Add instruction to use with new happyDomain checker

Split api/openapi.yaml schemas into api/schemas.yaml so structs can be
generated independently from the API server code. Models now generate
into internal/model/ via oapi-codegen, with the server referencing them
through import-mapping. Moved PtrTo helper to internal/utils and removed
storage.ReportSummary in favor of model.TestSummary.

.drone.yml

@@ -9,7 +9,7 @@ platform:
 
 steps:
 - name: frontend
-  image: node:22-alpine
+  image: node:24-alpine
   commands:
   - cd web
   - npm install --network-timeout=100000

.gitignore

@@ -26,5 +26,5 @@ logs/
 *.sqlite3
 
 # OpenAPI generated files
-internal/api/models.gen.go
 internal/api/server.gen.go
+internal/model/types.gen.go

Dockerfile

@@ -1,6 +1,6 @@
 # Multi-stage Dockerfile for happyDeliver with integrated MTA
 # Stage 1: Build the Svelte application
-FROM node:22-alpine AS nodebuild
+FROM node:24-alpine AS nodebuild
 
 WORKDIR /build
 
@@ -34,7 +34,7 @@ RUN go generate ./... && \
 # Stage 3: Prepare perl and spamass-milt
 FROM alpine:3 AS pl
 
-RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+RUN echo "@edge https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
     apk add --no-cache \
     build-base \
     libmilter-dev \
@@ -55,7 +55,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/a
     perl-json-xs \
     perl-list-moreutils \
     perl-moose \
-    perl-net-idn-encode@testing \
+    perl-net-idn-encode@edge \
     perl-net-ssleay \
     perl-netaddr-ip \
     perl-package-stash \
@@ -86,7 +86,7 @@ RUN wget https://download.savannah.nongnu.org/releases/spamass-milt/spamass-milt
 FROM alpine:3
 
 # Install all required packages
-RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+RUN echo "@edge https://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
     apk add --no-cache \
     bash \
     ca-certificates \
@@ -106,7 +106,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/a
     perl-json-xs \
     perl-list-moreutils \
     perl-moose \
-    perl-net-idn-encode@testing \
+    perl-net-idn-encode@edge \
     perl-net-ssleay \
     perl-netaddr-ip \
     perl-package-stash \
@@ -121,6 +121,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/a
     perl-xml-libxml \
     postfix \
     postfix-pcre \
+    rspamd \
     spamassassin \
     spamassassin-client \
     supervisor \
@@ -143,8 +144,11 @@ RUN mkdir -p /etc/happydeliver \
     /var/lib/authentication_milter \
     /var/spool/postfix/authentication_milter \
     /var/spool/postfix/spamassassin \
+    /var/spool/postfix/rspamd \
     && chown -R happydeliver:happydeliver /var/lib/happydeliver /var/log/happydeliver \
-    && chown -R mail:mail /var/spool/postfix/authentication_milter /var/spool/postfix/spamassassin
+    && chown -R mail:mail /var/spool/postfix/authentication_milter /var/spool/postfix/spamassassin \
+    && chown rspamd:mail /var/spool/postfix/rspamd \
+    && chmod 750 /var/spool/postfix/rspamd
 
 # Copy the built application
 COPY --from=builder /build/happyDeliver /usr/local/bin/happyDeliver
@@ -154,6 +158,7 @@ RUN chmod +x /usr/local/bin/happyDeliver
 COPY docker/postfix/ /etc/postfix/
 COPY docker/authentication_milter/authentication_milter.json /etc/authentication_milter.json
 COPY docker/spamassassin/ /etc/mail/spamassassin/
+COPY docker/rspamd/local.d/ /etc/rspamd/local.d/
 COPY docker/supervisor/ /etc/supervisor/
 COPY docker/entrypoint.sh /entrypoint.sh
 
@@ -165,11 +170,21 @@ RUN chmod +x /entrypoint.sh
 EXPOSE 25 8080
 
 # Default configuration
-ENV HAPPYDELIVER_DATABASE_TYPE=sqlite HAPPYDELIVER_DATABASE_DSN=/var/lib/happydeliver/happydeliver.db HAPPYDELIVER_DOMAIN=happydeliver.local HAPPYDELIVER_ADDRESS_PREFIX=test- HAPPYDELIVER_DNS_TIMEOUT=5s HAPPYDELIVER_HTTP_TIMEOUT=10s HAPPYDELIVER_RBL=zen.spamhaus.org,bl.spamcop.net,b.barracudacentral.org,dnsbl.sorbs.net,dnsbl-1.uceprotect.net,bl.mailspike.net
+ENV HAPPYDELIVER_DATABASE_TYPE=sqlite \
+    HAPPYDELIVER_DATABASE_DSN=/var/lib/happydeliver/happydeliver.db \
+    HAPPYDELIVER_DOMAIN=happydeliver.local \
+    HAPPYDELIVER_ADDRESS_PREFIX=test- \
+    HAPPYDELIVER_DNS_TIMEOUT=5s \
+    HAPPYDELIVER_HTTP_TIMEOUT=10s \
+    HAPPYDELIVER_RSPAMD_API_URL=http://127.0.0.1:11334
 
 # Volume for persistent data
 VOLUME ["/var/lib/happydeliver", "/var/log/happydeliver"]
 
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+    CMD wget --quiet --tries=1 --spider http://localhost:8080/api/status || exit 1
+
 # Set entrypoint
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

README.md

@@ -6,7 +6,7 @@ An open-source email deliverability testing platform that analyzes test emails a
 
 ## Features
 
-- **Complete Email Analysis**: Analyzes SPF, DKIM, DMARC, BIMI, ARC, SpamAssassin scores, DNS records, blacklist status, content quality, and more
+- **Complete Email Analysis**: Analyzes SPF, DKIM, DMARC, BIMI, ARC, SpamAssassin and rspamd scores, DNS records, blacklist status, content quality, and more
 - **REST API**: Full-featured API for creating tests and retrieving reports
 - **LMTP Server**: Built-in LMTP server for seamless MTA integration
 - **Scoring System**: Gives A to F grades and scoring with weighted factors across dns, authentication, spam, blacklists, content, and headers
@@ -26,6 +26,7 @@ The easiest way to run happyDeliver is using the all-in-one Docker container tha
 - **Postfix MTA**: Receives emails on port 25
 - **authentication_milter**: Entreprise grade email authentication
 - **SpamAssassin**: Spam scoring and analysis
+- **rspamd**: Second spam filter for cross-validated scoring
 - **happyDeliver API**: REST API server on port 8080
 - **SQLite Database**: Persistent storage for tests and reports
 
@@ -37,7 +38,7 @@ git clone https://git.nemunai.re/happyDomain/happyDeliver.git
 cd happydeliver
 
 # Edit docker-compose.yml to set your domain
-# Change HAPPYDELIVER_DOMAIN and HOSTNAME environment variables
+# Change HAPPYDELIVER_DOMAIN environment variable and hostname
 
