP address against DNS blacklists
+// (POST /blacklist)
+func (h *APIHandler) CheckBlacklist(c *gin.Context) {
+	var request model.BlacklistCheckRequest
+
+	// Bind and validate request
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, model.Error{
+			Error:   "invalid_request",
+			Message: "Invalid request body",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	// Perform blacklist check using analyzer
+	checks, whitelists, listedCount, score, grade, err := h.analyzer.CheckBlacklistIP(request.Ip)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, model.Error{
+			Error:   "invalid_ip",
+			Message: "Invalid IP address",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	// Build response
+	response := model.BlacklistCheckResponse{
+		Ip:          request.Ip,
+		Blacklists:  checks,
+		Whitelists:  &whitelists,
+		ListedCount: listedCount,
+		Score:       score,
+		Grade:       model.BlacklistCheckResponseGrade(grade),
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// ListTests returns a paginated list of test summaries
+// (GET /tests)
+func (h *APIHandler) ListTests(c *gin.Context, params ListTestsParams) {
+	if h.config.DisableTestList {
+		c.JSON(http.StatusForbidden, model.Error{
+			Error:   "feature_disabled",
+			Message: "Test listing is disabled on this instance",
+		})
+		return
+	}
+
+	offset := 0
+	limit := 20
+	if params.Offset != nil {
+		offset = *params.Offset
+	}
+	if params.Limit != nil {
+		limit = *params.Limit
+		if limit > 100 {
+			limit = 100
+		}
+	}
+
+	tests, total, err := h.storage.ListReportSummaries(offset, limit)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.Error{
+			Error:   "internal_error",
+			Message: "Failed to list tests",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	c.JSON(http.StatusOK, model.TestListResponse{
+		Tests:  tests,
+		Total:  int(total),
+		Offset: offset,
+		Limit:  limit,
+	})
+}

internal/app/cli_analyzer.go

@@ -202,6 +202,9 @@ func outputHumanReadable(result *analyzer.AnalysisResult, emailAnalyzer *analyze
 			if dns.DmarcRecord.SubdomainPolicy != nil {
 				fmt.Fprintf(writer, ", Subdomain Policy: %s", *dns.DmarcRecord.SubdomainPolicy)
 			}
+			if dns.DmarcRecord.NonexistentSubdomainPolicy != nil {
+				fmt.Fprintf(writer, ", Non-Existent Subdomain Policy: %s", *dns.DmarcRecord.NonexistentSubdomainPolicy)
+			}
 			fmt.Fprintln(writer)
 			if dns.DmarcRecord.Record != nil {
 				fmt.Fprintf(writer, "      %s\n", *dns.DmarcRecord.Record)

internal/app/cli_backup.go

@@ -0,0 +1,156 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2025 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+
+	"git.happydns.org/happyDeliver/internal/config"
+	"git.happydns.org/happyDeliver/internal/storage"
+)
+
+// BackupData represents the structure of a backup file
+type BackupData struct {
+	Version string           `json:"version"`
+	Reports []storage.Report `json:"reports"`
+}
+
+// RunBackup exports the database to stdout as JSON
+func RunBackup(cfg *config.Config) error {
+	if err := cfg.Validate(); err != nil {
+		return err
+	}
+
+	// Initialize storage
+	store, err := storage.NewStorage(cfg.Database.Type, cfg.Database.DSN)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer store.Close()
+
+	fmt.Fprintf(os.Stderr, "Connected to %s database\n", cfg.Database.Type)
+
+	// Get all reports from the database
+	reports, err := storage.GetAllReports(store)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve reports: %w", err)
+	}
+
+	fmt.Fprintf(os.Stderr, "Found %d reports to backup\n", len(reports))
+
+	// Create backup data structure
+	backup := BackupData{
+		Version: "1.0",
+		Reports: reports,
+	}
+
+	// Encode to JSON and write to stdout
+	encoder := json.NewEncoder(os.Stdout)
+	encoder.SetIndent("", "  ")
+	if err := encoder.Encode(backup); err != nil {
+		return fmt.Errorf("failed to encode backup data: %w", err)
+	}
+
+	return nil
+}
+
+// RunRestore imports the database from a JSON file or stdin
+func RunRestore(cfg *config.Config, inputPath string) error {
+	if err := cfg.Validate(); err != nil {
+		return err
+	}
+
+	// Determine input source
+	var reader io.Reader
+	if inputPath == "" || inputPath == "-" {
+		fmt.Fprintln(os.Stderr, "Reading backup from stdin...")
+		reader = os.Stdin
+	} else {
+		inFile, err := os.Open(inputPath)
+		if err != nil {
+			return fmt.Errorf("failed to open backup file: %w", err)
+		}
+		defer inFile.Close()
+		fmt.Fprintf(os.Stderr, "Reading backup from file: %s\n", inputPath)
+		reader = inFile
+	}
+
+	// Decode JSON
+	var backup BackupData
+	decoder := json.NewDecoder(reader)
+	if err := decoder.Decode(&backup); err != nil {
+		if err == io.EOF {
+			return fmt.Errorf("backup file is empty or corrupted")
+		}
+		return fmt.Errorf("failed to decode backup data: %w", err)
+	}
+
+	fmt.Fprintf(os.Stderr, "Backup version: %s\n", backup.Version)
+	fmt.Fprintf(os.Stderr, "Found %d reports in backup\n", len(backup.Reports))
+
+	// Initialize storage
+	store, err := storage.NewStorage(cfg.Database.Type, cfg.Database.DSN)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer store.Close()
+
+	fmt.Fprintf(os.Stderr, "Connected to %s database\n", cfg.Database.Type)
+
+	// Restore reports
+	restored, skipped, failed := 0, 0, 0
+	for _, report := range backup.Reports {
+		// Check if report already exists
+		exists, err := store.ReportExists(report.TestID)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Warning: Failed to check if report %s exists: %v\n", report.TestID, err)
+			failed++
+			continue
+		}
+
+		if exists {
+			fmt.Fprintf(os.Stderr, "Report %s already exists, skipping\n", report.TestID)
+			skipped++
+			continue
+		}
+
+		// Create the report
+		_, err = storage.CreateReportFromBackup(store, &report)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Warning: Failed to restore report %s: %v\n", report.TestID, err)
+			failed++
+			continue
+		}
+
+		restored++
+	}
+
+	fmt.Fprintf(os.Stderr, "Restore completed: %d restored, %d skipped, %d failed\n", restored, skipped, failed)
+	if failed > 0 {
+		return fmt.Errorf("restore completed with %d failures", failed)
+	}
+
+	return nil
+}

internal/config/cli.go

@@ -34,13 +34,17 @@ func declareFlags(o *Config) {
 	flag.StringVar(&o.Email.Domain, "domain", o.Email.Domain, "Domain used to receive emails")
 	flag.StringVar(&o.Email.TestAddressPrefix, "address-prefix", o.Email.TestAddressPrefix, "Expected email adress prefix (deny address that doesn't start with this prefix)")
 	flag.StringVar(&o.Email.LMTPAddr, "lmtp-addr", o.Email.LMTPAddr, "LMTP server listen address")
+	flag.StringVar(&o.Email.ReceiverHostname, "receiver-hostname", o.Email.ReceiverHostname, "Hostname used to filter Authentication-Results headers (defaults to os.Hostname())")
 	flag.DurationVar(&o.Analysis.DNSTimeout, "dns-timeout", o.Analysis.DNSTimeout, "Timeout when performing DNS query")
 	flag.DurationVar(&o.Analysis.HTTPTimeout, "http-timeout", o.Analysis.HTTPTimeout, "Timeout when performing HTTP query")
 	flag.Var(&StringArray{&o.Analysis.RBLs}, "rbl", "Append a RBL (use this option multiple time to append multiple RBLs)")
 	flag.BoolVar(&o.Analysis.CheckAllIPs, "check-all-ips", o.Analysis.CheckAllIPs, "Check all IPs found in email headers against RBLs (not just the first one)")
+	flag.StringVar(&o.Analysis.RspamdAPIURL, "rspamd-api-url", o.Analysis.RspamdAPIURL, "rspamd API URL for symbol descriptions (default: use embedded list)")
 	flag.DurationVar(&o.ReportRetention, "report-retention", o.ReportRetention, "How long to keep reports (e.g., 720h, 30d). 0 = keep forever")
 	flag.UintVar(&o.RateLimit, "rate-limit", o.RateLimit, "API rate limit (requests per second per IP)")
 	flag.Var(&URL{&o.SurveyURL}, "survey-url", "URL for user feedback survey")
+	flag.StringVar(&o.CustomLogoURL, "custom-logo-url", o.CustomLogoURL, "URL for custom logo image in the web UI")
+	flag.BoolVar(&o.DisableTestList, "disable-test-list", o.DisableTestList, "Disable the public test listing endpoint")
 
 	// Others flags are declared in some other files likes sources, storages, ... when they need specials configurations
 }

internal/config/config.go

@@ -34,6 +34,11 @@ import (
 	openapi_types "github.com/oapi-codegen/runtime/types"
 )
 
+func getHostname() string {
+	h, _ := os.Hostname()
+	return h
+}
+
 // Config represents the application configuration
 type Config struct {
 	DevProxy        string
@@ -44,6 +49,8 @@ type Config struct {
 	ReportRetention time.Duration // How long to keep reports. 0 = keep forever
 	RateLimit       uint          // API rate limit (requests per second per IP)
 	SurveyURL       url.URL       // URL for user feedback survey
+	CustomLogoURL   string        // URL for custom logo image in the web UI
+	DisableTestList bool          // Disable the public test listing endpoint
 }
 
 // DatabaseConfig contains database connection settings
@@ -57,6 +64,7 @@ type EmailConfig struct {
 	Domain            string
 	TestAddressPrefix string
 	LMTPAddr          string
+	ReceiverHostname  string
 }
 
 // AnalysisConfig contains timeout and behavior settings for email analysis
@@ -64,7 +72,9 @@ type AnalysisConfig struct {
 	DNSTimeout   time.Duration
 	HTTPTimeout  time.Duration
 	RBLs         []string
-	CheckAllIPs  bool // Check all IPs found in headers, not just the first one
+	DNSWLs       []string
+	CheckAllIPs  bool   // Check all IPs found in headers, not just the first one
+	RspamdAPIURL string // rspamd API URL for fetching symbol descriptions (empty = use embedded list)
 }
 
 // DefaultConfig returns a configuration with sensible defaults
@@ -82,11 +92,13 @@ func DefaultConfig() *Config {
 			Domain:            "happydeliver.local",
 			TestAddressPrefix: "test-",
 			LMTPAddr:          "127.0.0.1:2525",
+			ReceiverHostname:  getHostname(),
 		},
 		Analysis: AnalysisConfig{
 			DNSTimeout:  5 * time.Second,
 			HTTPTimeout: 10 * time.Second,
 			RBLs:        []string{},
+			DNSWLs:      []string{},
 			CheckAllIPs: false, // By default, only check the first IP
 		},
 	}

internal/receiver/receiver.go

@@ -98,6 +98,17 @@ func (r *EmailReceiver) ProcessEmailBytes(rawEmail []byte, recipientEmail string
 
 	log.Printf("Analysis complete. Grade: %s. Score: %d/100", result.Report.Grade, result.Report.Score)
 
+	// Warn if the last Received hop doesn't match the expected receiver hostname
+	if r.config.Email.ReceiverHostname != "" &&
+		result.Report.HeaderAnalysis != nil &&
+		result.Report.HeaderAnalysis.ReceivedChain != nil &&
+		len(*result.Report.HeaderAnalysis.ReceivedChain) > 0 {
+		lastHop := (*result.Report.HeaderAnalysis.ReceivedChain)[0]
+		if lastHop.By != nil && *lastHop.By != r.config.Email.ReceiverHostname {
+			log.Printf("WARNING: Last Received hop 'by' field (%s) does not match expected receiver hostname (%s): check your RECEIVER_HOSTNAME config as authentication results will be false", *lastHop.By, r.config.Email.ReceiverHostname)
+		}
+	}
+
 	// Marshal report to JSON
 	reportJSON, err := json.Marshal(result.Report)
 	if err != nil {

internal/storage/storage.go

@@ -30,6 +30,9 @@ import (
 	"gorm.io/driver/postgres"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
+
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 var (
@@ -45,6 +48,7 @@ type Storage interface {
 	ReportExists(testID uuid.UUID) (bool, error)
 	UpdateReport(testID uuid.UUID, reportJSON []byte) error
 	DeleteOldReports(olderThan time.Time) (int64, error)
+	ListReportSummaries(offset, limit int) ([]model.TestSummary, int64, error)
 
 	// Close closes the database connection
 	Close() error
@@ -139,6 +143,72 @@ func (s *DBStorage) DeleteOldReports(olderThan time.Time) (int64, error) {
 	return result.RowsAffected, nil
 }
 
+// reportSummaryRow is used internally to scan SQL results before converting to model.TestSummary
+type reportSummaryRow struct {
+	TestID     uuid.UUID
+	Score      int
+	Grade      string
+	FromDomain string
+	CreatedAt  time.Time
+}
+
+// ListReportSummaries returns a paginated list of lightweight report summaries
+func (s *DBStorage) ListReportSummaries(offset, limit int) ([]model.TestSummary, int64, error) {
+	var total int64
+	if err := s.db.Model(&Report{}).Count(&total).Error; err != nil {
+		return nil, 0, fmt.Errorf("failed to count reports: %w", err)
+	}
+
+	if total == 0 {
+		return []model.TestSummary{}, 0, nil
+	}
+
+	var selectExpr string
+	switch s.db.Dialector.Name() {
+	case "postgres":
+		selectExpr = `test_id, ` +
+			`(convert_from(report_json, 'UTF8')::jsonb->>'score')::int as score, ` +
+			`convert_from(report_json, 'UTF8')::jsonb->>'grade' as grade, ` +
+			`convert_from(report_json, 'UTF8')::jsonb->'dns_results'->>'from_domain' as from_domain, ` +
+			`created_at`
+	case "sqlite":
+		selectExpr = `test_id, ` +
+			`json_extract(report_json, '$.score') as score, ` +
+			`json_extract(report_json, '$.grade') as grade, ` +
+			`json_extract(report_json, '$.dns_results.from_domain') as from_domain, ` +
+			`created_at`
+	default:
+		return nil, 0, fmt.Errorf("history tests list not implemented in this database dialect")
+	}
+
+	var rows []reportSummaryRow
+	err := s.db.Model(&Report{}).
+		Select(selectExpr).
+		Order("created_at DESC").
+		Offset(offset).
+		Limit(limit).
+		Scan(&rows).Error
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list report summaries: %w", err)
+	}
+
+	summaries := make([]model.TestSummary, 0, len(rows))
+	for _, r := range rows {
+		s := model.TestSummary{
+			TestId:    utils.UUIDToBase32(r.TestID),
+			Score:     r.Score,
+			Grade:     model.TestSummaryGrade(r.Grade),
+			CreatedAt: r.CreatedAt,
+		}
+		if r.FromDomain != "" {
+			s.FromDomain = utils.PtrTo(r.FromDomain)
+		}
+		summaries = append(summaries, s)
+	}
+
+	return summaries, total, nil
+}
+
 // Close closes the database connection
 func (s *DBStorage) Close() error {
 	sqlDB, err := s.db.DB()
@@ -147,3 +217,33 @@ func (s *DBStorage) Close() error {
 	}
 	return sqlDB.Close()
 }
+
+// GetAllReports retrieves all reports from the database
+func GetAllReports(s Storage) ([]Report, error) {
+	dbStorage, ok := s.(*DBStorage)
+	if !ok {
+		return nil, fmt.Errorf("storage type does not support GetAllReports")
+	}
+
+	var reports []Report
+	if err := dbStorage.db.Find(&reports).Error; err != nil {
+		return nil, fmt.Errorf("failed to retrieve reports: %w", err)
+	}
+
+	return reports, nil
+}
+
+// CreateReportFromBackup creates a report from backup data, preserving timestamps
+func CreateReportFromBackup(s Storage, report *Report) (*Report, error) {
+	dbStorage, ok := s.(*DBStorage)
+	if !ok {
+		return nil, fmt.Errorf("storage type does not support CreateReportFromBackup")
+	}
+
+	// Use Create to insert the report with all fields including timestamps
+	if err := dbStorage.db.Create(report).Error; err != nil {
+		return nil, fmt.Errorf("failed to create report from backup: %w", err)
+	}
+
+	return report, nil
+}