 # Build and start
 docker-compose up -d
@@ -63,13 +64,54 @@ docker run -d \
   -p 25:25 \
   -p 8080:8080 \
   -e HAPPYDELIVER_DOMAIN=yourdomain.com \
-  -e HOSTNAME=mail.yourdomain.com \
+  --hostname mail.yourdomain.com \
   -v $(pwd)/data:/var/lib/happydeliver \
   -v $(pwd)/logs:/var/log/happydeliver \
   happydeliver:latest
 ```
 
-#### 3. Configure Network and DNS
+#### 3. Configure TLS Certificates (Optional but Recommended)
+
+To enable TLS encryption for incoming SMTP connections, you can configure Postfix to use your SSL/TLS certificates. This is highly recommended for production deployments.
+
+##### Using docker-compose
+
+Add the certificate paths to your `docker-compose.yml`:
+
+```yaml
+environment:
+  - POSTFIX_CERT_FILE=/etc/ssl/certs/mail.yourdomain.com.crt
+  - POSTFIX_KEY_FILE=/etc/ssl/private/mail.yourdomain.com.key
+volumes:
+  - /path/to/your/certificate.crt:/etc/ssl/certs/mail.yourdomain.com.crt:ro
+  - /path/to/your/private.key:/etc/ssl/private/mail.yourdomain.com.key:ro
+```
+
+##### Using docker run
+
+```bash
+docker run -d \
+  --name happydeliver \
+  -p 25:25 \
+  -p 8080:8080 \
+  -e HAPPYDELIVER_DOMAIN=yourdomain.com \
+  -e POSTFIX_CERT_FILE=/etc/ssl/certs/mail.yourdomain.com.crt \
+  -e POSTFIX_KEY_FILE=/etc/ssl/private/mail.yourdomain.com.key \
+  --hostname mail.yourdomain.com \
+  -v /path/to/your/certificate.crt:/etc/ssl/certs/mail.yourdomain.com.crt:ro \
+  -v /path/to/your/private.key:/etc/ssl/private/mail.yourdomain.com.key:ro \
+  -v $(pwd)/data:/var/lib/happydeliver \
+  -v $(pwd)/logs:/var/log/happydeliver \
+  happydeliver:latest
+```
+
+**Notes:**
+- The certificate file should contain the full certificate chain (certificate + intermediate CAs)
+- The private key file must be readable by the postfix user inside the container
+- TLS is configured with `smtpd_tls_security_level = may`, which means it's opportunistic (STARTTLS supported but not required)
+- If both environment variables are not set, Postfix will run without TLS support
+
+#### 4. Configure Network and DNS
 
 ##### Open SMTP Port
 
@@ -121,10 +163,27 @@ The server will start on `http://localhost:8080` by default.
 
 #### 3. Integrate with your existing e-mail setup
 
-It is expected your setup annotate the email with eg. opendkim, spamassassin, ...
+It is expected your setup annotate the email with eg. opendkim, spamassassin, rspamd, ...
 happyDeliver will not perform thoses checks, it relies instead on standard software to have real world annotations.
 
-Choose one of the following way to integrate happyDeliver in your existing setup:
+#### Receiver Hostname
+
+happyDeliver filters `Authentication-Results` headers by hostname to only trust headers added by your MTA (and not headers that may have been injected by the sender). By default, it uses the system hostname (`os.Hostname()`).
+
+If your MTA's `authserv-id` (the hostname at the beginning of `Authentication-Results` headers) differs from the machine running happyDeliver, you must set it explicitly:
+
+```bash
+./happyDeliver server -receiver-hostname mail.example.com
+```
+
+Or via environment variable:
+```bash
+HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com ./happyDeliver server
+```
+
+**How to find the correct value:** look at the `Authentication-Results` headers in a received email. They start with the authserv-id, e.g. `Authentication-Results: mail.example.com; spf=pass ...` — in this case, use `mail.example.com`.
+
+If the value is misconfigured, happyDeliver will log a warning when the last `Received` hop doesn't match the expected hostname.
 
 #### Postfix LMTP Transport
 
@@ -220,6 +279,33 @@ cat email.eml | ./happyDeliver analyze -recipient test-uuid@yourdomain.com
 
 **Note:** In production, emails are delivered via LMTP (see integration instructions above).
 
+## Use with happyDomain
+
+happyDeliver can be driven by [happyDomain](https://happydomain.org) through
+the [`checker-happydeliver`](https://git.nemunai.re/happyDomain/checker-happydeliver)
+plugin, so the deliverability of a domain you manage is monitored alongside
+its DNS and inbound SMTP posture.
+
+How it works:
+
+1. Attach the **Outbound deliverability** checker to the mail service of a zone
+   in happyDomain. Point it at a happyDeliver instance via `happydeliver_url`;
+   operators can configure a default instance globally.
+2. On each run, the checker calls `POST /api/test` to allocate a fresh
+   recipient address, prompts the user (or an automated sender) to mail it from
+   the tested domain, then polls `GET /api/test/{id}` until the report is
+   ready.
+3. The structured report from `GET /api/report/{id}` is translated into
+   happyDomain rule states: CRIT/WARN/INFO on SPF, DKIM, DMARC, alignment, spam
+   score, blacklists and headers, plus an overall score threshold
+   (`min_score`/`warn_score`).
+4. Runs repeat on a configurable interval so a regression in deliverability (a
+   new RBL listing, a DKIM key rotation gone wrong, a broken SPF include, ...)
+   surfaces as a domain-level alert in happyDomain.
+
+See the [`checker-happydeliver` repository](https://git.nemunai.re/happyDomain/checker-happydeliver)
+for build instructions and the full list of run options.
+
 ## Scoring System
 
 The deliverability score is calculated from A to F based on:
@@ -228,7 +314,7 @@ The deliverability score is calculated from A to F based on:
 - **Authentication**: IPRev, SPF, DKIM, DMARC, BIMI and ARC validation
 - **Blacklist**: RBL/DNSBL checks
 - **Headers**: Required headers, MIME structure, Domain alignment
-- **Spam**: SpamAssassin score
+- **Spam**: SpamAssassin and rspamd scores (combined 50/50)
 - **Content**: HTML quality, links, images, unsubscribe
 
 ## Funding

api/config-models.yaml

@@ -1,5 +1,9 @@
-package: api
+package: model
 generate:
   models: true
-  embedded-spec: false
-output: internal/api/models.gen.go
+  embedded-spec: true
+output: internal/model/types.gen.go
+output-options:
+  skip-prune: true
+import-mapping:
+  ./schemas.yaml: "-"

api/config-server.yaml

@@ -1,5 +1,8 @@
 package: api
 generate:
   gin-server: true
+  models: true
   embedded-spec: true
 output: internal/api/server.gen.go
+import-mapping:
+  ./schemas.yaml: git.happydns.org/happyDeliver/internal/model

cmd/happyDeliver/main.go

@@ -33,8 +33,8 @@ import (
 )
 
 func main() {
-	fmt.Println("happyDeliver - Email Deliverability Testing Platform")
-	fmt.Printf("Version: %s\n", version.Version)
+	fmt.Fprintln(os.Stderr, "happyDeliver - Email Deliverability Testing Platform")
+	fmt.Fprintf(os.Stderr, "Version: %s\n", version.Version)
 
 	cfg, err := config.ConsolidateConfig()
 	if err != nil {
@@ -52,6 +52,18 @@ func main() {
 		if err := app.RunAnalyzer(cfg, flag.Args()[1:], os.Stdin, os.Stdout); err != nil {
 			log.Fatalf("Analyzer error: %v", err)
 		}
+	case "backup":
+		if err := app.RunBackup(cfg); err != nil {
+			log.Fatalf("Backup error: %v", err)
+		}
+	case "restore":
+		inputFile := ""
+		if len(flag.Args()) >= 2 {
+			inputFile = flag.Args()[1]
+		}
+		if err := app.RunRestore(cfg, inputFile); err != nil {
+			log.Fatalf("Restore error: %v", err)
+		}
 	case "version":
 		fmt.Println(version.Version)
 	default:
@@ -63,9 +75,11 @@ func main() {
 
 func printUsage() {
 	fmt.Println("\nCommand availables:")
-	fmt.Println("  happyDeliver server          - Start the API server")
-	fmt.Println("  happyDeliver analyze [-json] - Analyze email from stdin and output results to terminal")
-	fmt.Println("  happyDeliver version         - Print version information")
+	fmt.Println("  happyDeliver server            - Start the API server")
+	fmt.Println("  happyDeliver analyze [-json]   - Analyze email from stdin and output results to terminal")
+	fmt.Println("  happyDeliver backup            - Backup database to stdout as JSON")
+	fmt.Println("  happyDeliver restore [file]    - Restore database from JSON file or stdin")
+	fmt.Println("  happyDeliver version           - Print version information")
 	fmt.Println("")
 	flag.Usage()
 }

docker-compose.yml

@@ -3,14 +3,14 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
-    image: happydeliver:latest
+    image: happydomain/happydeliver:latest
     container_name: happydeliver
+    # Set a hostname
     hostname: mail.happydeliver.local
 
     environment:
-      # Set your domain and hostname
-      DOMAIN: happydeliver.local
-      HOSTNAME: mail.happydeliver.local
+      # Set your domain
+      HAPPYDELIVER_DOMAIN: happydeliver.local
 
     ports:
       # SMTP port
@@ -26,13 +26,6 @@ services:
 
     restart: unless-stopped
 
-    healthcheck:
-      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/api/status"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 40s
-
 volumes:
   data:
   logs:

docker/README.md

@@ -109,12 +109,37 @@ Default configuration for the Docker environment:
 
 The container accepts these environment variables:
 
-- `DOMAIN`: Email domain for test addresses (default: happydeliver.local)
-- `HOSTNAME`: Container hostname (default: mail.happydeliver.local)
+- `HAPPYDELIVER_DOMAIN`: Email domain for test addresses (default: happydeliver.local)
+- `HAPPYDELIVER_RECEIVER_HOSTNAME`: Hostname used to filter `Authentication-Results` headers (see below)
+- `POSTFIX_CERT_FILE` / `POSTFIX_KEY_FILE`: TLS certificate and key paths for Postfix SMTP
+
+### Receiver Hostname
+
+happyDeliver filters `Authentication-Results` headers by hostname to only trust results from the expected MTA. By default, it uses the system hostname (i.e., the container's `--hostname`).
+
+In the all-in-one Docker container, the container hostname is also used as the `authserv-id` in the embedded Postfix and authentication_milter, so everything matches automatically.
+
+**When bypassing the embedded Postfix** (e.g., routing emails from your own MTA via LMTP), your MTA's `authserv-id` will likely differ from the container hostname. In that case, set `HAPPYDELIVER_RECEIVER_HOSTNAME` to your MTA's hostname:
 
-Example:
 ```bash
-docker run -e DOMAIN=example.com -e HOSTNAME=mail.example.com ...
+docker run -d \
+  -e HAPPYDELIVER_DOMAIN=example.com \
+  -e HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com \
+  ...
+```
+
+To find the correct value, look at the `Authentication-Results` headers in a received email — they start with the authserv-id, e.g. `Authentication-Results: mail.example.com; spf=pass ...`.
+
+If the value is misconfigured, happyDeliver will log a warning when the last `Received` hop doesn't match the expected hostname.
+
+Example (all-in-one, no override needed):
+```bash
+docker run -e HAPPYDELIVER_DOMAIN=example.com --hostname mail.example.com ...
+```
+
+Example (external MTA integration):
+```bash
+docker run -e HAPPYDELIVER_DOMAIN=example.com -e HAPPYDELIVER_RECEIVER_HOSTNAME=mail.example.com ...
 ```
 
 ## Volumes

docker/entrypoint.sh

@@ -4,7 +4,7 @@ set -e
 echo "Starting happyDeliver container..."
 
 # Get environment variables with defaults
-HOSTNAME="${HOSTNAME:-mail.happydeliver.local}"
+[ -n "${HOSTNAME}" ] || HOSTNAME=$(hostname)
 HAPPYDELIVER_DOMAIN="${HAPPYDELIVER_DOMAIN:-happydeliver.local}"
 
 echo "Hostname: $HOSTNAME"
@@ -15,6 +15,10 @@ mkdir -p /var/spool/postfix/authentication_milter
 chown mail:mail /var/spool/postfix/authentication_milter
 chmod 750 /var/spool/postfix/authentication_milter
 
+mkdir -p /var/spool/postfix/rspamd
+chown rspamd:mail /var/spool/postfix/rspamd
+chmod 750 /var/spool/postfix/rspamd
+
 # Create log directory
 mkdir -p /var/log/happydeliver /var/cache/authentication_milter /var/spool/authentication_milter /var/lib/authentication_milter /run/authentication_milter
 chown happydeliver:happydeliver /var/log/happydeliver
@@ -25,6 +29,15 @@ echo "Configuring Postfix..."
 sed -i "s/__HOSTNAME__/${HOSTNAME}/g" /etc/postfix/main.cf
 sed -i "s/__DOMAIN__/${HAPPYDELIVER_DOMAIN}/g" /etc/postfix/main.cf
 
+# Add certificates to postfix
+[ -n "${POSTFIX_CERT_FILE}" ] && [ -n "${POSTFIX_KEY_FILE}" ] && {
+    cat <<EOF >> /etc/postfix/main.cf
+smtpd_tls_cert_file = ${POSTFIX_CERT_FILE}
+smtpd_tls_key_file = ${POSTFIX_KEY_FILE}
+smtpd_tls_security_level = may
+EOF
+}
+
 # Replace placeholders in configurations
 sed -i "s/__HOSTNAME__/${HOSTNAME}/g" /etc/authentication_milter.json
 

docker/postfix/main.cf

@@ -28,7 +28,7 @@ transport_maps = pcre:/etc/postfix/transport_maps
 # OpenDKIM for DKIM verification
 milter_default_action = accept
 milter_protocol = 6
-smtpd_milters = unix:/var/spool/postfix/authentication_milter/authentication_milter.sock unix:/var/spool/postfix/spamassassin/spamass-milter.sock
+smtpd_milters = unix:/var/spool/postfix/authentication_milter/authentication_milter.sock unix:/var/spool/postfix/spamassassin/spamass-milter.sock unix:/var/spool/postfix/rspamd/rspamd-milter.sock
 non_smtpd_milters = $smtpd_milters
 
 # SPF policy checking

docker/rspamd/local.d/actions.conf

@@ -0,0 +1,5 @@
+no_action = 0;
+reject = null;
+add_header = null;
+rewrite_subject = null;
+greylist = null;

docker/rspamd/local.d/milter_headers.conf

@@ -0,0 +1,5 @@
+# Add "extended Rspamd headers"
+extended_spam_headers = true;
+
+skip_local = false;
+skip_authenticated = false;

docker/rspamd/local.d/options.inc

@@ -0,0 +1,3 @@
+# rspamd options for happyDeliver
+# Disable Bayes learning to keep the setup stateless
+use_redis = false;

docker/rspamd/local.d/worker-proxy.inc

@@ -0,0 +1,6 @@
+# Enable rspamd milter proxy worker via Unix socket for Postfix integration
+bind_socket = "/var/spool/postfix/rspamd/rspamd-milter.sock mode=0660 owner=rspamd group=mail";
+upstream "local" {
+  default = yes;
+  self_scan = yes;
+}

docker/spamassassin/local.cf

@@ -48,3 +48,14 @@ rbl_timeout 5
 # Don't use user-specific rules
 user_scores_dsn_timeout 3
 user_scores_sql_override 0
+
+# Disable Validity network rules
+dns_query_restriction deny sa-trusted.bondedsender.org
+dns_query_restriction deny sa-accredit.habeas.com
+dns_query_restriction deny bl.score.senderscore.com
+score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0
+score RCVD_IN_VALIDITY_RPBL_BLOCKED 0
+score RCVD_IN_VALIDITY_SAFE_BLOCKED 0
+score RCVD_IN_VALIDITY_CERTIFIED 0
+score RCVD_IN_VALIDITY_RPBL 0
+score RCVD_IN_VALIDITY_SAFE 0

docker/supervisor/supervisord.conf

@@ -33,6 +33,16 @@ stderr_logfile=/var/log/happydeliver/authentication_milter.log
 user=mail
 group=mail
 
+# rspamd spam filter
+[program:rspamd]
+command=/usr/bin/rspamd -f -u rspamd -g mail
+autostart=true
+autorestart=true
+priority=11
+stdout_logfile=/var/log/happydeliver/rspamd.log
+stderr_logfile=/var/log/happydeliver/rspamd_error.log
+user=root
+
 # SpamAssassin daemon
 [program:spamd]
 command=/usr/sbin/spamd --max-children 5 --helper-home-dir /var/lib/spamassassin --syslog stderr --pidfile /var/run/spamd.pid

generate.go

@@ -21,5 +21,5 @@
 
 package main
 
-//go:generate go tool oapi-codegen -config api/config-models.yaml api/openapi.yaml
+//go:generate go tool oapi-codegen -config api/config-models.yaml api/schemas.yaml
 //go:generate go tool oapi-codegen -config api/config-server.yaml api/openapi.yaml

go.mod

@@ -1,41 +1,42 @@
 module git.happydns.org/happyDeliver
 
-go 1.24.6
+go 1.25.0
 
 require (
 	github.com/JGLTechnologies/gin-rate-limit v1.5.6
 	github.com/emersion/go-smtp v0.24.0
 	github.com/getkin/kin-openapi v0.133.0
-	github.com/gin-gonic/gin v1.11.0
+	github.com/gin-gonic/gin v1.12.0
 	github.com/google/uuid v1.6.0
-	github.com/oapi-codegen/runtime v1.1.2
-	golang.org/x/net v0.46.0
+	github.com/oapi-codegen/runtime v1.3.0
+	golang.org/x/net v0.52.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlite v1.6.0
-	gorm.io/gorm v1.31.0
+	gorm.io/gorm v1.31.1
 )
 
 require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
-	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.15.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 // indirect
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.27.0 // indirect
+	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.7.6 // indirect
+	github.com/jackc/pgx/v5 v5.8.0 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -43,35 +44,35 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mailru/easyjson v0.9.1 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.32 // indirect
+	github.com/mattn/go-sqlite3 v1.14.33 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
-	github.com/oapi-codegen/oapi-codegen/v2 v2.5.0 // indirect
+	github.com/oapi-codegen/oapi-codegen/v2 v2.5.1 // indirect
 	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
 	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
-	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.54.1 // indirect
-	github.com/redis/go-redis/v9 v9.7.3 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.59.0 // indirect
+	github.com/redis/go-redis/v9 v9.17.2 // indirect
 	github.com/speakeasy-api/jsonpath v0.6.0 // indirect
 	github.com/speakeasy-api/openapi-overlay v0.10.2 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.3.0 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/vmware-labs/yaml-jsonpath v0.3.2 // indirect
-	github.com/woodsbury/decimal128 v1.3.0 // indirect
-	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
-	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
-	google.golang.org/protobuf v1.36.9 // indirect
+	github.com/woodsbury/decimal128 v1.4.0 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
+	golang.org/x/arch v0.23.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -8,10 +8,12 @@ github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
-github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
-github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
-github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
-github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
+github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -34,33 +36,35 @@ github.com/emersion/go-smtp v0.24.0/go.mod h1:ZtRRkbTyp2XTHCA+BmyTFTrj8xY4I+b4Mc
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/getkin/kin-openapi v0.133.0 h1:pJdmNohVIJ97r4AUFtEXRXwESr8b0bD721u/Tz6k8PQ=
 github.com/getkin/kin-openapi v0.133.0/go.mod h1:boAciF6cXk5FhPqe/NQeBTeenbjqU4LhWBf09ILVvWE=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
-github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
+github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
+github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
+github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI=
+github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag=
+github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
+github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
-github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
 github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
-github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -86,8 +90,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
-github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
@@ -110,12 +114,12 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8=
+github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
-github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.33 h1:A5blZ5ulQo2AtayQ9/limgHEkFreKj1Dv226a1K73s0=
+github.com/mattn/go-sqlite3 v1.14.33/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -126,10 +130,10 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwd
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oapi-codegen/oapi-codegen/v2 v2.5.0 h1:iJvF8SdB/3/+eGOXEpsWkD8FQAHj6mqkb6Fnsoc8MFU=
-github.com/oapi-codegen/oapi-codegen/v2 v2.5.0/go.mod h1:fwlMxUEMuQK5ih9aymrxKPQqNm2n8bdLk1ppjH+lr9w=
-github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
-github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
+github.com/oapi-codegen/oapi-codegen/v2 v2.5.1 h1:5vHNY1uuPBRBWqB2Dp0G7YB03phxLQZupZTIZaeorjc=
+github.com/oapi-codegen/oapi-codegen/v2 v2.5.1/go.mod h1:ro0npU1BWkcGpCgGD9QwPp44l5OIZ94tB3eabnT7DjQ=
+github.com/oapi-codegen/runtime v1.3.0 h1:vyK1zc0gDWWXgk2xoQa4+X4RNNc5SL2RbTpJS/4vMYA=
+github.com/oapi-codegen/runtime v1.3.0/go.mod h1:kOdeacKy7t40Rclb1je37ZLFboFxh+YLy0zaPCMibPY=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
@@ -152,12 +156,12 @@ github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX
 github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.1 h1:4ZAWm0AhCb6+hE+l5Q1NAL0iRn/ZrMwqHRGQiFwj2eg=
-github.com/quic-go/quic-go v0.54.1/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
-github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
-github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
+github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/redis/go-redis/v9 v9.17.2 h1:P2EGsA4qVIM3Pp+aPocCJ7DguDHhqrXNhVcEp4ViluI=
+github.com/redis/go-redis/v9 v9.17.2/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
@@ -170,36 +174,40 @@ github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKk
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
-github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk=
 github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ=
-github.com/woodsbury/decimal128 v1.3.0 h1:8pffMNWIlC0O5vbyHWFZAt5yWvWcrHA+3ovIIjVWss0=
-github.com/woodsbury/decimal128 v1.3.0/go.mod h1:C5UTmyTjW3JftjUFzOVhC20BEQa2a4ZKOB5I6Zjb+ds=
+github.com/woodsbury/decimal128 v1.4.0 h1:xJATj7lLu4f2oObouMt2tgGiElE5gO6mSWUjQsBgUlc=
+github.com/woodsbury/decimal128 v1.4.0/go.mod h1:BP46FUrVjVhdTbKT+XuQh2xfQaGki9LMIRJSFuh6THU=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
-golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
-golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
+golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
-golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -207,13 +215,13 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -229,21 +237,21 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
-golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -256,8 +264,8 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -279,5 +287,5 @@ gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
 gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
 gorm.io/driver/sqlite v1.6.0/go.mod h1:AO9V1qIQddBESngQUKWL9yoH93HIeA1X6V633rBwyT8=
-gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
-gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
+gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=

internal/api/handlers.go

@@ -31,6 +31,7 @@ import (
 	openapi_types "github.com/oapi-codegen/runtime/types"
 
 	"git.happydns.org/happyDeliver/internal/config"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/storage"
 	"git.happydns.org/happyDeliver/internal/utils"
 	"git.happydns.org/happyDeliver/internal/version"
@@ -40,6 +41,8 @@ import (
 // This interface breaks the circular dependency with pkg/analyzer
 type EmailAnalyzer interface {
 	AnalyzeEmailBytes(rawEmail []byte, testID uuid.UUID) (reportJSON []byte, err error)
+	AnalyzeDomain(domain string) (dnsResults *model.DNSResults, score int, grade string)
+	CheckBlacklistIP(ip string) (checks []model.BlacklistCheck, whitelists []model.BlacklistCheck, listedCount int, score int, grade string, err error)
 }
 
 // APIHandler implements the ServerInterface for handling API requests
@@ -77,11 +80,11 @@ func (h *APIHandler) CreateTest(c *gin.Context) {
 	)
 
 	// Return response
-	c.JSON(http.StatusCreated, TestResponse{
+	c.JSON(http.StatusCreated, model.TestResponse{
 		Id:      base32ID,
 		Email:   openapi_types.Email(email),
-		Status:  TestResponseStatusPending,
-		Message: stringPtr("Send your test email to the given address"),
+		Status:  model.TestResponseStatusPending,
+		Message: utils.PtrTo("Send your test email to the given address"),
 	})
 }
 
@@ -91,10 +94,10 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -102,20 +105,20 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 	// Check if a report exists for this test ID
 	reportExists, err := h.storage.ReportExists(testUUID)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to check test status",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Determine status based on report existence
-	var apiStatus TestStatus
+	var apiStatus model.TestStatus
 	if reportExists {
-		apiStatus = TestStatusAnalyzed
+		apiStatus = model.TestStatusAnalyzed
 	} else {
-		apiStatus = TestStatusPending
+		apiStatus = model.TestStatusPending
 	}
 
 	// Generate test email address using Base32-encoded UUID
@@ -125,7 +128,7 @@ func (h *APIHandler) GetTest(c *gin.Context, id string) {
 		h.config.Email.Domain,
 	)
 
-	c.JSON(http.StatusOK, Test{
+	c.JSON(http.StatusOK, model.Test{
 		Id:     id,
 		Email:  openapi_types.Email(email),
 		Status: apiStatus,
@@ -138,10 +141,10 @@ func (h *APIHandler) GetReport(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -149,16 +152,16 @@ func (h *APIHandler) GetReport(c *gin.Context, id string) {
 	reportJSON, _, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Report not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve report",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -173,10 +176,10 @@ func (h *APIHandler) GetRawEmail(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -184,16 +187,16 @@ func (h *APIHandler) GetRawEmail(c *gin.Context, id string) {
 	_, rawEmail, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Email not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve raw email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -207,10 +210,10 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	// Convert base32 ID to UUID
 	testUUID, err := utils.Base32ToUUID(id)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, Error{
+		c.JSON(http.StatusBadRequest, model.Error{
 			Error:   "invalid_id",
 			Message: "Invalid test ID format",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -219,16 +222,16 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	_, rawEmail, err := h.storage.GetReport(testUUID)
 	if err != nil {
 		if err == storage.ErrNotFound {
-			c.JSON(http.StatusNotFound, Error{
+			c.JSON(http.StatusNotFound, model.Error{
 				Error:   "not_found",
 				Message: "Email not found",
 			})
 			return
 		}
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to retrieve email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -236,20 +239,20 @@ func (h *APIHandler) ReanalyzeReport(c *gin.Context, id string) {
 	// Re-analyze the email using the current analyzer
 	reportJSON, err := h.analyzer.AnalyzeEmailBytes(rawEmail, testUUID)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "analysis_error",
 			Message: "Failed to re-analyze email",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
 
 	// Update the report in storage
 	if err := h.storage.UpdateReport(testUUID, reportJSON); err != nil {
-		c.JSON(http.StatusInternalServerError, Error{
+		c.JSON(http.StatusInternalServerError, model.Error{
 			Error:   "internal_error",
 			Message: "Failed to update report",
-			Details: stringPtr(err.Error()),
+			Details: utils.PtrTo(err.Error()),
 		})
 		return
 	}
@@ -265,24 +268,24 @@ func (h *APIHandler) GetStatus(c *gin.Context) {
 	uptime := int(time.Since(h.startTime).Seconds())
 
 	// Check database connectivity by trying to check if a report exists
-	dbStatus := StatusComponentsDatabaseUp
+	dbStatus := model.StatusComponentsDatabaseUp
 	if _, err := h.storage.ReportExists(uuid.New()); err != nil {
-		dbStatus = StatusComponentsDatabaseDown
+		dbStatus = model.StatusComponentsDatabaseDown
 	}
 
 	// Determine overall status
-	overallStatus := Healthy
-	if dbStatus == StatusComponentsDatabaseDown {
-		overallStatus = Unhealthy
+	overallStatus := model.Healthy
+	if dbStatus == model.StatusComponentsDatabaseDown {
+		overallStatus = model.Unhealthy
 	}
 
-	mtaStatus := StatusComponentsMtaUp
-	c.JSON(http.StatusOK, Status{
+	mtaStatus := model.StatusComponentsMtaUp
+	c.JSON(http.StatusOK, model.Status{
 		Status:  overallStatus,
 		Version: version.Version,
 		Components: &struct {
-			Database *StatusComponentsDatabase `json:"database,omitempty"`
-			Mta      *StatusComponentsMta      `json:"mta,omitempty"`
+			Database *model.StatusComponentsDatabase `json:"database,omitempty"`
+			Mta      *model.StatusComponentsMta      `json:"mta,omitempty"`
 		}{
 			Database: &dbStatus,
 			Mta:      &mtaStatus,
@@ -290,3 +293,133 @@ func (h *APIHandler) GetStatus(c *gin.Context) {
 		Uptime: &uptime,
 	})
 }
+
+// TestDomain performs synchronous domain analysis
+// (POST /domain)
+func (h *APIHandler) TestDomain(c *gin.Context) {
+	var request model.DomainTestRequest
+
+	// Bind and validate request
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, model.Error{
+			Error:   "invalid_request",
+			Message: "Invalid request body",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	// Perform domain analysis
+	dnsResults, score, grade := h.analyzer.AnalyzeDomain(request.Domain)
+
+	// Convert grade string to DomainTestResponseGrade enum
+	var responseGrade model.DomainTestResponseGrade
+	switch grade {
+	case "A+":
+		responseGrade = model.DomainTestResponseGradeA
+	case "A":
+		responseGrade = model.DomainTestResponseGradeA1
+	case "B":
+		responseGrade = model.DomainTestResponseGradeB
+	case "C":
+		responseGrade = model.DomainTestResponseGradeC
+	case "D":
+		responseGrade = model.DomainTestResponseGradeD
+	case "E":
+		responseGrade = model.DomainTestResponseGradeE
+	case "F":
+		responseGrade = model.DomainTestResponseGradeF
+	default:
+		responseGrade = model.DomainTestResponseGradeF
+	}
+
+	// Build response
+	response := model.DomainTestResponse{
+		Domain:     request.Domain,
+		Score:      score,
+		Grade:      responseGrade,
+		DnsResults: *dnsResults,
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// CheckBlacklist checks an IP address against DNS blacklists
+// (POST /blacklist)
+func (h *APIHandler) CheckBlacklist(c *gin.Context) {
+	var request model.BlacklistCheckRequest
+
+	// Bind and validate request
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, model.Error{
+			Error:   "invalid_request",
+			Message: "Invalid request body",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	// Perform blacklist check using analyzer
+	checks, whitelists, listedCount, score, grade, err := h.analyzer.CheckBlacklistIP(request.Ip)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, model.Error{
+			Error:   "invalid_ip",
+			Message: "Invalid IP address",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	// Build response
+	response := model.BlacklistCheckResponse{
+		Ip:          request.Ip,
+		Blacklists:  checks,
+		Whitelists:  &whitelists,
+		ListedCount: listedCount,
+		Score:       score,
+		Grade:       model.BlacklistCheckResponseGrade(grade),
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// ListTests returns a paginated list of test summaries
+// (GET /tests)
+func (h *APIHandler) ListTests(c *gin.Context, params ListTestsParams) {
+	if h.config.DisableTestList {
+		c.JSON(http.StatusForbidden, model.Error{
+			Error:   "feature_disabled",
+			Message: "Test listing is disabled on this instance",
+		})
+		return
+	}
+
+	offset := 0
+	limit := 20
+	if params.Offset != nil {
+		offset = *params.Offset
+	}
+	if params.Limit != nil {
+		limit = *params.Limit
+		if limit > 100 {
+			limit = 100
+		}
+	}
+
+	tests, total, err := h.storage.ListReportSummaries(offset, limit)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.Error{
+			Error:   "internal_error",
+			Message: "Failed to list tests",
+			Details: utils.PtrTo(err.Error()),
+		})
+		return
+	}
+
+	c.JSON(http.StatusOK, model.TestListResponse{
+		Tests:  tests,
+		Total:  int(total),
+		Offset: offset,
+		Limit:  limit,
+	})
+}

internal/app/cli_backup.go

@@ -0,0 +1,156 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2025 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package app
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+
+	"git.happydns.org/happyDeliver/internal/config"
+	"git.happydns.org/happyDeliver/internal/storage"
+)
+
+// BackupData represents the structure of a backup file
+type BackupData struct {
+	Version string           `json:"version"`
+	Reports []storage.Report `json:"reports"`
+}
+
+// RunBackup exports the database to stdout as JSON
+func RunBackup(cfg *config.Config) error {
+	if err := cfg.Validate(); err != nil {
+		return err
+	}
+
+	// Initialize storage
+	store, err := storage.NewStorage(cfg.Database.Type, cfg.Database.DSN)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer store.Close()
+
+	fmt.Fprintf(os.Stderr, "Connected to %s database\n", cfg.Database.Type)
+
+	// Get all reports from the database
+	reports, err := storage.GetAllReports(store)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve reports: %w", err)
+	}
+
+	fmt.Fprintf(os.Stderr, "Found %d reports to backup\n", len(reports))
+
+	// Create backup data structure
+	backup := BackupData{
+		Version: "1.0",
+		Reports: reports,
+	}
+
+	// Encode to JSON and write to stdout
+	encoder := json.NewEncoder(os.Stdout)
+	encoder.SetIndent("", "  ")
+	if err := encoder.Encode(backup); err != nil {
+		return fmt.Errorf("failed to encode backup data: %w", err)
+	}
+
+	return nil
+}
+
+// RunRestore imports the database from a JSON file or stdin
+func RunRestore(cfg *config.Config, inputPath string) error {
+	if err := cfg.Validate(); err != nil {
+		return err
+	}
+
+	// Determine input source
+	var reader io.Reader
+	if inputPath == "" || inputPath == "-" {
+		fmt.Fprintln(os.Stderr, "Reading backup from stdin...")
+		reader = os.Stdin
+	} else {
+		inFile, err := os.Open(inputPath)
+		if err != nil {
+			return fmt.Errorf("failed to open backup file: %w", err)
+		}
+		defer inFile.Close()
+		fmt.Fprintf(os.Stderr, "Reading backup from file: %s\n", inputPath)
+		reader = inFile
+	}
+
+	// Decode JSON
+	var backup BackupData
+	decoder := json.NewDecoder(reader)
+	if err := decoder.Decode(&backup); err != nil {
+		if err == io.EOF {
+			return fmt.Errorf("backup file is empty or corrupted")
+		}
+		return fmt.Errorf("failed to decode backup data: %w", err)
+	}
+
+	fmt.Fprintf(os.Stderr, "Backup version: %s\n", backup.Version)
+	fmt.Fprintf(os.Stderr, "Found %d reports in backup\n", len(backup.Reports))
+
+	// Initialize storage
+	store, err := storage.NewStorage(cfg.Database.Type, cfg.Database.DSN)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer store.Close()
+
+	fmt.Fprintf(os.Stderr, "Connected to %s database\n", cfg.Database.Type)
+
+	// Restore reports
+	restored, skipped, failed := 0, 0, 0
+	for _, report := range backup.Reports {
+		// Check if report already exists
+		exists, err := store.ReportExists(report.TestID)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Warning: Failed to check if report %s exists: %v\n", report.TestID, err)
+			failed++
+			continue
+		}
+
+		if exists {
+			fmt.Fprintf(os.Stderr, "Report %s already exists, skipping\n", report.TestID)
+			skipped++
+			continue
+		}
+
+		// Create the report
+		_, err = storage.CreateReportFromBackup(store, &report)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Warning: Failed to restore report %s: %v\n", report.TestID, err)
+			failed++
+			continue
+		}
+
+		restored++
+	}
+
+	fmt.Fprintf(os.Stderr, "Restore completed: %d restored, %d skipped, %d failed\n", restored, skipped, failed)
+	if failed > 0 {
+		return fmt.Errorf("restore completed with %d failures", failed)
+	}
+
+	return nil
+}

internal/config/cli.go

@@ -34,13 +34,17 @@ func declareFlags(o *Config) {
 	flag.StringVar(&o.Email.Domain, "domain", o.Email.Domain, "Domain used to receive emails")
 	flag.StringVar(&o.Email.TestAddressPrefix, "address-prefix", o.Email.TestAddressPrefix, "Expected email adress prefix (deny address that doesn't start with this prefix)")
 	flag.StringVar(&o.Email.LMTPAddr, "lmtp-addr", o.Email.LMTPAddr, "LMTP server listen address")
+	flag.StringVar(&o.Email.ReceiverHostname, "receiver-hostname", o.Email.ReceiverHostname, "Hostname used to filter Authentication-Results headers (defaults to os.Hostname())")
 	flag.DurationVar(&o.Analysis.DNSTimeout, "dns-timeout", o.Analysis.DNSTimeout, "Timeout when performing DNS query")
 	flag.DurationVar(&o.Analysis.HTTPTimeout, "http-timeout", o.Analysis.HTTPTimeout, "Timeout when performing HTTP query")
 	flag.Var(&StringArray{&o.Analysis.RBLs}, "rbl", "Append a RBL (use this option multiple time to append multiple RBLs)")
 	flag.BoolVar(&o.Analysis.CheckAllIPs, "check-all-ips", o.Analysis.CheckAllIPs, "Check all IPs found in email headers against RBLs (not just the first one)")
+	flag.StringVar(&o.Analysis.RspamdAPIURL, "rspamd-api-url", o.Analysis.RspamdAPIURL, "rspamd API URL for symbol descriptions (default: use embedded list)")
 	flag.DurationVar(&o.ReportRetention, "report-retention", o.ReportRetention, "How long to keep reports (e.g., 720h, 30d). 0 = keep forever")
 	flag.UintVar(&o.RateLimit, "rate-limit", o.RateLimit, "API rate limit (requests per second per IP)")
 	flag.Var(&URL{&o.SurveyURL}, "survey-url", "URL for user feedback survey")
+	flag.StringVar(&o.CustomLogoURL, "custom-logo-url", o.CustomLogoURL, "URL for custom logo image in the web UI")
+	flag.BoolVar(&o.DisableTestList, "disable-test-list", o.DisableTestList, "Disable the public test listing endpoint")
 
 	// Others flags are declared in some other files likes sources, storages, ... when they need specials configurations
 }

internal/config/config.go

@@ -34,6 +34,11 @@ import (
 	openapi_types "github.com/oapi-codegen/runtime/types"
 )
 
+func getHostname() string {
+	h, _ := os.Hostname()
+	return h
+}
+
 // Config represents the application configuration
 type Config struct {
 	DevProxy        string
@@ -44,6 +49,8 @@ type Config struct {
 	ReportRetention time.Duration // How long to keep reports. 0 = keep forever
 	RateLimit       uint          // API rate limit (requests per second per IP)
 	SurveyURL       url.URL       // URL for user feedback survey
+	CustomLogoURL   string        // URL for custom logo image in the web UI
+	DisableTestList bool          // Disable the public test listing endpoint
 }
 
 // DatabaseConfig contains database connection settings
@@ -57,6 +64,7 @@ type EmailConfig struct {
 	Domain            string
 	TestAddressPrefix string
 	LMTPAddr          string
+	ReceiverHostname  string
 }
 
 // AnalysisConfig contains timeout and behavior settings for email analysis
@@ -64,7 +72,9 @@ type AnalysisConfig struct {
 	DNSTimeout   time.Duration
 	HTTPTimeout  time.Duration
 	RBLs         []string
-	CheckAllIPs  bool // Check all IPs found in headers, not just the first one
+	DNSWLs       []string
+	CheckAllIPs  bool   // Check all IPs found in headers, not just the first one
+	RspamdAPIURL string // rspamd API URL for fetching symbol descriptions (empty = use embedded list)
 }
 
 // DefaultConfig returns a configuration with sensible defaults
@@ -82,11 +92,13 @@ func DefaultConfig() *Config {
 			Domain:            "happydeliver.local",
 			TestAddressPrefix: "test-",
 			LMTPAddr:          "127.0.0.1:2525",
+			ReceiverHostname:  getHostname(),
 		},
 		Analysis: AnalysisConfig{
 			DNSTimeout:  5 * time.Second,
 			HTTPTimeout: 10 * time.Second,
 			RBLs:        []string{},
+			DNSWLs:      []string{},
 			CheckAllIPs: false, // By default, only check the first IP
 		},
 	}

internal/receiver/receiver.go

@@ -98,6 +98,17 @@ func (r *EmailReceiver) ProcessEmailBytes(rawEmail []byte, recipientEmail string
 
 	log.Printf("Analysis complete. Grade: %s. Score: %d/100", result.Report.Grade, result.Report.Score)
 
+	// Warn if the last Received hop doesn't match the expected receiver hostname
+	if r.config.Email.ReceiverHostname != "" &&
+		result.Report.HeaderAnalysis != nil &&
+		result.Report.HeaderAnalysis.ReceivedChain != nil &&
+		len(*result.Report.HeaderAnalysis.ReceivedChain) > 0 {
+		lastHop := (*result.Report.HeaderAnalysis.ReceivedChain)[0]
+		if lastHop.By != nil && *lastHop.By != r.config.Email.ReceiverHostname {
+			log.Printf("WARNING: Last Received hop 'by' field (%s) does not match expected receiver hostname (%s): check your RECEIVER_HOSTNAME config as authentication results will be false", *lastHop.By, r.config.Email.ReceiverHostname)
+		}
+	}
+
 	// Marshal report to JSON
 	reportJSON, err := json.Marshal(result.Report)
 	if err != nil {

internal/storage/storage.go

@@ -30,6 +30,9 @@ import (
 	"gorm.io/driver/postgres"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
+
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 var (
@@ -45,6 +48,7 @@ type Storage interface {
 	ReportExists(testID uuid.UUID) (bool, error)
 	UpdateReport(testID uuid.UUID, reportJSON []byte) error
 	DeleteOldReports(olderThan time.Time) (int64, error)
+	ListReportSummaries(offset, limit int) ([]model.TestSummary, int64, error)
 
 	// Close closes the database connection
 	Close() error
@@ -139,6 +143,72 @@ func (s *DBStorage) DeleteOldReports(olderThan time.Time) (int64, error) {
 	return result.RowsAffected, nil
 }
 
+// reportSummaryRow is used internally to scan SQL results before converting to model.TestSummary
+type reportSummaryRow struct {
+	TestID     uuid.UUID
+	Score      int
+	Grade      string
+	FromDomain string
+	CreatedAt  time.Time
+}
+
+// ListReportSummaries returns a paginated list of lightweight report summaries
+func (s *DBStorage) ListReportSummaries(offset, limit int) ([]model.TestSummary, int64, error) {
+	var total int64
+	if err := s.db.Model(&Report{}).Count(&total).Error; err != nil {
+		return nil, 0, fmt.Errorf("failed to count reports: %w", err)
+	}
+
+	if total == 0 {
+		return []model.TestSummary{}, 0, nil
+	}
+
+	var selectExpr string
+	switch s.db.Dialector.Name() {
+	case "postgres":
+		selectExpr = `test_id, ` +
+			`(convert_from(report_json, 'UTF8')::jsonb->>'score')::int as score, ` +
+			`convert_from(report_json, 'UTF8')::jsonb->>'grade' as grade, ` +
+			`convert_from(report_json, 'UTF8')::jsonb->'dns_results'->>'from_domain' as from_domain, ` +
+			`created_at`
+	case "sqlite":
+		selectExpr = `test_id, ` +
+			`json_extract(report_json, '$.score') as score, ` +
+			`json_extract(report_json, '$.grade') as grade, ` +
+			`json_extract(report_json, '$.dns_results.from_domain') as from_domain, ` +
+			`created_at`
+	default:
+		return nil, 0, fmt.Errorf("history tests list not implemented in this database dialect")
+	}
+
+	var rows []reportSummaryRow
+	err := s.db.Model(&Report{}).
+		Select(selectExpr).
+		Order("created_at DESC").
+		Offset(offset).
+		Limit(limit).
+		Scan(&rows).Error
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list report summaries: %w", err)
+	}
+
+	summaries := make([]model.TestSummary, 0, len(rows))
+	for _, r := range rows {
+		s := model.TestSummary{
+			TestId:    utils.UUIDToBase32(r.TestID),
+			Score:     r.Score,
+			Grade:     model.TestSummaryGrade(r.Grade),
+			CreatedAt: r.CreatedAt,
+		}
+		if r.FromDomain != "" {
+			s.FromDomain = utils.PtrTo(r.FromDomain)
+		}
+		summaries = append(summaries, s)
+	}
+
+	return summaries, total, nil
+}
+
 // Close closes the database connection
 func (s *DBStorage) Close() error {
 	sqlDB, err := s.db.DB()
@@ -147,3 +217,33 @@ func (s *DBStorage) Close() error {
 	}
 	return sqlDB.Close()
 }
+
+// GetAllReports retrieves all reports from the database
+func GetAllReports(s Storage) ([]Report, error) {
+	dbStorage, ok := s.(*DBStorage)
+	if !ok {
+		return nil, fmt.Errorf("storage type does not support GetAllReports")
+	}
+
+	var reports []Report
+	if err := dbStorage.db.Find(&reports).Error; err != nil {
+		return nil, fmt.Errorf("failed to retrieve reports: %w", err)
+	}
+
+	return reports, nil
+}
+
+// CreateReportFromBackup creates a report from backup data, preserving timestamps
+func CreateReportFromBackup(s Storage, report *Report) (*Report, error) {
+	dbStorage, ok := s.(*DBStorage)
+	if !ok {
+		return nil, fmt.Errorf("storage type does not support CreateReportFromBackup")
+	}
+
+	// Use Create to insert the report with all fields including timestamps
+	if err := dbStorage.db.Create(report).Error; err != nil {
+		return nil, fmt.Errorf("failed to create report from backup: %w", err)
+	}
+
+	return report, nil
+}

internal/utils/ptr.go

@@ -1,5 +1,5 @@
 // This file is part of the happyDeliver (R) project.
-// Copyright (c) 2025 happyDomain
+// Copyright (c) 2026 happyDomain
 // Authors: Pierre-Olivier Mercier, et al.
 //
 // This program is offered under a commercial and under the AGPL license.
@@ -19,11 +19,7 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-package api
-
-func stringPtr(s string) *string {
-	return &s
-}
+package utils
 
 // PtrTo returns a pointer to the provided value
 func PtrTo[T any](v T) *T {

pkg/analyzer/analyzer.go

@@ -28,7 +28,7 @@ import (
 
 	"github.com/google/uuid"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/config"
 )
 
@@ -41,10 +41,13 @@ type EmailAnalyzer struct {
 // NewEmailAnalyzer creates a new email analyzer with the given configuration
 func NewEmailAnalyzer(cfg *config.Config) *EmailAnalyzer {
 	generator := NewReportGenerator(
+		cfg.Email.ReceiverHostname,
 		cfg.Analysis.DNSTimeout,
 		cfg.Analysis.HTTPTimeout,
 		cfg.Analysis.RBLs,
+		cfg.Analysis.DNSWLs,
 		cfg.Analysis.CheckAllIPs,
+		cfg.Analysis.RspamdAPIURL,
 	)
 
 	return &EmailAnalyzer{
@@ -56,7 +59,7 @@ func NewEmailAnalyzer(cfg *config.Config) *EmailAnalyzer {
 type AnalysisResult struct {
 	Email   *EmailMessage
 	Results *AnalysisResults
-	Report  *api.Report
+	Report  *model.Report
 }
 
 // AnalyzeEmailBytes performs complete email analysis from raw bytes
@@ -108,3 +111,40 @@ func (a *APIAdapter) AnalyzeEmailBytes(rawEmail []byte, testID uuid.UUID) ([]byt
 
 	return reportJSON, nil
 }
+
+// AnalyzeDomain performs DNS analysis for a domain and returns the results
+func (a *APIAdapter) AnalyzeDomain(domain string) (*model.DNSResults, int, string) {
+	// Perform DNS analysis
+	dnsResults := a.analyzer.generator.dnsAnalyzer.AnalyzeDomainOnly(domain)
+
+	// Calculate score
+	score, grade := a.analyzer.generator.dnsAnalyzer.CalculateDomainOnlyScore(dnsResults)
+
+	return dnsResults, score, grade
+}
+
+// CheckBlacklistIP checks a single IP address against DNS blacklists and whitelists
+func (a *APIAdapter) CheckBlacklistIP(ip string) ([]model.BlacklistCheck, []model.BlacklistCheck, int, int, string, error) {
+	// Check the IP against all configured RBLs
+	checks, listedCount, err := a.analyzer.generator.rblChecker.CheckIP(ip)
+	if err != nil {
+		return nil, nil, 0, 0, "", err
+	}
+
+	// Calculate score using the existing function
+	// Create a minimal RBLResults structure for scoring
+	results := &DNSListResults{
+		Checks:      map[string][]model.BlacklistCheck{ip: checks},
+		IPsChecked:  []string{ip},
+		ListedCount: listedCount,
+	}
+	score, grade := a.analyzer.generator.rblChecker.CalculateScore(results, false)
+
+	// Check the IP against all configured DNSWLs (informational only)
+	whitelists, _, err := a.analyzer.generator.dnswlChecker.CheckIP(ip)
+	if err != nil {
+		whitelists = nil
+	}
+
+	return checks, whitelists, listedCount, score, grade, nil
+}

pkg/analyzer/authentication.go

@@ -24,23 +24,25 @@ package analyzer
 import (
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // AuthenticationAnalyzer analyzes email authentication results
-type AuthenticationAnalyzer struct{}
+type AuthenticationAnalyzer struct {
+	receiverHostname string
+}
 
 // NewAuthenticationAnalyzer creates a new authentication analyzer
-func NewAuthenticationAnalyzer() *AuthenticationAnalyzer {
-	return &AuthenticationAnalyzer{}
+func NewAuthenticationAnalyzer(receiverHostname string) *AuthenticationAnalyzer {
+	return &AuthenticationAnalyzer{receiverHostname: receiverHostname}
 }
 
 // AnalyzeAuthentication extracts and analyzes authentication results from email headers
-func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api.AuthenticationResults {
-	results := &api.AuthenticationResults{}
+func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *model.AuthenticationResults {
+	results := &model.AuthenticationResults{}
 
 	// Parse Authentication-Results headers
-	authHeaders := email.GetAuthenticationResults()
+	authHeaders := email.GetAuthenticationResults(a.receiverHostname)
 	for _, header := range authHeaders {
 		a.parseAuthenticationResultsHeader(header, results)
 	}
@@ -50,13 +52,6 @@ func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api
 		results.Spf = a.parseLegacySPF(email)
 	}
 
-	if results.Dkim == nil || len(*results.Dkim) == 0 {
-		dkimResults := a.parseLegacyDKIM(email)
-		if len(dkimResults) > 0 {
-			results.Dkim = &dkimResults
-		}
-	}
-
 	// Parse ARC headers if not already parsed from Authentication-Results
 	if results.Arc == nil {
 		results.Arc = a.parseARCHeaders(email)
@@ -70,7 +65,7 @@ func (a *AuthenticationAnalyzer) AnalyzeAuthentication(email *EmailMessage) *api
 
 // parseAuthenticationResultsHeader parses an Authentication-Results header
 // Format: example.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com
-func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string, results *api.AuthenticationResults) {
+func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string, results *model.AuthenticationResults) {
 	// Split by semicolon to get individual results
 	parts := strings.Split(header, ";")
 	if len(parts) < 2 {
@@ -96,7 +91,7 @@ func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string,
 			dkimResult := a.parseDKIMResult(part)
 			if dkimResult != nil {
 				if results.Dkim == nil {
-					dkimList := []api.AuthResult{*dkimResult}
+					dkimList := []model.AuthResult{*dkimResult}
 					results.Dkim = &dkimList
 				} else {
 					*results.Dkim = append(*results.Dkim, *dkimResult)
@@ -150,34 +145,39 @@ func (a *AuthenticationAnalyzer) parseAuthenticationResultsHeader(header string,
 
 // CalculateAuthenticationScore calculates the authentication score from auth results
 // Returns a score from 0-100 where higher is better
-func (a *AuthenticationAnalyzer) CalculateAuthenticationScore(results *api.AuthenticationResults) (int, string) {
+func (a *AuthenticationAnalyzer) CalculateAuthenticationScore(results *model.AuthenticationResults) (int, string) {
 	if results == nil {
 		return 0, ""
 	}
 
 	score := 0
 
-	// IPRev (15 points)
-	score += 15 * a.calculateIPRevScore(results) / 100
+	// Core authentication (90 points total)
+	// SPF (30 points)
+	score += 30 * a.calculateSPFScore(results) / 100
 
-	// SPF (25 points)
-	score += 25 * a.calculateSPFScore(results) / 100
+	// DKIM (30 points)
+	score += 30 * a.calculateDKIMScore(results) / 100
 
-	// DKIM (23 points)
-	score += 23 * a.calculateDKIMScore(results) / 100
-
-	// X-Google-DKIM (optional) - penalty if failed
-	score += 12 * a.calculateXGoogleDKIMScore(results) / 100
-
-	// X-Aligned-From
-	score += 2 * a.calculateXAlignedFromScore(results) / 100
-
-	// DMARC (25 points)
-	score += 25 * a.calculateDMARCScore(results) / 100
+	// DMARC (30 points)
+	score += 30 * a.calculateDMARCScore(results) / 100
 
 	// BIMI (10 points)
 	score += 10 * a.calculateBIMIScore(results) / 100
 
+	// Penalty-only: IPRev (up to -7 points on failure)
+	if iprevScore := a.calculateIPRevScore(results); iprevScore < 100 {
+		score += 7 * (iprevScore - 100) / 100
+	}
+
+	// Penalty-only: X-Google-DKIM (up to -12 points on failure)
+	score += 12 * a.calculateXGoogleDKIMScore(results) / 100
+
+	// Penalty-only: X-Aligned-From (up to -5 points on failure)
+	if xAlignedScore := a.calculateXAlignedFromScore(results); xAlignedScore < 100 {
+		score += 5 * (xAlignedScore - 100) / 100
+	}
+
 	// Ensure score doesn't exceed 100
 	if score > 100 {
 		score = 100

pkg/analyzer/authentication_arc.go

@@ -27,7 +27,8 @@ import (
 	"slices"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // textprotoCanonical converts a header name to canonical form
@@ -52,24 +53,24 @@ func pluralize(count int) string {
 
 // parseARCResult parses ARC result from Authentication-Results
 // Example: arc=pass
-func (a *AuthenticationAnalyzer) parseARCResult(part string) *api.ARCResult {
-	result := &api.ARCResult{}
+func (a *AuthenticationAnalyzer) parseARCResult(part string) *model.ARCResult {
+	result := &model.ARCResult{}
 
 	// Extract result (pass, fail, none)
 	re := regexp.MustCompile(`arc=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.ARCResultResult(resultStr)
+		result.Result = model.ARCResultResult(resultStr)
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "arc="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "arc="))
 
 	return result
 }
 
 // parseARCHeaders parses ARC headers from email message
 // ARC consists of three headers per hop: ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal
-func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCResult {
+func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *model.ARCResult {
 	// Get all ARC-related headers
 	arcAuthResults := email.Header[textprotoCanonical("ARC-Authentication-Results")]
 	arcMessageSig := email.Header[textprotoCanonical("ARC-Message-Signature")]
@@ -80,8 +81,8 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 		return nil
 	}
 
-	result := &api.ARCResult{
-		Result: api.ARCResultResultNone,
+	result := &model.ARCResult{
+		Result: model.ARCResultResultNone,
 	}
 
 	// Count the ARC chain length (number of sets)
@@ -94,15 +95,15 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 
 	// Determine overall result
 	if chainLength == 0 {
-		result.Result = api.ARCResultResultNone
+		result.Result = model.ARCResultResultNone
 		details := "No ARC chain present"
 		result.Details = &details
 	} else if !chainValid {
-		result.Result = api.ARCResultResultFail
+		result.Result = model.ARCResultResultFail
 		details := fmt.Sprintf("ARC chain validation failed (chain length: %d)", chainLength)
 		result.Details = &details
 	} else {
-		result.Result = api.ARCResultResultPass
+		result.Result = model.ARCResultResultPass
 		details := fmt.Sprintf("ARC chain valid with %d intermediar%s", chainLength, pluralize(chainLength))
 		result.Details = &details
 	}
@@ -111,7 +112,7 @@ func (a *AuthenticationAnalyzer) parseARCHeaders(email *EmailMessage) *api.ARCRe
 }
 
 // enhanceARCResult enhances an existing ARC result with chain information
-func (a *AuthenticationAnalyzer) enhanceARCResult(email *EmailMessage, arcResult *api.ARCResult) {
+func (a *AuthenticationAnalyzer) enhanceARCResult(email *EmailMessage, arcResult *model.ARCResult) {
 	if arcResult == nil {
 		return
 	}

pkg/analyzer/authentication_arc_test.go

@@ -24,33 +24,33 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseARCResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.ARCResultResult
+		expectedResult model.ARCResultResult
 	}{
 		{
 			name:           "ARC pass",
 			part:           "arc=pass",
-			expectedResult: api.ARCResultResultPass,
+			expectedResult: model.ARCResultResultPass,
 		},
 		{
 			name:           "ARC fail",
 			part:           "arc=fail",
-			expectedResult: api.ARCResultResultFail,
+			expectedResult: model.ARCResultResultFail,
 		},
 		{
 			name:           "ARC none",
 			part:           "arc=none",
-			expectedResult: api.ARCResultResultNone,
+			expectedResult: model.ARCResultResultNone,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -136,7 +136,7 @@ func TestValidateARCChain(t *testing.T) {
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_bimi.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseBIMIResult parses BIMI result from Authentication-Results
 // Example: bimi=pass header.d=example.com header.selector=default
-func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`bimi=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,17 +55,17 @@ func (a *AuthenticationAnalyzer) parseBIMIResult(part string) *api.AuthResult {
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "bimi="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "bimi="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateBIMIScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateBIMIScore(results *model.AuthenticationResults) (score int) {
 	if results.Bimi != nil {
 		switch results.Bimi.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultDeclined:
+		case model.AuthResultResultDeclined:
 			return 59
 		default: // fail
 			return 0

pkg/analyzer/authentication_bimi_test.go

@@ -24,47 +24,47 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseBIMIResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:             "BIMI pass with domain and selector",
 			part:             "bimi=pass header.d=example.com header.selector=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "BIMI fail",
 			part:             "bimi=fail header.d=example.com header.selector=default",
-			expectedResult:   api.AuthResultResultFail,
+			expectedResult:   model.AuthResultResultFail,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "BIMI with short form (d= and selector=)",
 			part:             "bimi=pass d=example.com selector=v1",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "v1",
 		},
 		{
 			name:           "BIMI none",
 			part:           "bimi=none header.d=example.com",
-			expectedResult: api.AuthResultResultNone,
+			expectedResult: model.AuthResultResultNone,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_dkim.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseDKIMResult parses DKIM result from Authentication-Results
 // Example: dkim=pass header.d=example.com header.s=selector1
-func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`dkim=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,52 +55,18 @@ func (a *AuthenticationAnalyzer) parseDKIMResult(part string) *api.AuthResult {
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "dkim="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "dkim="))
 
 	return result
 }
 
-// parseLegacyDKIM attempts to parse DKIM from DKIM-Signature header
-func (a *AuthenticationAnalyzer) parseLegacyDKIM(email *EmailMessage) []api.AuthResult {
-	var results []api.AuthResult
-
-	// Get all DKIM-Signature headers
-	dkimHeaders := email.Header[textprotoCanonical("DKIM-Signature")]
-	for _, dkimHeader := range dkimHeaders {
-		result := api.AuthResult{
-			Result: api.AuthResultResultNone, // We can't determine pass/fail from signature alone
-		}
-
-		// Extract domain (d=)
-		domainRe := regexp.MustCompile(`d=([^\s;]+)`)
-		if matches := domainRe.FindStringSubmatch(dkimHeader); len(matches) > 1 {
-			domain := matches[1]
-			result.Domain = &domain
-		}
-
-		// Extract selector (s=)
-		selectorRe := regexp.MustCompile(`s=([^\s;]+)`)
-		if matches := selectorRe.FindStringSubmatch(dkimHeader); len(matches) > 1 {
-			selector := matches[1]
-			result.Selector = &selector
-		}
-
-		details := "DKIM signature present (verification status unknown)"
-		result.Details = &details
-
-		results = append(results, result)
-	}
-
-	return results
-}
-
-func (a *AuthenticationAnalyzer) calculateDKIMScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateDKIMScore(results *model.AuthenticationResults) (score int) {
 	// Expect at least one passing signature
 	if results.Dkim != nil && len(*results.Dkim) > 0 {
 		hasPass := false
 		hasNonPass := false
 		for _, dkim := range *results.Dkim {
-			if dkim.Result == api.AuthResultResultPass {
+			if dkim.Result == model.AuthResultResultPass {
 				hasPass = true
 			} else {
 				hasNonPass = true

pkg/analyzer/authentication_dkim_test.go

@@ -22,44 +22,43 @@
 package analyzer
 
 import (
-	"strings"
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseDKIMResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:             "DKIM pass with domain and selector",
 			part:             "dkim=pass header.d=example.com header.s=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 		{
 			name:             "DKIM fail",
 			part:             "dkim=fail header.d=example.com header.s=selector1",
-			expectedResult:   api.AuthResultResultFail,
+			expectedResult:   model.AuthResultResultFail,
 			expectedDomain:   "example.com",
 			expectedSelector: "selector1",
 		},
 		{
 			name:             "DKIM with short form (d= and s=)",
 			part:             "dkim=pass d=example.com s=default",
-			expectedResult:   api.AuthResultResultPass,
+			expectedResult:   model.AuthResultResultPass,
 			expectedDomain:   "example.com",
 			expectedSelector: "default",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -85,246 +84,3 @@ func TestParseDKIMResult(t *testing.T) {
 		})
 	}
 }
-
-func TestParseLegacyDKIM(t *testing.T) {
-	tests := []struct {
-		name             string
-		dkimSignatures   []string
-		expectedCount    int
-		expectedDomains  []string
-		expectedSelector []string
-	}{
-		{
-			name: "Single DKIM signature with domain and selector",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; h=from:to:subject:date; bh=xyz; b=abc",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "Multiple DKIM signatures",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc123",
-				"v=1; a=rsa-sha256; d=example.com; s=selector2; b=def456",
-			},
-			expectedCount:    2,
-			expectedDomains:  []string{"example.com", "example.com"},
-			expectedSelector: []string{"selector1", "selector2"},
-		},
-		{
-			name: "DKIM signature with different domain",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=mail.example.org; s=default; b=xyz789",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"mail.example.org"},
-			expectedSelector: []string{"default"},
-		},
-		{
-			name: "DKIM signature with subdomain",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=newsletters.example.com; s=marketing; b=aaa",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"newsletters.example.com"},
-			expectedSelector: []string{"marketing"},
-		},
-		{
-			name: "Multiple signatures from different domains",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com; s=s1; b=abc",
-				"v=1; a=rsa-sha256; d=relay.com; s=s2; b=def",
-			},
-			expectedCount:    2,
-			expectedDomains:  []string{"example.com", "relay.com"},
-			expectedSelector: []string{"s1", "s2"},
-		},
-		{
-			name:             "No DKIM signatures",
-			dkimSignatures:   []string{},
-			expectedCount:    0,
-			expectedDomains:  []string{},
-			expectedSelector: []string{},
-		},
-		{
-			name: "DKIM signature without selector",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com; b=abc123",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{""},
-		},
-		{
-			name: "DKIM signature without domain",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; s=selector1; b=abc123",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{""},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "DKIM signature with whitespace in parameters",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; d=example.com ; s=selector1 ; b=abc123",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "DKIM signature with multiline format",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=example.com; s=selector1;\r\n\th=from:to:subject:date;\r\n\tb=abc123def456ghi789",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"selector1"},
-		},
-		{
-			name: "DKIM signature with ed25519 algorithm",
-			dkimSignatures: []string{
-				"v=1; a=ed25519-sha256; d=example.com; s=ed25519; b=xyz",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"example.com"},
-			expectedSelector: []string{"ed25519"},
-		},
-		{
-			name: "Complex real-world DKIM signature",
-			dkimSignatures: []string{
-				"v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1234567890; x=1234567950; darn=example.com; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=abc123def456==; b=longsignaturehere==",
-			},
-			expectedCount:    1,
-			expectedDomains:  []string{"google.com"},
-			expectedSelector: []string{"20230601"},
-		},
-	}
-
-	analyzer := NewAuthenticationAnalyzer()
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Create a mock email message with DKIM-Signature headers
-			email := &EmailMessage{
-				Header: make(map[string][]string),
-			}
-			if len(tt.dkimSignatures) > 0 {
-				email.Header["Dkim-Signature"] = tt.dkimSignatures
-			}
-
-			results := analyzer.parseLegacyDKIM(email)
-
-			// Check count
-			if len(results) != tt.expectedCount {
-				t.Errorf("Expected %d results, got %d", tt.expectedCount, len(results))
-				return
-			}
-
-			// Check each result
-			for i, result := range results {
-				// All legacy DKIM results should have Result = none
-				if result.Result != api.AuthResultResultNone {
-					t.Errorf("Result[%d].Result = %v, want %v", i, result.Result, api.AuthResultResultNone)
-				}
-
-				// Check domain
-				if i < len(tt.expectedDomains) {
-					expectedDomain := tt.expectedDomains[i]
-					if expectedDomain != "" {
-						if result.Domain == nil {
-							t.Errorf("Result[%d].Domain = nil, want %v", i, expectedDomain)
-						} else if strings.TrimSpace(*result.Domain) != expectedDomain {
-							t.Errorf("Result[%d].Domain = %v, want %v", i, *result.Domain, expectedDomain)
-						}
-					}
-				}
-
-				// Check selector
-				if i < len(tt.expectedSelector) {
-					expectedSelector := tt.expectedSelector[i]
-					if expectedSelector != "" {
-						if result.Selector == nil {
-							t.Errorf("Result[%d].Selector = nil, want %v", i, expectedSelector)
-						} else if strings.TrimSpace(*result.Selector) != expectedSelector {
-							t.Errorf("Result[%d].Selector = %v, want %v", i, *result.Selector, expectedSelector)
-						}
-					}
-				}
-
-				// Check that Details is set
-				if result.Details == nil {
-					t.Errorf("Result[%d].Details = nil, expected non-nil", i)
-				} else {
-					expectedDetails := "DKIM signature present (verification status unknown)"
-					if *result.Details != expectedDetails {
-						t.Errorf("Result[%d].Details = %v, want %v", i, *result.Details, expectedDetails)
-					}
-				}
-			}
-		})
-	}
-}
-
-func TestParseLegacyDKIM_Integration(t *testing.T) {
-	hostname = ""
-
-	// Test that parseLegacyDKIM is properly integrated into AnalyzeAuthentication
-	t.Run("Legacy DKIM is used when no Authentication-Results", func(t *testing.T) {
-		analyzer := NewAuthenticationAnalyzer()
-		email := &EmailMessage{
-			Header: make(map[string][]string),
-		}
-		email.Header["Dkim-Signature"] = []string{
-			"v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc",
-		}
-
-		results := analyzer.AnalyzeAuthentication(email)
-
-		if results.Dkim == nil {
-			t.Fatal("Expected DKIM results, got nil")
-		}
-		if len(*results.Dkim) != 1 {
-			t.Errorf("Expected 1 DKIM result, got %d", len(*results.Dkim))
-		}
-		if (*results.Dkim)[0].Result != api.AuthResultResultNone {
-			t.Errorf("Expected DKIM result to be 'none', got %v", (*results.Dkim)[0].Result)
-		}
-		if (*results.Dkim)[0].Domain == nil || *(*results.Dkim)[0].Domain != "example.com" {
-			t.Error("Expected domain to be 'example.com'")
-		}
-	})
-
-	t.Run("Legacy DKIM is NOT used when Authentication-Results present", func(t *testing.T) {
-		analyzer := NewAuthenticationAnalyzer()
-		email := &EmailMessage{
-			Header: make(map[string][]string),
-		}
-		// Both Authentication-Results and DKIM-Signature headers
-		email.Header["Authentication-Results"] = []string{
-			"mx.example.com; dkim=pass header.d=verified.com header.s=s1",
-		}
-		email.Header["Dkim-Signature"] = []string{
-			"v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc",
-		}
-
-		results := analyzer.AnalyzeAuthentication(email)
-
-		// Should use the Authentication-Results DKIM (pass from verified.com), not the legacy signature
-		if results.Dkim == nil {
-			t.Fatal("Expected DKIM results, got nil")
-		}
-		if len(*results.Dkim) != 1 {
-			t.Errorf("Expected 1 DKIM result, got %d", len(*results.Dkim))
-		}
-		if (*results.Dkim)[0].Result != api.AuthResultResultPass {
-			t.Errorf("Expected DKIM result to be 'pass', got %v", (*results.Dkim)[0].Result)
-		}
-		if (*results.Dkim)[0].Domain == nil || *(*results.Dkim)[0].Domain != "verified.com" {
-			t.Error("Expected domain to be 'verified.com' from Authentication-Results, not 'example.com' from legacy")
-		}
-	})
-}

pkg/analyzer/authentication_dmarc.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseDMARCResult parses DMARC result from Authentication-Results
 // Example: dmarc=pass action=none header.from=example.com
-func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`dmarc=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.from)
@@ -47,17 +48,17 @@ func (a *AuthenticationAnalyzer) parseDMARCResult(part string) *api.AuthResult {
 		result.Domain = &domain
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "dmarc="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "dmarc="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateDMARCScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateDMARCScore(results *model.AuthenticationResults) (score int) {
 	if results.Dmarc != nil {
 		switch results.Dmarc.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultNone:
+		case model.AuthResultResultNone:
 			return 33
 		default: // fail
 			return 0

pkg/analyzer/authentication_dmarc_test.go

@@ -24,31 +24,31 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseDMARCResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain string
 	}{
 		{
 			name:           "DMARC pass",
 			part:           "dmarc=pass action=none header.from=example.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "DMARC fail",
 			part:           "dmarc=fail action=quarantine header.from=example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_iprev.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseIPRevResult parses IP reverse lookup result from Authentication-Results
 // Example: iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)
-func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *api.IPRevResult {
-	result := &api.IPRevResult{}
+func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *model.IPRevResult {
+	result := &model.IPRevResult{}
 
 	// Extract result (pass, fail, temperror, permerror, none)
 	re := regexp.MustCompile(`iprev=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.IPRevResultResult(resultStr)
+		result.Result = model.IPRevResultResult(resultStr)
 	}
 
 	// Extract IP address (smtp.remote-ip or remote-ip)
@@ -54,20 +55,20 @@ func (a *AuthenticationAnalyzer) parseIPRevResult(part string) *api.IPRevResult
 		result.Hostname = &hostname
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "iprev="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "iprev="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateIPRevScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateIPRevScore(results *model.AuthenticationResults) (score int) {
 	if results.Iprev != nil {
 		switch results.Iprev.Result {
-		case api.Pass:
+		case model.Pass:
 			return 100
 		default: // fail, temperror, permerror
 			return 0
 		}
 	}
 
-	return 0
+	return 100
 }

pkg/analyzer/authentication_iprev_test.go

@@ -24,76 +24,77 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseIPRevResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.IPRevResultResult
+		expectedResult   model.IPRevResultResult
 		expectedIP       *string
 		expectedHostname *string
 	}{
 		{
 			name:             "IPRev pass with IP and hostname",
 			part:             "iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("195.110.101.58"),
-			expectedHostname: api.PtrTo("authsmtp74.register.it"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("195.110.101.58"),
+			expectedHostname: utils.PtrTo("authsmtp74.register.it"),
 		},
 		{
 			name:             "IPRev pass without smtp prefix",
 			part:             "iprev=pass remote-ip=192.0.2.1 (mail.example.com)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("192.0.2.1"),
-			expectedHostname: api.PtrTo("mail.example.com"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("192.0.2.1"),
+			expectedHostname: utils.PtrTo("mail.example.com"),
 		},
 		{
 			name:             "IPRev fail",
 			part:             "iprev=fail smtp.remote-ip=198.51.100.42 (unknown.host.com)",
-			expectedResult:   api.Fail,
-			expectedIP:       api.PtrTo("198.51.100.42"),
-			expectedHostname: api.PtrTo("unknown.host.com"),
+			expectedResult:   model.Fail,
+			expectedIP:       utils.PtrTo("198.51.100.42"),
+			expectedHostname: utils.PtrTo("unknown.host.com"),
 		},
 		{
 			name:             "IPRev temperror",
 			part:             "iprev=temperror smtp.remote-ip=203.0.113.1",
-			expectedResult:   api.Temperror,
-			expectedIP:       api.PtrTo("203.0.113.1"),
+			expectedResult:   model.Temperror,
+			expectedIP:       utils.PtrTo("203.0.113.1"),
 			expectedHostname: nil,
 		},
 		{
 			name:             "IPRev permerror",
 			part:             "iprev=permerror smtp.remote-ip=192.0.2.100",
-			expectedResult:   api.Permerror,
-			expectedIP:       api.PtrTo("192.0.2.100"),
+			expectedResult:   model.Permerror,
+			expectedIP:       utils.PtrTo("192.0.2.100"),
 			expectedHostname: nil,
 		},
 		{
 			name:             "IPRev with IPv6",
 			part:             "iprev=pass smtp.remote-ip=2001:db8::1 (ipv6.example.com)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("2001:db8::1"),
-			expectedHostname: api.PtrTo("ipv6.example.com"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("2001:db8::1"),
+			expectedHostname: utils.PtrTo("ipv6.example.com"),
 		},
 		{
 			name:             "IPRev with subdomain hostname",
 			part:             "iprev=pass smtp.remote-ip=192.0.2.50 (mail.subdomain.example.com)",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("192.0.2.50"),
-			expectedHostname: api.PtrTo("mail.subdomain.example.com"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("192.0.2.50"),
+			expectedHostname: utils.PtrTo("mail.subdomain.example.com"),
 		},
 		{
 			name:             "IPRev pass without parentheses",
 			part:             "iprev=pass smtp.remote-ip=192.0.2.200",
-			expectedResult:   api.Pass,
-			expectedIP:       api.PtrTo("192.0.2.200"),
+			expectedResult:   model.Pass,
+			expectedIP:       utils.PtrTo("192.0.2.200"),
 			expectedHostname: nil,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -142,29 +143,29 @@ func TestParseAuthenticationResultsHeader_IPRev(t *testing.T) {
 	tests := []struct {
 		name                string
 		header              string
-		expectedIPRevResult *api.IPRevResultResult
+		expectedIPRevResult *model.IPRevResultResult
 		expectedIP          *string
 		expectedHostname    *string
 	}{
 		{
 			name:                "IPRev pass in Authentication-Results",
 			header:              "mx.google.com; iprev=pass smtp.remote-ip=195.110.101.58 (authsmtp74.register.it)",
-			expectedIPRevResult: api.PtrTo(api.Pass),
-			expectedIP:          api.PtrTo("195.110.101.58"),
-			expectedHostname:    api.PtrTo("authsmtp74.register.it"),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
+			expectedIP:          utils.PtrTo("195.110.101.58"),
+			expectedHostname:    utils.PtrTo("authsmtp74.register.it"),
 		},
 		{
 			name:                "IPRev with other authentication methods",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; iprev=pass smtp.remote-ip=192.0.2.1 (mail.example.com); dkim=pass header.d=example.com",
-			expectedIPRevResult: api.PtrTo(api.Pass),
-			expectedIP:          api.PtrTo("192.0.2.1"),
-			expectedHostname:    api.PtrTo("mail.example.com"),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
+			expectedIP:          utils.PtrTo("192.0.2.1"),
+			expectedHostname:    utils.PtrTo("mail.example.com"),
 		},
 		{
 			name:                "IPRev fail",
 			header:              "mx.google.com; iprev=fail smtp.remote-ip=198.51.100.42",
-			expectedIPRevResult: api.PtrTo(api.Fail),
-			expectedIP:          api.PtrTo("198.51.100.42"),
+			expectedIPRevResult: utils.PtrTo(model.Fail),
+			expectedIP:          utils.PtrTo("198.51.100.42"),
 			expectedHostname:    nil,
 		},
 		{
@@ -175,17 +176,17 @@ func TestParseAuthenticationResultsHeader_IPRev(t *testing.T) {
 		{
 			name:                "Multiple IPRev results - only first is parsed",
 			header:              "mx.google.com; iprev=pass smtp.remote-ip=192.0.2.1 (first.com); iprev=fail smtp.remote-ip=192.0.2.2 (second.com)",
-			expectedIPRevResult: api.PtrTo(api.Pass),
-			expectedIP:          api.PtrTo("192.0.2.1"),
-			expectedHostname:    api.PtrTo("first.com"),
+			expectedIPRevResult: utils.PtrTo(model.Pass),
+			expectedIP:          utils.PtrTo("192.0.2.1"),
+			expectedHostname:    utils.PtrTo("first.com"),
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{}
+			results := &model.AuthenticationResults{}
 			analyzer.parseAuthenticationResultsHeader(tt.header, results)
 
 			// Check IPRev

pkg/analyzer/authentication_spf.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseSPFResult parses SPF result from Authentication-Results
 // Example: spf=pass smtp.mailfrom=sender@example.com
-func (a *AuthenticationAnalyzer) parseSPFResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseSPFResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`spf=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain
@@ -51,25 +52,35 @@ func (a *AuthenticationAnalyzer) parseSPFResult(part string) *api.AuthResult {
 		}
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "spf="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "spf="))
 
 	return result
 }
 
 // parseLegacySPF attempts to parse SPF from Received-SPF header
-func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *api.AuthResult {
+func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *model.AuthResult {
 	receivedSPF := email.Header.Get("Received-SPF")
 	if receivedSPF == "" {
 		return nil
 	}
 
-	result := &api.AuthResult{}
+	// Verify receiver matches our hostname
+	if a.receiverHostname != "" {
+		receiverRe := regexp.MustCompile(`receiver=([^\s;]+)`)
+		if matches := receiverRe.FindStringSubmatch(receivedSPF); len(matches) > 1 {
+			if matches[1] != a.receiverHostname {
+				return nil
+			}
+		}
+	}
+
+	result := &model.AuthResult{}
 
 	// Extract result (first word)
 	parts := strings.Fields(receivedSPF)
 	if len(parts) > 0 {
 		resultStr := strings.ToLower(parts[0])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	result.Details = &receivedSPF
@@ -87,14 +98,14 @@ func (a *AuthenticationAnalyzer) parseLegacySPF(email *EmailMessage) *api.AuthRe
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateSPFScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateSPFScore(results *model.AuthenticationResults) (score int) {
 	if results.Spf != nil {
 		switch results.Spf.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			return 100
-		case api.AuthResultResultNeutral, api.AuthResultResultNone:
+		case model.AuthResultResultNeutral, model.AuthResultResultNone:
 			return 50
-		case api.AuthResultResultSoftfail:
+		case model.AuthResultResultSoftfail:
 			return 17
 		default: // fail, temperror, permerror
 			return 0

pkg/analyzer/authentication_spf_test.go

@@ -24,43 +24,44 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseSPFResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain string
 	}{
 		{
 			name:           "SPF pass with domain",
 			part:           "spf=pass smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF fail",
 			part:           "spf=fail smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF neutral",
 			part:           "spf=neutral smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultNeutral,
+			expectedResult: model.AuthResultResultNeutral,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "SPF softfail",
 			part:           "spf=softfail smtp.mailfrom=sender@example.com",