internal/utils/ptr.go

@@ -1,5 +1,5 @@
 // This file is part of the happyDeliver (R) project.
-// Copyright (c) 2025 happyDomain
+// Copyright (c) 2026 happyDomain
 // Authors: Pierre-Olivier Mercier, et al.
 //
 // This program is offered under a commercial and under the AGPL license.
@@ -19,11 +19,7 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-package api
-
-func stringPtr(s string) *string {
-	return &s
-}
+package utils
 
 // PtrTo returns a pointer to the provided value
 func PtrTo[T any](v T) *T {

pkg/analyzer/analyzer.go

@@ -28,7 +28,7 @@ import (
 
 	"github.com/google/uuid"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/config"
 )
 
@@ -41,10 +41,13 @@ type EmailAnalyzer struct {
 // NewEmailAnalyzer creates a new email analyzer with the given configuration
 func NewEmailAnalyzer(cfg *config.Config) *EmailAnalyzer {
 	generator := NewReportGenerator(
+		cfg.Email.ReceiverHostname,
 		cfg.Analysis.DNSTimeout,
 		cfg.Analysis.HTTPTimeout,
 		cfg.Analysis.RBLs,
+		cfg.Analysis.DNSWLs,
 		cfg.Analysis.CheckAllIPs,
+		cfg.Analysis.RspamdAPIURL,
 	)
 
 	return &EmailAnalyzer{
@@ -56,7 +59,7 @@ func NewEmailAnalyzer(cfg *config.Config) *EmailAnalyzer {
 type AnalysisResult struct {
 	Email   *EmailMessage
 	Results *AnalysisResults
-	Report  *api.Report
+	Report  *model.Report
 }
 
 // AnalyzeEmailBytes performs complete email analysis from raw bytes
@@ -108,3 +111,40 @@ func (a *APIAdapter) AnalyzeEmailBytes(rawEmail []byte, testID uuid.UUID) ([]byt
 
 	return reportJSON, nil
 }
+
+// AnalyzeDomain performs DNS analysis for a domain and returns the results
+func (a *APIAdapter) AnalyzeDomain(domain string) (*model.DNSResults, int, string) {
+	// Perform DNS analysis
+	dnsResults := a.analyzer.generator.dnsAnalyzer.AnalyzeDomainOnly(domain)
+
+	// Calculate score
+	score, grade := a.analyzer.generator.dnsAnalyzer.CalculateDomainOnlyScore(dnsResults)
+
+	return dnsResults, score, grade
+}
+
+// CheckBlacklistIP checks a single IP address against DNS blacklists and whitelists
+func (a *APIAdapter) CheckBlacklistIP(ip string) ([]model.BlacklistCheck, []model.BlacklistCheck, int, int, string, error) {
+	// Check the IP against all configured RBLs
+	checks, listedCount, err := a.analyzer.generator.rblChecker.CheckIP(ip)
+	if err != nil {
+		return nil, nil, 0, 0, "", err
+	}
+
+	// Calculate score using the existing function
+	// Create a minimal RBLResults structure for scoring
+	results := &DNSListResults{
+		Checks:      map[string][]model.BlacklistCheck{ip: checks},
+		IPsChecked:  []string{ip},
+		ListedCount: listedCount,
+	}
+	score, grade := a.analyzer.generator.rblChecker.CalculateScore(results, false)
+
+	// Check the IP against all configured DNSWLs (informational only)
+	whitelists, _, err := a.analyzer.generator.dnswlChecker.CheckIP(ip)
+	if err != nil {
+		whitelists = nil
+	}
+
+	return checks, whitelists, listedCount, score, grade, nil
+}

pkg/analyzer/authentication.go

@@ -24,23 +24,25 @@ package analyzer
 import (
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // AuthenticationAnalyzer analyzes email authentication results
-type AuthenticationAnalyzer struct{}
+type AuthenticationAnalyzer struct {
+	receiverHostname string
+}
 
 // NewAuthenticationAnalyzer creates a new authentication analyzer
-func NewAuthenticationAnalyzer() *AuthenticationAnalyzer {
-	return &AuthenticationAnalyzer{}
+func NewAuthenticationAnalyzer(receiverHostname string) *AuthenticationAnalyzer {
+	return &AuthenticationAnalyzer{receiverHostname: receiverHostname}
 }
 
 // AnalyzeAuthentication extracts and analyzes authentication results from email headers
-func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api.AuthenticationResults {
-	results := &api.AuthenticationResults{}
+func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *model.AuthenticationResults {
+	results := &model.AuthenticationResults{}
 
 	// Parse Authentication-Results headers
-	authHeaders := email.GetAuthenticationResults()
+	authHeaders := email.GetAuthenticationResults(a.receiverHostname)
 	for _, header := range authHeaders {
 		a.parseAuthenticationResultsHeader(header, results)
 	}
@@ -50,13 +52,6 @@ func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api
 		results.Spf = a.parseLegacySPF(email)
 	}
 
-	if results.Dkim == nil || len(*results.Dkim) == 0 {
-		dkimResults := a.parseLegacyDKIM(email)
-		if len(dkimResults) > 0 {
-			results.Dkim = &dkimResults
-		}
-	}
-
 	// Parse ARC headers if not already parsed from Authentication-Results
 	if results.Arc == nil {
 		results.Arc = a.parseARCHeaders(email)
@@ -70,7 +65,7 @@ func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api
 
 // parseAuthenticationResultsHeader parses an Authentication-Results header
 // Format: example.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com
-func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string, results *api.AuthenticationResults) {
+func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string, results *model.AuthenticationResults) {
 	// Split by semicolon to get individual results
 	parts := strings.Split(header, ";")
 	if len(parts) < 2 {
@@ -96,7 +91,7 @@ func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string,
 			dkimResult := a.parseDKIMResult(part)
 			if dkimResult != nil {
 				if results.Dkim == nil {
-					dkimList := []api.AuthResult{*dkimResult}
+					dkimList := []model.AuthResult{*dkimResult}
 					results.Dkim = &dkimList
 				} else {
 					*results.Dkim = append(*results.Dkim, *dkimResult)
@@ -150,34 +145,37 @@ func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string,
 
 // CalculateAuthenticationScore calculates the authentication score from auth results
 // Returns a score from 0-100 where higher is better
-func (a *AuthenticationAnalyzer) CalculateAuthenticationScore(results *api.AuthenticationResults) (int, string) {
+func (a *AuthenticationAnalyzer) CalculateAuthenticationScore(results *model.AuthenticationResults) (int, string) {
 	if results == nil {
 		return 0, ""
 	}
 
 	score := 0
 
-	// IPRev (15 points)
-	score += 15 * a.calculateIPRevScore(results) / 100
+	// Core authentication (90 points total)
+	// SPF (30 points)
+	score += 30 * a.calculateSPFScore(results) / 100
 
-	// SPF (25 points)
-	score += 25 * a.calculateSPFScore(results) / 100
+	// DKIM (30 points)
+	score += 30 * a.calculateDKIMScore(results) / 100
 
-	// DKIM (23 points)
-	score += 23 * a.calculateDKIMScore(results) / 100
-
-	// X-Google-DKIM (optional) - penalty if failed
-	score += 12 * a.calculateXGoogleDKIMScore(results) / 100
-
-	// X-Aligned-From
-	score += 2 * a.calculateXAlignedFromScore(results) / 100
-
-	// DMARC (25 points)
-	score += 25 * a.calculateDMARCScore(results) / 100
+	// DMARC (30 points)
+	score += 30 * a.calculateDMARCScore(results) / 100
 
 	// BIMI (10 points)
 	score += 10 * a.calculateBIMIScore(results) / 100
 
+	// Penalty-only: IPRev (up to -7 points on failure)
+	if iprevScore := a.calculateIPRevScore(results); iprevScore < 100 {
+		score += 7 * (iprevScore - 100) / 100
+	}
+
+	// Penalty-only: X-Google-DKIM (up to -12 points on failure)
+	score += 12 * a.calculateXGoogleDKIMScore(results) / 100
+
+	// Penalty-only: X-Aligned-From (up to -5 points on failure)
+	score += 5 * a.calculateXAlignedFromScore(results) / 100
+
 	// Ensure score doesn't exceed 100
 	if score > 100 {
 		score = 100

pkg/analyzer/authentication_arc.go

@@ -27,7 +27,8 @@ import (
 	"slices"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // textprotoCanonical converts a header name to canonical form
@@ -52,24 +53,24 @@ func pluralize(count int) string {
 
 // parseARCResult parses ARC result from Authentication-Results
 // Example: arc=pass
-func (a *AuthenticationAnalyzer) parseARCResult(part string) *api.ARCResult {
-	result := &api.ARCResult{}
+func (a *AuthenticationAnalyzer) parseARCResult(part string) *model.ARCResult {
+	result := &model.ARCResult{}
 
 	// Extract result (pass, fail, none)
 	re := regexp.MustCompile(`arc=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.ARCResultResult(resultStr)
+		result.Result = model.ARCResultResult(resultStr)
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "arc="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "arc="))
 
 	return result
 }
 
 // parseARCHeaders parses ARC headers from email message
 // ARC consists of three headers per hop: ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal
-func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCResult {
+func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *model.ARCResult {
 	// Get all ARC-related headers
 	arcAuthResults := email.Header[textprotoCanonical("ARC-Authentication-Results")]
 	arcMessageSig := email.Header[textprotoCanonical("ARC-Message-Signature")]
@@ -80,8 +81,8 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 		return nil
 	}
 
-	result := &api.ARCResult{
-		Result: api.ARCResultResultNone,
+	result := &model.ARCResult{
+		Result: model.ARCResultResultNone,
 	}
 
 	// Count the ARC chain length (number of sets)
@@ -94,15 +95,15 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 
 	// Determine overall result
 	if chainLength == 0 {
-		result.Result = api.ARCResultResultNone
+		result.Result = model.ARCResultResultNone
 		details := "No ARC chain present"
 		result.Details = &details
 	} else if !chainValid {
-		result.Result = api.ARCResultResultFail
+		result.Result = model.ARCResultResultFail
 		details := fmt.Sprintf("ARC chain validation failed (chain length: %d)", chainLength)
 		result.Details = &details
 	} else {
-		result.Result = api.ARCResultResultPass
+		result.Result = model.ARCResultResultPass
 		details := fmt.Sprintf("ARC chain valid with %d intermediar%s", chainLength, pluralize(chainLength))
 		result.Details = &details
 	}
@@ -111,7 +112,7 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 }
 
 // enhanceARCResult enhances an existing ARC result with chain information
-func (a *AuthenticationAnalyzer) enhanceARCResult(email *EmailMessage, arcResult *api.ARCResult) {
+func (a *AuthenticationAnalyzer) enhanceARCResult(email *EmailMessage, arcResult *model.ARCResult) {
 	if arcResult == nil {
 		return
 	}

pkg/analyzer/authentication_arc_test.go

@@ -24,33 +24,33 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseARCResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.ARCResultResult
+		expectedResult model.ARCResultResult
 	}{
 		{
 			name:           "ARC pass",
 			part:           "arc=pass",
-			expectedResult: api.ARCResultResultPass,
+			expectedResult: model.ARCResultResultPass,
 		},
 		{
 			name:           "ARC fail",
 			part:           "arc=fail",
-			expectedResult: api.ARCResultResultFail,
+			expectedResult: model.ARCResultResultFail,
 		},
 		{
 			name:           "ARC none",
 			part:           "arc=none",
-			expectedResult: api.ARCResultResultNone,
+			expectedResult: model.ARCResultResultNone,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -136,7 +136,7 @@ func TestValidateARCChain(t *testing.T) {
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_bimi.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseBIMIResult parses BIMI result from Authentication-Results
 // Example: bimi=pass header.d=example.com header.selector=default
-func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`bimi=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,17 +55,17 @@ func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *api.AuthResult {
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "bimi="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "bimi="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateBIMIScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateBIMIScore(results *model.AuthenticationResults) (score int) {
 	if results.Bimi != nil {
 		switch results.Bimi.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultDeclined:
+		case model.AuthResultResultDeclined:
 			return 59
 		default: // fail
 			return 0

pkg/analyzer/authentication_bimi_test.go

@@ -24,47 +24,47 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseBIMIResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:             "BIMI pass with domain and selector",
 			part:             "bimi=pass header.d=example.com header.selector=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "BIMI fail",
 			part:             "bimi=fail header.d=example.com header.selector=default",
-			expectedResult:   api.AuthResultResultFail,
+			expectedResult:   model.AuthResultResultFail,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "BIMI with short form (d= and selector=)",
 			part:             "bimi=pass d=example.com selector=v1",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "v1",
 		},
 		{
 			name:           "BIMI none",
 			part:           "bimi=none header.d=example.com",
-			expectedResult: api.AuthResultResultNone,
+			expectedResult: model.AuthResultResultNone,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_dkim.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseDKIMResult parses DKIM result from Authentication-Results
 // Example: dkim=pass header.d=example.com header.s=selector1
-func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`dkim=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,52 +55,18 @@ func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *api.AuthResult {
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "dkim="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "dkim="))
 
 	return result
 }
 
-// parseLegacyDKIM attempts to parse DKIM from DKIM-Signature header
-func (a *AuthenticationAnalyzer) parseLegacyDKIM(email *EmailMessage) []api.AuthResult {
-	var results []api.AuthResult
-
-	// Get all DKIM-Signature headers
-	dkimHeaders := email.Header[textprotoCanonical("DKIM-Signature")]
-	for _, dkimHeader := range dkimHeaders {
-		result := api.AuthResult{
-			Result: api.AuthResultResultNone, // We can't determine pass/fail from signature alone
-		}
-
-		// Extract domain (d=)
-		domainRe := regexp.MustCompile(`d=([^\s;]+)`)
-		if matches := domainRe.FindStringSubmatch(dkimHeader); len(matches) > 1 {
-			domain := matches[1]
-			result.Domain = &domain
-		}
-
-		// Extract selector (s=)
-		selectorRe := regexp.MustCompile(`s=([^\s;]+)`)
-		if matches := selectorRe.FindStringSubmatch(dkimHeader); len(matches) > 1 {
-			selector := matches[1]
-			result.Selector = &selector
-		}
-
-		details := "DKIM signature present (verification status unknown)"
-		result.Details = &details
-
-		results = append(results, result)
-	}
-
-	return results
-}
-
-func (a *AuthenticationAnalyzer) calculateDKIMScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateDKIMScore(results *model.AuthenticationResults) (score int) {
 	// Expect at least one passing signature
 	if results.Dkim != nil && len(*results.Dkim) > 0 {
 		hasPass := false
 		hasNonPass := false
 		for _, dkim := range *results.Dkim {
-			if dkim.Result == api.AuthResultResultPass {
+			if dkim.Result == model.AuthResultResultPass {
 				hasPass = true
 			} else {
 				hasNonPass = true