-			expectedResult: api.AuthResultResultSoftfail,
+			expectedResult: model.AuthResultResultSoftfail,
 			expectedDomain: "example.com",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -84,7 +85,7 @@ func TestParseLegacySPF(t *testing.T) {
 	tests := []struct {
 		name           string
 		receivedSPF    string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDomain *string
 		expectNil      bool
 	}{
@@ -97,8 +98,8 @@ func TestParseLegacySPF(t *testing.T) {
     envelope-from="user@example.com";
     helo=smtp.example.com;
     client-ip=192.0.2.10`,
-			expectedResult: api.AuthResultResultPass,
-			expectedDomain: api.PtrTo("example.com"),
+			expectedResult: model.AuthResultResultPass,
+			expectedDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name: "SPF fail with sender",
@@ -109,43 +110,43 @@ func TestParseLegacySPF(t *testing.T) {
     sender="sender@test.com";
     helo=smtp.test.com;
     client-ip=192.0.2.20`,
-			expectedResult: api.AuthResultResultFail,
-			expectedDomain: api.PtrTo("test.com"),
+			expectedResult: model.AuthResultResultFail,
+			expectedDomain: utils.PtrTo("test.com"),
 		},
 		{
 			name:           "SPF softfail",
 			receivedSPF:    "softfail (example.com: transitioning domain of admin@example.org does not designate 192.0.2.30 as permitted sender) envelope-from=\"admin@example.org\"",
-			expectedResult: api.AuthResultResultSoftfail,
-			expectedDomain: api.PtrTo("example.org"),
+			expectedResult: model.AuthResultResultSoftfail,
+			expectedDomain: utils.PtrTo("example.org"),
 		},
 		{
 			name:           "SPF neutral",
 			receivedSPF:    "neutral (example.com: 192.0.2.40 is neither permitted nor denied by domain of info@domain.net) envelope-from=\"info@domain.net\"",
-			expectedResult: api.AuthResultResultNeutral,
-			expectedDomain: api.PtrTo("domain.net"),
+			expectedResult: model.AuthResultResultNeutral,
+			expectedDomain: utils.PtrTo("domain.net"),
 		},
 		{
 			name:           "SPF none",
 			receivedSPF:    "none (example.com: domain of noreply@company.io has no SPF record) envelope-from=\"noreply@company.io\"",
-			expectedResult: api.AuthResultResultNone,
-			expectedDomain: api.PtrTo("company.io"),
+			expectedResult: model.AuthResultResultNone,
+			expectedDomain: utils.PtrTo("company.io"),
 		},
 		{
 			name:           "SPF temperror",
 			receivedSPF:    "temperror (example.com: error in processing SPF record) envelope-from=\"support@shop.example\"",
-			expectedResult: api.AuthResultResultTemperror,
-			expectedDomain: api.PtrTo("shop.example"),
+			expectedResult: model.AuthResultResultTemperror,
+			expectedDomain: utils.PtrTo("shop.example"),
 		},
 		{
 			name:           "SPF permerror",
 			receivedSPF:    "permerror (example.com: domain of contact@invalid.test has invalid SPF record) envelope-from=\"contact@invalid.test\"",
-			expectedResult: api.AuthResultResultPermerror,
-			expectedDomain: api.PtrTo("invalid.test"),
+			expectedResult: model.AuthResultResultPermerror,
+			expectedDomain: utils.PtrTo("invalid.test"),
 		},
 		{
 			name:           "SPF pass without domain extraction",
 			receivedSPF:    "pass (example.com: 192.0.2.50 is authorized)",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: nil,
 		},
 		{
@@ -156,12 +157,12 @@ func TestParseLegacySPF(t *testing.T) {
 		{
 			name:           "SPF with unquoted envelope-from",
 			receivedSPF:    "pass (example.com: sender SPF authorized) envelope-from=postmaster@mail.example.net",
-			expectedResult: api.AuthResultResultPass,
-			expectedDomain: api.PtrTo("mail.example.net"),
+			expectedResult: model.AuthResultResultPass,
+			expectedDomain: utils.PtrTo("mail.example.net"),
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/authentication_test.go

@@ -24,83 +24,84 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestGetAuthenticationScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		results       *api.AuthenticationResults
+		results       *model.AuthenticationResults
 		expectedScore int
 	}{
 		{
 			name: "Perfect authentication (SPF + DKIM + DMARC)",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
-				Dkim: &[]api.AuthResult{
-					{Result: api.AuthResultResultPass},
+				Dkim: &[]model.AuthResult{
+					{Result: model.AuthResultResultPass},
 				},
-				Dmarc: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+				Dmarc: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
 			},
 			expectedScore: 73, // SPF=25 + DKIM=23 + DMARC=25
 		},
 		{
 			name: "SPF and DKIM only",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
-				Dkim: &[]api.AuthResult{
-					{Result: api.AuthResultResultPass},
+				Dkim: &[]model.AuthResult{
+					{Result: model.AuthResultResultPass},
 				},
 			},
 			expectedScore: 48, // SPF=25 + DKIM=23
 		},
 		{
 			name: "SPF fail, DKIM pass",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultFail,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultFail,
 				},
-				Dkim: &[]api.AuthResult{
-					{Result: api.AuthResultResultPass},
+				Dkim: &[]model.AuthResult{
+					{Result: model.AuthResultResultPass},
 				},
 			},
 			expectedScore: 23, // SPF=0 + DKIM=23
 		},
 		{
 			name: "SPF softfail",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultSoftfail,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultSoftfail,
 				},
 			},
 			expectedScore: 4,
 		},
 		{
 			name:          "No authentication",
-			results:       &api.AuthenticationResults{},
+			results:       &model.AuthenticationResults{},
 			expectedScore: 0,
 		},
 		{
 			name: "BIMI adds to score",
-			results: &api.AuthenticationResults{
-				Spf: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+			results: &model.AuthenticationResults{
+				Spf: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
-				Bimi: &api.AuthResult{
-					Result: api.AuthResultResultPass,
+				Bimi: &model.AuthResult{
+					Result: model.AuthResultResultPass,
 				},
 			},
 			expectedScore: 35, // SPF (25) + BIMI (10)
 		},
 	}
 
-	scorer := NewAuthenticationAnalyzer()
+	scorer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -117,30 +118,30 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 	tests := []struct {
 		name                string
 		header              string
-		expectedSPFResult   *api.AuthResultResult
+		expectedSPFResult   *model.AuthResultResult
 		expectedSPFDomain   *string
 		expectedDKIMCount   int
-		expectedDKIMResult  *api.AuthResultResult
-		expectedDMARCResult *api.AuthResultResult
+		expectedDKIMResult  *model.AuthResultResult
+		expectedDMARCResult *model.AuthResultResult
 		expectedDMARCDomain *string
-		expectedBIMIResult  *api.AuthResultResult
-		expectedARCResult   *api.ARCResultResult
+		expectedBIMIResult  *model.AuthResultResult
+		expectedARCResult   *model.ARCResultResult
 	}{
 		{
 			name:                "Complete authentication results",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCDomain: api.PtrTo("example.com"),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name:                "SPF only",
 			header:              "mail.example.com; spf=pass smtp.mailfrom=user@domain.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("domain.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:   utils.PtrTo("domain.com"),
 			expectedDKIMCount:   0,
 			expectedDMARCResult: nil,
 		},
@@ -149,68 +150,68 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 			header:             "mail.example.com; dkim=pass header.d=example.com header.s=selector1",
 			expectedSPFResult:  nil,
 			expectedDKIMCount:  1,
-			expectedDKIMResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:                "Multiple DKIM signatures",
 			header:              "mail.example.com; dkim=pass header.d=example.com header.s=s1; dkim=pass header.d=example.com header.s=s2",
 			expectedSPFResult:   nil,
 			expectedDKIMCount:   2,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "SPF fail with DKIM pass",
 			header:              "mail.example.com; spf=fail smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultFail),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultFail),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "SPF softfail",
 			header:              "mail.example.com; spf=softfail smtp.mailfrom=sender@example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultSoftfail),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultSoftfail),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   0,
 			expectedDMARCResult: nil,
 		},
 		{
 			name:                "DMARC fail",
 			header:              "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=fail action=quarantine header.from=example.com",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultFail),
-			expectedDMARCDomain: api.PtrTo("example.com"),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultFail),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
 		},
 		{
 			name:               "BIMI pass",
 			header:             "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; bimi=pass header.d=example.com header.selector=default",
-			expectedSPFResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:  api.PtrTo("example.com"),
+			expectedSPFResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:  utils.PtrTo("example.com"),
 			expectedDKIMCount:  0,
-			expectedBIMIResult: api.PtrTo(api.AuthResultResultPass),
+			expectedBIMIResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:              "ARC pass",
 			header:            "mail.example.com; arc=pass",
 			expectedSPFResult: nil,
 			expectedDKIMCount: 0,
-			expectedARCResult: api.PtrTo(api.ARCResultResultPass),
+			expectedARCResult: utils.PtrTo(model.ARCResultResultPass),
 		},
 		{
 			name:                "All authentication methods",
 			header:              "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com; bimi=pass header.d=example.com header.selector=v1; arc=pass",
-			expectedSPFResult:   api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain:   api.PtrTo("example.com"),
+			expectedSPFResult:   utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain:   utils.PtrTo("example.com"),
 			expectedDKIMCount:   1,
-			expectedDKIMResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCResult: api.PtrTo(api.AuthResultResultPass),
-			expectedDMARCDomain: api.PtrTo("example.com"),
-			expectedBIMIResult:  api.PtrTo(api.AuthResultResultPass),
-			expectedARCResult:   api.PtrTo(api.ARCResultResultPass),
+			expectedDKIMResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCResult: utils.PtrTo(model.AuthResultResultPass),
+			expectedDMARCDomain: utils.PtrTo("example.com"),
+			expectedBIMIResult:  utils.PtrTo(model.AuthResultResultPass),
+			expectedARCResult:   utils.PtrTo(model.ARCResultResultPass),
 		},
 		{
 			name:              "Empty header (authserv-id only)",
@@ -221,8 +222,8 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 		{
 			name:              "Empty parts with semicolons",
 			header:            "mx.google.com; ; ; spf=pass smtp.mailfrom=sender@example.com; ;",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultPass),
-			expectedSPFDomain: api.PtrTo("example.com"),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultPass),
+			expectedSPFDomain: utils.PtrTo("example.com"),
 			expectedDKIMCount: 0,
 		},
 		{
@@ -230,28 +231,28 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 			header:             "mail.example.com; dkim=pass d=example.com s=selector1",
 			expectedSPFResult:  nil,
 			expectedDKIMCount:  1,
-			expectedDKIMResult: api.PtrTo(api.AuthResultResultPass),
+			expectedDKIMResult: utils.PtrTo(model.AuthResultResultPass),
 		},
 		{
 			name:              "SPF neutral",
 			header:            "mail.example.com; spf=neutral smtp.mailfrom=sender@example.com",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultNeutral),
-			expectedSPFDomain: api.PtrTo("example.com"),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultNeutral),
+			expectedSPFDomain: utils.PtrTo("example.com"),
 			expectedDKIMCount: 0,
 		},
 		{
 			name:              "SPF none",
 			header:            "mail.example.com; spf=none",
-			expectedSPFResult: api.PtrTo(api.AuthResultResultNone),
+			expectedSPFResult: utils.PtrTo(model.AuthResultResultNone),
 			expectedDKIMCount: 0,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{}
+			results := &model.AuthenticationResults{}
 			analyzer.parseAuthenticationResultsHeader(tt.header, results)
 
 			// Check SPF
@@ -353,17 +354,17 @@ func TestParseAuthenticationResultsHeader(t *testing.T) {
 
 func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 	// This test verifies that only the first occurrence of each auth method is parsed
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	t.Run("Multiple SPF results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; spf=pass smtp.mailfrom=first@example.com; spf=fail smtp.mailfrom=second@example.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Spf == nil {
 			t.Fatal("Expected SPF result, got nil")
 		}
-		if results.Spf.Result != api.AuthResultResultPass {
+		if results.Spf.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first SPF result (pass), got %v", results.Spf.Result)
 		}
 		if results.Spf.Domain == nil || *results.Spf.Domain != "example.com" {
@@ -373,13 +374,13 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 
 	t.Run("Multiple DMARC results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; dmarc=pass header.from=first.com; dmarc=fail header.from=second.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Dmarc == nil {
 			t.Fatal("Expected DMARC result, got nil")
 		}
-		if results.Dmarc.Result != api.AuthResultResultPass {
+		if results.Dmarc.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first DMARC result (pass), got %v", results.Dmarc.Result)
 		}
 		if results.Dmarc.Domain == nil || *results.Dmarc.Domain != "first.com" {
@@ -389,26 +390,26 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 
 	t.Run("Multiple ARC results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; arc=pass; arc=fail"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Arc == nil {
 			t.Fatal("Expected ARC result, got nil")
 		}
-		if results.Arc.Result != api.ARCResultResultPass {
+		if results.Arc.Result != model.ARCResultResultPass {
 			t.Errorf("Expected first ARC result (pass), got %v", results.Arc.Result)
 		}
 	})
 
 	t.Run("Multiple BIMI results - only first is parsed", func(t *testing.T) {
 		header := "mail.example.com; bimi=pass header.d=first.com; bimi=fail header.d=second.com"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Bimi == nil {
 			t.Fatal("Expected BIMI result, got nil")
 		}
-		if results.Bimi.Result != api.AuthResultResultPass {
+		if results.Bimi.Result != model.AuthResultResultPass {
 			t.Errorf("Expected first BIMI result (pass), got %v", results.Bimi.Result)
 		}
 		if results.Bimi.Domain == nil || *results.Bimi.Domain != "first.com" {
@@ -419,7 +420,7 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 	t.Run("Multiple DKIM results - all are parsed", func(t *testing.T) {
 		// DKIM is special - multiple signatures should all be collected
 		header := "mail.example.com; dkim=pass header.d=first.com header.s=s1; dkim=fail header.d=second.com header.s=s2"
-		results := &api.AuthenticationResults{}
+		results := &model.AuthenticationResults{}
 		analyzer.parseAuthenticationResultsHeader(header, results)
 
 		if results.Dkim == nil {
@@ -428,10 +429,10 @@ func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) {
 		if len(*results.Dkim) != 2 {
 			t.Errorf("Expected 2 DKIM results, got %d", len(*results.Dkim))
 		}
-		if (*results.Dkim)[0].Result != api.AuthResultResultPass {
+		if (*results.Dkim)[0].Result != model.AuthResultResultPass {
 			t.Errorf("Expected first DKIM result to be pass, got %v", (*results.Dkim)[0].Result)
 		}
-		if (*results.Dkim)[1].Result != api.AuthResultResultFail {
+		if (*results.Dkim)[1].Result != model.AuthResultResultFail {
 			t.Errorf("Expected second DKIM result to be fail, got %v", (*results.Dkim)[1].Result)
 		}
 	})

pkg/analyzer/authentication_x_aligned_from.go

@@ -25,34 +25,35 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseXAlignedFromResult parses X-Aligned-From result from Authentication-Results
 // Example: x-aligned-from=pass (Address match)
-func (a *AuthenticationAnalyzer) parseXAlignedFromResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseXAlignedFromResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`x-aligned-from=([\w]+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract details (everything after the result)
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "x-aligned-from="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "x-aligned-from="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateXAlignedFromScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateXAlignedFromScore(results *model.AuthenticationResults) (score int) {
 	if results.XAlignedFrom != nil {
 		switch results.XAlignedFrom.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			// pass: positive contribution
 			return 100
-		case api.AuthResultResultFail:
+		case model.AuthResultResultFail:
 			// fail: negative contribution
 			return 0
 		default:
@@ -61,5 +62,5 @@ func (a *AuthenticationAnalyzer) calculateXAlignedFromScore(results *api.Authent
 		}
 	}
 
-	return 0
+	return 100
 }

pkg/analyzer/authentication_x_aligned_from_test.go

@@ -24,49 +24,49 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseXAlignedFromResult(t *testing.T) {
 	tests := []struct {
 		name           string
 		part           string
-		expectedResult api.AuthResultResult
+		expectedResult model.AuthResultResult
 		expectedDetail string
 	}{
 		{
 			name:           "x-aligned-from pass with details",
 			part:           "x-aligned-from=pass (Address match)",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDetail: "pass (Address match)",
 		},
 		{
 			name:           "x-aligned-from fail with reason",
 			part:           "x-aligned-from=fail (Address mismatch)",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDetail: "fail (Address mismatch)",
 		},
 		{
 			name:           "x-aligned-from pass minimal",
 			part:           "x-aligned-from=pass",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDetail: "pass",
 		},
 		{
 			name:           "x-aligned-from neutral",
 			part:           "x-aligned-from=neutral (No alignment check performed)",
-			expectedResult: api.AuthResultResultNeutral,
+			expectedResult: model.AuthResultResultNeutral,
 			expectedDetail: "neutral (No alignment check performed)",
 		},
 		{
 			name:           "x-aligned-from none",
 			part:           "x-aligned-from=none",
-			expectedResult: api.AuthResultResultNone,
+			expectedResult: model.AuthResultResultNone,
 			expectedDetail: "none",
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -88,34 +88,34 @@ func TestParseXAlignedFromResult(t *testing.T) {
 func TestCalculateXAlignedFromScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		result        *api.AuthResult
+		result        *model.AuthResult
 		expectedScore int
 	}{
 		{
 			name: "pass result gives positive score",
-			result: &api.AuthResult{
-				Result: api.AuthResultResultPass,
+			result: &model.AuthResult{
+				Result: model.AuthResultResultPass,
 			},
 			expectedScore: 100,
 		},
 		{
 			name: "fail result gives zero score",
-			result: &api.AuthResult{
-				Result: api.AuthResultResultFail,
+			result: &model.AuthResult{
+				Result: model.AuthResultResultFail,
 			},
 			expectedScore: 0,
 		},
 		{
 			name: "neutral result gives zero score",
-			result: &api.AuthResult{
-				Result: api.AuthResultResultNeutral,
+			result: &model.AuthResult{
+				Result: model.AuthResultResultNeutral,
 			},
 			expectedScore: 0,
 		},
 		{
 			name: "none result gives zero score",
-			result: &api.AuthResult{
-				Result: api.AuthResultResultNone,
+			result: &model.AuthResult{
+				Result: model.AuthResultResultNone,
 			},
 			expectedScore: 0,
 		},
@@ -126,11 +126,11 @@ func TestCalculateXAlignedFromScore(t *testing.T) {
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			results := &api.AuthenticationResults{
+			results := &model.AuthenticationResults{
 				XAlignedFrom: tt.result,
 			}
 

pkg/analyzer/authentication_x_google_dkim.go

@@ -25,19 +25,20 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // parseXGoogleDKIMResult parses Google DKIM result from Authentication-Results
 // Example: x-google-dkim=pass (2048-bit rsa key) header.d=1e100.net header.i=@1e100.net header.b=fauiPVZ6
-func (a *AuthenticationAnalyzer) parseXGoogleDKIMResult(part string) *api.AuthResult {
-	result := &api.AuthResult{}
+func (a *AuthenticationAnalyzer) parseXGoogleDKIMResult(part string) *model.AuthResult {
+	result := &model.AuthResult{}
 
 	// Extract result (pass, fail, etc.)
 	re := regexp.MustCompile(`x-google-dkim=(\w+)`)
 	if matches := re.FindStringSubmatch(part); len(matches) > 1 {
 		resultStr := strings.ToLower(matches[1])
-		result.Result = api.AuthResultResult(resultStr)
+		result.Result = model.AuthResultResult(resultStr)
 	}
 
 	// Extract domain (header.d or d)
@@ -54,15 +55,15 @@ func (a *AuthenticationAnalyzer) parseXGoogleDKIMResult(part string) *api.AuthRe
 		result.Selector = &selector
 	}
 
-	result.Details = api.PtrTo(strings.TrimPrefix(part, "x-google-dkim="))
+	result.Details = utils.PtrTo(strings.TrimPrefix(part, "x-google-dkim="))
 
 	return result
 }
 
-func (a *AuthenticationAnalyzer) calculateXGoogleDKIMScore(results *api.AuthenticationResults) (score int) {
+func (a *AuthenticationAnalyzer) calculateXGoogleDKIMScore(results *model.AuthenticationResults) (score int) {
 	if results.XGoogleDkim != nil {
 		switch results.XGoogleDkim.Result {
-		case api.AuthResultResultPass:
+		case model.AuthResultResultPass:
 			// pass: don't alter the score
 		default: // fail
 			return -100

pkg/analyzer/authentication_x_google_dkim_test.go

@@ -24,43 +24,43 @@ package analyzer
 import (
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestParseXGoogleDKIMResult(t *testing.T) {
 	tests := []struct {
 		name             string
 		part             string
-		expectedResult   api.AuthResultResult
+		expectedResult   model.AuthResultResult
 		expectedDomain   string
 		expectedSelector string
 	}{
 		{
 			name:           "x-google-dkim pass with domain",
 			part:           "x-google-dkim=pass (2048-bit rsa key) header.d=1e100.net header.i=@1e100.net header.b=fauiPVZ6",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "1e100.net",
 		},
 		{
 			name:           "x-google-dkim pass with short form",
 			part:           "x-google-dkim=pass d=gmail.com",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 			expectedDomain: "gmail.com",
 		},
 		{
 			name:           "x-google-dkim fail",
 			part:           "x-google-dkim=fail header.d=example.com",
-			expectedResult: api.AuthResultResultFail,
+			expectedResult: model.AuthResultResultFail,
 			expectedDomain: "example.com",
 		},
 		{
 			name:           "x-google-dkim with minimal info",
 			part:           "x-google-dkim=pass",
-			expectedResult: api.AuthResultResultPass,
+			expectedResult: model.AuthResultResultPass,
 		},
 	}
 
-	analyzer := NewAuthenticationAnalyzer()
+	analyzer := NewAuthenticationAnalyzer("")
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/analyzer/content.go

@@ -27,18 +27,22 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
+	"slices"
 	"strings"
 	"time"
 	"unicode"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 	"golang.org/x/net/html"
 )
 
 // ContentAnalyzer analyzes email content (HTML, links, images)
 type ContentAnalyzer struct {
-	Timeout    time.Duration
-	httpClient *http.Client
+	Timeout                time.Duration
+	httpClient             *http.Client
+	listUnsubscribeURLs    []string // URLs from List-Unsubscribe header
+	hasOneClickUnsubscribe bool     // True if List-Unsubscribe-Post: List-Unsubscribe=One-Click
 }
 
 // NewContentAnalyzer creates a new content analyzer with configurable timeout
@@ -110,6 +114,13 @@ func (c *ContentAnalyzer) AnalyzeContent(email *EmailMessage) *ContentResults {
 
 	results.IsMultipart = len(email.Parts) > 1
 
+	// Parse List-Unsubscribe header URLs for use in link detection
+	c.listUnsubscribeURLs = email.GetListUnsubscribeURLs()
+
+	// Check for one-click unsubscribe support
+	listUnsubscribePost := email.Header.Get("List-Unsubscribe-Post")
+	c.hasOneClickUnsubscribe = strings.EqualFold(strings.TrimSpace(listUnsubscribePost), "List-Unsubscribe=One-Click")
+
 	// Get HTML and text parts
 	htmlParts := email.GetHTMLParts()
 	textParts := email.GetTextParts()
@@ -220,6 +231,18 @@ func (c *ContentAnalyzer) traverseHTML(n *html.Node, results *ContentResults) {
 
 				// Validate link
 				linkCheck := c.validateLink(href)
+
+				// Check for domain misalignment (phishing detection)
+				linkText := c.getNodeText(n)
+				if c.hasDomainMisalignment(href, linkText) {
+					linkCheck.IsSafe = false
+					if linkCheck.Warning == "" {
+						linkCheck.Warning = "Link text domain does not match actual URL domain (possible phishing)"
+					} else {
+						linkCheck.Warning += "; Link text domain does not match actual URL domain (possible phishing)"
+					}
+				}
+
 				results.Links = append(results.Links, linkCheck)
 
 				// Check for suspicious URLs
@@ -319,9 +342,14 @@ func (c *ContentAnalyzer) getAttr(n *html.Node, key string) string {
 
 // isUnsubscribeLink checks if a link is an unsubscribe link
 func (c *ContentAnalyzer) isUnsubscribeLink(href string, node *html.Node) bool {
+	// First check: does the href match a URL from the List-Unsubscribe header?
+	if slices.Contains(c.listUnsubscribeURLs, href) {
+		return true
+	}
+
 	// Check href for unsubscribe keywords
 	lowerHref := strings.ToLower(href)
-	unsubKeywords := []string{"unsubscribe", "opt-out", "optout", "remove", "list-unsubscribe"}
+	unsubKeywords := []string{"unsubscribe", "opt-out", "optout", "remove", "list-unsubscribe", "отписване", "desubscripció", "zrušit odběr", "dad-danysgrifio", "afmeld", "abmelden", "διαγραφή", "darse de baja", "poistu postituslistalta", "se désabonner", "ביטול רישום", "leiratkozás", "cancella iscrizione", "登録を取り消す", "구독 해지", "വരിക്കാരനല്ലാതാകുക", "uitschrijven", "meld av", "odsubskrybuj", "cancelar assinatura", "cancelar subscrição", "dezabonare", "отписаться", "avsluta prenumeration", "zrušiť odber", "odjava", "üyeliği sonlandır", "відписатися", "hủy đăng ký", "退订", "退訂"}
 	for _, keyword := range unsubKeywords {
 		if strings.Contains(lowerHref, keyword) {
 			return true
@@ -415,8 +443,131 @@ func (c *ContentAnalyzer) validateLink(urlStr string) LinkCheck {
 	return check
 }
 
+// hasDomainMisalignment checks if the link text contains a different domain than the actual URL
+// This is a common phishing technique (e.g., text shows "paypal.com" but links to "evil.com")
+func (c *ContentAnalyzer) hasDomainMisalignment(href, linkText string) bool {
+	// Parse the actual URL
+	parsedURL, err := url.Parse(href)
+	if err != nil {
+		return false
+	}
+
+	// Extract the actual destination domain/email based on scheme
+	var actualDomain string
+
+	switch parsedURL.Scheme {
+	case "mailto":
+		// Extract email address from mailto: URL
+		// Format can be: mailto:user@domain.com or mailto:user@domain.com?subject=...
+		mailtoAddr := parsedURL.Opaque
+
+		// Remove query parameters if present
+		if idx := strings.Index(mailtoAddr, "?"); idx != -1 {
+			mailtoAddr = mailtoAddr[:idx]
+		}
+
+		mailtoAddr = strings.TrimSpace(strings.ToLower(mailtoAddr))
+
+		// Extract domain from email address
+		if idx := strings.Index(mailtoAddr, "@"); idx != -1 {
+			actualDomain = mailtoAddr[idx+1:]
+		} else {
+			return false // Invalid mailto
+		}
+	case "http":
+	case "https":
+		// Check if URL has a host
+		if parsedURL.Host == "" {
+			return false
+		}
+
+		// Extract the actual URL's domain (remove port if present)
+		actualDomain = parsedURL.Host
+		if idx := strings.LastIndex(actualDomain, ":"); idx != -1 {
+			actualDomain = actualDomain[:idx]
+		}
+		actualDomain = strings.ToLower(actualDomain)
+	default:
+		// Skip checks for other URL schemes (tel, etc.)
+		return false
+	}
+
+	// Normalize link text
+	linkText = strings.TrimSpace(linkText)
+	linkText = strings.ToLower(linkText)
+
+	// Skip if link text is empty, too short, or just generic text like "click here"
+	if linkText == "" || len(linkText) < 4 {
+		return false
+	}
+
+	// Common generic link texts that shouldn't trigger warnings
+	genericTexts := []string{
+		"click here", "read more", "learn more", "download", "subscribe",
+		"unsubscribe", "view online", "view in browser", "click", "here",
+		"update", "verify", "confirm", "continue", "get started",
+		// mailto-specific generic texts
+		"email us", "contact us", "send email", "get in touch", "reach out",
+		"contact", "email", "write to us",
+	}
+	if slices.Contains(genericTexts, linkText) {
+		return false
+	}
+
+	// Extract domain-like patterns from link text using regex
+	// Matches patterns like "example.com", "www.example.com", "http://example.com"
+	domainRegex := regexp.MustCompile(`(?i)(?:https?://)?(?:www\.)?([a-z0-9][-a-z0-9]*\.)+[a-z]{2,}`)
+	matches := domainRegex.FindAllString(linkText, -1)
+
+	if len(matches) == 0 {
+		return false
+	}
+
+	// Check each domain-like pattern found in the text
+	for _, textDomain := range matches {
+		// Normalize the text domain
+		textDomain = strings.ToLower(textDomain)
+		textDomain = strings.TrimPrefix(textDomain, "http://")
+		textDomain = strings.TrimPrefix(textDomain, "https://")
+		textDomain = strings.TrimPrefix(textDomain, "www.")
+
+		// Remove trailing slashes and paths
+		if idx := strings.Index(textDomain, "/"); idx != -1 {
+			textDomain = textDomain[:idx]
+		}
+
+		// Compare domains - they should match or the actual URL should be a subdomain of the text domain
+		if textDomain != actualDomain {
+			// Check if actual domain is a subdomain of text domain
+			if !strings.HasSuffix(actualDomain, "."+textDomain) && !strings.HasSuffix(actualDomain, textDomain) {
+				// Check if they share the same base domain (last 2 parts)
+				textParts := strings.Split(textDomain, ".")
+				actualParts := strings.Split(actualDomain, ".")
+
+				if len(textParts) >= 2 && len(actualParts) >= 2 {
+					textBase := strings.Join(textParts[len(textParts)-2:], ".")
+					actualBase := strings.Join(actualParts[len(actualParts)-2:], ".")
+
+					if textBase != actualBase {
+						return true // Domain mismatch detected!
+					}
+				} else {
+					return true // Domain mismatch detected!
+				}
+			}
+		}
+	}
+
+	return false
+}
+
 // isSuspiciousURL checks if a URL looks suspicious
 func (c *ContentAnalyzer) isSuspiciousURL(urlStr string, parsedURL *url.URL) bool {
+	// Skip checks for mailto: URLs
+	if parsedURL.Scheme == "mailto" {
+		return false
+	}
+
 	// Check for IP address instead of domain
 	if c.isIPAddress(parsedURL.Host) {
 		return true
@@ -427,10 +578,8 @@ func (c *ContentAnalyzer) isSuspiciousURL(urlStr string, parsedURL *url.URL) boo
 		"bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "t.co",
 		"buff.ly", "is.gd", "bl.ink", "short.io",
 	}
-	for _, shortener := range shorteners {
-		if strings.ToLower(parsedURL.Host) == shortener {
-			return true
-		}
+	if slices.Contains(shorteners, strings.ToLower(parsedURL.Host)) {
+		return true
 	}
 
 	// Check for excessive subdomains (possible obfuscation)
@@ -492,7 +641,7 @@ func (c *ContentAnalyzer) extractTextFromHTML(htmlContent string) string {
 	var extract func(*html.Node)
 	extract = func(n *html.Node) {
 		if n.Type == html.TextNode {
-			text.WriteString(n.Data)
+			text.WriteString(" " + n.Data)
 		}
 		// Skip script and style tags
 		if n.Type == html.ElementNode && (n.Data == "script" || n.Data == "style") {
@@ -504,7 +653,7 @@ func (c *ContentAnalyzer) extractTextFromHTML(htmlContent string) string {
 	}
 	extract(doc)
 
-	return text.String()
+	return strings.TrimSpace(text.String())
 }
 
 // calculateTextPlainConsistency compares plain text and HTML versions
@@ -524,30 +673,47 @@ func (c *ContentAnalyzer) calculateTextPlainConsistency(plainText, htmlText stri
 		return 0.0
 	}
 
-	// Count common words
-	commonWords := 0
-	plainWordSet := make(map[string]bool)
+	// Count common words by building sets
+	plainWordSet := make(map[string]int)
 	for _, word := range plainWords {
-		plainWordSet[word] = true
+		plainWordSet[word]++
 	}
 
+	htmlWordSet := make(map[string]int)
 	for _, word := range htmlWords {
-		if plainWordSet[word] {
-			commonWords++
+		htmlWordSet[word]++
+	}
+
+	// Count matches: for each unique word, count minimum occurrences in both texts
+	commonWords := 0
+	for word, plainCount := range plainWordSet {
+		if htmlCount, exists := htmlWordSet[word]; exists {
+			// Count the minimum occurrences between both texts
+			if plainCount < htmlCount {
+				commonWords += plainCount
+			} else {
+				commonWords += htmlCount
+			}
 		}
 	}
 
-	// Calculate ratio (Jaccard similarity approximation)
-	maxWords := len(plainWords)
-	if len(htmlWords) > maxWords {
-		maxWords = len(htmlWords)
-	}
-
-	if maxWords == 0 {
+	// Calculate ratio using total words from both texts (union approach)
+	// This provides a balanced measure: perfect match = 1.0, partial overlap = 0.3-0.8
+	totalWords := len(plainWords) + len(htmlWords)
+	if totalWords == 0 {
 		return 0.0
 	}
 
-	return float32(commonWords) / float32(maxWords)
+	// Divide by average word count for better scoring
+	avgWords := float32(totalWords) / 2.0
+	ratio := float32(commonWords) / avgWords
+
+	// Cap at 1.0 for perfect matches
+	if ratio > 1.0 {
+		ratio = 1.0
+	}
+
+	return ratio
 }
 
 // normalizeText normalizes text for comparison
@@ -563,15 +729,16 @@ func (c *ContentAnalyzer) normalizeText(text string) string {
 }
 
 // GenerateContentAnalysis creates structured content analysis from results
-func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.ContentAnalysis {
+func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *model.ContentAnalysis {
 	if results == nil {
 		return nil
 	}
 
-	analysis := &api.ContentAnalysis{
-		HasHtml:            api.PtrTo(results.HTMLContent != ""),
-		HasPlaintext:       api.PtrTo(results.TextContent != ""),
-		HasUnsubscribeLink: api.PtrTo(results.HasUnsubscribe),
+	analysis := &model.ContentAnalysis{
+		HasHtml:            utils.PtrTo(results.HTMLContent != ""),
+		HasPlaintext:       utils.PtrTo(results.TextContent != ""),
+		HasUnsubscribeLink: utils.PtrTo(results.HasUnsubscribe),
+		UnsubscribeMethods: &[]model.ContentAnalysisUnsubscribeMethods{},
 	}
 
 	// Calculate text-to-image ratio (inverse of image-to-text)
@@ -584,16 +751,16 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 	}
 
 	// Build HTML issues
-	htmlIssues := []api.ContentIssue{}
+	htmlIssues := []model.ContentIssue{}
 
 	// Add HTML parsing errors
 	if !results.HTMLValid && len(results.HTMLErrors) > 0 {
 		for _, errMsg := range results.HTMLErrors {
-			htmlIssues = append(htmlIssues, api.ContentIssue{
-				Type:     api.BrokenHtml,
-				Severity: api.ContentIssueSeverityHigh,
+			htmlIssues = append(htmlIssues, model.ContentIssue{
+				Type:     model.BrokenHtml,
+				Severity: model.ContentIssueSeverityHigh,
 				Message:  errMsg,
-				Advice:   api.PtrTo("Fix HTML structure errors to improve email rendering across clients"),
+				Advice:   utils.PtrTo("Fix HTML structure errors to improve email rendering across clients"),
 			})
 		}
 	}
@@ -607,53 +774,53 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 			}
 		}
 		if missingAltCount > 0 {
-			htmlIssues = append(htmlIssues, api.ContentIssue{
-				Type:     api.MissingAlt,
-				Severity: api.ContentIssueSeverityMedium,
+			htmlIssues = append(htmlIssues, model.ContentIssue{
+				Type:     model.MissingAlt,
+				Severity: model.ContentIssueSeverityMedium,
 				Message:  fmt.Sprintf("%d image(s) missing alt attributes", missingAltCount),
-				Advice:   api.PtrTo("Add descriptive alt text to all images for better accessibility and deliverability"),
+				Advice:   utils.PtrTo("Add descriptive alt text to all images for better accessibility and deliverability"),
 			})
 		}
 	}
 
 	// Add excessive images issue
 	if results.ImageTextRatio > 10.0 {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
-			Type:     api.ExcessiveImages,
-			Severity: api.ContentIssueSeverityMedium,
+		htmlIssues = append(htmlIssues, model.ContentIssue{
+			Type:     model.ExcessiveImages,
+			Severity: model.ContentIssueSeverityMedium,
 			Message:  "Email is excessively image-heavy",
-			Advice:   api.PtrTo("Reduce the number of images relative to text content"),
+			Advice:   utils.PtrTo("Reduce the number of images relative to text content"),
 		})
 	}
 
 	// Add suspicious URL issues
 	for _, suspURL := range results.SuspiciousURLs {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
-			Type:     api.SuspiciousLink,
-			Severity: api.ContentIssueSeverityHigh,
+		htmlIssues = append(htmlIssues, model.ContentIssue{
+			Type:     model.SuspiciousLink,
+			Severity: model.ContentIssueSeverityHigh,
 			Message:  "Suspicious URL detected",
 			Location: &suspURL,
-			Advice:   api.PtrTo("Avoid URL shorteners, IP addresses, and obfuscated URLs in emails"),
+			Advice:   utils.PtrTo("Avoid URL shorteners, IP addresses, and obfuscated URLs in emails"),
 		})
 	}
 
 	// Add harmful HTML tag issues
 	for _, harmfulIssue := range results.HarmfullIssues {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
-			Type:     api.DangerousHtml,
-			Severity: api.ContentIssueSeverityCritical,
+		htmlIssues = append(htmlIssues, model.ContentIssue{
+			Type:     model.DangerousHtml,
+			Severity: model.ContentIssueSeverityCritical,
 			Message:  harmfulIssue,
-			Advice:   api.PtrTo("Remove dangerous HTML tags like <script>, <iframe>, <object>, <embed>, <applet>, <form>, and <base> from email content"),
+			Advice:   utils.PtrTo("Remove dangerous HTML tags like <script>, <iframe>, <object>, <embed>, <applet>, <form>, and <base> from email content"),
 		})
 	}
 
 	// Add general content issues (like external stylesheets)
 	for _, contentIssue := range results.ContentIssues {
-		htmlIssues = append(htmlIssues, api.ContentIssue{
-			Type:     api.BrokenHtml,
-			Severity: api.ContentIssueSeverityLow,
+		htmlIssues = append(htmlIssues, model.ContentIssue{
+			Type:     model.BrokenHtml,
+			Severity: model.ContentIssueSeverityLow,
 			Message:  contentIssue,
-			Advice:   api.PtrTo("Use inline CSS instead of external stylesheets for better email compatibility"),
+			Advice:   utils.PtrTo("Use inline CSS instead of external stylesheets for better email compatibility"),
 		})
 	}
 
@@ -663,31 +830,31 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 
 	// Convert links
 	if len(results.Links) > 0 {
-		links := make([]api.LinkCheck, 0, len(results.Links))
+		links := make([]model.LinkCheck, 0, len(results.Links))
 		for _, link := range results.Links {
-			status := api.Valid
+			status := model.Valid
 			if link.Status >= 400 {
-				status = api.Broken
+				status = model.Broken
 			} else if !link.IsSafe {
-				status = api.Suspicious
+				status = model.Suspicious
 			} else if link.Warning != "" {
-				status = api.Timeout
+				status = model.Timeout
 			}
 
-			apiLink := api.LinkCheck{
+			apiLink := model.LinkCheck{
 				Url:    link.URL,
 				Status: status,
 			}
 
 			if link.Status > 0 {
-				apiLink.HttpCode = api.PtrTo(link.Status)
+				apiLink.HttpCode = utils.PtrTo(link.Status)
 			}
 
 			// Check if it's a URL shortener
 			parsedURL, err := url.Parse(link.URL)
 			if err == nil {
 				isShortened := c.isSuspiciousURL(link.URL, parsedURL)
-				apiLink.IsShortened = api.PtrTo(isShortened)
+				apiLink.IsShortened = utils.PtrTo(isShortened)
 			}
 
 			links = append(links, apiLink)
@@ -697,9 +864,9 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 
 	// Convert images
 	if len(results.Images) > 0 {
-		images := make([]api.ImageCheck, 0, len(results.Images))
+		images := make([]model.ImageCheck, 0, len(results.Images))
 		for _, img := range results.Images {
-			apiImg := api.ImageCheck{
+			apiImg := model.ImageCheck{
 				HasAlt: img.HasAlt,
 			}
 			if img.Src != "" {
@@ -709,7 +876,7 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 				apiImg.AltText = &img.AltText
 			}
 			// Simple heuristic: tracking pixels are typically 1x1
-			apiImg.IsTrackingPixel = api.PtrTo(false)
+			apiImg.IsTrackingPixel = utils.PtrTo(false)
 
 			images = append(images, apiImg)
 		}
@@ -718,8 +885,19 @@ func (c *ContentAnalyzer) GenerateContentAnalysis(results *ContentResults) *api.
 
 	// Unsubscribe methods
 	if results.HasUnsubscribe {
-		methods := []api.ContentAnalysisUnsubscribeMethods{api.Link}
-		analysis.UnsubscribeMethods = &methods
+		*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.Link)
+	}
+
+	for _, url := range c.listUnsubscribeURLs {
+		if strings.HasPrefix(url, "mailto:") {
+			*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.Mailto)
+		} else if strings.HasPrefix(url, "http:") || strings.HasPrefix(url, "https:") {
+			*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.ListUnsubscribeHeader)
+		}
+	}
+
+	if slices.Contains(*analysis.UnsubscribeMethods, model.ListUnsubscribeHeader) && c.hasOneClickUnsubscribe {
+		*analysis.UnsubscribeMethods = append(*analysis.UnsubscribeMethods, model.OneClick)
 	}
 
 	return analysis

pkg/analyzer/content_test.go

@@ -76,17 +76,17 @@ func TestExtractTextFromHTML(t *testing.T) {
 		{
 			name:         "Multiple elements",
 			html:         "<div><h1>Title</h1><p>Paragraph</p></div>",
-			expectedText: "TitleParagraph",
+			expectedText: "Title Paragraph",
 		},
 		{
 			name:         "With script tag",
 			html:         "<p>Text</p><script>alert('hi')</script><p>More</p>",
-			expectedText: "TextMore",
+			expectedText: "Text More",
 		},
 		{
 			name:         "With style tag",
 			html:         "<p>Text</p><style>.class { color: red; }</style><p>More</p>",
-			expectedText: "TextMore",
+			expectedText: "Text More",
 		},
 		{
 			name:         "Empty HTML",
@@ -144,6 +144,74 @@ func TestIsUnsubscribeLink(t *testing.T) {
 			linkText: "Read more",
 			expected: false,
 		},
+		// Multilingual keyword detection - URL path
+		{
+			name:     "German abmelden in URL",
+			href:     "https://example.com/abmelden?id=42",
+			linkText: "Click here",
+			expected: true,
+		},
+		{
+			name:     "French se-desabonner slug in URL (no accent/space - not detected by keyword)",
+			href:     "https://example.com/se-desabonner?id=42",
+			linkText: "Click here",
+			expected: false,
+		},
+		// Multilingual keyword detection - link text
+		{
+			name:     "German Abmelden in link text",
+			href:     "https://example.com/manage?id=42&lang=de",
+			linkText: "Abmelden",
+			expected: true,
+		},
+		{
+			name:     "French Se désabonner in link text",
+			href:     "https://example.com/manage?id=42&lang=fr",
+			linkText: "Se désabonner",
+			expected: true,
+		},
+		{
+			name:     "Russian Отписаться in link text",
+			href:     "https://example.com/manage?id=42&lang=ru",
+			linkText: "Отписаться",
+			expected: true,
+		},
+		{
+			name:     "Chinese 退订 in link text",
+			href:     "https://example.com/manage?id=42&lang=zh",
+			linkText: "退订",
+			expected: true,
+		},
+		{
+			name:     "Japanese 登録を取り消す in link text",
+			href:     "https://example.com/manage?id=42&lang=ja",
+			linkText: "登録を取り消す",
+			expected: true,
+		},
+		{
+			name:     "Korean 구독 해지 in link text",
+			href:     "https://example.com/manage?id=42&lang=ko",
+			linkText: "구독 해지",
+			expected: true,
+		},
+		{
+			name:     "Dutch Uitschrijven in link text",
+			href:     "https://example.com/manage?id=42&lang=nl",
+			linkText: "Uitschrijven",
+			expected: true,
+		},
+		{
+			name:     "Polish Odsubskrybuj in link text",
+			href:     "https://example.com/manage?id=42&lang=pl",
+			linkText: "Odsubskrybuj",
+			expected: true,
+		},
+		{
+			name:     "Turkish Üyeliği sonlandır in link text",
+			href:     "https://example.com/manage?id=42&lang=tr",
+			linkText: "Üyeliği sonlandır",
+			expected: true,
+		},
 	}
 
 	analyzer := NewContentAnalyzer(5 * time.Second)
@@ -213,6 +281,16 @@ func TestIsSuspiciousURL(t *testing.T) {
 			url:      "https://mail.example.com/page",
 			expected: false,
 		},
+		{
+			name:     "Mailto with @ symbol",
+			url:      "mailto:support@example.com",
+			expected: false,
+		},
+		{
+			name:     "Mailto with multiple @ symbols",
+			url:      "mailto:user@subdomain@example.com",
+			expected: false,
+		},
 	}
 
 	analyzer := NewContentAnalyzer(5 * time.Second)
@@ -628,3 +706,276 @@ func findFirstLink(n *html.Node) *html.Node {
 func parseURL(urlStr string) (*url.URL, error) {
 	return url.Parse(urlStr)
 }
+
+func TestHasDomainMisalignment(t *testing.T) {
+	tests := []struct {
+		name     string
+		href     string
+		linkText string
+		expected bool
+		reason   string
+	}{
+		// Phishing cases - should return true
+		{
+			name:     "Obvious phishing - different domains",
+			href:     "https://evil.com/page",
+			linkText: "Click here to verify your paypal.com account",
+			expected: true,
+			reason:   "Link text shows 'paypal.com' but URL points to 'evil.com'",
+		},
+		{
+			name:     "Domain in link text differs from URL",
+			href:     "http://attacker.net",
+			linkText: "Visit google.com for more info",
+			expected: true,
+			reason:   "Link text shows 'google.com' but URL points to 'attacker.net'",
+		},
+		{
+			name:     "URL shown in text differs from actual URL",
+			href:     "https://phishing-site.xyz/login",
+			linkText: "https://www.bank.example.com/secure",
+			expected: true,
+			reason:   "Full URL in text doesn't match actual destination",
+		},
+		{
+			name:     "Similar but different domain",
+			href:     "https://paypa1.com/login",
+			linkText: "Login to your paypal.com account",
+			expected: true,
+			reason:   "Typosquatting: 'paypa1.com' vs 'paypal.com'",
+		},
+		{
+			name:     "Subdomain spoofing",
+			href:     "https://paypal.com.evil.com/login",
+			linkText: "Verify your paypal.com account",
+			expected: true,
+			reason:   "Domain is 'evil.com', not 'paypal.com'",
+		},
+		{
+			name:     "Multiple domains in text, none match",
+			href:     "https://badsite.com",
+			linkText: "Transfer from bank.com to paypal.com",
+			expected: true,
+			reason:   "Neither 'bank.com' nor 'paypal.com' matches 'badsite.com'",
+		},
+
+		// Legitimate cases - should return false
+		{
+			name:     "Exact domain match",
+			href:     "https://example.com/page",
+			linkText: "Visit example.com for more information",
+			expected: false,
+			reason:   "Domains match exactly",
+		},
+		{
+			name:     "Legitimate subdomain",
+			href:     "https://mail.google.com/inbox",
+			linkText: "Check your google.com email",
+			expected: false,
+			reason:   "Subdomain of the mentioned domain",
+		},
+		{
+			name:     "www prefix variation",
+			href:     "https://www.example.com/page",
+			linkText: "Visit example.com",
+			expected: false,
+			reason:   "www prefix is acceptable variation",
+		},
+		{
+			name:     "Generic link text - click here",
+			href:     "https://anywhere.com",
+			linkText: "click here",
+			expected: false,
+			reason:   "Generic text doesn't contain a domain",
+		},
+		{
+			name:     "Generic link text - read more",
+			href:     "https://example.com/article",
+			linkText: "Read more",
+			expected: false,
+			reason:   "Generic text doesn't contain a domain",
+		},
+		{
+			name:     "Generic link text - learn more",
+			href:     "https://example.com/info",
+			linkText: "Learn More",
+			expected: false,
+			reason:   "Generic text doesn't contain a domain (case insensitive)",
+		},
+		{
+			name:     "No domain in link text",
+			href:     "https://example.com/page",
+			linkText: "Click to continue",
+			expected: false,
+			reason:   "Link text has no domain reference",
+		},
+		{
+			name:     "Short link text",
+			href:     "https://example.com",
+			linkText: "Go",
+			expected: false,
+			reason:   "Text too short to contain meaningful domain",
+		},
+		{
+			name:     "Empty link text",
+			href:     "https://example.com",
+			linkText: "",
+			expected: false,
+			reason:   "Empty text cannot contain domain",
+		},
+		{
+			name:     "Mailto link - matching domain",
+			href:     "mailto:support@example.com",
+			linkText: "Email support@example.com",
+			expected: false,
+			reason:   "Mailto email matches text email",
+		},
+		{
+			name:     "Mailto link - domain mismatch (phishing)",
+			href:     "mailto:attacker@evil.com",
+			linkText: "Contact support@paypal.com for help",
+			expected: true,
+			reason:   "Mailto domain 'evil.com' doesn't match text domain 'paypal.com'",
+		},
+		{
+			name:     "Mailto link - generic text",
+			href:     "mailto:info@example.com",
+			linkText: "Contact us",
+			expected: false,
+			reason:   "Generic text without domain reference",
+		},
+		{
+			name:     "Mailto link - same domain different user",
+			href:     "mailto:sales@example.com",
+			linkText: "Email support@example.com",
+			expected: false,
+			reason:   "Both emails share the same domain",
+		},
+		{
+			name:     "Mailto link - text shows only domain",
+			href:     "mailto:info@example.com",
+			linkText: "Write to example.com",
+			expected: false,
+			reason:   "Text domain matches mailto domain",
+		},
+		{
+			name:     "Mailto link - domain in text doesn't match",
+			href:     "mailto:scam@phishing.net",
+			linkText: "Reply to customer-service@amazon.com",
+			expected: true,
+			reason:   "Mailto domain 'phishing.net' doesn't match 'amazon.com' in text",
+		},
+		{
+			name:     "Tel link",
+			href:     "tel:+1234567890",
+			linkText: "Call example.com support",
+			expected: false,
+			reason:   "Non-HTTP(S) links are excluded",
+		},
+		{
+			name:     "Same base domain with different subdomains",
+			href:     "https://www.example.com/page",
+			linkText: "Visit blog.example.com",
+			expected: false,
+			reason:   "Both share same base domain 'example.com'",
+		},
+		{
+			name:     "URL with path matches domain in text",
+			href:     "https://example.com/section/page",
+			linkText: "Go to example.com",
+			expected: false,
+			reason:   "Domain matches, path doesn't matter",
+		},
+		{
+			name:     "Generic text - subscribe",
+			href:     "https://newsletter.example.com/signup",
+			linkText: "Subscribe",
+			expected: false,
+			reason:   "Generic call-to-action text",
+		},
+		{
+			name:     "Generic text - unsubscribe",
+			href:     "https://example.com/unsubscribe?id=123",
+			linkText: "Unsubscribe",
+			expected: false,
+			reason:   "Generic unsubscribe text",
+		},
+		{
+			name:     "Generic text - download",
+			href:     "https://files.example.com/document.pdf",
+			linkText: "Download",
+			expected: false,
+			reason:   "Generic action text",
+		},
+		{
+			name:     "Descriptive text without domain",
+			href:     "https://shop.example.com/products",
+			linkText: "View our latest products",
+			expected: false,
+			reason:   "No domain mentioned in text",
+		},
+
+		// Edge cases
+		{
+			name:     "Domain-like text but not valid domain",
+			href:     "https://example.com",
+			linkText: "Save up to 50.00 dollars",
+			expected: false,
+			reason:   "50.00 looks like domain but isn't",
+		},
+		{
+			name:     "Text with http prefix matching domain",
+			href:     "https://example.com/page",
+			linkText: "Visit http://example.com",
+			expected: false,
+			reason:   "Domains match despite different protocols in display",
+		},
+		{
+			name:     "Port in URL should not affect matching",
+			href:     "https://example.com:8080/page",
+			linkText: "Go to example.com",
+			expected: false,
+			reason:   "Port number doesn't affect domain matching",
+		},
+		{
+			name:     "Whitespace in link text",
+			href:     "https://example.com",
+			linkText: "  example.com  ",
+			expected: false,
+			reason:   "Whitespace should be trimmed",
+		},
+		{
+			name:     "Multiple spaces in generic text",
+			href:     "https://example.com",
+			linkText: "click  here",
+			expected: false,
+			reason:   "Generic text with extra spaces",
+		},
+		{
+			name:     "Anchor fragment in URL",
+			href:     "https://example.com/page#section",
+			linkText: "example.com section",
+			expected: false,
+			reason:   "Fragment doesn't affect domain matching",
+		},
+		{
+			name:     "Query parameters in URL",
+			href:     "https://example.com/page?utm_source=email",
+			linkText: "Visit example.com",
+			expected: false,
+			reason:   "Query params don't affect domain matching",
+		},
+	}
+
+	analyzer := NewContentAnalyzer(5 * time.Second)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := analyzer.hasDomainMisalignment(tt.href, tt.linkText)
+			if result != tt.expected {
+				t.Errorf("hasDomainMisalignment(%q, %q) = %v, want %v\nReason: %s",
+					tt.href, tt.linkText, result, tt.expected, tt.reason)
+			}
+		})
+	}
+}

pkg/analyzer/dns.go

@@ -22,42 +22,48 @@
 package analyzer
 
 import (
-	"net"
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // DNSAnalyzer analyzes DNS records for email domains
 type DNSAnalyzer struct {
 	Timeout  time.Duration
-	resolver *net.Resolver
+	resolver DNSResolver
 }
 
 // NewDNSAnalyzer creates a new DNS analyzer with configurable timeout
 func NewDNSAnalyzer(timeout time.Duration) *DNSAnalyzer {
+	return NewDNSAnalyzerWithResolver(timeout, NewStandardDNSResolver())
+}
+
+// NewDNSAnalyzerWithResolver creates a new DNS analyzer with a custom resolver.
+// If resolver is nil, a StandardDNSResolver will be used.
+func NewDNSAnalyzerWithResolver(timeout time.Duration, resolver DNSResolver) *DNSAnalyzer {
 	if timeout == 0 {
 		timeout = 10 * time.Second // Default timeout
 	}
+	if resolver == nil {
+		resolver = NewStandardDNSResolver()
+	}
 	return &DNSAnalyzer{
-		Timeout: timeout,
-		resolver: &net.Resolver{
-			PreferGo: true,
-		},
+		Timeout:  timeout,
+		resolver: resolver,
 	}
 }
 
 // AnalyzeDNS performs DNS validation for the email's domain
-func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.AuthenticationResults, headersResults *api.HeaderAnalysis) *api.DNSResults {
+func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, headersResults *model.HeaderAnalysis) *model.DNSResults {
 	// Extract domain from From address
 	if headersResults.DomainAlignment.FromDomain == nil || *headersResults.DomainAlignment.FromDomain == "" {
-		return &api.DNSResults{
+		return &model.DNSResults{
 			Errors: &[]string{"Unable to extract domain from email"},
 		}
 	}
 	fromDomain := *headersResults.DomainAlignment.FromDomain
 
-	results := &api.DNSResults{
+	results := &model.DNSResults{
 		FromDomain: fromDomain,
 		RpDomain:   headersResults.DomainAlignment.ReturnPathDomain,
 	}
@@ -98,19 +104,14 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.Authentic
 	// SPF validates the MAIL FROM command, which corresponds to Return-Path
 	results.SpfRecords = d.checkSPFRecords(spfDomain)
 
-	// Check DKIM records (from authentication results)
-	// DKIM can be for any domain, but typically the From domain
-	if authResults != nil && authResults.Dkim != nil {
-		for _, dkim := range *authResults.Dkim {
-			if dkim.Domain != nil && dkim.Selector != nil {
-				dkimRecord := d.checkDKIMRecord(*dkim.Domain, *dkim.Selector)
-				if dkimRecord != nil {
-					if results.DkimRecords == nil {
-						results.DkimRecords = new([]api.DKIMRecord)
-					}
-					*results.DkimRecords = append(*results.DkimRecords, *dkimRecord)
-				}
+	// Check DKIM records by parsing DKIM-Signature headers directly
+	for _, sig := range parseDKIMSignatures(email.Header["Dkim-Signature"]) {
+		dkimRecord := d.checkDKIMRecord(sig.Domain, sig.Selector)
+		if dkimRecord != nil {
+			if results.DkimRecords == nil {
+				results.DkimRecords = new([]model.DKIMRecord)
 			}
+			*results.DkimRecords = append(*results.DkimRecords, *dkimRecord)
 		}
 	}
 
@@ -124,10 +125,74 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.Authentic
 	return results
 }
 
+// AnalyzeDomainOnly performs DNS validation for a domain without email context
+// This is useful for checking domain configuration without sending an actual email
+func (d *DNSAnalyzer) AnalyzeDomainOnly(domain string) *model.DNSResults {
+	results := &model.DNSResults{
+		FromDomain: domain,
+	}
+
+	// Check MX records
+	results.FromMxRecords = d.checkMXRecords(domain)
+
+	// Check SPF records
+	results.SpfRecords = d.checkSPFRecords(domain)
+
+	// Check DMARC record
+	results.DmarcRecord = d.checkDMARCRecord(domain)
+
+	// Check BIMI record with default selector
+	results.BimiRecord = d.checkBIMIRecord(domain, "default")
+
+	return results
+}
+
+// CalculateDomainOnlyScore calculates the DNS score for domain-only tests
+// Returns a score from 0-100 where higher is better
+// This version excludes PTR and DKIM checks since they require email context
+func (d *DNSAnalyzer) CalculateDomainOnlyScore(results *model.DNSResults) (int, string) {
+	if results == nil {
+		return 0, ""
+	}
+
+	score := 0
+
+	// MX Records: 30 points (only one domain to check)
+	mxScore := d.calculateMXScore(results)
+	// Since calculateMXScore checks both From and RP domains,
+	// and we only have From domain, we use the full score
+	score += 30 * mxScore / 100
+
+	// SPF Records: 30 points
+	score += 30 * d.calculateSPFScore(results) / 100
+
+	// DMARC Record: 40 points
+	score += 40 * d.calculateDMARCScore(results) / 100
+
+	// BIMI Record: only bonus
+	if results.BimiRecord != nil && results.BimiRecord.Valid {
+		if score >= 100 {
+			return 100, "A+"
+		}
+	}
+
+	// Ensure score doesn't exceed maximum
+	if score > 100 {
+		score = 100
+	}
+
+	// Ensure score is non-negative
+	if score < 0 {
+		score = 0
+	}
+
+	return score, ScoreToGradeKind(score)
+}
+
 // CalculateDNSScore calculates the DNS score from records results
 // Returns a score from 0-100 where higher is better
 // senderIP is the original sender IP address used for FCrDNS verification
-func (d *DNSAnalyzer) CalculateDNSScore(results *api.DNSResults, senderIP string) (int, string) {
+func (d *DNSAnalyzer) CalculateDNSScore(results *model.DNSResults, senderIP string) (int, string) {
 	if results == nil {
 		return 0, ""
 	}

pkg/analyzer/dns_bimi.go

@@ -27,11 +27,12 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // checkBIMIRecord looks up and validates BIMI record for a domain and selector
-func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *api.BIMIRecord {
+func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *model.BIMIRecord {
 	// BIMI records are at: selector._bimi.domain
 	bimiDomain := fmt.Sprintf("%s._bimi.%s", selector, domain)
 
@@ -40,20 +41,20 @@ func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *api.BIMIRecord {
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, bimiDomain)
 	if err != nil {
-		return &api.BIMIRecord{
+		return &model.BIMIRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo(fmt.Sprintf("Failed to lookup BIMI record: %v", err)),
+			Error:    utils.PtrTo(fmt.Sprintf("Failed to lookup BIMI record: %v", err)),
 		}
 	}
 
 	if len(txtRecords) == 0 {
-		return &api.BIMIRecord{
+		return &model.BIMIRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo("No BIMI record found"),
+			Error:    utils.PtrTo("No BIMI record found"),
 		}
 	}
 
@@ -66,18 +67,18 @@ func (d *DNSAnalyzer) checkBIMIRecord(domain, selector string) *api.BIMIRecord {
 
 	// Basic validation - should contain "v=BIMI1" and "l=" (logo URL)
 	if !d.validateBIMI(bimiRecord) {
-		return &api.BIMIRecord{
+		return &model.BIMIRecord{
 			Selector: selector,
 			Domain:   domain,
 			Record:   &bimiRecord,
 			LogoUrl:  &logoURL,
 			VmcUrl:   &vmcURL,
 			Valid:    false,
-			Error:    api.PtrTo("BIMI record appears malformed"),
+			Error:    utils.PtrTo("BIMI record appears malformed"),
 		}
 	}
 
-	return &api.BIMIRecord{
+	return &model.BIMIRecord{
 		Selector: selector,
 		Domain:   domain,
 		Record:   &bimiRecord,

pkg/analyzer/dns_dkim.go

@@ -26,11 +26,44 @@ import (
 	"fmt"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
-// checkapi.DKIMRecord looks up and validates DKIM record for a domain and selector
-func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *api.DKIMRecord {
+// DKIMHeader holds the domain and selector extracted from a DKIM-Signature header.
+type DKIMHeader struct {
+	Domain   string
+	Selector string
+}
+
+// parseDKIMSignatures extracts domain and selector from DKIM-Signature header values.
+func parseDKIMSignatures(signatures []string) []DKIMHeader {
+	var results []DKIMHeader
+	for _, sig := range signatures {
+		var domain, selector string
+		for _, part := range strings.Split(sig, ";") {
+			kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
+			if len(kv) != 2 {
+				continue
+			}
+			key := strings.TrimSpace(kv[0])
+			val := strings.TrimSpace(kv[1])
+			switch key {
+			case "d":
+				domain = val
+			case "s":
+				selector = val
+			}
+		}
+		if domain != "" && selector != "" {
+			results = append(results, DKIMHeader{Domain: domain, Selector: selector})
+		}
+	}
+	return results
+}
+
+// checkmodel.DKIMRecord looks up and validates DKIM record for a domain and selector
+func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *model.DKIMRecord {
 	// DKIM records are at: selector._domainkey.domain
 	dkimDomain := fmt.Sprintf("%s._domainkey.%s", selector, domain)
 
@@ -39,20 +72,20 @@ func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *api.DKIMRecord {
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, dkimDomain)
 	if err != nil {
-		return &api.DKIMRecord{
+		return &model.DKIMRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo(fmt.Sprintf("Failed to lookup DKIM record: %v", err)),
+			Error:    utils.PtrTo(fmt.Sprintf("Failed to lookup DKIM record: %v", err)),
 		}
 	}
 
 	if len(txtRecords) == 0 {
-		return &api.DKIMRecord{
+		return &model.DKIMRecord{
 			Selector: selector,
 			Domain:   domain,
 			Valid:    false,
-			Error:    api.PtrTo("No DKIM record found"),
+			Error:    utils.PtrTo("No DKIM record found"),
 		}
 	}
 
@@ -61,16 +94,16 @@ func (d *DNSAnalyzer) checkDKIMRecord(domain, selector string) *api.DKIMRecord {
 
 	// Basic validation - should contain "v=DKIM1" and "p=" (public key)
 	if !d.validateDKIM(dkimRecord) {
-		return &api.DKIMRecord{
+		return &model.DKIMRecord{
 			Selector: selector,
 			Domain:   domain,
-			Record:   api.PtrTo(dkimRecord),
+			Record:   utils.PtrTo(dkimRecord),
 			Valid:    false,
-			Error:    api.PtrTo("DKIM record appears malformed"),
+			Error:    utils.PtrTo("DKIM record appears malformed"),
 		}
 	}
 
-	return &api.DKIMRecord{
+	return &model.DKIMRecord{
 		Selector: selector,
 		Domain:   domain,
 		Record:   &dkimRecord,
@@ -94,7 +127,7 @@ func (d *DNSAnalyzer) validateDKIM(record string) bool {
 	return true
 }
 
-func (d *DNSAnalyzer) calculateDKIMScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateDKIMScore(results *model.DNSResults) (score int) {
 	// DKIM provides strong email authentication
 	if results.DkimRecords != nil && len(*results.DkimRecords) > 0 {
 		hasValidDKIM := false

pkg/analyzer/dns_dkim_test.go

@@ -26,6 +26,220 @@ import (
 	"time"
 )
 
+func TestParseDKIMSignatures(t *testing.T) {
+	tests := []struct {
+		name       string
+		signatures []string
+		expected   []DKIMHeader
+	}{
+		{
+			name:       "Empty input",
+			signatures: nil,
+			expected:   nil,
+		},
+		{
+			name:       "Empty string",
+			signatures: []string{""},
+			expected:   nil,
+		},
+		{
+			name: "Simple Gmail-style",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:subject:date:message-id; bh=abcdef1234567890=; b=SIGNATURE_DATA_HERE==`,
+			},
+			expected: []DKIMHeader{{Domain: "gmail.com", Selector: "20210112"}},
+		},
+		{
+			name: "Microsoft 365 style",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1; h=From:Date:Subject:Message-ID; bh=UErATeHehIIPIXPeUA==; b=SIGNATURE_DATA==`,
+			},
+			expected: []DKIMHeader{{Domain: "contoso.com", Selector: "selector1"}},
+		},
+		{
+			name: "Tab-folded multiline (Postfix-style)",
+			signatures: []string{
+				"v=1; a=rsa-sha256; c=relaxed/simple; d=nemunai.re; s=thot;\r\n\tt=1760866834; bh=YNB7c8Qgm8YGn9X1FAXTcdpO7t4YSZFiMrmpCfD/3zw=;\r\n\th=From:To:Subject;\r\n\tb=T4TFaypMpsHGYCl3PGLwmzOYRF11rYjC7lF8V5VFU+ldvG8WBpFn==",
+			},
+			expected: []DKIMHeader{{Domain: "nemunai.re", Selector: "thot"}},
+		},
+		{
+			name: "Space-folded multiline (RFC-style)",
+			signatures: []string{
+				"v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n d=football.example.com; i=@football.example.com;\r\n q=dns/txt; s=test; t=1528637909; h=from:to:subject;\r\n bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;\r\n b=F45dVWDfMbQDGHJFlXUNB2HKfbCeLRyhDXgFpEL8Gwps==",
+			},
+			expected: []DKIMHeader{{Domain: "football.example.com", Selector: "test"}},
+		},
+		{
+			name: "d= and s= on separate continuation lines",
+			signatures: []string{
+				"v=1; a=rsa-sha256;\r\n\tc=relaxed/relaxed;\r\n\td=mycompany.com;\r\n\ts=selector1;\r\n\tbh=hash=;\r\n\tb=sig==",
+			},
+			expected: []DKIMHeader{{Domain: "mycompany.com", Selector: "selector1"}},
+		},
+		{
+			name: "No space after semicolons",
+			signatures: []string{
+				`v=1;a=rsa-sha256;c=relaxed/relaxed;d=example.net;s=mail;h=from:to:subject;bh=abc=;b=xyz==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.net", Selector: "mail"}},
+		},
+		{
+			name: "Multiple spaces after semicolons",
+			signatures: []string{
+				`v=1;  a=rsa-sha256;  c=relaxed/relaxed;  d=example.com;  s=myselector;  bh=hash=;  b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "myselector"}},
+		},
+		{
+			name: "Ed25519 signature (RFC 8463)",
+			signatures: []string{
+				"v=1; a=ed25519-sha256; c=relaxed/relaxed;\r\n d=football.example.com; i=@football.example.com;\r\n q=dns/txt; s=brisbane; t=1528637909; h=from:to:subject;\r\n bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;\r\n b=/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQ==",
+			},
+			expected: []DKIMHeader{{Domain: "football.example.com", Selector: "brisbane"}},
+		},
+		{
+			name: "Multiple signatures (ESP double-signing)",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=mail; h=from:to:subject; bh=hash1=; b=sig1==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendib.com; s=mail; h=from:to:subject; bh=hash1=; b=sig2==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "mydomain.com", Selector: "mail"},
+				{Domain: "sendib.com", Selector: "mail"},
+			},
+		},
+		{
+			name: "Dual-algorithm signing (Ed25519 + RSA, same domain, different selectors)",
+			signatures: []string{
+				`v=1; a=ed25519-sha256; c=relaxed/relaxed; d=football.example.com; s=brisbane; h=from:to:subject; bh=hash=; b=edSig==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=football.example.com; s=test; h=from:to:subject; bh=hash=; b=rsaSig==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "football.example.com", Selector: "brisbane"},
+				{Domain: "football.example.com", Selector: "test"},
+			},
+		},
+		{
+			name: "Amazon SES long selectors",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/simple; d=amazonses.com; s=224i4yxa5dv7c2xz3womw6peuabd; h=from:to:subject; bh=sesHash=; b=sesSig==`,
+				`v=1; a=rsa-sha256; c=relaxed/simple; d=customerdomain.io; s=ug7nbtf4gccmlpwj322ax3p6ow6fovbt; h=from:to:subject; bh=sesHash=; b=customSig==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "amazonses.com", Selector: "224i4yxa5dv7c2xz3womw6peuabd"},
+				{Domain: "customerdomain.io", Selector: "ug7nbtf4gccmlpwj322ax3p6ow6fovbt"},
+			},
+		},
+		{
+			name: "Subdomain in d=",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.co.uk; s=dkim2025; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "mail.example.co.uk", Selector: "dkim2025"}},
+		},
+		{
+			name: "Deeply nested subdomain",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=bounce.transactional.mail.example.com; s=s2048; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "bounce.transactional.mail.example.com", Selector: "s2048"}},
+		},
+		{
+			name: "Selector with hyphens (Microsoft 365 custom domain style)",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1-contoso-com; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "selector1-contoso-com"}},
+		},
+		{
+			name: "Selector with dots",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=smtp.mail; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "smtp.mail"}},
+		},
+		{
+			name: "Single-character selector",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=tiny.io; s=x; h=from:to:subject; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{{Domain: "tiny.io", Selector: "x"}},
+		},
+		{
+			name: "Postmark-style timestamp selector, s= before d=",
+			signatures: []string{
+				`v=1; a=rsa-sha1; c=relaxed/relaxed; s=20130519032151pm; d=postmarkapp.com; h=From:Date:Subject; bh=vYFvy46eesUDGJ45hyBTH30JfN4=; b=iHeFQ+7rCiSQs3DPjR2eUSZSv4i==`,
+			},
+			expected: []DKIMHeader{{Domain: "postmarkapp.com", Selector: "20130519032151pm"}},
+		},
+		{
+			name: "d= and s= at the very end",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; h=from:to:subject; bh=hash=; b=sig==; d=example.net; s=trailing`,
+			},
+			expected: []DKIMHeader{{Domain: "example.net", Selector: "trailing"}},
+		},
+		{
+			name: "Full tag set",
+			signatures: []string{
+				`v=1; a=rsa-sha256; d=example.com; s=selector1; c=relaxed/simple; q=dns/txt; i=user@example.com; t=1255993973; x=1256598773; h=From:Sender:Reply-To:Subject:Date:Message-Id:To:Cc; bh=+7qxGePcmmrtZAIVQAtkSSGHfQ/ftNuvUTWJ3vXC9Zc=; b=dB85+qM+If1KGQmqMLNpqLgNtUaG5dhGjYjQD6/QXtXmViJx8tf9gLEjcHr+musLCAvr0Fsn1DA3ZLLlUxpf4AR==`,
+			},
+			expected: []DKIMHeader{{Domain: "example.com", Selector: "selector1"}},
+		},
+		{
+			name: "Missing d= tag",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; s=selector1; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: nil,
+		},
+		{
+			name: "Missing s= tag",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: nil,
+		},
+		{
+			name: "Missing both d= and s= tags",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: nil,
+		},
+		{
+			name: "Mix of valid and invalid signatures",
+			signatures: []string{
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=good.com; s=sel1; h=from:to; bh=hash=; b=sig==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; s=orphan; h=from:to; bh=hash=; b=sig==`,
+				`v=1; a=rsa-sha256; c=relaxed/relaxed; d=also-good.com; s=sel2; h=from:to; bh=hash=; b=sig==`,
+			},
+			expected: []DKIMHeader{
+				{Domain: "good.com", Selector: "sel1"},
+				{Domain: "also-good.com", Selector: "sel2"},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := parseDKIMSignatures(tt.signatures)
+			if len(result) != len(tt.expected) {
+				t.Fatalf("parseDKIMSignatures() returned %d results, want %d\n  got:  %+v\n  want: %+v", len(result), len(tt.expected), result, tt.expected)
+			}
+			for i := range tt.expected {
+				if result[i].Domain != tt.expected[i].Domain {
+					t.Errorf("result[%d].Domain = %q, want %q", i, result[i].Domain, tt.expected[i].Domain)
+				}
+				if result[i].Selector != tt.expected[i].Selector {
+					t.Errorf("result[%d].Selector = %q, want %q", i, result[i].Selector, tt.expected[i].Selector)
+				}
+			}
+		})
+	}
+}
+
 func TestValidateDKIM(t *testing.T) {
 	tests := []struct {
 		name     string

pkg/analyzer/dns_dmarc.go

@@ -27,11 +27,12 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
-// checkapi.DMARCRecord looks up and validates DMARC record for a domain
-func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
+// checkmodel.DMARCRecord looks up and validates DMARC record for a domain
+func (d *DNSAnalyzer) checkDMARCRecord(domain string) *model.DMARCRecord {
 	// DMARC records are at: _dmarc.domain
 	dmarcDomain := fmt.Sprintf("_dmarc.%s", domain)
 
@@ -40,9 +41,9 @@ func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, dmarcDomain)
 	if err != nil {
-		return &api.DMARCRecord{
+		return &model.DMARCRecord{
 			Valid: false,
-			Error: api.PtrTo(fmt.Sprintf("Failed to lookup DMARC record: %v", err)),
+			Error: utils.PtrTo(fmt.Sprintf("Failed to lookup DMARC record: %v", err)),
 		}
 	}
 
@@ -56,9 +57,9 @@ func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
 	}
 
 	if dmarcRecord == "" {
-		return &api.DMARCRecord{
+		return &model.DMARCRecord{
 			Valid: false,
-			Error: api.PtrTo("No DMARC record found"),
+			Error: utils.PtrTo("No DMARC record found"),
 		}
 	}
 
@@ -77,21 +78,21 @@ func (d *DNSAnalyzer) checkDMARCRecord(domain string) *api.DMARCRecord {
 
 	// Basic validation
 	if !d.validateDMARC(dmarcRecord) {
-		return &api.DMARCRecord{
+		return &model.DMARCRecord{
 			Record:          &dmarcRecord,
-			Policy:          api.PtrTo(api.DMARCRecordPolicy(policy)),
+			Policy:          utils.PtrTo(model.DMARCRecordPolicy(policy)),
 			SubdomainPolicy: subdomainPolicy,
 			Percentage:      percentage,
 			SpfAlignment:    spfAlignment,
 			DkimAlignment:   dkimAlignment,
 			Valid:           false,
-			Error:           api.PtrTo("DMARC record appears malformed"),
+			Error:           utils.PtrTo("DMARC record appears malformed"),
 		}
 	}
 
-	return &api.DMARCRecord{
+	return &model.DMARCRecord{
 		Record:          &dmarcRecord,
-		Policy:          api.PtrTo(api.DMARCRecordPolicy(policy)),
+		Policy:          utils.PtrTo(model.DMARCRecordPolicy(policy)),
 		SubdomainPolicy: subdomainPolicy,
 		Percentage:      percentage,
 		SpfAlignment:    spfAlignment,
@@ -113,44 +114,44 @@ func (d *DNSAnalyzer) extractDMARCPolicy(record string) string {
 
 // extractDMARCSPFAlignment extracts SPF alignment mode from a DMARC record
 // Returns "relaxed" (default) or "strict"
-func (d *DNSAnalyzer) extractDMARCSPFAlignment(record string) *api.DMARCRecordSpfAlignment {
+func (d *DNSAnalyzer) extractDMARCSPFAlignment(record string) *model.DMARCRecordSpfAlignment {
 	// Look for aspf=s (strict) or aspf=r (relaxed)
 	re := regexp.MustCompile(`aspf=(r|s)`)
 	matches := re.FindStringSubmatch(record)
 	if len(matches) > 1 {
 		if matches[1] == "s" {
-			return api.PtrTo(api.DMARCRecordSpfAlignmentStrict)
+			return utils.PtrTo(model.DMARCRecordSpfAlignmentStrict)
 		}
-		return api.PtrTo(api.DMARCRecordSpfAlignmentRelaxed)
+		return utils.PtrTo(model.DMARCRecordSpfAlignmentRelaxed)
 	}
 	// Default is relaxed if not specified
-	return api.PtrTo(api.DMARCRecordSpfAlignmentRelaxed)
+	return utils.PtrTo(model.DMARCRecordSpfAlignmentRelaxed)
 }
 
 // extractDMARCDKIMAlignment extracts DKIM alignment mode from a DMARC record
 // Returns "relaxed" (default) or "strict"
-func (d *DNSAnalyzer) extractDMARCDKIMAlignment(record string) *api.DMARCRecordDkimAlignment {
+func (d *DNSAnalyzer) extractDMARCDKIMAlignment(record string) *model.DMARCRecordDkimAlignment {
 	// Look for adkim=s (strict) or adkim=r (relaxed)
 	re := regexp.MustCompile(`adkim=(r|s)`)
 	matches := re.FindStringSubmatch(record)
 	if len(matches) > 1 {
 		if matches[1] == "s" {
-			return api.PtrTo(api.DMARCRecordDkimAlignmentStrict)
+			return utils.PtrTo(model.DMARCRecordDkimAlignmentStrict)
 		}
-		return api.PtrTo(api.DMARCRecordDkimAlignmentRelaxed)
+		return utils.PtrTo(model.DMARCRecordDkimAlignmentRelaxed)
 	}
 	// Default is relaxed if not specified
-	return api.PtrTo(api.DMARCRecordDkimAlignmentRelaxed)
+	return utils.PtrTo(model.DMARCRecordDkimAlignmentRelaxed)
 }
 
 // extractDMARCSubdomainPolicy extracts subdomain policy from a DMARC record
 // Returns the sp tag value or nil if not specified (defaults to main policy)
-func (d *DNSAnalyzer) extractDMARCSubdomainPolicy(record string) *api.DMARCRecordSubdomainPolicy {
+func (d *DNSAnalyzer) extractDMARCSubdomainPolicy(record string) *model.DMARCRecordSubdomainPolicy {
 	// Look for sp=none, sp=quarantine, or sp=reject
 	re := regexp.MustCompile(`sp=(none|quarantine|reject)`)
 	matches := re.FindStringSubmatch(record)
 	if len(matches) > 1 {
-		return api.PtrTo(api.DMARCRecordSubdomainPolicy(matches[1]))
+		return utils.PtrTo(model.DMARCRecordSubdomainPolicy(matches[1]))
 	}
 	// If sp is not specified, it defaults to the main policy (p tag)
 	// Return nil to indicate it's using the default
@@ -191,7 +192,7 @@ func (d *DNSAnalyzer) validateDMARC(record string) bool {
 	return true
 }
 
-func (d *DNSAnalyzer) calculateDMARCScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateDMARCScore(results *model.DNSResults) (score int) {
 	// DMARC ties SPF and DKIM together and provides policy
 	if results.DmarcRecord != nil {
 		if results.DmarcRecord.Valid {
@@ -210,10 +211,10 @@ func (d *DNSAnalyzer) calculateDMARCScore(results *api.DNSResults) (score int) {
 				}
 			}
 			// Bonus points for strict alignment modes (2 points each)
-			if results.DmarcRecord.SpfAlignment != nil && *results.DmarcRecord.SpfAlignment == api.DMARCRecordSpfAlignmentStrict {
+			if results.DmarcRecord.SpfAlignment != nil && *results.DmarcRecord.SpfAlignment == model.DMARCRecordSpfAlignmentStrict {
 				score += 5
 			}
-			if results.DmarcRecord.DkimAlignment != nil && *results.DmarcRecord.DkimAlignment == api.DMARCRecordDkimAlignmentStrict {
+			if results.DmarcRecord.DkimAlignment != nil && *results.DmarcRecord.DkimAlignment == model.DMARCRecordDkimAlignmentStrict {
 				score += 5
 			}
 			// Subdomain policy scoring (sp tag)

pkg/analyzer/dns_dmarc_test.go

@@ -25,7 +25,8 @@ import (
 	"testing"
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestExtractDMARCPolicy(t *testing.T) {
@@ -228,17 +229,17 @@ func TestExtractDMARCSubdomainPolicy(t *testing.T) {
 		{
 			name:           "Subdomain policy - none",
 			record:         "v=DMARC1; p=quarantine; sp=none",
-			expectedPolicy: api.PtrTo("none"),
+			expectedPolicy: utils.PtrTo("none"),
 		},
 		{
 			name:           "Subdomain policy - quarantine",
 			record:         "v=DMARC1; p=reject; sp=quarantine",
-			expectedPolicy: api.PtrTo("quarantine"),
+			expectedPolicy: utils.PtrTo("quarantine"),
 		},
 		{
 			name:           "Subdomain policy - reject",
 			record:         "v=DMARC1; p=quarantine; sp=reject",
-			expectedPolicy: api.PtrTo("reject"),
+			expectedPolicy: utils.PtrTo("reject"),
 		},
 		{
 			name:           "No subdomain policy specified (defaults to main policy)",
@@ -248,7 +249,7 @@ func TestExtractDMARCSubdomainPolicy(t *testing.T) {
 		{
 			name:           "Complex record with subdomain policy",
 			record:         "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=100",
-			expectedPolicy: api.PtrTo("quarantine"),
+			expectedPolicy: utils.PtrTo("quarantine"),
 		},
 	}
 
@@ -282,22 +283,22 @@ func TestExtractDMARCPercentage(t *testing.T) {
 		{
 			name:               "Percentage - 100",
 			record:             "v=DMARC1; p=quarantine; pct=100",
-			expectedPercentage: api.PtrTo(100),
+			expectedPercentage: utils.PtrTo(100),
 		},
 		{
 			name:               "Percentage - 50",
 			record:             "v=DMARC1; p=quarantine; pct=50",
-			expectedPercentage: api.PtrTo(50),
+			expectedPercentage: utils.PtrTo(50),
 		},
 		{
 			name:               "Percentage - 25",
 			record:             "v=DMARC1; p=reject; pct=25",
-			expectedPercentage: api.PtrTo(25),
+			expectedPercentage: utils.PtrTo(25),
 		},
 		{