pkg/analyzer/authentication_dkim_test.go

@@ -22,44 +22,43 @@
 package analyzer
 
 import (
-	"strings"
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseDKIMResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:             "DKIM pass with domain and selector",
 			part:             "dkim=pass header.d=example.com header.s=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "DKIM fail",
 			part:             "dkim=fail header.d=example.com header.s=selector1",
-			expectedResult:   api.AuthResultResultFail,
+			expectedResult:   model.AuthResultResultFail,
 			expectedDomain:   "example.com",
 			expectedSelector: "selector1",
 		},
 		{
 			name:             "DKIM with short form (d= and s=)",
 			part:             "dkim=pass d=example.com s=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -85,246 +84,3 @@ func TestParseDKIMResult(t *testing.T) {
 		})
 	}
 }
-
-func TestParseLegacyDKIM(t *testing.T) {
-	tests := []struct {
-		name             string
-		dkimSignatures   []string
-		expectedCount    int
-		expectedDomains  []string
-		expectedSelector []string
-	}{
-		{
-			name: "Single DKIM signature with domain and selector",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; h=from:to:subject:date; bh=xyz; b=abc",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "Multiple DKIM signatures",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc123",
-				"v=1; a=rsa-sha256; d=example.com; s=selector2; b=def456",
-			},
-			expectedCount:    2,
-			expectedDomains:  []string{"example.com", "example.com"},
-			expectedSelector: []string{"selector1", "selector2"},
-		},
-		{
-			name: "DKIM signature with different domain",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=mail.example.org; s=default; b=xyz789",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"mail.example.org"},
-			expectedSelector: []string{"default"},
-		},
-		{
-			name: "DKIM signature with subdomain",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=newsletters.example.com; s=marketing; b=aaa",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"newsletters.example.com"},
-			expectedSelector: []string{"marketing"},
-		},
-		{
-			name: "Multiple signatures from different domains",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com; s=s1; b=abc",
-				"v=1; a=rsa-sha256; d=relay.com; s=s2; b=def",
-			},
-			expectedCount:    2,
-			expectedDomains:  []string{"example.com", "relay.com"},
-			expectedSelector: []string{"s1", "s2"},
-		},
-		{
-			name:             "No DKIM signatures",
-			dkimSignatures:   []string{},
-			expectedCount:    0,
-			expectedDomains:  []string{},
-			expectedSelector: []string{},
-		},
-		{
-			name: "DKIM signature without selector",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com; b=abc123",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{""},
-		},
-		{
-			name: "DKIM signature without domain",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; s=selector1; b=abc123",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{""},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "DKIM signature with whitespace in parameters",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com ; s=selector1 ; b=abc123",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "DKIM signature with multiline format",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=example.com; s=selector1;\r\n\th=from:to:subject:date;\r\n\tb=abc123def456ghi789",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "DKIM signature with ed25519 algorithm",
-			dkimSignatures: []string{
-				"v=1; a=ed25519-sha256; d=example.com; s=ed25519; b=xyz",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"ed25519"},
-		},
-		{
-			name: "Complex real-world DKIM signature",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1234567890; x=1234567950; darn=example.com; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=abc123def456==; b=longsignaturehere==",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"google.com"},
-			expectedSelector: []string{"20230601"},
-		},
-	}
-
-	analyzer := NewAuthenticationAnalyzer()
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Create a mock email message with DKIM-Signature headers
-			email := &EmailMessage{
-				Header: make(map[string][]string),
-			}
-			if len(tt.dkimSignatures) > 0 {
-				email.Header["Dkim-Signature"] = tt.dkimSignatures
-			}
-
-			results := analyzer.parseLegacyDKIM(email)
-
-			// Check count
-			if len(results) != tt.expectedCount {
-				t.Errorf("Expected %d results, got %d", tt.expectedCount, len(results))
-				return
-			}
-
-			// Check each result
-			for i, result := range results {
-				// All legacy DKIM results should have Result = none
-				if result.Result != api.AuthResultResultNone {
-					t.Errorf("Result[%d].Result = %v, want %v", i, result.Result, api.AuthResultResultNone)
-				}
-
-				// Check domain
-				if i < len(tt.expectedDomains) {
-					expectedDomain := tt.expectedDomains[i]
-					if expectedDomain != "" {
-						if result.Domain == nil {
-							t.Errorf("Result[%d].Domain = nil, want %v", i, expectedDomain)
-						} else if strings.TrimSpace(*result.Domain) != expectedDomain {
-							t.Errorf("Result[%d].Domain = %v, want %v", i, *result.Domain, expectedDomain)
-						}
-					}
-				}
-
-				// Check selector
-				if i < len(tt.expectedSelector) {
-					expectedSelector := tt.expectedSelector[i]
-					if expectedSelector != "" {
-						if result.Selector == nil {
-							t.Errorf("Result[%d].Selector = nil, want %v", i, expectedSelector)
-						} else if strings.TrimSpace(*result.Selector) != expectedSelector {
-							t.Errorf("Result[%d].Selector = %v, want %v", i, *result.Selector, expectedSelector)
-						}
-					}
-				}
-
-				// Check that Details is set
-				if result.Details == nil {
-					t.Errorf("Result[%d].Details = nil, expected non-nil", i)
-				} else {
-					expectedDetails := "DKIM signature present (verification status unknown)"
-					if *result.Details != expectedDetails {
-						t.Errorf("Result[%d].Details = %v, want %v", i, *result.Details, expectedDetails)
-					}
-				}
-			}
-		})
-	}
-}
-
-func TestParseLegacyDKIM_Integration(t *testing.T) {
-	hostname = ""
-
-	// Test that parseLegacyDKIM is properly integrated into AnalyzeAuthentication
-	t.Run("Legacy DKIM is used when no Authentication-Results", func(t *testing.T) {
-		analyzer := NewAuthenticationAnalyzer()
-		email := &EmailMessage{
-			Header: make(map[string][]string),
-		}
-		email.Header["Dkim-Signature"] = []string{
-			"v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc",
-		}
-
-		results := analyzer.AnalyzeAuthentication(email)
-
-		if results.Dkim == nil {
-			t.Fatal("Expected DKIM results, got nil")
-		}
-		if len(*results.Dkim) != 1 {
-			t.Errorf("Expected 1 DKIM result, got %d", len(*results.Dkim))
-		}
-		if (*results.Dkim)[0].Result != api.AuthResultResultNone {
-			t.Errorf("Expected DKIM result to be 'none', got %v", (*results.Dkim)[0].Result)
-		}
-		if (*results.Dkim)[0].Domain == nil || *(*results.Dkim)[0].Domain != "example.com" {
-			t.Error("Expected domain to be 'example.com'")
-		}
-	})
-
-	t.Run("Legacy DKIM is NOT used when Authentication-Results present", func(t *testing.T) {
-		analyzer := NewAuthenticationAnalyzer()
-		email := &EmailMessage{
-			Header: make(map[string][]string),
-		}
-		// Both Authentication-Results and DKIM-Signature headers
-		email.Header["Authentication-Results"] = []string{
-			"mx.example.com; dkim=pass header.d=verified.com header.s=s1",
-		}
-		email.Header["Dkim-Signature"] = []string{
-			"v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc",
-		}
-
-		results := analyzer.AnalyzeAuthentication(email)
-
-		// Should use the Authentication-Results DKIM (pass from verified.com), not the legacy signature
-		if results.Dkim == nil {
-			t.Fatal("Expected DKIM results, got nil")
-		}
-		if len(*results.Dkim) != 1 {
-			t.Errorf("Expected 1 DKIM result, got %d", len(*results.Dkim))
-		}
-		if (*results.Dkim)[0].Result != api.AuthResultResultPass {
-			t.Errorf("Expected DKIM result to be 'pass', got %v", (*results.Dkim)[0].Result)
-		}
-		if (*results.Dkim)[0].Domain == nil || *(*results.Dkim)[0].Domain != "verified.com" {
-			t.Error("Expected domain to be 'verified.com' from Authentication-Results, not 'example.com' from legacy")
-		}
-	})
-}

pkg/analyzer/authentication_dmarc.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseDMARCResult parses DMARC result from Authentication-Results
 // Example: dmarc=pass action=none header.from=example.com
-func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`dmarc=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.from)
@@ -47,17 +48,17 @@ func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *api.AuthResult {
 		result.Domain = &domain
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "dmarc="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "dmarc="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateDMARCScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateDMARCScore(results *model.AuthenticationResults) (score int) {
 	if results.Dmarc != nil {
 		switch results.Dmarc.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultNone:
+		case model.AuthResultResultNone:
 			return 33
 		default: // fail
 			return 0

pkg/analyzer/authentication_dmarc_test.go

@@ -24,31 +24,31 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseDMARCResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain string
 	}{
 		{
 			name:           "DMARC pass",
 			part:           "dmarc=pass action=none header.from=example.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "DMARC fail",
 			part:           "dmarc=fail action=quarantine header.from=example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_iprev.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseIPRevResult parses IP reverse lookup result from Authentication-Results
 // Example: iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)
-func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *api.IPRevResult {
-	result := &api.IPRevResult{}
+func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *model.IPRevResult {
+	result := &model.IPRevResult{}
 
 	// Extract result (pass, fail, temperror, permerror, none)
 	re := regexp.MustCompile(`iprev=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.IPRevResultResult(resultStr)
+		result.Result = model.IPRevResultResult(resultStr)
 	}
 
 	// Extract IP address (smtp.remote-ip or remote-ip)
@@ -54,20 +55,20 @@ func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *api.IPRevResult
 		result.Hostname = &hostname
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "iprev="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "iprev="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateIPRevScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateIPRevScore(results *model.AuthenticationResults) (score int) {
 	if results.Iprev != nil {
 		switch results.Iprev.Result {
-		case api.Pass:
+		case model.Pass:
 			return 100
 		default: // fail, temperror, permerror
 			return 0
 		}
 	}
 
-	return 0
+	return 100
 }

pkg/analyzer/authentication_iprev_test.go

@@ -24,76 +24,77 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseIPRevResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.IPRevResultResult
+		expectedResult   model.IPRevResultResult
 		expectedIP       *string
 		expectedHostname *string
 	}{
 		{
 			name:             "IPRev pass with IP and hostname",
 			part:             "iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("195.110.101.58"),
-			expectedHostname: api.PtrTo("authsmtp74.register.it"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("195.110.101.58"),
+			expectedHostname: utils.PtrTo("authsmtp74.register.it"),
 		},
 		{
 			name:             "IPRev pass without smtp prefix",
 			part:             "iprev=pass remote-ip=192.0.2.1 (mail.example.com)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("192.0.2.1"),
-			expectedHostname: api.PtrTo("mail.example.com"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("192.0.2.1"),
+			expectedHostname: utils.PtrTo("mail.example.com"),
 		},
 		{
 			name:             "IPRev fail",
 			part:             "iprev=fail smtp.remote-ip=198.51.100.42 (unknown.host.com)",
-			expectedResult:   api.Fail,
-			expectedIP:       api.PtrTo("198.51.100.42"),
-			expectedHostname: api.PtrTo("unknown.host.com"),
+			expectedResult:   model.Fail,
+			expectedIP:       utils.PtrTo("198.51.100.42"),
+			expectedHostname: utils.PtrTo("unknown.host.com"),
 		},
 		{
 			name:             "IPRev temperror",
 			part:             "iprev=temperror smtp.remote-ip=203.0.113.1",
-			expectedResult:   api.Temperror,
-			expectedIP:       api.PtrTo("203.0.113.1"),
+			expectedResult:   model.Temperror,
+			expectedIP:       utils.PtrTo("203.0.113.1"),
 			expectedHostname: nil,
 		},
 		{
 			name:             "IPRev permerror",
 			part:             "iprev=permerror smtp.remote-ip=192.0.2.100",
-			expectedResult:   api.Permerror,
-			expectedIP:       api.PtrTo("192.0.2.100"),
+			expectedResult:   model.Permerror,
+			expectedIP:       utils.PtrTo("192.0.2.100"),
 			expectedHostname: nil,
 		},
 		{
 			name:             "IPRev with IPv6",
 			part:             "iprev=pass smtp.remote-ip=2001:db8::1 (ipv6.example.com)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("2001:db8::1"),
-			expectedHostname: api.PtrTo("ipv6.example.com"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("2001:db8::1"),
+			expectedHostname: utils.PtrTo("ipv6.example.com"),
 		},
 		{
 			name:             "IPRev with subdomain hostname",
 			part:             "iprev=pass smtp.remote-ip=192.0.2.50 (mail.subdomain.example.com)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("192.0.2.50"),
-			expectedHostname: api.PtrTo("mail.subdomain.example.com"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("192.0.2.50"),
+			expectedHostname: utils.PtrTo("mail.subdomain.example.com"),
 		},
 		{
 			name:             "IPRev pass without parentheses",
 			part:             "iprev=pass smtp.remote-ip=192.0.2.200",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("192.0.2.200"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("192.0.2.200"),
 			expectedHostname: nil,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -142,29 +143,29 @@ func TestParseAuthenticationResultsHeader_IPRev(t *testing.T) {
 	tests := []struct {
 		name                string
 		header              string
-		expectedIPRevResult *api.IPRevResultResult
+		expectedIPRevResult *model.IPRevResultResult
 		expectedIP          *string
 		expectedHostname    *string
 	}{
 		{
 			name:                "IPRev pass in Authentication-Results",
 			header:              "mx.google.com; iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)",
-			expectedIPRevResult: api.PtrTo(api.Pass),
-			expectedIP:          api.PtrTo("195.110.101.58"),
-			expectedHostname:    api.PtrTo("authsmtp74.register.it"),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
+			expectedIP:          utils.PtrTo("195.110.101.58"),
+			expectedHostname:    utils.PtrTo("authsmtp74.register.it"),
 		},
 		{
 			name:                "IPRev with other authentication methods",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; iprev=pass smtp.remote-ip=192.0.2.1 (mail.example.com); dkim=pass header.d=example.com",
-			expectedIPRevResult: api.PtrTo(api.Pass),
-			expectedIP:          api.PtrTo("192.0.2.1"),
-			expectedHostname:    api.PtrTo("mail.example.com"),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
+			expectedIP:          utils.PtrTo("192.0.2.1"),
+			expectedHostname:    utils.PtrTo("mail.example.com"),
 		},
 		{
 			name:                "IPRev fail",
 			header:              "mx.google.com; iprev=fail smtp.remote-ip=198.51.100.42",
-			expectedIPRevResult: api.PtrTo(api.Fail),
-			expectedIP:          api.PtrTo("198.51.100.42"),
+			expectedIPRevResult: utils.PtrTo(model.Fail),
+			expectedIP:          utils.PtrTo("198.51.100.42"),
 			expectedHostname:    nil,
 		},
 		{
@@ -175,17 +176,17 @@ func TestParseAuthenticationResultsHeader_IPRev(t *testing.T) {
 		{
 			name:                "Multiple IPRev results - only first is parsed",
 			header:              "mx.google.com; iprev=pass smtp.remote-ip=192.0.2.1 (first.com); iprev=fail smtp.remote-ip=192.0.2.2 (second.com)",
-			expectedIPRevResult: api.PtrTo(api.Pass),
-			expectedIP:          api.PtrTo("192.0.2.1"),
-			expectedHostname:    api.PtrTo("first.com"),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
+			expectedIP:          utils.PtrTo("192.0.2.1"),
+			expectedHostname:    utils.PtrTo("first.com"),
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{}
+			results := &model.AuthenticationResults{}
 			analyzer.parseAuthenticationResultsHeader(tt.header, results)
 