 			name:               "Percentage - 0",
 			record:             "v=DMARC1; p=none; pct=0",
-			expectedPercentage: api.PtrTo(0),
+			expectedPercentage: utils.PtrTo(0),
 		},
 		{
 			name:               "No percentage specified (defaults to 100)",
@@ -307,7 +308,7 @@ func TestExtractDMARCPercentage(t *testing.T) {
 		{
 			name:               "Complex record with percentage",
 			record:             "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=75",
-			expectedPercentage: api.PtrTo(75),
+			expectedPercentage: utils.PtrTo(75),
 		},
 		{
 			name:               "Invalid percentage > 100 (ignored)",

pkg/analyzer/dns_fcr.go

@@ -24,7 +24,7 @@ package analyzer
 import (
 	"context"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // checkPTRAndForward performs reverse DNS lookup (PTR) and forward confirmation (A/AAAA)
@@ -63,7 +63,7 @@ func (d *DNSAnalyzer) checkPTRAndForward(ip string) ([]string, []string) {
 }
 
 // Proper reverse DNS (PTR) and forward-confirmed reverse DNS (FCrDNS) is important for deliverability
-func (d *DNSAnalyzer) calculatePTRScore(results *api.DNSResults, senderIP string) (score int) {
+func (d *DNSAnalyzer) calculatePTRScore(results *model.DNSResults, senderIP string) (score int) {
 	if results.PtrRecords != nil && len(*results.PtrRecords) > 0 {
 		// 50 points for having PTR records
 		score += 50

pkg/analyzer/dns_mx.go

@@ -25,36 +25,37 @@ import (
 	"context"
 	"fmt"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // checkMXRecords looks up MX records for a domain
-func (d *DNSAnalyzer) checkMXRecords(domain string) *[]api.MXRecord {
+func (d *DNSAnalyzer) checkMXRecords(domain string) *[]model.MXRecord {
 	ctx, cancel := context.WithTimeout(context.Background(), d.Timeout)
 	defer cancel()
 
 	mxRecords, err := d.resolver.LookupMX(ctx, domain)
 	if err != nil {
-		return &[]api.MXRecord{
+		return &[]model.MXRecord{
 			{
 				Valid: false,
-				Error: api.PtrTo(fmt.Sprintf("Failed to lookup MX records: %v", err)),
+				Error: utils.PtrTo(fmt.Sprintf("Failed to lookup MX records: %v", err)),
 			},
 		}
 	}
 
 	if len(mxRecords) == 0 {
-		return &[]api.MXRecord{
+		return &[]model.MXRecord{
 			{
 				Valid: false,
-				Error: api.PtrTo("No MX records found"),
+				Error: utils.PtrTo("No MX records found"),
 			},
 		}
 	}
 
-	var results []api.MXRecord
+	var results []model.MXRecord
 	for _, mx := range mxRecords {
-		results = append(results, api.MXRecord{
+		results = append(results, model.MXRecord{
 			Host:     mx.Host,
 			Priority: mx.Pref,
 			Valid:    true,
@@ -64,7 +65,7 @@ func (d *DNSAnalyzer) checkMXRecords(domain string) *[]api.MXRecord {
 	return &results
 }
 
-func (d *DNSAnalyzer) calculateMXScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateMXScore(results *model.DNSResults) (score int) {
 	// Having valid MX records is critical for email deliverability
 	// From domain MX records (half points) - needed for replies
 	if results.FromMxRecords != nil && len(*results.FromMxRecords) > 0 {

pkg/analyzer/dns_resolver.go

@@ -0,0 +1,80 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2025 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package analyzer
+
+import (
+	"context"
+	"net"
+)
+
+// DNSResolver defines the interface for DNS resolution operations.
+// This interface abstracts DNS lookups to allow for custom implementations,
+// such as mock resolvers for testing or caching resolvers for performance.
+type DNSResolver interface {
+	// LookupMX returns the DNS MX records for the given domain.
+	LookupMX(ctx context.Context, name string) ([]*net.MX, error)
+
+	// LookupTXT returns the DNS TXT records for the given domain.
+	LookupTXT(ctx context.Context, name string) ([]string, error)
+
+	// LookupAddr performs a reverse lookup for the given IP address,
+	// returning a list of hostnames mapping to that address.
+	LookupAddr(ctx context.Context, addr string) ([]string, error)
+
+	// LookupHost looks up the given hostname using the local resolver.
+	// It returns a slice of that host's addresses (IPv4 and IPv6).
+	LookupHost(ctx context.Context, host string) ([]string, error)
+}
+
+// StandardDNSResolver is the default DNS resolver implementation that uses net.Resolver.
+type StandardDNSResolver struct {
+	resolver *net.Resolver
+}
+
+// NewStandardDNSResolver creates a new StandardDNSResolver with default settings.
+func NewStandardDNSResolver() DNSResolver {
+	return &StandardDNSResolver{
+		resolver: &net.Resolver{
+			PreferGo: true,
+		},
+	}
+}
+
+// LookupMX implements DNSResolver.LookupMX using net.Resolver.
+func (r *StandardDNSResolver) LookupMX(ctx context.Context, name string) ([]*net.MX, error) {
+	return r.resolver.LookupMX(ctx, name)
+}
+
+// LookupTXT implements DNSResolver.LookupTXT using net.Resolver.
+func (r *StandardDNSResolver) LookupTXT(ctx context.Context, name string) ([]string, error) {
+	return r.resolver.LookupTXT(ctx, name)
+}
+
+// LookupAddr implements DNSResolver.LookupAddr using net.Resolver.
+func (r *StandardDNSResolver) LookupAddr(ctx context.Context, addr string) ([]string, error) {
+	return r.resolver.LookupAddr(ctx, addr)
+}
+
+// LookupHost implements DNSResolver.LookupHost using net.Resolver.
+func (r *StandardDNSResolver) LookupHost(ctx context.Context, host string) ([]string, error) {
+	return r.resolver.LookupHost(ctx, host)
+}

pkg/analyzer/dns_spf.go

@@ -27,32 +27,34 @@ import (
 	"regexp"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // checkSPFRecords looks up and validates SPF records for a domain, including resolving include: directives
-func (d *DNSAnalyzer) checkSPFRecords(domain string) *[]api.SPFRecord {
+func (d *DNSAnalyzer) checkSPFRecords(domain string) *[]model.SPFRecord {
 	visited := make(map[string]bool)
-	return d.resolveSPFRecords(domain, visited, 0)
+	return d.resolveSPFRecords(domain, visited, 0, true)
 }
 
 // resolveSPFRecords recursively resolves SPF records including include: directives
-func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool, depth int) *[]api.SPFRecord {
+// isMainRecord indicates if this is the primary domain's record (not an included one)
+func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool, depth int, isMainRecord bool) *[]model.SPFRecord {
 	const maxDepth = 10 // Prevent infinite recursion
 
 	if depth > maxDepth {
-		return &[]api.SPFRecord{
+		return &[]model.SPFRecord{
 			{
 				Domain: &domain,
 				Valid:  false,
-				Error:  api.PtrTo("Maximum SPF include depth exceeded"),
+				Error:  utils.PtrTo("Maximum SPF include depth exceeded"),
 			},
 		}
 	}
 
 	// Prevent circular references
 	if visited[domain] {
-		return &[]api.SPFRecord{}
+		return &[]model.SPFRecord{}
 	}
 	visited[domain] = true
 
@@ -61,11 +63,11 @@ func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool,
 
 	txtRecords, err := d.resolver.LookupTXT(ctx, domain)
 	if err != nil {
-		return &[]api.SPFRecord{
+		return &[]model.SPFRecord{
 			{
 				Domain: &domain,
 				Valid:  false,
-				Error:  api.PtrTo(fmt.Sprintf("Failed to lookup TXT records: %v", err)),
+				Error:  utils.PtrTo(fmt.Sprintf("Failed to lookup TXT records: %v", err)),
 			},
 		}
 	}
@@ -81,53 +83,53 @@ func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool,
 	}
 
 	if spfCount == 0 {
-		return &[]api.SPFRecord{
+		return &[]model.SPFRecord{
 			{
 				Domain: &domain,
 				Valid:  false,
-				Error:  api.PtrTo("No SPF record found"),
+				Error:  utils.PtrTo("No SPF record found"),
 			},
 		}
 	}
 
-	var results []api.SPFRecord
+	var results []model.SPFRecord
 
 	if spfCount > 1 {
-		results = append(results, api.SPFRecord{
+		results = append(results, model.SPFRecord{
 			Domain: &domain,
 			Record: &spfRecord,
 			Valid:  false,
-			Error:  api.PtrTo("Multiple SPF records found (RFC violation)"),
+			Error:  utils.PtrTo("Multiple SPF records found (RFC violation)"),
 		})
 		return &results
 	}
 
 	// Basic validation
-	validationErr := d.validateSPF(spfRecord)
+	validationErr := d.validateSPF(spfRecord, isMainRecord)
 
 	// Extract the "all" mechanism qualifier
-	var allQualifier *api.SPFRecordAllQualifier
+	var allQualifier *model.SPFRecordAllQualifier
 	var errMsg *string
 
 	if validationErr != nil {
-		errMsg = api.PtrTo(validationErr.Error())
+		errMsg = utils.PtrTo(validationErr.Error())
 	} else {
 		// Extract qualifier from the "all" mechanism
 		if strings.HasSuffix(spfRecord, " -all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("-"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("-"))
 		} else if strings.HasSuffix(spfRecord, " ~all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("~"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("~"))
 		} else if strings.HasSuffix(spfRecord, " +all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("+"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("+"))
 		} else if strings.HasSuffix(spfRecord, " ?all") {
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("?"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("?"))
 		} else if strings.HasSuffix(spfRecord, " all") {
 			// Implicit + qualifier (default)
-			allQualifier = api.PtrTo(api.SPFRecordAllQualifier("+"))
+			allQualifier = utils.PtrTo(model.SPFRecordAllQualifier("+"))
 		}
 	}
 
-	results = append(results, api.SPFRecord{
+	results = append(results, model.SPFRecord{
 		Domain:       &domain,
 		Record:       &spfRecord,
 		Valid:        validationErr == nil,
@@ -140,7 +142,7 @@ func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool,
 	if redirectDomain != "" {
 		// redirect= replaces the current domain's policy entirely
 		// Only follow if no other mechanisms matched (per RFC 7208)
-		redirectRecords := d.resolveSPFRecords(redirectDomain, visited, depth+1)
+		redirectRecords := d.resolveSPFRecords(redirectDomain, visited, depth+1, false)
 		if redirectRecords != nil {
 			results = append(results, *redirectRecords...)
 		}
@@ -150,7 +152,7 @@ func (d *DNSAnalyzer) resolveSPFRecords(domain string, visited map[string]bool,
 	// Extract and resolve include: directives
 	includes := d.extractSPFIncludes(spfRecord)
 	for _, includeDomain := range includes {
-		includedRecords := d.resolveSPFRecords(includeDomain, visited, depth+1)
+		includedRecords := d.resolveSPFRecords(includeDomain, visited, depth+1, false)
 		if includedRecords != nil {
 			results = append(results, *includedRecords...)
 		}
@@ -190,8 +192,12 @@ func (d *DNSAnalyzer) isValidSPFMechanism(token string) error {
 
 	// Check if it's a modifier (contains =)
 	if strings.Contains(mechanism, "=") {
-		// Only allow known modifiers: redirect= and exp=
-		if strings.HasPrefix(mechanism, "redirect=") || strings.HasPrefix(mechanism, "exp=") {
+		// Allow known modifiers: redirect=, exp=, and RFC 6652 modifiers (ra=, rp=, rr=)
+		if strings.HasPrefix(mechanism, "redirect=") ||
+			strings.HasPrefix(mechanism, "exp=") ||
+			strings.HasPrefix(mechanism, "ra=") ||
+			strings.HasPrefix(mechanism, "rp=") ||
+			strings.HasPrefix(mechanism, "rr=") {
 			return nil
 		}
 
@@ -236,7 +242,8 @@ func (d *DNSAnalyzer) isValidSPFMechanism(token string) error {
 }
 
 // validateSPF performs basic SPF record validation
-func (d *DNSAnalyzer) validateSPF(record string) error {
+// isMainRecord indicates if this is the primary domain's record (not an included one)
+func (d *DNSAnalyzer) validateSPF(record string, isMainRecord bool) error {
 	// Must start with v=spf1
 	if !strings.HasPrefix(record, "v=spf1") {
 		return fmt.Errorf("SPF record must start with 'v=spf1'")
@@ -269,19 +276,22 @@ func (d *DNSAnalyzer) validateSPF(record string) error {
 		return nil
 	}
 
-	// Check for common syntax issues
-	// Should have a final mechanism (all, +all, -all, ~all, ?all)
-	validEndings := []string{" all", " +all", " -all", " ~all", " ?all"}
-	hasValidEnding := false
-	for _, ending := range validEndings {
-		if strings.HasSuffix(record, ending) {
-			hasValidEnding = true
-			break
+	// Only check for 'all' mechanism on the main record, not on included records
+	if isMainRecord {
+		// Check for common syntax issues
+		// Should have a final mechanism (all, +all, -all, ~all, ?all)
+		validEndings := []string{" all", " +all", " -all", " ~all", " ?all"}
+		hasValidEnding := false
+		for _, ending := range validEndings {
+			if strings.HasSuffix(record, ending) {
+				hasValidEnding = true
+				break
+			}
 		}
-	}
 
-	if !hasValidEnding {
-		return fmt.Errorf("SPF record should end with an 'all' mechanism (e.g., '-all', '~all') or have a 'redirect=' modifier")
+		if !hasValidEnding {
+			return fmt.Errorf("SPF record should end with an 'all' mechanism (e.g., '-all', '~all') or have a 'redirect=' modifier")
+		}
 	}
 
 	return nil
@@ -292,7 +302,7 @@ func (d *DNSAnalyzer) hasSPFStrictFail(record string) bool {
 	return strings.HasSuffix(record, " -all")
 }
 
-func (d *DNSAnalyzer) calculateSPFScore(results *api.DNSResults) (score int) {
+func (d *DNSAnalyzer) calculateSPFScore(results *model.DNSResults) (score int) {
 	// SPF is essential for email authentication
 	if results.SpfRecords != nil && len(*results.SpfRecords) > 0 {
 		// Find the main SPF record by skipping redirects

pkg/analyzer/dns_spf_test.go

@@ -122,13 +122,39 @@ func TestValidateSPF(t *testing.T) {
 			expectError: true,
 			errorMsg:    "unknown modifier",
 		},
+		{
+			name:        "Valid SPF with RFC 6652 ra modifier",
+			record:      "v=spf1 mx ra=postmaster -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with RFC 6652 rp modifier",
+			record:      "v=spf1 mx rp=100 -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with RFC 6652 rr modifier",
+			record:      "v=spf1 mx rr=all -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with all RFC 6652 modifiers",
+			record:      "v=spf1 mx ra=postmaster rp=50 rr=fail -all",
+			expectError: false,
+		},
+		{
+			name:        "Valid SPF with RFC 6652 modifiers and redirect",
+			record:      "v=spf1 ip4:192.0.2.0/24 ra=abuse redirect=_spf.example.com",
+			expectError: false,
+		},
 	}
 
 	analyzer := NewDNSAnalyzer(5 * time.Second)
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := analyzer.validateSPF(tt.record)
+			// Test as main record (isMainRecord = true) since these tests check overall SPF validity
+			err := analyzer.validateSPF(tt.record, true)
 			if tt.expectError {
 				if err == nil {
 					t.Errorf("validateSPF(%q) expected error but got nil", tt.record)
@@ -144,6 +170,74 @@ func TestValidateSPF(t *testing.T) {
 	}
 }
 
+func TestValidateSPF_IncludedRecords(t *testing.T) {
+	tests := []struct {
+		name         string
+		record       string
+		isMainRecord bool
+		expectError  bool
+		errorMsg     string
+	}{
+		{
+			name:         "Main record without 'all' - should error",
+			record:       "v=spf1 include:_spf.example.com",
+			isMainRecord: true,
+			expectError:  true,
+			errorMsg:     "should end with an 'all' mechanism",
+		},
+		{
+			name:         "Included record without 'all' - should NOT error",
+			record:       "v=spf1 include:_spf.example.com",
+			isMainRecord: false,
+			expectError:  false,
+		},
+		{
+			name:         "Included record with only mechanisms - should NOT error",
+			record:       "v=spf1 ip4:192.0.2.0/24 mx",
+			isMainRecord: false,
+			expectError:  false,
+		},
+		{
+			name:         "Main record with only mechanisms - should error",
+			record:       "v=spf1 ip4:192.0.2.0/24 mx",
+			isMainRecord: true,
+			expectError:  true,
+			errorMsg:     "should end with an 'all' mechanism",
+		},
+		{
+			name:         "Included record with 'all' - valid",
+			record:       "v=spf1 ip4:192.0.2.0/24 -all",
+			isMainRecord: false,
+			expectError:  false,
+		},
+		{
+			name:         "Main record with 'all' - valid",
+			record:       "v=spf1 ip4:192.0.2.0/24 -all",
+			isMainRecord: true,
+			expectError:  false,
+		},
+	}
+
+	analyzer := NewDNSAnalyzer(5 * time.Second)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := analyzer.validateSPF(tt.record, tt.isMainRecord)
+			if tt.expectError {
+				if err == nil {
+					t.Errorf("validateSPF(%q, isMainRecord=%v) expected error but got nil", tt.record, tt.isMainRecord)
+				} else if tt.errorMsg != "" && !strings.Contains(err.Error(), tt.errorMsg) {
+					t.Errorf("validateSPF(%q, isMainRecord=%v) error = %q, want error containing %q", tt.record, tt.isMainRecord, err.Error(), tt.errorMsg)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("validateSPF(%q, isMainRecord=%v) unexpected error: %v", tt.record, tt.isMainRecord, err)
+				}
+			}
+		})
+	}
+}
+
 func TestExtractSPFRedirect(t *testing.T) {
 	tests := []struct {
 		name             string

pkg/analyzer/headers.go

@@ -31,7 +31,8 @@ import (
 
 	"golang.org/x/net/publicsuffix"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // HeaderAnalyzer analyzes email header quality and structure
@@ -43,7 +44,7 @@ func NewHeaderAnalyzer() *HeaderAnalyzer {
 }
 
 // CalculateHeaderScore evaluates email structural quality from header analysis
-func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *api.HeaderAnalysis) (int, rune) {
+func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *model.HeaderAnalysis) (int, rune) {
 	if analysis == nil || analysis.Headers == nil {
 		return 0, ' '
 	}
@@ -52,13 +53,14 @@ func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *api.HeaderAnalysis) (int
 	maxGrade := 6
 	headers := *analysis.Headers
 
-	// RP and From alignment (20 points)
-	if analysis.DomainAlignment.Aligned != nil && *analysis.DomainAlignment.Aligned {
-		score += 20
-	} else if analysis.DomainAlignment.RelaxedAligned != nil && *analysis.DomainAlignment.RelaxedAligned {
-		score += 15
-	} else {
+	// RP and From alignment (25 points)
+	if analysis.DomainAlignment.Aligned == nil || !*analysis.DomainAlignment.RelaxedAligned {
+		// Bad domain alignment, cap grade to C
 		maxGrade -= 2
+	} else if *analysis.DomainAlignment.Aligned {
+		score += 25
+	} else if *analysis.DomainAlignment.RelaxedAligned {
+		score += 20
 	}
 
 	// Check required headers (RFC 5322) - 30 points
@@ -79,7 +81,7 @@ func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *api.HeaderAnalysis) (int
 		maxGrade = 1
 	}
 
-	// Check recommended headers (20 points)
+	// Check recommended headers (15 points)
 	recommendedHeaders := []string{"subject", "to"}
 
 	// Add reply-to when from is a no-reply address
@@ -95,7 +97,7 @@ func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *api.HeaderAnalysis) (int
 			presentRecommended++
 		}
 	}
-	score += presentRecommended * 20 / recommendedCount
+	score += presentRecommended * 15 / recommendedCount
 
 	if presentRecommended < recommendedCount {
 		maxGrade -= 1
@@ -108,6 +110,13 @@ func (h *HeaderAnalyzer) CalculateHeaderScore(analysis *api.HeaderAnalysis) (int
 		maxGrade -= 1
 	}
 
+	// Check MIME-Version header (-5 points if present but not "1.0")
+	if check, exists := headers["mime-version"]; exists && check.Present {
+		if check.Valid != nil && !*check.Valid {
+			score -= 5
+		}
+	}
+
 	// Check Message-ID format (10 points)
 	if check, exists := headers["message-id"]; exists && check.Present {
 		// If Valid is set and true, award points
@@ -179,7 +188,7 @@ func (h *HeaderAnalyzer) parseEmailDate(dateStr string) (time.Time, error) {
 }
 
 // isNoReplyAddress checks if a header check represents a no-reply email address
-func (h *HeaderAnalyzer) isNoReplyAddress(headerCheck api.HeaderCheck) bool {
+func (h *HeaderAnalyzer) isNoReplyAddress(headerCheck model.HeaderCheck) bool {
 	if !headerCheck.Present || headerCheck.Value == nil {
 		return false
 	}
@@ -235,18 +244,18 @@ func (h *HeaderAnalyzer) formatAddress(addr *mail.Address) string {
 }
 
 // GenerateHeaderAnalysis creates structured header analysis from email
-func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage) *api.HeaderAnalysis {
+func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage, authResults *model.AuthenticationResults) *model.HeaderAnalysis {
 	if email == nil {
 		return nil
 	}
 
-	analysis := &api.HeaderAnalysis{}
+	analysis := &model.HeaderAnalysis{}
 
 	// Check for proper MIME structure
-	analysis.HasMimeStructure = api.PtrTo(len(email.Parts) > 0)
+	analysis.HasMimeStructure = utils.PtrTo(len(email.Parts) > 0)
 
 	// Initialize headers map
-	headers := make(map[string]api.HeaderCheck)
+	headers := make(map[string]model.HeaderCheck)
 
 	// Check required headers
 	requiredHeaders := []string{"From", "To", "Date", "Message-ID", "Subject"}
@@ -265,6 +274,10 @@ func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage) *api.Header
 		headers[strings.ToLower(headerName)] = *check
 	}
 
+	// Check MIME-Version header (recommended but absence is not penalized)
+	mimeVersionCheck := h.checkHeader(email, "MIME-Version", "recommended")
+	headers[strings.ToLower("MIME-Version")] = *mimeVersionCheck
+
 	// Check optional headers
 	optionalHeaders := []string{"List-Unsubscribe", "List-Unsubscribe-Post"}
 	for _, headerName := range optionalHeaders {
@@ -281,7 +294,7 @@ func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage) *api.Header
 	}
 
 	// Domain alignment
-	domainAlignment := h.analyzeDomainAlignment(email)
+	domainAlignment := h.analyzeDomainAlignment(email, authResults)
 	if domainAlignment != nil {
 		analysis.DomainAlignment = domainAlignment
 	}
@@ -296,12 +309,12 @@ func (h *HeaderAnalyzer) GenerateHeaderAnalysis(email *EmailMessage) *api.Header
 }
 
 // checkHeader checks if a header is present and valid
-func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, importance string) *api.HeaderCheck {
+func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, importance string) *model.HeaderCheck {
 	value := email.GetHeaderValue(headerName)
 	present := email.HasHeader(headerName) && value != ""
 
-	importanceEnum := api.HeaderCheckImportance(importance)
-	check := &api.HeaderCheck{
+	importanceEnum := model.HeaderCheckImportance(importance)
+	check := &model.HeaderCheck{
 		Present:    present,
 		Importance: &importanceEnum,
 	}
@@ -319,12 +332,21 @@ func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, imp
 				valid = false
 				headerIssues = append(headerIssues, "Invalid Message-ID format (should be <id@domain>)")
 			}
+			if len(email.Header["Message-Id"]) > 1 {
+				valid = false
+				headerIssues = append(headerIssues, fmt.Sprintf("Multiple Message-ID headers found (%d); only one is allowed", len(email.Header["Message-Id"])))
+			}
 		case "Date":
 			// Validate date format
 			if _, err := h.parseEmailDate(value); err != nil {
 				valid = false
 				headerIssues = append(headerIssues, fmt.Sprintf("Invalid date format: %v", err))
 			}
+		case "MIME-Version":
+			if value != "1.0" {
+				valid = false
+				headerIssues = append(headerIssues, fmt.Sprintf("MIME-Version should be '1.0', got '%s'", value))
+			}
 		case "From", "To", "Cc", "Bcc", "Reply-To", "Sender", "Resent-From", "Resent-To", "Return-Path":
 			// Parse address header using net/mail and get normalized address
 			if normalizedAddr, err := h.validateAddressHeader(value); err != nil {
@@ -352,11 +374,11 @@ func (h *HeaderAnalyzer) checkHeader(email *EmailMessage, headerName string, imp
 	return check
 }
 
-// analyzeDomainAlignment checks domain alignment between headers
-func (h *HeaderAnalyzer) analyzeDomainAlignment(email *EmailMessage) *api.DomainAlignment {
-	alignment := &api.DomainAlignment{
-		Aligned:        api.PtrTo(true),
-		RelaxedAligned: api.PtrTo(true),
+// analyzeDomainAlignment checks domain alignment between headers and DKIM signatures
+func (h *HeaderAnalyzer) analyzeDomainAlignment(email *EmailMessage, authResults *model.AuthenticationResults) *model.DomainAlignment {
+	alignment := &model.DomainAlignment{
+		Aligned:        utils.PtrTo(true),
+		RelaxedAligned: utils.PtrTo(true),
 	}
 
 	// Extract From domain
@@ -383,14 +405,45 @@ func (h *HeaderAnalyzer) analyzeDomainAlignment(email *EmailMessage) *api.Domain
 		}
 	}
 
+	// Extract DKIM domains from authentication results
+	var dkimDomains []model.DKIMDomainInfo
+	if authResults != nil && authResults.Dkim != nil {
+		for _, dkim := range *authResults.Dkim {
+			if dkim.Domain != nil && *dkim.Domain != "" {
+				domain := *dkim.Domain
+				orgDomain := h.getOrganizationalDomain(domain)
+				dkimDomains = append(dkimDomains, model.DKIMDomainInfo{
+					Domain:    domain,
+					OrgDomain: orgDomain,
+				})
+			}
+		}
+	}
+	if len(dkimDomains) > 0 {
+		alignment.DkimDomains = &dkimDomains
+	}
+
 	// Check alignment (strict and relaxed)
 	issues := []string{}
-	if alignment.FromDomain != nil && alignment.ReturnPathDomain != nil {
+
+	// hasReturnPath and hasDKIM track whether we have these fields to check
+	hasReturnPath := alignment.FromDomain != nil && alignment.ReturnPathDomain != nil
+	hasDKIM := alignment.FromDomain != nil && len(dkimDomains) > 0
+
+	// If neither Return-Path nor DKIM is present, keep default alignment (true)
+	// Otherwise, at least one must be aligned for overall alignment to be true
+	strictAligned := !hasReturnPath && !hasDKIM
+	relaxedAligned := !hasReturnPath && !hasDKIM
+
+	// Check Return-Path alignment
+	rpStrictAligned := false
+	rpRelaxedAligned := false
+	if hasReturnPath {
 		fromDomain := *alignment.FromDomain
 		rpDomain := *alignment.ReturnPathDomain
 
 		// Strict alignment: exact match (case-insensitive)
-		strictAligned := strings.EqualFold(fromDomain, rpDomain)
+		rpStrictAligned = strings.EqualFold(fromDomain, rpDomain)
 
 		// Relaxed alignment: organizational domain match
 		var fromOrgDomain, rpOrgDomain string
@@ -400,20 +453,67 @@ func (h *HeaderAnalyzer) analyzeDomainAlignment(email *EmailMessage) *api.Domain
 		if alignment.ReturnPathOrgDomain != nil {
 			rpOrgDomain = *alignment.ReturnPathOrgDomain
 		}
-		relaxedAligned := strings.EqualFold(fromOrgDomain, rpOrgDomain)
+		rpRelaxedAligned = strings.EqualFold(fromOrgDomain, rpOrgDomain)
 
-		*alignment.Aligned = strictAligned
-		*alignment.RelaxedAligned = relaxedAligned
-
-		if !strictAligned {
-			if relaxedAligned {
+		if !rpStrictAligned {
+			if rpRelaxedAligned {
 				issues = append(issues, fmt.Sprintf("Return-Path domain (%s) does not exactly match From domain (%s), but satisfies relaxed alignment (organizational domain: %s)", rpDomain, fromDomain, fromOrgDomain))
 			} else {
 				issues = append(issues, fmt.Sprintf("Return-Path domain (%s) does not match From domain (%s) - neither strict nor relaxed alignment", rpDomain, fromDomain))
 			}
 		}
+
+		strictAligned = rpStrictAligned
+		relaxedAligned = rpRelaxedAligned
 	}
 
+	// Check DKIM alignment
+	dkimStrictAligned := false
+	dkimRelaxedAligned := false
+	if hasDKIM {
+		fromDomain := *alignment.FromDomain
+		var fromOrgDomain string
+		if alignment.FromOrgDomain != nil {
+			fromOrgDomain = *alignment.FromOrgDomain
+		}
+
+		for _, dkimDomain := range dkimDomains {
+			// Check strict alignment for this DKIM signature
+			if strings.EqualFold(fromDomain, dkimDomain.Domain) {
+				dkimStrictAligned = true
+			}
+
+			// Check relaxed alignment for this DKIM signature
+			if strings.EqualFold(fromOrgDomain, dkimDomain.OrgDomain) {
+				dkimRelaxedAligned = true
+			}
+		}
+
+		if !dkimStrictAligned && !dkimRelaxedAligned {
+			// List all DKIM domains that failed alignment
+			dkimDomainsList := []string{}
+			for _, dkimDomain := range dkimDomains {
+				dkimDomainsList = append(dkimDomainsList, dkimDomain.Domain)
+			}
+			issues = append(issues, fmt.Sprintf("DKIM signature domains (%s) do not align with From domain (%s) - neither strict nor relaxed alignment", strings.Join(dkimDomainsList, ", "), fromDomain))
+		} else if !dkimStrictAligned && dkimRelaxedAligned {
+			// DKIM has relaxed alignment but not strict
+			issues = append(issues, fmt.Sprintf("DKIM signature domains satisfy relaxed alignment with From domain (%s) but not strict alignment (organizational domain: %s)", fromDomain, fromOrgDomain))
+		}
+
+		// Overall alignment requires at least one method (Return-Path OR DKIM) to be aligned
+		// For DMARC compliance, at least one of SPF or DKIM must be aligned
+		if dkimStrictAligned {
+			strictAligned = true
+		}
+		if dkimRelaxedAligned {
+			relaxedAligned = true
+		}
+	}
+
+	*alignment.Aligned = strictAligned
+	*alignment.RelaxedAligned = relaxedAligned
+
 	if len(issues) > 0 {
 		alignment.Issues = &issues
 	}
@@ -461,18 +561,18 @@ func (h *HeaderAnalyzer) getOrganizationalDomain(domain string) string {
 }
 
 // findHeaderIssues identifies issues with headers
-func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []api.HeaderIssue {
-	var issues []api.HeaderIssue
+func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []model.HeaderIssue {
+	var issues []model.HeaderIssue
 
 	// Check for missing required headers
 	requiredHeaders := []string{"From", "Date", "Message-ID"}
 	for _, header := range requiredHeaders {
 		if !email.HasHeader(header) || email.GetHeaderValue(header) == "" {
-			issues = append(issues, api.HeaderIssue{
+			issues = append(issues, model.HeaderIssue{
 				Header:   header,
-				Severity: api.HeaderIssueSeverityCritical,
+				Severity: model.HeaderIssueSeverityCritical,
 				Message:  fmt.Sprintf("Required header '%s' is missing", header),
-				Advice:   api.PtrTo(fmt.Sprintf("Add the %s header to ensure RFC 5322 compliance", header)),
+				Advice:   utils.PtrTo(fmt.Sprintf("Add the %s header to ensure RFC 5322 compliance", header)),
 			})
 		}
 	}
@@ -480,11 +580,11 @@ func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []api.HeaderIssue
 	// Check Message-ID format
 	messageID := email.GetHeaderValue("Message-ID")
 	if messageID != "" && !h.isValidMessageID(messageID) {
-		issues = append(issues, api.HeaderIssue{
+		issues = append(issues, model.HeaderIssue{
 			Header:   "Message-ID",
-			Severity: api.HeaderIssueSeverityMedium,
+			Severity: model.HeaderIssueSeverityMedium,
 			Message:  "Message-ID format is invalid",
-			Advice:   api.PtrTo("Use proper Message-ID format: <unique-id@domain.com>"),
+			Advice:   utils.PtrTo("Use proper Message-ID format: <unique-id@domain.com>"),
 		})
 	}
 
@@ -492,7 +592,7 @@ func (h *HeaderAnalyzer) findHeaderIssues(email *EmailMessage) []api.HeaderIssue
 }
 
 // parseReceivedChain extracts the chain of Received headers from an email
-func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []api.ReceivedHop {
+func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []model.ReceivedHop {
 	if email == nil || email.Header == nil {
 		return nil
 	}
@@ -502,7 +602,7 @@ func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []api.ReceivedH
 		return nil
 	}
 
-	var chain []api.ReceivedHop
+	var chain []model.ReceivedHop
 
 	for _, receivedValue := range receivedHeaders {
 		hop := h.parseReceivedHeader(receivedValue)
@@ -515,8 +615,8 @@ func (h *HeaderAnalyzer) parseReceivedChain(email *EmailMessage) []api.ReceivedH
 }
 
 // parseReceivedHeader parses a single Received header value
-func (h *HeaderAnalyzer) parseReceivedHeader(receivedValue string) *api.ReceivedHop {
-	hop := &api.ReceivedHop{}
+func (h *HeaderAnalyzer) parseReceivedHeader(receivedValue string) *model.ReceivedHop {
+	hop := &model.ReceivedHop{}
 
 	// Normalize whitespace - Received headers can span multiple lines
 	normalized := strings.Join(strings.Fields(receivedValue), " ")

pkg/analyzer/headers_test.go

@@ -24,9 +24,10 @@ package analyzer
 import (
 	"net/mail"
 	"net/textproto"
+	"strings"
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestCalculateHeaderScore(t *testing.T) {
@@ -82,8 +83,8 @@ func TestCalculateHeaderScore(t *testing.T) {
 				Date:      "Mon, 01 Jan 2024 12:00:00 +0000",
 				Parts:     []MessagePart{{ContentType: "text/plain", Content: "test"}},
 			},
-			minScore: 40,
-			maxScore: 80,
+			minScore: 80,
+			maxScore: 90,
 		},
 		{
 			name: "Invalid Message-ID format",
@@ -110,7 +111,7 @@ func TestCalculateHeaderScore(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Generate header analysis first
-			analysis := analyzer.GenerateHeaderAnalysis(tt.email)
+			analysis := analyzer.GenerateHeaderAnalysis(tt.email, nil)
 			score, _ := analyzer.CalculateHeaderScore(analysis)
 			if score < tt.minScore || score > tt.maxScore {
 				t.Errorf("CalculateHeaderScore() = %v, want between %v and %v", score, tt.minScore, tt.maxScore)
@@ -360,7 +361,7 @@ func TestAnalyzeDomainAlignment(t *testing.T) {
 				}),
 			}
 
-			alignment := analyzer.analyzeDomainAlignment(email)
+			alignment := analyzer.analyzeDomainAlignment(email, nil)
 
 			if alignment == nil {
 				t.Fatal("Expected non-nil alignment")
@@ -403,7 +404,7 @@ func TestParseReceivedChain(t *testing.T) {
 		name            string
 		receivedHeaders []string
 		expectedHops    int
-		validateFirst   func(*testing.T, *EmailMessage, []api.ReceivedHop)
+		validateFirst   func(*testing.T, *EmailMessage, []model.ReceivedHop)
 	}{
 		{
 			name:            "No Received headers",
@@ -416,7 +417,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from mail.example.com (mail.example.com [192.0.2.1]) by mx.receiver.com (Postfix) with ESMTPS id ABC123 for <user@receiver.com>; Mon, 01 Jan 2024 12:00:00 +0000",
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -449,7 +450,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from mail2.example.com (mail2.example.com [192.0.2.2]) by mx2.receiver.com with SMTP id 222; Mon, 01 Jan 2024 11:59:00 +0000",
 			},
 			expectedHops: 2,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) != 2 {
 					t.Fatalf("Expected 2 hops, got %d", len(hops))
 				}
@@ -471,7 +472,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from mail.example.com (unknown [IPv6:2607:5300:203:2818::1]) by mx.receiver.com with ESMTPS; Sun, 19 Oct 2025 09:40:33 +0000 (UTC)",
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -498,7 +499,7 @@ func TestParseReceivedChain(t *testing.T) {
 	for <test-9a9ce364-c394-4fa9-acef-d46ff2f482bf@deliver.happydomain.org>; Sun, 19 Oct 2025 09:40:33 +0000 (UTC)`,
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -526,7 +527,7 @@ func TestParseReceivedChain(t *testing.T) {
 				"from unknown by localhost",
 			},
 			expectedHops: 1,
-			validateFirst: func(t *testing.T, email *EmailMessage, hops []api.ReceivedHop) {
+			validateFirst: func(t *testing.T, email *EmailMessage, hops []model.ReceivedHop) {
 				if len(hops) == 0 {
 					t.Fatal("Expected at least one hop")
 				}
@@ -698,7 +699,7 @@ func TestGenerateHeaderAnalysis_WithReceivedChain(t *testing.T) {
 		"from relay.example.com (relay.example.com [192.0.2.2]) by mail.example.com with SMTP id DEF456; Mon, 01 Jan 2024 11:59:00 +0000",
 	}
 
-	analysis := analyzer.GenerateHeaderAnalysis(email)
+	analysis := analyzer.GenerateHeaderAnalysis(email, nil)
 
 	if analysis == nil {
 		t.Fatal("GenerateHeaderAnalysis returned nil")
@@ -923,3 +924,156 @@ func equalStrPtr(a, b *string) bool {
 	}
 	return *a == *b
 }
+
+func TestAnalyzeDomainAlignment_WithDKIM(t *testing.T) {
+	tests := []struct {
+		name                 string
+		fromHeader           string
+		returnPath           string
+		dkimDomains          []string
+		expectStrictAligned  bool
+		expectRelaxedAligned bool
+		expectIssuesContain  string
+	}{
+		{
+			name:                 "DKIM strict alignment with From domain",
+			fromHeader:           "sender@example.com",
+			returnPath:           "",
+			dkimDomains:          []string{"example.com"},
+			expectStrictAligned:  true,
+			expectRelaxedAligned: true,
+			expectIssuesContain:  "",
+		},
+		{
+			name:                 "DKIM relaxed alignment only",
+			fromHeader:           "sender@mail.example.com",
+			returnPath:           "",
+			dkimDomains:          []string{"example.com"},
+			expectStrictAligned:  false,
+			expectRelaxedAligned: true,
+			expectIssuesContain:  "relaxed alignment",
+		},
+		{
+			name:                 "DKIM no alignment",
+			fromHeader:           "sender@example.com",
+			returnPath:           "",
+			dkimDomains:          []string{"different.com"},
+			expectStrictAligned:  false,
+			expectRelaxedAligned: false,
+			expectIssuesContain:  "do not align",
+		},
+		{
+			name:                 "Multiple DKIM signatures - one aligns",
+			fromHeader:           "sender@example.com",
+			returnPath:           "",
+			dkimDomains:          []string{"different.com", "example.com"},
+			expectStrictAligned:  true,
+			expectRelaxedAligned: true,
+			expectIssuesContain:  "",
+		},
+		{
+			name:                 "Return-Path misaligned but DKIM aligned",
+			fromHeader:           "sender@example.com",
+			returnPath:           "bounce@different.com",
+			dkimDomains:          []string{"example.com"},
+			expectStrictAligned:  true,
+			expectRelaxedAligned: true,
+			expectIssuesContain:  "Return-Path",
+		},
+		{
+			name:                 "Return-Path aligned, no DKIM",
+			fromHeader:           "sender@example.com",
+			returnPath:           "bounce@example.com",
+			dkimDomains:          []string{},
+			expectStrictAligned:  true,
+			expectRelaxedAligned: true,
+			expectIssuesContain:  "",
+		},
+		{
+			name:                 "Both Return-Path and DKIM misaligned",
+			fromHeader:           "sender@example.com",
+			returnPath:           "bounce@other.com",
+			dkimDomains:          []string{"different.com"},
+			expectStrictAligned:  false,
+			expectRelaxedAligned: false,
+			expectIssuesContain:  "do not",
+		},
+	}
+
+	analyzer := NewHeaderAnalyzer()
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			email := &EmailMessage{
+				Header: createHeaderWithFields(map[string]string{
+					"From":        tt.fromHeader,
+					"Return-Path": tt.returnPath,
+				}),
+			}
+
+			// Create authentication results with DKIM signatures
+			var authResults *model.AuthenticationResults
+			if len(tt.dkimDomains) > 0 {
+				dkimResults := make([]model.AuthResult, 0, len(tt.dkimDomains))
+				for _, domain := range tt.dkimDomains {
+					dkimResults = append(dkimResults, model.AuthResult{
+						Result: model.AuthResultResultPass,
+						Domain: &domain,
+					})
+				}
+				authResults = &model.AuthenticationResults{
+					Dkim: &dkimResults,
+				}
+			}
+
+			alignment := analyzer.analyzeDomainAlignment(email, authResults)
+
+			if alignment == nil {
+				t.Fatal("Expected non-nil alignment")
+			}
+
+			if alignment.Aligned == nil {
+				t.Fatal("Expected non-nil Aligned field")
+			}
+
+			if *alignment.Aligned != tt.expectStrictAligned {
+				t.Errorf("Aligned = %v, want %v", *alignment.Aligned, tt.expectStrictAligned)
+			}
+
+			if alignment.RelaxedAligned == nil {
+				t.Fatal("Expected non-nil RelaxedAligned field")
+			}
+
+			if *alignment.RelaxedAligned != tt.expectRelaxedAligned {
+				t.Errorf("RelaxedAligned = %v, want %v", *alignment.RelaxedAligned, tt.expectRelaxedAligned)
+			}
+
+			// Check DKIM domains are populated
+			if len(tt.dkimDomains) > 0 {
+				if alignment.DkimDomains == nil {
+					t.Error("Expected DkimDomains to be populated")
+				} else if len(*alignment.DkimDomains) != len(tt.dkimDomains) {
+					t.Errorf("Expected %d DKIM domains, got %d", len(tt.dkimDomains), len(*alignment.DkimDomains))
+				}
+			}
+
+			// Check issues contain expected string
+			if tt.expectIssuesContain != "" {
+				if alignment.Issues == nil || len(*alignment.Issues) == 0 {
+					t.Errorf("Expected issues to contain '%s', but no issues found", tt.expectIssuesContain)
+				} else {
+					found := false
+					for _, issue := range *alignment.Issues {
+						if strings.Contains(strings.ToLower(issue), strings.ToLower(tt.expectIssuesContain)) {
+							found = true
+							break
+						}
+					}
+					if !found {
+						t.Errorf("Expected issues to contain '%s', but found: %v", tt.expectIssuesContain, *alignment.Issues)
+					}
+				}
+			}
+		})
+	}
+}

pkg/analyzer/parser.go

@@ -28,16 +28,9 @@ import (
 	"mime/multipart"
 	"net/mail"
 	"net/textproto"
-	"os"
 	"strings"
 )
 
-var hostname = ""
-
-func init() {
-	hostname, _ = os.Hostname()
-}
-
 // EmailMessage represents a parsed email message
 type EmailMessage struct {
 	Header     mail.Header
@@ -218,18 +211,18 @@ func buildRawHeaders(header mail.Header) string {
 }
 
 // GetAuthenticationResults extracts Authentication-Results headers
-// If hostname is provided, only returns headers that begin with that hostname
-func (e *EmailMessage) GetAuthenticationResults() []string {
+// If receiverHostname is provided, only returns headers that begin with that hostname
+func (e *EmailMessage) GetAuthenticationResults(receiverHostname string) []string {
 	allResults := e.Header[textproto.CanonicalMIMEHeaderKey("Authentication-Results")]
 
 	// If no hostname specified, return all results
-	if hostname == "" {
+	if receiverHostname == "" {
 		return allResults
 	}
 
 	// Filter results that begin with the specified hostname
 	var filtered []string
-	prefix := hostname + ";"
+	prefix := receiverHostname + ";"
 	for _, result := range allResults {
 		// Trim whitespace and check if it starts with hostname;
 		trimmed := strings.TrimSpace(result)
@@ -256,6 +249,33 @@ func (e *EmailMessage) GetSpamAssassinHeaders() map[string]string {
 	}
 
 	for _, headerName := range saHeaders {
+		if values, ok := e.Header[headerName]; ok && len(values) > 0 {
+			for _, value := range values {
+				if strings.TrimSpace(value) != "" {
+					headers[headerName] = value
+					break
+				}
+			}
+		} else if value := e.Header.Get(headerName); value != "" {
+			headers[headerName] = value
+		}
+	}
+
+	return headers
+}
+
+// GetRspamdHeaders extracts rspamd-related headers
+func (e *EmailMessage) GetRspamdHeaders() map[string]string {
+	headers := make(map[string]string)
+
+	rspamdHeaders := []string{
+		"X-Spamd-Result",
+		"X-Rspamd-Score",
+		"X-Rspamd-Action",
+		"X-Rspamd-Server",
+	}
+
+	for _, headerName := range rspamdHeaders {
 		if value := e.Header.Get(headerName); value != "" {
 			headers[headerName] = value
 		}
@@ -301,3 +321,20 @@ func (e *EmailMessage) GetHeaderValue(key string) string {
 func (e *EmailMessage) HasHeader(key string) bool {
 	return e.Header.Get(key) != ""
 }
+
+// GetListUnsubscribeURLs parses the List-Unsubscribe header and returns all URLs.
+// The header format is: <url1>, <url2>, ...
+func (e *EmailMessage) GetListUnsubscribeURLs() []string {
+	value := e.Header.Get("List-Unsubscribe")
+	if value == "" {
+		return nil
+	}
+	var urls []string
+	for _, part := range strings.Split(value, ",") {
+		part = strings.TrimSpace(part)
+		if strings.HasPrefix(part, "<") && strings.HasSuffix(part, ">") {
+			urls = append(urls, part[1:len(part)-1])
+		}
+	}
+	return urls
+}

pkg/analyzer/parser_test.go

@@ -120,7 +120,7 @@ Body content.
 		t.Fatalf("Failed to parse email: %v", err)
 	}
 
-	authResults := email.GetAuthenticationResults()
+	authResults := email.GetAuthenticationResults("example.com")
 	if len(authResults) != 2 {
 		t.Errorf("Expected 2 Authentication-Results headers, got: %d", len(authResults))
 	}

pkg/analyzer/rbl.go

@@ -27,17 +27,22 @@ import (
 	"net"
 	"regexp"
 	"strings"
+	"sync"
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
-// RBLChecker checks IP addresses against DNS-based blacklists
-type RBLChecker struct {
-	Timeout     time.Duration
-	RBLs        []string
-	CheckAllIPs bool // Check all IPs found in headers, not just the first one
-	resolver    *net.Resolver
+// DNSListChecker checks IP addresses against DNS-based block/allow lists.
+// It handles both RBL (blacklist) and DNSWL (whitelist) semantics via flags.
+type DNSListChecker struct {
+	Timeout          time.Duration
+	Lists            []string
+	CheckAllIPs      bool // Check all IPs found in headers, not just the first one
+	filterErrorCodes bool // When true (RBL mode), treat 127.255.255.253/254/255 as operational errors
+	resolver         *net.Resolver
+	informationalSet map[string]bool // Lists whose hits don't count toward the score
 }
 
 // DefaultRBLs is a list of commonly used RBL providers
@@ -48,40 +53,83 @@ var DefaultRBLs = []string{
 	"b.barracudacentral.org", // Barracuda
 	"cbl.abuseat.org",        // CBL (Composite Blocking List)
 	"dnsbl-1.uceprotect.net", // UCEPROTECT Level 1
+	"dnsbl-2.uceprotect.net", // UCEPROTECT Level 2 (informational)
+	"dnsbl-3.uceprotect.net", // UCEPROTECT Level 3 (informational)
+	"psbl.surriel.com",       // PSBL
+	"dnsbl.dronebl.org",      // DroneBL
+	"bl.mailspike.net",       // Mailspike BL
+	"z.mailspike.net",        // Mailspike Z
+	"bl.rbl-dns.com",         // RBL-DNS
+	"bl.nszones.com",         // NSZones
+}
+
+// DefaultInformationalRBLs lists RBLs that are checked but not counted in the score.
+// These are typically broader lists where being listed is less definitive.
+var DefaultInformationalRBLs = []string{
+	"dnsbl-2.uceprotect.net", // UCEPROTECT Level 2: entire netblocks, may cause false positives
+	"dnsbl-3.uceprotect.net", // UCEPROTECT Level 3: entire ASes, too broad for scoring
+}
+
+// DefaultDNSWLs is a list of commonly used DNSWL providers
+var DefaultDNSWLs = []string{
+	"list.dnswl.org",   // DNSWL.org — the main DNS whitelist
+	"swl.spamhaus.org", // Spamhaus Safe Whitelist
 }
 
 // NewRBLChecker creates a new RBL checker with configurable timeout and RBL list
-func NewRBLChecker(timeout time.Duration, rbls []string, checkAllIPs bool) *RBLChecker {
+func NewRBLChecker(timeout time.Duration, rbls []string, checkAllIPs bool) *DNSListChecker {
 	if timeout == 0 {
-		timeout = 5 * time.Second // Default timeout
+		timeout = 5 * time.Second
 	}
 	if len(rbls) == 0 {
 		rbls = DefaultRBLs
 	}
-	return &RBLChecker{
-		Timeout:     timeout,
-		RBLs:        rbls,
-		CheckAllIPs: checkAllIPs,
-		resolver: &net.Resolver{
-			PreferGo: true,
-		},
+	informationalSet := make(map[string]bool, len(DefaultInformationalRBLs))
+	for _, rbl := range DefaultInformationalRBLs {
+		informationalSet[rbl] = true
+	}
+	return &DNSListChecker{
+		Timeout:          timeout,
+		Lists:            rbls,
+		CheckAllIPs:      checkAllIPs,
+		filterErrorCodes: true,
+		resolver:         &net.Resolver{PreferGo: true},
+		informationalSet: informationalSet,
 	}
 }
 
-// RBLResults represents the results of RBL checks
-type RBLResults struct {
-	Checks      map[string][]api.BlacklistCheck // Map of IP -> list of RBL checks for that IP
-	IPsChecked  []string
-	ListedCount int
+// NewDNSWLChecker creates a new DNSWL checker with configurable timeout and DNSWL list
+func NewDNSWLChecker(timeout time.Duration, dnswls []string, checkAllIPs bool) *DNSListChecker {
+	if timeout == 0 {
+		timeout = 5 * time.Second
+	}
+	if len(dnswls) == 0 {
+		dnswls = DefaultDNSWLs
+	}
+	return &DNSListChecker{
+		Timeout:          timeout,
+		Lists:            dnswls,
+		CheckAllIPs:      checkAllIPs,
+		filterErrorCodes: false,
+		resolver:         &net.Resolver{PreferGo: true},
+		informationalSet: make(map[string]bool),
+	}
 }
 
-// CheckEmail checks all IPs found in the email headers against RBLs
-func (r *RBLChecker) CheckEmail(email *EmailMessage) *RBLResults {
-	results := &RBLResults{
-		Checks: make(map[string][]api.BlacklistCheck),
+// DNSListResults represents the results of DNS list checks
+type DNSListResults struct {
+	Checks              map[string][]model.BlacklistCheck // Map of IP -> list of checks for that IP
+	IPsChecked          []string
+	ListedCount         int // Total listings including informational entries
+	RelevantListedCount int // Listings on scoring (non-informational) lists only
+}
+
+// CheckEmail checks all IPs found in the email headers against the configured lists
+func (r *DNSListChecker) CheckEmail(email *EmailMessage) *DNSListResults {
+	results := &DNSListResults{
+		Checks: make(map[string][]model.BlacklistCheck),
 	}
 
-	// Extract IPs from Received headers
 	ips := r.extractIPs(email)
 	if len(ips) == 0 {
 		return results
@@ -89,17 +137,18 @@ func (r *RBLChecker) CheckEmail(email *EmailMessage) *RBLResults {
 
 	results.IPsChecked = ips
 
-	// Check each IP against all RBLs
 	for _, ip := range ips {
-		for _, rbl := range r.RBLs {
-			check := r.checkIP(ip, rbl)
+		for _, list := range r.Lists {
+			check := r.checkIP(ip, list)
 			results.Checks[ip] = append(results.Checks[ip], check)
 			if check.Listed {
 				results.ListedCount++
+				if !r.informationalSet[list] {
+					results.RelevantListedCount++
+				}
 			}
 		}
 
-		// Only check the first IP unless CheckAllIPs is enabled
 		if !r.CheckAllIPs {
 			break
 		}
@@ -108,28 +157,48 @@ func (r *RBLChecker) CheckEmail(email *EmailMessage) *RBLResults {
 	return results
 }
 
+// CheckIP checks a single IP address against all configured lists in parallel
+func (r *DNSListChecker) CheckIP(ip string) ([]model.BlacklistCheck, int, error) {
+	if !r.isPublicIP(ip) {
+		return nil, 0, fmt.Errorf("invalid or non-public IP address: %s", ip)
+	}
+
+	checks := make([]model.BlacklistCheck, len(r.Lists))
+	var wg sync.WaitGroup
+
+	for i, list := range r.Lists {
+		wg.Add(1)
+		go func(i int, list string) {
+			defer wg.Done()
+			checks[i] = r.checkIP(ip, list)
+		}(i, list)
+	}
+	wg.Wait()
+
+	listedCount := 0
+	for _, check := range checks {
+		if check.Listed {
+			listedCount++
+		}
+	}
+
+	return checks, listedCount, nil
+}
+
 // extractIPs extracts IP addresses from Received headers
-func (r *RBLChecker) extractIPs(email *EmailMessage) []string {
+func (r *DNSListChecker) extractIPs(email *EmailMessage) []string {
 	var ips []string
 	seenIPs := make(map[string]bool)
 
-	// Get all Received headers
 	receivedHeaders := email.Header["Received"]
-
-	// Regex patterns for IP addresses
-	// Match IPv4: xxx.xxx.xxx.xxx
 	ipv4Pattern := regexp.MustCompile(`\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b`)
 
-	// Look for IPs in Received headers
 	for _, received := range receivedHeaders {
-		// Find all IPv4 addresses
 		matches := ipv4Pattern.FindAllString(received, -1)
 		for _, match := range matches {
-			// Skip private/reserved IPs
 			if !r.isPublicIP(match) {
 				continue
 			}
-			// Avoid duplicates
 			if !seenIPs[match] {
 				ips = append(ips, match)
 				seenIPs[match] = true
@@ -137,13 +206,10 @@ func (r *RBLChecker) extractIPs(email *EmailMessage) []string {
 		}
 	}
 
-	// If no IPs found in Received headers, try X-Originating-IP
 	if len(ips) == 0 {
 		originatingIP := email.Header.Get("X-Originating-IP")
 		if originatingIP != "" {
-			// Extract IP from formats like "[192.0.2.1]" or "192.0.2.1"
 			cleanIP := strings.TrimSuffix(strings.TrimPrefix(originatingIP, "["), "]")
-			// Remove any whitespace
 			cleanIP = strings.TrimSpace(cleanIP)
 			matches := ipv4Pattern.FindString(cleanIP)
 			if matches != "" && r.isPublicIP(matches) {
@@ -156,19 +222,16 @@ func (r *RBLChecker) extractIPs(email *EmailMessage) []string {
 }
 
 // isPublicIP checks if an IP address is public (not private, loopback, or reserved)
-func (r *RBLChecker) isPublicIP(ipStr string) bool {
+func (r *DNSListChecker) isPublicIP(ipStr string) bool {
 	ip := net.ParseIP(ipStr)
 	if ip == nil {
 		return false
 	}
 
-	// Check if it's a private network
 	if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
 		return false
 	}
 
-	// Additional checks for reserved ranges
-	// 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), 203.0.113.0/24 (TEST-NET-3)
 	if ip.IsUnspecified() {
 		return false
 	}
@@ -176,51 +239,43 @@ func (r *RBLChecker) isPublicIP(ipStr string) bool {
 	return true
 }
 
-// checkIP checks a single IP against a single RBL
-func (r *RBLChecker) checkIP(ip, rbl string) api.BlacklistCheck {
-	check := api.BlacklistCheck{
-		Rbl: rbl,
+// checkIP checks a single IP against a single DNS list
+func (r *DNSListChecker) checkIP(ip, list string) model.BlacklistCheck {
+	check := model.BlacklistCheck{
+		Rbl: list,
 	}
 
-	// Reverse the IP for DNSBL query
 	reversedIP := r.reverseIP(ip)
 	if reversedIP == "" {
-		check.Error = api.PtrTo("Failed to reverse IP address")
+		check.Error = utils.PtrTo("Failed to reverse IP address")
 		return check
 	}
 
-	// Construct DNSBL query: reversed-ip.rbl-domain
-	query := fmt.Sprintf("%s.%s", reversedIP, rbl)
+	query := fmt.Sprintf("%s.%s", reversedIP, list)
 
-	// Perform DNS lookup with timeout
 	ctx, cancel := context.WithTimeout(context.Background(), r.Timeout)
 	defer cancel()
 
 	addrs, err := r.resolver.LookupHost(ctx, query)
 	if err != nil {
-		// Most likely not listed (NXDOMAIN)
 		if dnsErr, ok := err.(*net.DNSError); ok {
 			if dnsErr.IsNotFound {
 				check.Listed = false
 				return check
 			}
 		}
-		// Other DNS errors
-		check.Error = api.PtrTo(fmt.Sprintf("DNS lookup failed: %v", err))
+		check.Error = utils.PtrTo(fmt.Sprintf("DNS lookup failed: %v", err))
 		return check
 	}
 
-	// If we got a response, check the return code
 	if len(addrs) > 0 {
-		check.Response = api.PtrTo(addrs[0]) // Return code (e.g., 127.0.0.2)
+		check.Response = utils.PtrTo(addrs[0])
 
-		// Check for RBL error codes: 127.255.255.253, 127.255.255.254, 127.255.255.255
-		// These indicate RBL operational issues, not actual listings
-		if addrs[0] == "127.255.255.253" || addrs[0] == "127.255.255.254" || addrs[0] == "127.255.255.255" {
+		// In RBL mode, 127.255.255.253/254/255 indicate operational errors, not real listings.
+		if r.filterErrorCodes && (addrs[0] == "127.255.255.253" || addrs[0] == "127.255.255.254" || addrs[0] == "127.255.255.255") {
 			check.Listed = false
-			check.Error = api.PtrTo(fmt.Sprintf("RBL %s returned error code %s (RBL operational issue)", rbl, addrs[0]))
+			check.Error = utils.PtrTo(fmt.Sprintf("RBL %s returned error code %s (RBL operational issue)", list, addrs[0]))
 		} else {
-			// Normal listing response
 			check.Listed = true
 		}
 	}
@@ -228,44 +283,58 @@ func (r *RBLChecker) checkIP(ip, rbl string) api.BlacklistCheck {
 	return check
 }
 
-// reverseIP reverses an IPv4 address for DNSBL queries
+// reverseIP reverses an IPv4 address for DNSBL/DNSWL queries
 // Example: 192.0.2.1 -> 1.2.0.192
-func (r *RBLChecker) reverseIP(ipStr string) string {
+func (r *DNSListChecker) reverseIP(ipStr string) string {
 	ip := net.ParseIP(ipStr)
 	if ip == nil {
 		return ""
 	}
 
-	// Convert to IPv4
 	ipv4 := ip.To4()
 	if ipv4 == nil {
 		return "" // IPv6 not supported yet
 	}
 
-	// Reverse the octets
 	return fmt.Sprintf("%d.%d.%d.%d", ipv4[3], ipv4[2], ipv4[1], ipv4[0])
 }
 
-// CalculateRBLScore calculates the blacklist contribution to deliverability
-func (r *RBLChecker) CalculateRBLScore(results *RBLResults) (int, string) {
+// CalculateScore calculates the list contribution to deliverability.
+// Informational lists are not counted in the score.
+func (r *DNSListChecker) CalculateScore(results *DNSListResults, forWhitelist bool) (int, string) {
+	scoringListCount := len(r.Lists) - len(r.informationalSet)
+
+	if forWhitelist {
+		if results.ListedCount >= scoringListCount {
+			return 100, "A++"
+		} else if results.ListedCount > 0 {
+			return 100, "A+"
+		} else {
+			return 95, "A"
+		}
+	}
+
 	if results == nil || len(results.IPsChecked) == 0 {
-		// No IPs to check, give benefit of doubt
 		return 100, ""
 	}
 
-	percentage := 100 - results.ListedCount*100/len(r.RBLs)
+	if results.ListedCount <= 0 {
+		return 100, "A+"
+	}
+
+	percentage := 100 - results.RelevantListedCount*100/scoringListCount
 	return percentage, ScoreToGrade(percentage)
 }
 
-// GetUniqueListedIPs returns a list of unique IPs that are listed on at least one RBL
-func (r *RBLChecker) GetUniqueListedIPs(results *RBLResults) []string {
+// GetUniqueListedIPs returns a list of unique IPs that are listed on at least one entry
+func (r *DNSListChecker) GetUniqueListedIPs(results *DNSListResults) []string {
 	var listedIPs []string
 
-	for ip, rblChecks := range results.Checks {
-		for _, check := range rblChecks {
+	for ip, checks := range results.Checks {
+		for _, check := range checks {
 			if check.Listed {
 				listedIPs = append(listedIPs, ip)
-				break // Only add the IP once
+				break
 			}
 		}
 	}
@@ -273,17 +342,17 @@ func (r *RBLChecker) GetUniqueListedIPs(results *RBLResults) []string {
 	return listedIPs
 }
 
-// GetRBLsForIP returns all RBLs that list a specific IP
-func (r *RBLChecker) GetRBLsForIP(results *RBLResults, ip string) []string {
-	var rbls []string
+// GetListsForIP returns all lists that match a specific IP
+func (r *DNSListChecker) GetListsForIP(results *DNSListResults, ip string) []string {
+	var lists []string
 
-	if rblChecks, exists := results.Checks[ip]; exists {
-		for _, check := range rblChecks {
+	if checks, exists := results.Checks[ip]; exists {
+		for _, check := range checks {
 			if check.Listed {
-				rbls = append(rbls, check.Rbl)
+				lists = append(lists, check.Rbl)
 			}
 		}
 	}
 
-	return rbls
+	return lists
 }

pkg/analyzer/rbl_test.go

@@ -26,7 +26,7 @@ import (
 	"testing"
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 func TestNewRBLChecker(t *testing.T) {
@@ -59,8 +59,8 @@ func TestNewRBLChecker(t *testing.T) {
 			if checker.Timeout != tt.expectedTimeout {
 				t.Errorf("Timeout = %v, want %v", checker.Timeout, tt.expectedTimeout)
 			}
-			if len(checker.RBLs) != tt.expectedRBLs {
-				t.Errorf("RBLs count = %d, want %d", len(checker.RBLs), tt.expectedRBLs)
+			if len(checker.Lists) != tt.expectedRBLs {
+				t.Errorf("RBLs count = %d, want %d", len(checker.Lists), tt.expectedRBLs)
 			}
 			if checker.resolver == nil {
 				t.Error("Resolver should not be nil")
@@ -265,7 +265,7 @@ func TestExtractIPs(t *testing.T) {
 func TestGetBlacklistScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		results       *RBLResults
+		results       *DNSListResults
 		expectedScore int
 	}{
 		{
@@ -275,14 +275,14 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "No IPs checked",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked: []string{},
 			},
 			expectedScore: 100,
 		},
 		{
 			name: "Not listed on any RBL",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 0,
 			},
@@ -290,7 +290,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 1 RBL",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 1,
 			},
@@ -298,7 +298,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 2 RBLs",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 2,
 			},
@@ -306,7 +306,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 3 RBLs",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 3,
 			},
@@ -314,7 +314,7 @@ func TestGetBlacklistScore(t *testing.T) {
 		},
 		{
 			name: "Listed on 4+ RBLs",
-			results: &RBLResults{
+			results: &DNSListResults{
 				IPsChecked:  []string{"198.51.100.1"},
 				ListedCount: 4,
 			},
@@ -326,7 +326,7 @@ func TestGetBlacklistScore(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			score, _ := checker.CalculateRBLScore(tt.results)
+			score, _ := checker.CalculateScore(tt.results)
 			if score != tt.expectedScore {
 				t.Errorf("GetBlacklistScore() = %v, want %v", score, tt.expectedScore)
 			}
@@ -335,8 +335,8 @@ func TestGetBlacklistScore(t *testing.T) {
 }
 
 func TestGetUniqueListedIPs(t *testing.T) {
-	results := &RBLResults{
-		Checks: map[string][]api.BlacklistCheck{
+	results := &DNSListResults{
+		Checks: map[string][]model.BlacklistCheck{
 			"198.51.100.1": {
 				{Rbl: "zen.spamhaus.org", Listed: true},
 				{Rbl: "bl.spamcop.net", Listed: true},
@@ -363,8 +363,8 @@ func TestGetUniqueListedIPs(t *testing.T) {
 }
 
 func TestGetRBLsForIP(t *testing.T) {
-	results := &RBLResults{
-		Checks: map[string][]api.BlacklistCheck{
+	results := &DNSListResults{
+		Checks: map[string][]model.BlacklistCheck{
 			"198.51.100.1": {
 				{Rbl: "zen.spamhaus.org", Listed: true},
 				{Rbl: "bl.spamcop.net", Listed: true},
@@ -402,7 +402,7 @@ func TestGetRBLsForIP(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			rbls := checker.GetRBLsForIP(results, tt.ip)
+			rbls := checker.GetListsForIP(results, tt.ip)
 
 			if len(rbls) != len(tt.expectedRBLs) {
 				t.Errorf("Got %d RBLs, want %d", len(rbls), len(tt.expectedRBLs))

pkg/analyzer/report.go

@@ -24,7 +24,7 @@ package analyzer
 import (
 	"time"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 	"git.happydns.org/happyDeliver/internal/utils"
 	"github.com/google/uuid"
 )
@@ -33,24 +33,31 @@ import (
 type ReportGenerator struct {
 	authAnalyzer    *AuthenticationAnalyzer
 	spamAnalyzer    *SpamAssassinAnalyzer
+	rspamdAnalyzer  *RspamdAnalyzer
 	dnsAnalyzer     *DNSAnalyzer
-	rblChecker      *RBLChecker
+	rblChecker      *DNSListChecker
+	dnswlChecker    *DNSListChecker
 	contentAnalyzer *ContentAnalyzer
 	headerAnalyzer  *HeaderAnalyzer
 }
 
 // NewReportGenerator creates a new report generator
 func NewReportGenerator(
+	receiverHostname string,
 	dnsTimeout time.Duration,
 	httpTimeout time.Duration,
 	rbls []string,
+	dnswls []string,
 	checkAllIPs bool,
+	rspamdAPIURL string,
 ) *ReportGenerator {
 	return &ReportGenerator{
-		authAnalyzer:    NewAuthenticationAnalyzer(),
+		authAnalyzer:    NewAuthenticationAnalyzer(receiverHostname),
 		spamAnalyzer:    NewSpamAssassinAnalyzer(),
+		rspamdAnalyzer:  NewRspamdAnalyzer(LoadRspamdSymbols(rspamdAPIURL)),
 		dnsAnalyzer:     NewDNSAnalyzer(dnsTimeout),
 		rblChecker:      NewRBLChecker(dnsTimeout, rbls, checkAllIPs),
+		dnswlChecker:    NewDNSWLChecker(dnsTimeout, dnswls, checkAllIPs),
 		contentAnalyzer: NewContentAnalyzer(httpTimeout),
 		headerAnalyzer:  NewHeaderAnalyzer(),
 	}
@@ -59,12 +66,14 @@ func NewReportGenerator(
 // AnalysisResults contains all intermediate analysis results
 type AnalysisResults struct {
 	Email          *EmailMessage
-	Authentication *api.AuthenticationResults
+	Authentication *model.AuthenticationResults
 	Content        *ContentResults
-	DNS            *api.DNSResults
-	Headers        *api.HeaderAnalysis
-	RBL            *RBLResults
-	SpamAssassin   *api.SpamAssassinResult
+	DNS            *model.DNSResults
+	Headers        *model.HeaderAnalysis
+	RBL            *DNSListResults
+	DNSWL          *DNSListResults
+	SpamAssassin   *model.SpamAssassinResult
+	Rspamd         *model.RspamdResult
 }
 
 // AnalyzeEmail performs complete email analysis
@@ -75,21 +84,23 @@ func (r *ReportGenerator) AnalyzeEmail(email *EmailMessage) *AnalysisResults {
 
 	// Run all analyzers
 	results.Authentication = r.authAnalyzer.AnalyzeAuthentication(email)
-	results.Headers = r.headerAnalyzer.GenerateHeaderAnalysis(email)
-	results.DNS = r.dnsAnalyzer.AnalyzeDNS(email, results.Authentication, results.Headers)
+	results.Headers = r.headerAnalyzer.GenerateHeaderAnalysis(email, results.Authentication)
+	results.DNS = r.dnsAnalyzer.AnalyzeDNS(email, results.Headers)
 	results.RBL = r.rblChecker.CheckEmail(email)
+	results.DNSWL = r.dnswlChecker.CheckEmail(email)
 	results.SpamAssassin = r.spamAnalyzer.AnalyzeSpamAssassin(email)
+	results.Rspamd = r.rspamdAnalyzer.AnalyzeRspamd(email)
 	results.Content = r.contentAnalyzer.AnalyzeContent(email)
 
 	return results
 }
 
 // GenerateReport creates a complete API report from analysis results
-func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResults) *api.Report {
+func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResults) *model.Report {
 	reportID := uuid.New()
 	now := time.Now()
 
-	report := &api.Report{
+	report := &model.Report{
 		Id:        utils.UUIDToBase32(reportID),
 		TestId:    utils.UUIDToBase32(testID),
 		CreatedAt: now,
@@ -130,29 +141,47 @@ func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResu
 
 	blacklistScore := 0
 	var blacklistGrade string
+	var whitelistGrade string
 	if results.RBL != nil {
-		blacklistScore, blacklistGrade = r.rblChecker.CalculateRBLScore(results.RBL)
+		blacklistScore, blacklistGrade = r.rblChecker.CalculateScore(results.RBL, false)
+		_, whitelistGrade = r.dnswlChecker.CalculateScore(results.DNSWL, true)
 	}
 
-	spamScore := 0
+	saScore, saGrade := r.spamAnalyzer.CalculateSpamAssassinScore(results.SpamAssassin)
+	rspamdScore, rspamdGrade := r.rspamdAnalyzer.CalculateRspamdScore(results.Rspamd)
+
+	// Combine SpamAssassin and rspamd scores 50/50.
+	// If only one filter ran (the other returns "" grade), use that filter's score alone.
+	var spamScore int
 	var spamGrade string
-	if results.SpamAssassin != nil {
-		spamScore, spamGrade = r.spamAnalyzer.CalculateSpamAssassinScore(results.SpamAssassin)
+	switch {
+	case saGrade == "" && rspamdGrade == "":
+		spamScore = 0
+		spamGrade = ""
+	case saGrade == "":
+		spamScore = rspamdScore
+		spamGrade = rspamdGrade
+	case rspamdGrade == "":
+		spamScore = saScore
+		spamGrade = saGrade
+	default:
+		spamScore = (saScore + rspamdScore) / 2
+		spamGrade = MinGrade(saGrade, rspamdGrade)
 	}
 
-	report.Summary = &api.ScoreSummary{
+	report.Summary = &model.ScoreSummary{
 		DnsScore:            dnsScore,
-		DnsGrade:            api.ScoreSummaryDnsGrade(dnsGrade),
+		DnsGrade:            model.ScoreSummaryDnsGrade(dnsGrade),
 		AuthenticationScore: authScore,
-		AuthenticationGrade: api.ScoreSummaryAuthenticationGrade(authGrade),
+		AuthenticationGrade: model.ScoreSummaryAuthenticationGrade(authGrade),
 		BlacklistScore:      blacklistScore,
-		BlacklistGrade:      api.ScoreSummaryBlacklistGrade(blacklistGrade),
+		BlacklistGrade:      model.ScoreSummaryBlacklistGrade(MinGrade(blacklistGrade, whitelistGrade)),
 		ContentScore:        contentScore,
-		ContentGrade:        api.ScoreSummaryContentGrade(contentGrade),
+		ContentGrade:        model.ScoreSummaryContentGrade(contentGrade),
 		HeaderScore:         headerScore,
-		HeaderGrade:         api.ScoreSummaryHeaderGrade(headerGrade),
+		HeaderGrade:         model.ScoreSummaryHeaderGrade(headerGrade),
 		SpamScore:           spamScore,
-		SpamGrade:           api.ScoreSummarySpamGrade(spamGrade),
+		SpamGrade:           model.ScoreSummarySpamGrade(spamGrade),
 	}
 
 	// Add authentication results
@@ -177,9 +206,27 @@ func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResu
 		report.Blacklists = &results.RBL.Checks
 	}
 
-	// Add SpamAssassin result
+	// Add whitelist checks as a map of IP -> array of BlacklistCheck (informational only)
+	if results.DNSWL != nil && len(results.DNSWL.Checks) > 0 {
+		report.Whitelists = &results.DNSWL.Checks
+	}
+
+	// Add SpamAssassin result with individual deliverability score
+	if results.SpamAssassin != nil {
+		saGradeTyped := model.SpamAssassinResultDeliverabilityGrade(saGrade)
+		results.SpamAssassin.DeliverabilityScore = utils.PtrTo(saScore)
+		results.SpamAssassin.DeliverabilityGrade = &saGradeTyped
+	}
 	report.Spamassassin = results.SpamAssassin
 
+	// Add rspamd result with individual deliverability score
+	if results.Rspamd != nil {
+		rspamdGradeTyped := model.RspamdResultDeliverabilityGrade(rspamdGrade)
+		results.Rspamd.DeliverabilityScore = utils.PtrTo(rspamdScore)
+		results.Rspamd.DeliverabilityGrade = &rspamdGradeTyped
+	}
+	report.Rspamd = results.Rspamd
+
 	// Add raw headers
 	if results.Email != nil && results.Email.RawHeaders != "" {
 		report.RawHeaders = &results.Email.RawHeaders
@@ -241,7 +288,7 @@ func (r *ReportGenerator) GenerateReport(testID uuid.UUID, results *AnalysisResu
 		}
 
 		if minusGrade < 255 {
-			report.Grade = api.ReportGrade(string([]byte{'A' + minusGrade}))
+			report.Grade = model.ReportGrade(string([]byte{'A' + minusGrade}))
 		}
 	}
 

pkg/analyzer/report_test.go

@@ -32,7 +32,7 @@ import (
 )
 
 func TestNewReportGenerator(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 	if gen == nil {
 		t.Fatal("Expected report generator, got nil")
 	}
@@ -55,7 +55,7 @@ func TestNewReportGenerator(t *testing.T) {
 }
 
 func TestAnalyzeEmail(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 
 	email := createTestEmail()
 
@@ -75,7 +75,7 @@ func TestAnalyzeEmail(t *testing.T) {
 }
 
 func TestGenerateReport(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 	testID := uuid.New()
 
 	email := createTestEmail()
@@ -130,7 +130,7 @@ func TestGenerateReport(t *testing.T) {
 }
 
 func TestGenerateReportWithSpamAssassin(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 	testID := uuid.New()
 
 	email := createTestEmailWithSpamAssassin()
@@ -150,7 +150,7 @@ func TestGenerateReportWithSpamAssassin(t *testing.T) {
 }
 
 func TestGenerateRawEmail(t *testing.T) {
-	gen := NewReportGenerator(10*time.Second, 10*time.Second, DefaultRBLs, false)
+	gen := NewReportGenerator("", 10*time.Second, 10*time.Second, DefaultRBLs, DefaultDNSWLs, false, "")
 
 	tests := []struct {
 		name     string

pkg/analyzer/rspamd-symbols-README.md

@@ -0,0 +1,21 @@
+# rspamd-symbols.json
+
+This file contains rspamd symbol descriptions, embedded into the binary at compile time as a fallback when no rspamd API URL is configured.
+
+## How to update
+
+Fetch the latest symbols from a running rspamd instance:
+
+```sh
+curl http://127.0.0.1:11334/symbols > rspamd-symbols.json
+```
+
+Or with docker:
+
+```sh
+docker run --rm --name rspamd --pull always rspamd/rspamd
+docker exec -u 0 rspamd apt install -y curl
+docker exec rspamd curl http://127.0.0.1:11334/symbols > rspamd-symbols.json
+```
+
+Then rebuild the project.

pkg/analyzer/rspamd.go

@@ -0,0 +1,174 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package analyzer
+
+import (
+	"math"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"git.happydns.org/happyDeliver/internal/model"
+)
+
+// Default rspamd action thresholds (rspamd built-in defaults)
+const (
+	rspamdDefaultRejectThreshold    float32 = 15
+	rspamdDefaultAddHeaderThreshold float32 = 6
+)
+
+// RspamdAnalyzer analyzes rspamd results from email headers
+type RspamdAnalyzer struct {
+	symbols map[string]string
+}
+
+// NewRspamdAnalyzer creates a new rspamd analyzer with optional symbol descriptions
+func NewRspamdAnalyzer(symbols map[string]string) *RspamdAnalyzer {
+	return &RspamdAnalyzer{symbols: symbols}
+}
+
+// AnalyzeRspamd extracts and analyzes rspamd results from email headers
+func (a *RspamdAnalyzer) AnalyzeRspamd(email *EmailMessage) *model.RspamdResult {
+	headers := email.GetRspamdHeaders()
+	if len(headers) == 0 {
+		return nil
+	}
+
+	// Require at least X-Spamd-Result or X-Rspamd-Score to produce a meaningful report
+	_, hasSpamdResult := headers["X-Spamd-Result"]
+	_, hasRspamdScore := headers["X-Rspamd-Score"]
+	if !hasSpamdResult && !hasRspamdScore {
+		return nil
+	}
+
+	result := &model.RspamdResult{
+		Symbols: make(map[string]model.SpamTestDetail),
+	}
+
+	// Parse X-Spamd-Result header (primary source for score, threshold, and symbols)
+	// Format: "default: False [-3.91 / 15.00];\n\tSYMBOL(score)[params]; ..."
+	if spamdResult, ok := headers["X-Spamd-Result"]; ok {
+		report := strings.ReplaceAll(spamdResult, "; ", ";\n")
+		result.Report = &report
+		a.parseSpamdResult(spamdResult, result)
+	}
+
+	// Parse X-Rspamd-Score as override/fallback for score
+	if scoreHeader, ok := headers["X-Rspamd-Score"]; ok {
+		if score, err := strconv.ParseFloat(strings.TrimSpace(scoreHeader), 64); err == nil {
+			result.Score = float32(score)
+		}
+	}
+
+	// Parse X-Rspamd-Server
+	if serverHeader, ok := headers["X-Rspamd-Server"]; ok {
+		server := strings.TrimSpace(serverHeader)
+		result.Server = &server
+	}
+
+	// Populate symbol descriptions from the lookup map
+	if a.symbols != nil {
+		for name, sym := range result.Symbols {
+			if desc, ok := a.symbols[name]; ok {
+				sym.Description = &desc
+				result.Symbols[name] = sym
+			}
+		}
+	}
+
+	// Derive IsSpam from score vs reject threshold.
+	if result.Threshold > 0 {
+		result.IsSpam = result.Score >= result.Threshold
+	} else {
+		result.IsSpam = result.Score >= rspamdDefaultAddHeaderThreshold
+	}
+
+	return result
+}
+
+// parseSpamdResult parses the X-Spamd-Result header
+// Format: "default: False [-3.91 / 15.00];\n\tSYMBOL(score)[params]; ..."
+func (a *RspamdAnalyzer) parseSpamdResult(header string, result *model.RspamdResult) {
+	// Extract score and threshold from the first line
+	// e.g. "default: False [-3.91 / 15.00]"
+	scoreRe := regexp.MustCompile(`\[\s*(-?\d+\.?\d*)\s*/\s*(-?\d+\.?\d*)\s*\]`)
+	if matches := scoreRe.FindStringSubmatch(header); len(matches) > 2 {
+		if score, err := strconv.ParseFloat(matches[1], 64); err == nil {
+			result.Score = float32(score)
+		}
+		if threshold, err := strconv.ParseFloat(matches[2], 64); err == nil {
+			result.Threshold = float32(threshold)
+
+			// No threshold? use default AddHeaderThreshold
+			if result.Threshold <= 0 {
+				result.Threshold = rspamdDefaultAddHeaderThreshold
+			}
+		}
+	}
+
+	// Parse is_spam from header (before we may get action from X-Rspamd-Action)
+	firstLine := strings.SplitN(header, ";", 2)[0]
+	if strings.Contains(firstLine, ": True") || strings.Contains(firstLine, ": true") {
+		result.IsSpam = true
+	}
+
+	// Parse symbols: SYMBOL(score)[params]
+	// Each symbol entry is separated by ";", so within each part we use a
+	// greedy match to capture params that may contain nested brackets.
+	symbolRe := regexp.MustCompile(`(\w+)\((-?\d+\.?\d*)\)(?:\[(.*)\])?`)
+	for _, part := range strings.Split(header, ";") {
+		part = strings.TrimSpace(part)
+		matches := symbolRe.FindStringSubmatch(part)
+		if len(matches) > 2 {
+			name := matches[1]
+			score, _ := strconv.ParseFloat(matches[2], 64)
+			sym := model.SpamTestDetail{
+				Name:  name,
+				Score: float32(score),
+			}
+			if len(matches) > 3 && matches[3] != "" {
+				params := matches[3]
+				sym.Params = &params
+			}
+			result.Symbols[name] = sym
+		}
+	}
+}
+
+// CalculateRspamdScore calculates the rspamd contribution to deliverability (0-100 scale)
+func (a *RspamdAnalyzer) CalculateRspamdScore(result *model.RspamdResult) (int, string) {
+	if result == nil {
+		return 100, "" // rspamd not installed
+	}
+
+	threshold := result.Threshold
+	percentage := 100 - int(math.Round(float64(result.Score*100/(2*threshold))))
+
+	if percentage > 100 {
+		return 100, "A+"
+	} else if percentage < 0 {
+		return 0, "F"
+	}
+
+	// Linear scale between 0 and threshold
+	return percentage, ScoreToGrade(percentage)
+}

pkg/analyzer/rspamd_symbols.go

@@ -0,0 +1,105 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package analyzer
+
+import (
+	_ "embed"
+	"encoding/json"
+	"io"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+)
+
+//go:embed rspamd-symbols.json
+var embeddedRspamdSymbols []byte
+
+// rspamdSymbolGroup represents a group of rspamd symbols from the API/embedded JSON.
+type rspamdSymbolGroup struct {
+	Group string              `json:"group"`
+	Rules []rspamdSymbolEntry `json:"rules"`
+}
+
+// rspamdSymbolEntry represents a single rspamd symbol entry.
+type rspamdSymbolEntry struct {
+	Symbol      string  `json:"symbol"`
+	Description string  `json:"description"`
+	Weight      float64 `json:"weight"`
+}
+
+// parseRspamdSymbolsJSON parses the rspamd symbols JSON into a name->description map.
+func parseRspamdSymbolsJSON(data []byte) map[string]string {
+	var groups []rspamdSymbolGroup
+	if err := json.Unmarshal(data, &groups); err != nil {
+		log.Printf("Failed to parse rspamd symbols JSON: %v", err)
+		return nil
+	}
+
+	symbols := make(map[string]string, len(groups)*10)
+	for _, g := range groups {
+		for _, r := range g.Rules {
+			if r.Description != "" {
+				symbols[r.Symbol] = r.Description
+			}
+		}
+	}
+	return symbols
+}
+
+// LoadRspamdSymbols loads rspamd symbol descriptions.
+// If apiURL is non-empty, it fetches from the rspamd API first, falling back to the embedded list on error.
+func LoadRspamdSymbols(apiURL string) map[string]string {
+	if apiURL != "" {
+		if symbols := fetchRspamdSymbols(apiURL); symbols != nil {
+			return symbols
+		}
+		log.Printf("Failed to fetch rspamd symbols from %s, using embedded list", apiURL)
+	}
+	return parseRspamdSymbolsJSON(embeddedRspamdSymbols)
+}
+
+// fetchRspamdSymbols fetches symbol descriptions from the rspamd API.
+func fetchRspamdSymbols(apiURL string) map[string]string {
+	url := strings.TrimRight(apiURL, "/") + "/symbols"
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Get(url)
+	if err != nil {
+		log.Printf("Error fetching rspamd symbols: %v", err)
+		return nil
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		log.Printf("rspamd API returned status %d", resp.StatusCode)
+		return nil
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Printf("Error reading rspamd symbols response: %v", err)
+		return nil
+	}
+
+	return parseRspamdSymbolsJSON(body)
+}

pkg/analyzer/rspamd_test.go

@@ -0,0 +1,414 @@
+// This file is part of the happyDeliver (R) project.
+// Copyright (c) 2026 happyDomain
+// Authors: Pierre-Olivier Mercier, et al.
+//
+// This program is offered under a commercial and under the AGPL license.
+// For commercial licensing, contact us at <contact@happydomain.org>.
+//
+// For AGPL licensing:
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package analyzer
+
+import (
+	"bytes"
+	"net/mail"
+	"testing"
+
+	"git.happydns.org/happyDeliver/internal/model"
+)
+
+func TestAnalyzeRspamdNoHeaders(t *testing.T) {
+	analyzer := NewRspamdAnalyzer(nil)
+	email := &EmailMessage{Header: make(mail.Header)}
+
+	result := analyzer.AnalyzeRspamd(email)
+
+	if result != nil {
+		t.Errorf("Expected nil for email without rspamd headers, got %+v", result)
+	}
+}
+
+func TestParseSpamdResult(t *testing.T) {
+	tests := []struct {
+		name               string
+		header             string
+		expectedScore      float32
+		expectedThreshold  float32
+		expectedIsSpam     bool
+		expectedSymbols    map[string]float32
+		expectedSymParams  map[string]string
+	}{
+		{
+			name:              "Clean email negative score",
+			header:            "default: False [-3.91 / 15.00];\n\tDATE_IN_PAST(0.10); ALL_TRUSTED(-1.00)[trusted]",
+			expectedScore:     -3.91,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+			expectedSymbols: map[string]float32{
+				"DATE_IN_PAST": 0.10,
+				"ALL_TRUSTED":  -1.00,
+			},
+			expectedSymParams: map[string]string{
+				"ALL_TRUSTED": "trusted",
+			},
+		},
+		{
+			name:              "Spam email True flag",
+			header:            "default: True [16.50 / 15.00];\n\tBAYES_99(5.00)[1.00]; SPOOFED_SENDER(3.50)",
+			expectedScore:     16.50,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    true,
+			expectedSymbols: map[string]float32{
+				"BAYES_99":        5.00,
+				"SPOOFED_SENDER":  3.50,
+			},
+			expectedSymParams: map[string]string{
+				"BAYES_99": "1.00",
+			},
+		},
+		{
+			name:              "Zero threshold uses default",
+			header:            "default: False [1.00 / 0.00]",
+			expectedScore:     1.00,
+			expectedThreshold: rspamdDefaultAddHeaderThreshold,
+			expectedIsSpam:    false,
+			expectedSymbols:   map[string]float32{},
+		},
+		{
+			name:              "Symbol without params",
+			header:            "default: False [2.00 / 15.00];\n\tMISSING_DATE(1.00)",
+			expectedScore:     2.00,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+			expectedSymbols: map[string]float32{
+				"MISSING_DATE": 1.00,
+			},
+		},
+		{
+			name:              "Case-insensitive true flag",
+			header:            "default: true [8.00 / 6.00]",
+			expectedScore:     8.00,
+			expectedThreshold: 6.00,
+			expectedIsSpam:    true,
+			expectedSymbols:   map[string]float32{},
+		},
+		{
+			name: "Zero threshold with symbols containing nested brackets in params",
+			header: "default: False [0.90 / 0.00];\n" +
+				"\tARC_REJECT(1.00)[cannot verify 1 of 1 signatures: {[1] = sig:mail-tester.local:signature has incorrect length: 12}];\n" +
+				"\tMIME_GOOD(-0.10)[multipart/alternative,text/plain];\n" +
+				"\tMIME_TRACE(0.00)[0:+,1:+,2:~]",
+			expectedScore:     0.90,
+			expectedThreshold: rspamdDefaultAddHeaderThreshold,
+			expectedIsSpam:    false,
+			expectedSymbols: map[string]float32{