 			// Check IPRev

pkg/analyzer/authentication_spf.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseSPFResult parses SPF result from Authentication-Results
 // Example: spf=pass smtp.mailfrom=sender@example.com
-func (a *AuthenticationAnalyzer) parseSPFResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseSPFResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`spf=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain
@@ -51,25 +52,35 @@ func (a *AuthenticationAnalyzer) parseSPFResult(part string) *api.AuthResult {
 		}
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "spf="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "spf="))
 
 	return result
 }
 
 // parseLegacySPF attempts to parse SPF from Received-SPF header
-func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *model.AuthResult {
 	receivedSPF := email.Header.Get("Received-SPF")
 	if receivedSPF == "" {
 		return nil
 	}
 
-	result := &api.AuthResult{}
+	// Verify receiver matches our hostname
+	if a.receiverHostname != "" {
+		receiverRe := regexp.MustCompile(`receiver=([^\s;]+)`)
+		if matches := receiverRe.FindStringSubmatch(receivedSPF); len(matches) > 1 {
+			if matches[1] != a.receiverHostname {
+				return nil
+			}
+		}
+	}
+
+	result := &model.AuthResult{}
 
 	// Extract result (first word)
 	parts := strings.Fields(receivedSPF)
 	if len(parts) > 0 {
 		resultStr := strings.ToLower(parts[0])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	result.Details = &receivedSPF
@@ -87,14 +98,14 @@ func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *api.AuthRe
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateSPFScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateSPFScore(results *model.AuthenticationResults) (score int) {
 	if results.Spf != nil {
 		switch results.Spf.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultNeutral, api.AuthResultResultNone:
+		case model.AuthResultResultNeutral, model.AuthResultResultNone:
 			return 50
-		case api.AuthResultResultSoftfail:
+		case model.AuthResultResultSoftfail:
 			return 17
 		default: // fail, temperror, permerror
 			return 0

pkg/analyzer/authentication_spf_test.go

@@ -24,43 +24,44 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseSPFResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain string
 	}{
 		{
 			name:           "SPF pass with domain",
 			part:           "spf=pass smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF fail",
 			part:           "spf=fail smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF neutral",
 			part:           "spf=neutral smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultNeutral,
+			expectedResult: model.AuthResultResultNeutral,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF softfail",
 			part:           "spf=softfail smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultSoftfail,
+			expectedResult: model.AuthResultResultSoftfail,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -84,7 +85,7 @@ func TestParseLegacySPF(t *testing.T) {
 	tests := []struct {
 		name           string
 		receivedSPF    string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain *string
 		expectNil      bool
 	}{
@@ -97,8 +98,8 @@ func TestParseLegacySPF(t *testing.T) {
     envelope-from="user@example.com";
     helo=smtp.example.com;
     client-ip=192.0.2.10`,
-			expectedResult: api.AuthResultResultPass,
-			expectedDomain: api.PtrTo("example.com"),
+			expectedResult: model.AuthResultResultPass,
+			expectedDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name: "SPF fail with sender",
@@ -109,43 +110,43 @@ func TestParseLegacySPF(t *testing.T) {
     sender="sender@test.com";
     helo=smtp.test.com;
     client-ip=192.0.2.20`,
-			expectedResult: api.AuthResultResultFail,
-			expectedDomain: api.PtrTo("test.com"),
+			expectedResult: model.AuthResultResultFail,
+			expectedDomain: utils.PtrTo("test.com"),
 		},
 		{
 			name:           "SPF softfail",
 			receivedSPF:    "softfail (example.com: transitioning domain of admin@example.org does not designate 192.0.2.30 as permitted sender) envelope-from=\"admin@example.org\"",
-			expectedResult: api.AuthResultResultSoftfail,
-			expectedDomain: api.PtrTo("example.org"),
+			expectedResult: model.AuthResultResultSoftfail,
+			expectedDomain: utils.PtrTo("example.org"),
 		},
 		{
 			name:           "SPF neutral",
 			receivedSPF:    "neutral (example.com: 192.0.2.40 is neither permitted nor denied by domain of info@domain.net) envelope-from=\"info@domain.net\"",
-			expectedResult: api.AuthResultResultNeutral,
-			expectedDomain: api.PtrTo("domain.net"),
+			expectedResult: model.AuthResultResultNeutral,
+			expectedDomain: utils.PtrTo("domain.net"),
 		},
 		{
 			name:           "SPF none",
 			receivedSPF:    "none (example.com: domain of noreply@company.io has no SPF record) envelope-from=\"noreply@company.io\"",
-			expectedResult: api.AuthResultResultNone,
-			expectedDomain: api.PtrTo("company.io"),
+			expectedResult: model.AuthResultResultNone,
+			expectedDomain: utils.PtrTo("company.io"),
 		},
 		{
 			name:           "SPF temperror",
 			receivedSPF:    "temperror (example.com: error in processing SPF record) envelope-from=\"support@shop.example\"",
-			expectedResult: api.AuthResultResultTemperror,
-			expectedDomain: api.PtrTo("shop.example"),
+			expectedResult: model.AuthResultResultTemperror,
+			expectedDomain: utils.PtrTo("shop.example"),
 		},
 		{
 			name:           "SPF permerror",
 			receivedSPF:    "permerror (example.com: domain of contact@invalid.test has invalid SPF record) envelope-from=\"contact@invalid.test\"",
-			expectedResult: api.AuthResultResultPermerror,
-			expectedDomain: api.PtrTo("invalid.test"),
+			expectedResult: model.AuthResultResultPermerror,
+			expectedDomain: utils.PtrTo("invalid.test"),
 		},
 		{
 			name:           "SPF pass without domain extraction",
 			receivedSPF:    "pass (example.com: 192.0.2.50 is authorized)",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: nil,
 		},
 		{
@@ -156,12 +157,12 @@ func TestParseLegacySPF(t *testing.T) {
 		{
 			name:           "SPF with unquoted envelope-from",
 			receivedSPF:    "pass (example.com: sender SPF authorized) envelope-from=postmaster@mail.example.net",
-			expectedResult: api.AuthResultResultPass,
-			expectedDomain: api.PtrTo("mail.example.net"),
+			expectedResult: model.AuthResultResultPass,
+			expectedDomain: utils.PtrTo("mail.example.net"),
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_test.go

@@ -24,83 +24,84 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestGetAuthenticationScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		results       *api.AuthenticationResults
+		results       *model.AuthenticationResults
 		expectedScore int
 	}{
 		{
 			name: "Perfect authentication (SPF + DKIM + DMARC)",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
-				Dkim: &[]api.AuthResult{
-					{Result: api.AuthResultResultPass},
+				Dkim: &[]model.AuthResult{
+					{Result: model.AuthResultResultPass},
 				},
-				Dmarc: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+				Dmarc: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
 			},
-			expectedScore: 73, // SPF=25 + DKIM=23 + DMARC=25
+			expectedScore: 90, // SPF=30 + DKIM=30 + DMARC=30
 		},
 		{
 			name: "SPF and DKIM only",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
-				Dkim: &[]api.AuthResult{
-					{Result: api.AuthResultResultPass},
+				Dkim: &[]model.AuthResult{
+					{Result: model.AuthResultResultPass},
 				},
 			},
-			expectedScore: 48, // SPF=25 + DKIM=23
+			expectedScore: 60, // SPF=30 + DKIM=30
 		},
 		{
 			name: "SPF fail, DKIM pass",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultFail,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultFail,
 				},
-				Dkim: &[]api.AuthResult{
-					{Result: api.AuthResultResultPass},
+				Dkim: &[]model.AuthResult{
+					{Result: model.AuthResultResultPass},
 				},
 			},
-			expectedScore: 23, // SPF=0 + DKIM=23
+			expectedScore: 30, // SPF=0 + DKIM=30
 		},
 		{
 			name: "SPF softfail",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultSoftfail,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultSoftfail,
 				},
 			},
-			expectedScore: 4,
+			expectedScore: 5, // 30 * 17 / 100 = 5
 		},
 		{
 			name:          "No authentication",
-			results:       &api.AuthenticationResults{},
+			results:       &model.AuthenticationResults{},
 			expectedScore: 0,
 		},
 		{
 			name: "BIMI adds to score",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
-				Bimi: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+				Bimi: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
 			},
-			expectedScore: 35, // SPF (25) + BIMI (10)
+			expectedScore: 40, // SPF (30) + BIMI (10)
 		},
 	}
 
-	scorer := NewAuthenticationAnalyzer()
+	scorer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -117,30 +118,30 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 	tests := []struct {
 		name                string
 		header              string
-		expectedSPFResult   *api.AuthResultResult
+		expectedSPFResult   *model.AuthResultResult
 		expectedSPFDomain   *string
 		expectedDKIMCount   int
-		expectedDKIMResult  *api.AuthResultResult
-		expectedDMARCResult *api.AuthResultResult
+		expectedDKIMResult  *model.AuthResultResult
+		expectedDMARCResult *model.AuthResultResult
 		expectedDMARCDomain *string
-		expectedBIMIResult  *api.AuthResultResult
-		expectedARCResult   *api.ARCResultResult
+		expectedBIMIResult  *model.AuthResultResult
+		expectedARCResult   *model.ARCResultResult
 	}{
 		{
 			name:                "Complete authentication results",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCDomain: api.PtrTo("example.com"),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name:                "SPF only",
 			header:              "mail.example.com; spf=pass smtp.mailfrom=user@domain.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("domain.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:   utils.PtrTo("domain.com"),
 			expectedDKIMCount:   0,
 			expectedDMARCResult: nil,
 		},
@@ -149,68 +150,68 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 			header:             "mail.example.com; dkim=pass header.d=example.com header.s=selector1",
 			expectedSPFResult:  nil,
 			expectedDKIMCount:  1,
-			expectedDKIMResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:                "Multiple DKIM signatures",
 			header:              "mail.example.com; dkim=pass header.d=example.com header.s=s1; dkim=pass header.d=example.com header.s=s2",
 			expectedSPFResult:   nil,
 			expectedDKIMCount:   2,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "SPF fail with DKIM pass",
 			header:              "mail.example.com; spf=fail smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultFail),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultFail),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "SPF softfail",
 			header:              "mail.example.com; spf=softfail smtp.mailfrom=sender@example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultSoftfail),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultSoftfail),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   0,
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "DMARC fail",
 			header:              "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=fail action=quarantine header.from=example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultFail),
-			expectedDMARCDomain: api.PtrTo("example.com"),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultFail),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name:               "BIMI pass",
 			header:             "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; bimi=pass header.d=example.com header.selector=default",
-			expectedSPFResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:  api.PtrTo("example.com"),
+			expectedSPFResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:  utils.PtrTo("example.com"),
 			expectedDKIMCount:  0,
-			expectedBIMIResult: api.PtrTo(api.AuthResultResultPass),
+			expectedBIMIResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:              "ARC pass",
 			header:            "mail.example.com; arc=pass",
 			expectedSPFResult: nil,
 			expectedDKIMCount: 0,
-			expectedARCResult: api.PtrTo(api.ARCResultResultPass),
+			expectedARCResult: utils.PtrTo(model.ARCResultResultPass),
 		},
 		{
 			name:                "All authentication methods",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com; bimi=pass header.d=example.com header.selector=v1; arc=pass",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCDomain: api.PtrTo("example.com"),
-			expectedBIMIResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedARCResult:   api.PtrTo(api.ARCResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
+			expectedBIMIResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedARCResult:   utils.PtrTo(model.ARCResultResultPass),
 		},
 		{
 			name:              "Empty header (authserv-id only)",
@@ -221,8 +222,8 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 		{
 			name:              "Empty parts with semicolons",
 			header:            "mx.google.com; ; ; spf=pass smtp.mailfrom=sender@example.com; ;",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain: api.PtrTo("example.com"),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain: utils.PtrTo("example.com"),
 			expectedDKIMCount: 0,
 		},
 		{
@@ -230,28 +231,28 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 			header:             "mail.example.com; dkim=pass d=example.com s=selector1",
 			expectedSPFResult:  nil,
 			expectedDKIMCount:  1,
-			expectedDKIMResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:              "SPF neutral",
 			header:            "mail.example.com; spf=neutral smtp.mailfrom=sender@example.com",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultNeutral),
-			expectedSPFDomain: api.PtrTo("example.com"),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultNeutral),
+			expectedSPFDomain: utils.PtrTo("example.com"),
 			expectedDKIMCount: 0,
 		},
 		{
 			name:              "SPF none",
 			header:            "mail.example.com; spf=none",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultNone),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultNone),
 			expectedDKIMCount: 0,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{}
+			results := &model.AuthenticationResults{}
 			analyzer.parseAuthenticationResultsHeader(tt.header, results)
 
 			// Check SPF
@@ -353,17 +354,17 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 
 func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 	// This test verifies that only the first occurrence of each auth method is parsed
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	t.Run("Multiple SPF results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; spf=pass smtp.mailfrom=first@example.com; spf=fail smtp.mailfrom=second@example.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Spf == nil {
 			t.Fatal("Expected SPF result, got nil")
 		}
-		if results.Spf.Result != api.AuthResultResultPass {
+		if results.Spf.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first SPF result (pass), got %v", results.Spf.Result)
 		}
 		if results.Spf.Domain == nil || *results.Spf.Domain != "example.com" {
@@ -373,13 +374,13 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 
 	t.Run("Multiple DMARC results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; dmarc=pass header.from=first.com; dmarc=fail header.from=second.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Dmarc == nil {
 			t.Fatal("Expected DMARC result, got nil")
 		}
-		if results.Dmarc.Result != api.AuthResultResultPass {
+		if results.Dmarc.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first DMARC result (pass), got %v", results.Dmarc.Result)
 		}
 		if results.Dmarc.Domain == nil || *results.Dmarc.Domain != "first.com" {
@@ -389,26 +390,26 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 
 	t.Run("Multiple ARC results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; arc=pass; arc=fail"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Arc == nil {
 			t.Fatal("Expected ARC result, got nil")
 		}
-		if results.Arc.Result != api.ARCResultResultPass {
+		if results.Arc.Result != model.ARCResultResultPass {
 			t.Errorf("Expected first ARC result (pass), got %v", results.Arc.Result)
 		}
 	})
 
 	t.Run("Multiple BIMI results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; bimi=pass header.d=first.com; bimi=fail header.d=second.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Bimi == nil {
 			t.Fatal("Expected BIMI result, got nil")
 		}
-		if results.Bimi.Result != api.AuthResultResultPass {
+		if results.Bimi.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first BIMI result (pass), got %v", results.Bimi.Result)
 		}
 		if results.Bimi.Domain == nil || *results.Bimi.