+				"ARC_REJECT": 1.00,
+				"MIME_GOOD":  -0.10,
+				"MIME_TRACE": 0.00,
+			},
+			expectedSymParams: map[string]string{
+				"ARC_REJECT": "cannot verify 1 of 1 signatures: {[1] = sig:mail-tester.local:signature has incorrect length: 12}",
+				"MIME_GOOD":  "multipart/alternative,text/plain",
+				"MIME_TRACE": "0:+,1:+,2:~",
+			},
+		},
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := &model.RspamdResult{
+				Symbols: make(map[string]model.SpamTestDetail),
+			}
+			analyzer.parseSpamdResult(tt.header, result)
+
+			if result.Score != tt.expectedScore {
+				t.Errorf("Score = %v, want %v", result.Score, tt.expectedScore)
+			}
+			if result.Threshold != tt.expectedThreshold {
+				t.Errorf("Threshold = %v, want %v", result.Threshold, tt.expectedThreshold)
+			}
+			if result.IsSpam != tt.expectedIsSpam {
+				t.Errorf("IsSpam = %v, want %v", result.IsSpam, tt.expectedIsSpam)
+			}
+			for symName, expectedScore := range tt.expectedSymbols {
+				sym, ok := result.Symbols[symName]
+				if !ok {
+					t.Errorf("Symbol %s not found", symName)
+					continue
+				}
+				if sym.Score != expectedScore {
+					t.Errorf("Symbol %s score = %v, want %v", symName, sym.Score, expectedScore)
+				}
+			}
+			for symName, expectedParam := range tt.expectedSymParams {
+				sym, ok := result.Symbols[symName]
+				if !ok {
+					t.Errorf("Symbol %s not found for params check", symName)
+					continue
+				}
+				if sym.Params == nil {
+					t.Errorf("Symbol %s params = nil, want %q", symName, expectedParam)
+				} else if *sym.Params != expectedParam {
+					t.Errorf("Symbol %s params = %q, want %q", symName, *sym.Params, expectedParam)
+				}
+			}
+		})
+	}
+}
+
+func TestAnalyzeRspamd(t *testing.T) {
+	tests := []struct {
+		name              string
+		headers           map[string]string
+		expectedScore     float32
+		expectedThreshold float32
+		expectedIsSpam    bool
+		expectedServer    *string
+		expectedSymCount  int
+	}{
+		{
+			name: "Full headers clean email",
+			headers: map[string]string{
+				"X-Spamd-Result": "default: False [-3.91 / 15.00];\n\tALL_TRUSTED(-1.00)[local]",
+				"X-Rspamd-Score": "-3.91",
+				"X-Rspamd-Server": "mail.example.com",
+			},
+			expectedScore:     -3.91,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+			expectedServer:    func() *string { s := "mail.example.com"; return &s }(),
+			expectedSymCount:  1,
+		},
+		{
+			name: "X-Rspamd-Score overrides spamd result score",
+			headers: map[string]string{
+				"X-Spamd-Result": "default: False [2.00 / 15.00]",
+				"X-Rspamd-Score": "3.50",
+			},
+			expectedScore:     3.50,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    false,
+		},
+		{
+			name: "Spam email above threshold",
+			headers: map[string]string{
+				"X-Spamd-Result": "default: True [16.00 / 15.00];\n\tBAYES_99(5.00)",
+				"X-Rspamd-Score": "16.00",
+			},
+			expectedScore:     16.00,
+			expectedThreshold: 15.00,
+			expectedIsSpam:    true,
+			expectedSymCount:  1,
+		},
+		{
+			name: "No X-Spamd-Result, only X-Rspamd-Score below default threshold",
+			headers: map[string]string{
+				"X-Rspamd-Score": "2.00",
+			},
+			expectedScore:  2.00,
+			expectedIsSpam: false,
+		},
+		{
+			name: "No X-Spamd-Result, X-Rspamd-Score above default add-header threshold",
+			headers: map[string]string{
+				"X-Rspamd-Score": "7.00",
+			},
+			expectedScore:  7.00,
+			expectedIsSpam: true,
+		},
+		{
+			name: "Server header is trimmed",
+			headers: map[string]string{
+				"X-Rspamd-Score":  "1.00",
+				"X-Rspamd-Server": "  rspamd-01  ",
+			},
+			expectedScore:  1.00,
+			expectedServer: func() *string { s := "rspamd-01"; return &s }(),
+		},
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			email := &EmailMessage{Header: make(mail.Header)}
+			for k, v := range tt.headers {
+				email.Header[k] = []string{v}
+			}
+
+			result := analyzer.AnalyzeRspamd(email)
+
+			if result == nil {
+				t.Fatal("Expected non-nil result")
+			}
+			if result.Score != tt.expectedScore {
+				t.Errorf("Score = %v, want %v", result.Score, tt.expectedScore)
+			}
+			if tt.expectedThreshold > 0 && result.Threshold != tt.expectedThreshold {
+				t.Errorf("Threshold = %v, want %v", result.Threshold, tt.expectedThreshold)
+			}
+			if result.IsSpam != tt.expectedIsSpam {
+				t.Errorf("IsSpam = %v, want %v", result.IsSpam, tt.expectedIsSpam)
+			}
+			if tt.expectedServer != nil {
+				if result.Server == nil {
+					t.Errorf("Server = nil, want %q", *tt.expectedServer)
+				} else if *result.Server != *tt.expectedServer {
+					t.Errorf("Server = %q, want %q", *result.Server, *tt.expectedServer)
+				}
+			}
+			if tt.expectedSymCount > 0 && len(result.Symbols) != tt.expectedSymCount {
+				t.Errorf("Symbol count = %d, want %d", len(result.Symbols), tt.expectedSymCount)
+			}
+		})
+	}
+}
+
+func TestCalculateRspamdScore(t *testing.T) {
+	tests := []struct {
+		name          string
+		result        *model.RspamdResult
+		expectedScore int
+		expectedGrade string
+	}{
+		{
+			name:          "Nil result (rspamd not installed)",
+			result:        nil,
+			expectedScore: 100,
+			expectedGrade: "",
+		},
+		{
+			name: "Score well below threshold",
+			result: &model.RspamdResult{
+				Score:     -3.91,
+				Threshold: 15.00,
+			},
+			expectedScore: 100,
+			expectedGrade: "A+",
+		},
+		{
+			name: "Score at zero",
+			result: &model.RspamdResult{
+				Score:     0,
+				Threshold: 15.00,
+			},
+			// 100 - round(0*100/30) = 100 → hits ScoreToGrade(100) = "A"
+			expectedScore: 100,
+			expectedGrade: "A",
+		},
+		{
+			name: "Score at threshold (half of 2*threshold)",
+			result: &model.RspamdResult{
+				Score:     15.00,
+				Threshold: 15.00,
+			},
+			// 100 - round(15*100/(2*15)) = 100 - 50 = 50
+			expectedScore: 50,
+		},
+		{
+			name: "Score above 2*threshold",
+			result: &model.RspamdResult{
+				Score:     31.00,
+				Threshold: 15.00,
+			},
+			expectedScore: 0,
+			expectedGrade: "F",
+		},
+		{
+			name: "Score exactly at 2*threshold",
+			result: &model.RspamdResult{
+				Score:     30.00,
+				Threshold: 15.00,
+			},
+			// 100 - round(30*100/30) = 100 - 100 = 0
+			expectedScore: 0,
+			expectedGrade: "F",
+		},
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			score, grade := analyzer.CalculateRspamdScore(tt.result)
+
+			if score != tt.expectedScore {
+				t.Errorf("Score = %d, want %d", score, tt.expectedScore)
+			}
+			if tt.expectedGrade != "" && grade != tt.expectedGrade {
+				t.Errorf("Grade = %q, want %q", grade, tt.expectedGrade)
+			}
+		})
+	}
+}
+
+const sampleEmailWithRspamdHeaders = `X-Spamd-Result: default: False [-3.91 / 15.00];
+	BAYES_HAM(-3.00)[99%];
+	RCVD_IN_DNSWL_MED(-0.01)[1.2.3.4:from];
+	R_DKIM_ALLOW(-0.20)[example.com:s=dkim];
+	FROM_HAS_DN(0.00)[];
+	MIME_GOOD(-0.10)[text/plain];
+X-Rspamd-Score: -3.91
+X-Rspamd-Server: rspamd-01.example.com
+Date: Mon, 09 Mar 2026 10:00:00 +0000
+From: sender@example.com
+To: test@happydomain.org
+Subject: Test email
+Message-ID: <test123@example.com>
+MIME-Version: 1.0
+Content-Type: text/plain
+
+Hello world`
+
+func TestAnalyzeRspamdRealEmail(t *testing.T) {
+	email, err := ParseEmail(bytes.NewBufferString(sampleEmailWithRspamdHeaders))
+	if err != nil {
+		t.Fatalf("Failed to parse email: %v", err)
+	}
+
+	analyzer := NewRspamdAnalyzer(nil)
+	result := analyzer.AnalyzeRspamd(email)
+
+	if result == nil {
+		t.Fatal("Expected non-nil result")
+	}
+	if result.IsSpam {
+		t.Error("Expected IsSpam=false")
+	}
+	if result.Score != -3.91 {
+		t.Errorf("Score = %v, want -3.91", result.Score)
+	}
+	if result.Threshold != 15.00 {
+		t.Errorf("Threshold = %v, want 15.00", result.Threshold)
+	}
+	if result.Server == nil || *result.Server != "rspamd-01.example.com" {
+		t.Errorf("Server = %v, want \"rspamd-01.example.com\"", result.Server)
+	}
+
+	expectedSymbols := []string{"BAYES_HAM", "RCVD_IN_DNSWL_MED", "R_DKIM_ALLOW", "FROM_HAS_DN", "MIME_GOOD"}
+	for _, sym := range expectedSymbols {
+		if _, ok := result.Symbols[sym]; !ok {
+			t.Errorf("Symbol %s not found", sym)
+		}
+	}
+
+	score, _ := analyzer.CalculateRspamdScore(result)
+	if score != 100 {
+		t.Errorf("CalculateRspamdScore = %d, want 100", score)
+	}
+}
+

pkg/analyzer/scoring.go

@@ -22,7 +22,7 @@
 package analyzer
 
 import (
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
 )
 
 // ScoreToGrade converts a percentage score (0-100) to a letter grade
@@ -45,7 +45,57 @@ func ScoreToGrade(score int) string {
 	}
 }
 
-// ScoreToReportGrade converts a percentage score to an api.ReportGrade
-func ScoreToReportGrade(score int) api.ReportGrade {
-	return api.ReportGrade(ScoreToGrade(score))
+// ScoreToGradeKind converts a percentage score (0-100) to a letter grade, be kind in gradation
+func ScoreToGradeKind(score int) string {
+	switch {
+	case score > 100:
+		return "A+"
+	case score >= 90:
+		return "A"
+	case score >= 80:
+		return "B"
+	case score >= 60:
+		return "C"
+	case score >= 45:
+		return "D"
+	case score >= 30:
+		return "E"
+	default:
+		return "F"
+	}
+}
+
+// ScoreToReportGrade converts a percentage score to an model.ReportGrade
+func ScoreToReportGrade(score int) model.ReportGrade {
+	return model.ReportGrade(ScoreToGrade(score))
+}
+
+// gradeRank returns a numeric rank for a grade (lower = worse)
+func gradeRank(grade string) int {
+	switch grade {
+	case "A++":
+		return 7
+	case "A+":
+		return 6
+	case "A":
+		return 5
+	case "B":
+		return 4
+	case "C":
+		return 3
+	case "D":
+		return 2
+	case "E":
+		return 1
+	default:
+		return 0
+	}
+}
+
+// MinGrade returns the minimal (worse) grade between the two given grades
+func MinGrade(a, b string) string {
+	if gradeRank(a) <= gradeRank(b) {
+		return a
+	}
+	return b
 }

pkg/analyzer/spamassassin.go

@@ -27,7 +27,8 @@ import (
 	"strconv"
 	"strings"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 // SpamAssassinAnalyzer analyzes SpamAssassin results from email headers
@@ -39,18 +40,26 @@ func NewSpamAssassinAnalyzer() *SpamAssassinAnalyzer {
 }
 
 // AnalyzeSpamAssassin extracts and analyzes SpamAssassin results from email headers
-func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *api.SpamAssassinResult {
+func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *model.SpamAssassinResult {
 	headers := email.GetSpamAssassinHeaders()
 	if len(headers) == 0 {
 		return nil
 	}
 
-	result := &api.SpamAssassinResult{
-		TestDetails: make(map[string]api.SpamTestDetail),
+	// Require at least X-Spam-Status, X-Spam-Score, or X-Spam-Flag to produce a meaningful report
+	_, hasStatus := headers["X-Spam-Status"]
+	_, hasScore := headers["X-Spam-Score"]
+	_, hasFlag := headers["X-Spam-Flag"]
+	if !hasStatus && !hasScore && !hasFlag {
+		return nil
+	}
+
+	result := &model.SpamAssassinResult{
+		TestDetails: make(map[string]model.SpamTestDetail),
 	}
 
 	// Parse X-Spam-Status header
-	if statusHeader, ok := headers["X-Spam-Status"]; ok {
+	if statusHeader, ok := headers["X-Spam-Status"]; ok && statusHeader != "" {
 		a.parseSpamStatus(statusHeader, result)
 	}
 
@@ -68,13 +77,13 @@ func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *api.Spa
 
 	// Parse X-Spam-Report header for detailed test results
 	if reportHeader, ok := headers["X-Spam-Report"]; ok {
-		result.Report = api.PtrTo(strings.Replace(reportHeader, " * ", "\n* ", -1))
+		result.Report = utils.PtrTo(strings.Replace(reportHeader, " * ", "\n* ", -1))
 		a.parseSpamReport(reportHeader, result)
 	}
 
 	// Parse X-Spam-Checker-Version
 	if versionHeader, ok := headers["X-Spam-Checker-Version"]; ok {
-		result.Version = api.PtrTo(strings.TrimSpace(versionHeader))
+		result.Version = utils.PtrTo(strings.TrimSpace(versionHeader))
 	}
 
 	return result
@@ -82,7 +91,7 @@ func (a *SpamAssassinAnalyzer) AnalyzeSpamAssassin(email *EmailMessage) *api.Spa
 
 // parseSpamStatus parses the X-Spam-Status header
 // Format: Yes/No, score=5.5 required=5.0 tests=TEST1,TEST2,TEST3 autolearn=no
-func (a *SpamAssassinAnalyzer) parseSpamStatus(header string, result *api.SpamAssassinResult) {
+func (a *SpamAssassinAnalyzer) parseSpamStatus(header string, result *model.SpamAssassinResult) {
 	// Check if spam (first word)
 	parts := strings.SplitN(header, ",", 2)
 	if len(parts) > 0 {
@@ -126,7 +135,7 @@ func (a *SpamAssassinAnalyzer) parseSpamStatus(header string, result *api.SpamAs
 // *  0.0 TEST_NAME Description line 1
 // *      continuation line 2
 // *      continuation line 3
-func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAssassinResult) {
+func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *model.SpamAssassinResult) {
 	segments := strings.Split(report, "*")
 
 	// Regex to match test lines: score TEST_NAME Description
@@ -148,7 +157,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 			// Save previous test if exists
 			if currentTestName != "" {
 				description := strings.TrimSpace(currentDescription.String())
-				detail := api.SpamTestDetail{
+				detail := model.SpamTestDetail{
 					Name:        currentTestName,
 					Score:       result.TestDetails[currentTestName].Score,
 					Description: &description,
@@ -166,7 +175,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 			currentDescription.WriteString(description)
 
 			// Initialize with score
-			result.TestDetails[testName] = api.SpamTestDetail{
+			result.TestDetails[testName] = model.SpamTestDetail{
 				Name:  testName,
 				Score: float32(score),
 			}
@@ -183,7 +192,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 	// Save the last test if exists
 	if currentTestName != "" {
 		description := strings.TrimSpace(currentDescription.String())
-		detail := api.SpamTestDetail{
+		detail := model.SpamTestDetail{
 			Name:        currentTestName,
 			Score:       result.TestDetails[currentTestName].Score,
 			Description: &description,
@@ -193,7 +202,7 @@ func (a *SpamAssassinAnalyzer) parseSpamReport(report string, result *api.SpamAs
 }
 
 // CalculateSpamAssassinScore calculates the SpamAssassin contribution to deliverability
-func (a *SpamAssassinAnalyzer) CalculateSpamAssassinScore(result *api.SpamAssassinResult) (int, string) {
+func (a *SpamAssassinAnalyzer) CalculateSpamAssassinScore(result *model.SpamAssassinResult) (int, string) {
 	if result == nil {
 		return 100, "" // No spam scan results, assume good
 	}

pkg/analyzer/spamassassin_test.go

@@ -27,7 +27,8 @@ import (
 	"strings"
 	"testing"
 
-	"git.happydns.org/happyDeliver/internal/api"
+	"git.happydns.org/happyDeliver/internal/model"
+	"git.happydns.org/happyDeliver/internal/utils"
 )
 
 func TestParseSpamStatus(t *testing.T) {
@@ -77,8 +78,8 @@ func TestParseSpamStatus(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := &api.SpamAssassinResult{
-				TestDetails: make(map[string]api.SpamTestDetail),
+			result := &model.SpamAssassinResult{
+				TestDetails: make(map[string]model.SpamTestDetail),
 			}
 			analyzer.parseSpamStatus(tt.header, result)
 
@@ -115,27 +116,27 @@ func TestParseSpamReport(t *testing.T) {
 `
 
 	analyzer := NewSpamAssassinAnalyzer()
-	result := &api.SpamAssassinResult{
-		TestDetails: make(map[string]api.SpamTestDetail),
+	result := &model.SpamAssassinResult{
+		TestDetails: make(map[string]model.SpamTestDetail),
 	}
 
 	analyzer.parseSpamReport(report, result)
 
-	expectedTests := map[string]api.SpamTestDetail{
+	expectedTests := map[string]model.SpamTestDetail{
 		"BAYES_99": {
 			Name:        "BAYES_99",
 			Score:       5.0,
-			Description: api.PtrTo("Bayes spam probability is 99 to 100%"),
+			Description: utils.PtrTo("Bayes spam probability is 99 to 100%"),
 		},
 		"SPOOFED_SENDER": {
 			Name:        "SPOOFED_SENDER",
 			Score:       3.5,
-			Description: api.PtrTo("From address doesn't match envelope sender"),
+			Description: utils.PtrTo("From address doesn't match envelope sender"),
 		},
 		"ALL_TRUSTED": {
 			Name:        "ALL_TRUSTED",
 			Score:       -1.0,
-			Description: api.PtrTo("All mail servers are trusted"),
+			Description: utils.PtrTo("All mail servers are trusted"),
 		},
 	}
 
@@ -157,7 +158,7 @@ func TestParseSpamReport(t *testing.T) {
 func TestGetSpamAssassinScore(t *testing.T) {
 	tests := []struct {
 		name          string
-		result        *api.SpamAssassinResult
+		result        *model.SpamAssassinResult
 		expectedScore int
 		minScore      int
 		maxScore      int
@@ -169,7 +170,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Excellent score (negative)",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         -2.5,
 				RequiredScore: 5.0,
 			},
@@ -177,7 +178,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Good score (below threshold)",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         2.0,
 				RequiredScore: 5.0,
 			},
@@ -185,7 +186,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Score at threshold",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         5.0,
 				RequiredScore: 5.0,
 			},
@@ -193,7 +194,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Above threshold (spam)",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         6.0,
 				RequiredScore: 5.0,
 			},
@@ -201,7 +202,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "High spam score",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         12.0,
 				RequiredScore: 5.0,
 			},
@@ -209,7 +210,7 @@ func TestGetSpamAssassinScore(t *testing.T) {
 		},
 		{
 			name: "Very high spam score",
-			result: &api.SpamAssassinResult{
+			result: &model.SpamAssassinResult{
 				Score:         20.0,
 				RequiredScore: 5.0,
 			},

web/package.json

@@ -16,24 +16,24 @@
         "generate:api": "openapi-ts"
     },
     "devDependencies": {
-        "@eslint/compat": "^1.4.0",
-        "@eslint/js": "^9.36.0",
-        "@hey-api/openapi-ts": "0.86.4",
+        "@eslint/compat": "^2.0.0",
+        "@eslint/js": "^10.0.0",
+        "@hey-api/openapi-ts": "0.86.10",
         "@sveltejs/adapter-static": "^3.0.9",
         "@sveltejs/kit": "^2.43.2",
-        "@sveltejs/vite-plugin-svelte": "^6.2.0",
-        "@types/node": "^22",
-        "eslint": "^9.38.0",
+        "@sveltejs/vite-plugin-svelte": "^7.0.0",
+        "@types/node": "^24.0.0",
+        "eslint": "^10.0.0",
         "eslint-config-prettier": "^10.1.8",
         "eslint-plugin-svelte": "^3.12.4",
-        "globals": "^16.4.0",
+        "globals": "^17.0.0",
         "prettier": "^3.6.2",
         "prettier-plugin-svelte": "^3.4.0",
         "svelte": "^5.39.5",
         "svelte-check": "^4.3.2",
         "typescript": "^5.9.2",
         "typescript-eslint": "^8.44.1",
-        "vite": "^7.1.10",
+        "vite": "^8.0.0",
         "vitest": "^3.2.4"
     },
     "dependencies": {

web/routes.go

@@ -27,7 +27,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"net/url"
@@ -63,6 +62,18 @@ func DeclareRoutes(cfg *config.Config, router *gin.Engine) {
 		appConfig["survey_url"] = cfg.SurveyURL.String()
 	}
 
+	if len(cfg.Analysis.RBLs) > 0 {
+		appConfig["rbls"] = cfg.Analysis.RBLs
+	}
+
+	if cfg.CustomLogoURL != "" {
+		appConfig["custom_logo_url"] = cfg.CustomLogoURL
+	}
+
+	if !cfg.DisableTestList {
+		appConfig["test_list_enabled"] = true
+	}
+
 	if appcfg, err := json.MarshalIndent(appConfig, "", "  "); err != nil {
 		log.Println("Unable to generate JSON config to inject in web application")
 	} else {
@@ -82,6 +93,13 @@ func DeclareRoutes(cfg *config.Config, router *gin.Engine) {
 	router.GET("/_app/immutable/*_", func(c *gin.Context) { c.Writer.Header().Set("Cache-Control", "public, max-age=604800, immutable") }, serveOrReverse("", cfg))
 
 	router.GET("/", serveOrReverse("/", cfg))
+	router.GET("/blacklist/", serveOrReverse("/", cfg))
+	router.GET("/blacklist/:ip", serveOrReverse("/", cfg))
+	router.GET("/domain/", serveOrReverse("/", cfg))
+	router.GET("/domain/:domain", serveOrReverse("/", cfg))
+	router.GET("/test/", serveOrReverse("/", cfg))
+	router.GET("/test/:testid", serveOrReverse("/", cfg))
+	router.GET("/history/", serveOrReverse("/", cfg))
 	router.GET("/favicon.png", func(c *gin.Context) { c.Writer.Header().Set("Cache-Control", "public, max-age=604800, immutable") }, serveOrReverse("", cfg))
 	router.GET("/img/*path", serveOrReverse("", cfg))
 
@@ -130,7 +148,7 @@ func serveOrReverse(forced_url string, cfg *config.Config) gin.HandlerFunc {
 							}
 						}
 
-						v, _ := ioutil.ReadAll(resp.Body)
+						v, _ := io.ReadAll(resp.Body)
 
 						v2 := strings.Replace(strings.Replace(string(v), "</head>", `{{ .Head }}<meta property="og:url" content="{{ .RootURL }}"></head>`, 1), "</body>", "{{ .Body }}</body>", 1)
 
@@ -157,7 +175,7 @@ func serveOrReverse(forced_url string, cfg *config.Config) gin.HandlerFunc {
 			if indexTpl == nil {
 				// Create template from file
 				f, _ := Assets.Open("index.html")
-				v, _ := ioutil.ReadAll(f)
+				v, _ := io.ReadAll(f)
 
 				v2 := strings.Replace(strings.Replace(string(v), "</head>", `{{ .Head }}<meta property="og:url" content="{{ .RootURL }}"></head>`, 1), "</body>", "{{ .Body }}</body>", 1)
 

web/src/app.css

@@ -1,6 +1,9 @@
 :root {
     --bs-primary: #1cb487;
     --bs-primary-rgb: 28, 180, 135;
+    --bs-link-color-rgb: 28, 180, 135;
+    --bs-link-hover-color-rgb: 17, 112, 84;
+    --bs-tertiary-bg: #e7e8e8;
 }
 
 body {
@@ -8,6 +11,10 @@ body {
         -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
 }
 
+.bg-tertiary {
+    background-color: var(--bs-tertiary-bg);
+}
+
 /* Animations */
 @keyframes fadeIn {
     from {

web/src/lib/components/AuthenticationCard.svelte

@@ -13,13 +13,26 @@
 
     let { authentication, authenticationGrade, authenticationScore, dnsResults }: Props = $props();
 
+    let allRequiredMissing = $derived(
+        !authentication.spf &&
+            (!authentication.dkim || authentication.dkim.length === 0) &&
+            !authentication.dmarc,
+    );
+
     function getAuthResultClass(result: string, noneIsFail: boolean): string {
         switch (result) {
             case "pass":
+            case "domain_pass":
+            case "orgdomain_pass":
                 return "text-success";
+            case "permerror":
+            case "error":
             case "fail":
             case "missing":
             case "invalid":
+            case "null":
+            case "null_smtp":
+            case "null_header":
                 return "text-danger";
             case "softfail":
             case "neutral":
@@ -36,12 +49,19 @@
     function getAuthResultIcon(result: string, noneIsFail: boolean): string {
         switch (result) {
             case "pass":
+            case "domain_pass":
+            case "orgdomain_pass":
                 return "bi-check-circle-fill";
             case "fail":
                 return "bi-x-circle-fill";
             case "softfail":
             case "neutral":
             case "invalid":
+            case "null":
+            case "permerror":
+            case "error":
+            case "null_smtp":
+            case "null_header":
                 return "bi-exclamation-circle-fill";
             case "missing":
                 return "bi-dash-circle-fill";
@@ -83,280 +103,465 @@
             </span>
         </h4>
     </div>
+    {#if allRequiredMissing}
+        <div class="card-body border-bottom">
+            <div class="alert alert-warning mb-0">
+                <i class="bi bi-exclamation-triangle-fill me-2"></i>
+                <strong>No authentication results found.</strong>
+                <p class="mb-0 mt-1">
+                    This usually means either:
+                </p>
+                <ul class="mb-0 mt-1">
+                    <li>
+                        The receiving mail server is not configured to verify email authentication
+                        (no <code>Authentication-Results</code> header was found in the message).
+                    </li>
+                    <li>
+                        The <code>Authentication-Results</code> header exists but the receiver
+                        hostname does not match the configured
+                        <code>--receiver-hostname</code> value.
+                    </li>
+                </ul>
+            </div>
+        </div>
+    {/if}
     <div class="list-group list-group-flush">
-            <!-- IPREV -->
-            {#if authentication.iprev}
-                <div class="list-group-item" id="authentication-iprev">
-                    <div class="d-flex align-items-start">
-                        <i class="bi {getAuthResultIcon(authentication.iprev.result, true)} {getAuthResultClass(authentication.iprev.result, true)} me-2 fs-5"></i>
-                        <div>
-                            <strong>IP Reverse DNS</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass(authentication.iprev.result, true)}">
-                                {authentication.iprev.result}
-                            </span>
-                            {#if authentication.iprev.ip}
-                                <div class="small">
-                                    <strong>IP Address:</strong>
-                                    <span class="text-muted">{authentication.iprev.ip}</span>
-                                </div>
-                            {/if}
-                            {#if authentication.iprev.hostname}
-                                <div class="small">
-                                    <strong>Hostname:</strong>
-                                    <span class="text-muted">{authentication.iprev.hostname}</span>
-                                </div>
-                            {/if}
-                            {#if authentication.iprev.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.iprev.details}</pre>
-                            {/if}
-                        </div>
+        <!-- IPREV -->
+        {#if authentication.iprev}
+            <div class="list-group-item" id="authentication-iprev">
+                <div class="d-flex align-items-start">
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.iprev.result,
+                            true,
+                        )} {getAuthResultClass(authentication.iprev.result, true)} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>IP Reverse DNS</strong>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.iprev.result,
+                                true,
+                            )}"
+                        >
+                            {authentication.iprev.result}
+                        </span>
+                        {#if authentication.iprev.ip}
+                            <div class="small">
+                                <strong>IP Address:</strong>
+                                <span class="text-muted">{authentication.iprev.ip}</span>
+                            </div>
+                        {/if}
+                        {#if authentication.iprev.hostname}
+                            <div class="small">
+                                <strong>Hostname:</strong>
+                                <span class="text-muted">{authentication.iprev.hostname}</span>
+                            </div>
+                        {/if}
+                        {#if authentication.iprev.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.iprev.details}</pre>
+                        {/if}
                     </div>
                 </div>
-            {/if}
-
-            <!-- SPF (Required) -->
-            <div class="list-group-item">
-                <div class="d-flex align-items-start" id="authentication-spf">
-                    {#if authentication.spf}
-                        <i class="bi {getAuthResultIcon(authentication.spf.result, true)} {getAuthResultClass(authentication.spf.result, true)} me-2 fs-5"></i>
-                        <div>
-                            <strong>SPF</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass(authentication.spf.result, true)}">
-                                {authentication.spf.result}
-                            </span>
-                            {#if authentication.spf.domain}
-                                <div class="small">
-                                    <strong>Domain:</strong>
-                                    <span class="text-muted">{authentication.spf.domain}</span>
-                                </div>
-                            {/if}
-                            {#if authentication.spf.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.spf.details}</pre>
-                            {/if}
-                        </div>
-                    {:else}
-                        <i class="bi {getAuthResultIcon('missing', true)} {getAuthResultClass('missing', true)} me-2 fs-5"></i>
-                        <div>
-                            <strong>SPF</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass('missing', true)}">
-                                {getAuthResultText('missing')}
-                            </span>
-                            <div class="text-muted small">SPF record is required for proper email authentication</div>
-                        </div>
-                    {/if}
-                </div>
             </div>
+        {/if}
 
-            <!-- DKIM (Required) -->
-            <div class="list-group-item" id="authentication-dkim">
-                {#if authentication.dkim && authentication.dkim.length > 0}
-                    {#each authentication.dkim as dkim, i}
-                        <div class="d-flex align-items-start" class:mt-3={i > 0}>
-                            <i class="bi {getAuthResultIcon(dkim.result, true)} {getAuthResultClass(dkim.result, true)} me-2 fs-5"></i>
-                            <div>
-                                <strong>DKIM{authentication.dkim.length > 1 ? ` #${i + 1}` : ''}</strong>
-                                <span class="text-uppercase ms-2 {getAuthResultClass(dkim.result, true)}">
-                                    {dkim.result}
-                                </span>
-                                {#if dkim.domain}
-                                    <div class="small">
-                                        <strong>Domain:</strong>
-                                        <span class="text-muted">{dkim.domain}</span>
-                                    </div>
-                                {/if}
-                                {#if dkim.selector}
-                                    <div class="small">
-                                        <strong>Selector:</strong>
-                                        <span class="text-muted">{dkim.selector}</span>
-                                    </div>
-                                {/if}
-                                {#if dkim.details}
-                                    <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{dkim.details}</pre>
-                                {/if}
+        <!-- SPF (Required) -->
+        <div class="list-group-item">
+            <div class="d-flex align-items-start" id="authentication-spf">
+                {#if authentication.spf}
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.spf.result,
+                            true,
+                        )} {getAuthResultClass(authentication.spf.result, true)} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>SPF</strong>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.spf.result,
+                                true,
+                            )}"
+                        >
+                            {authentication.spf.result}
+                        </span>
+                        {#if authentication.spf.domain}
+                            <div class="small">
+                                <strong>Domain:</strong>
+                                <span class="text-muted">{authentication.spf.domain}</span>
                             </div>
-                        </div>
-                    {/each}
+                        {/if}
+                        {#if authentication.spf.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.spf.details}</pre>
+                        {/if}
+                    </div>
                 {:else}
-                    <div class="d-flex align-items-start">
-                        <i class="bi {getAuthResultIcon('missing', true)} {getAuthResultClass('missing', true)} me-2 fs-5"></i>
-                        <div>
-                            <strong>DKIM</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass('missing', true)}">
-                                {getAuthResultText('missing')}
-                            </span>
-                            <div class="text-muted small">DKIM signature is required for proper email authentication</div>
+                    <i
+                        class="bi {getAuthResultIcon('missing', true)} {getAuthResultClass(
+                            'missing',
+                            true,
+                        )} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>SPF</strong>
+                        <span class="text-uppercase ms-2 {getAuthResultClass('missing', true)}">
+                            {getAuthResultText("missing")}
+                        </span>
+                        <div class="text-muted small">
+                            SPF record is required for proper email authentication
                         </div>
                     </div>
                 {/if}
             </div>
+        </div>
 
-            <!-- X-Google-DKIM (Optional) -->
-            {#if authentication.x_google_dkim}
-                <div class="list-group-item" id="authentication-x-google-dkim">
-                    <div class="d-flex align-items-start">
-                        <i class="bi {getAuthResultIcon(authentication.x_google_dkim.result, false)} {getAuthResultClass(authentication.x_google_dkim.result, false)} me-2 fs-5"></i>
+        <!-- DKIM (Required) -->
+        <div class="list-group-item" id="authentication-dkim">
+            {#if authentication.dkim && authentication.dkim.length > 0}
+                {#each authentication.dkim as dkim, i}
+                    <div class="d-flex align-items-start" class:mt-3={i > 0}>
+                        <i
+                            class="bi {getAuthResultIcon(dkim.result, true)} {getAuthResultClass(
+                                dkim.result,
+                                true,
+                            )} me-2 fs-5"
+                        ></i>
                         <div>
-                            <strong>X-Google-DKIM</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass(authentication.x_google_dkim.result, false)}">
-                                {authentication.x_google_dkim.result}
+                            <strong>DKIM{authentication.dkim.length > 1 ? ` #${i + 1}` : ""}</strong
+                            >
+                            <span
+                                class="text-uppercase ms-2 {getAuthResultClass(dkim.result, true)}"
+                            >
+                                {dkim.result}
                             </span>
-                            {#if authentication.x_google_dkim.domain}
+                            {#if dkim.domain}
                                 <div class="small">
                                     <strong>Domain:</strong>
-                                    <span class="text-muted">{authentication.x_google_dkim.domain}</span>
+                                    <span class="text-muted">{dkim.domain}</span>
                                 </div>
                             {/if}
-                            {#if authentication.x_google_dkim.selector}
+                            {#if dkim.selector}
                                 <div class="small">
                                     <strong>Selector:</strong>
-                                    <span class="text-muted">{authentication.x_google_dkim.selector}</span>
+                                    <span class="text-muted">{dkim.selector}</span>
                                 </div>
                             {/if}
-                            {#if authentication.x_google_dkim.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.x_google_dkim.details}</pre>
+                            {#if dkim.details}
+                                <pre
+                                    class="p-2 mb-0 {$theme === 'light'
+                                        ? 'bg-light'
+                                        : 'bg-secondary'} text-muted small"
+                                    style="white-space: pre-wrap">{dkim.details}</pre>
                             {/if}
                         </div>
                     </div>
-                </div>
-            {/if}
-
-            <!-- X-Aligned-From (Disabled) -->
-            {#if authentication.x_aligned_from}
-                <div class="list-group-item" id="authentication-x-aligned-from">
-                    <div class="d-flex align-items-start">
-                        <i class="bi {getAuthResultIcon(authentication.x_aligned_from.result, false)} {getAuthResultClass(authentication.x_aligned_from.result, false)} me-2 fs-5"></i>
-                        <div>
-                            <strong>X-Aligned-From</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass(authentication.x_aligned_from.result, false)}">
-                                {authentication.x_aligned_from.result}
-                            </span>
-                            {#if authentication.x_aligned_from.domain}
-                                <div class="small">
-                                    <strong>Domain:</strong>
-                                    <span class="text-muted">{authentication.x_aligned_from.domain}</span>
-                                </div>
-                            {/if}
-                            {#if authentication.x_aligned_from.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.x_aligned_from.details}</pre>
-                            {/if}
-                        </div>
-                    </div>
-                </div>
-            {/if}
-
-            <!-- DMARC (Required) -->
-            <div class="list-group-item" id="authentication-dmarc">
+                {/each}
+            {:else}
                 <div class="d-flex align-items-start">
-                    {#if authentication.dmarc}
-                        <i class="bi {getAuthResultIcon(authentication.dmarc.result, true)} {getAuthResultClass(authentication.dmarc.result, true)} me-2 fs-5"></i>
-                        <div>
-                            <strong>DMARC</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass(authentication.dmarc.result, true)}">
-                                {authentication.dmarc.result}
-                            </span>
-                            {#if authentication.dmarc.domain}
-                                <div class="small">
-                                    <strong>Domain:</strong>
-                                    <span class="text-muted">{authentication.dmarc.domain}</span>
-                                </div>
-                            {/if}
-                            {#snippet DMARCPolicy(policy: string)}
-                                <div class="small">
-                                    <strong>Policy:</strong>
-                                    <span
-                                        class="fw-bold"
-                                        class:text-success={policy == "reject"}
-                                        class:text-warning={policy == "quarantine"}
-                                        class:text-danger={policy == "none"}
-                                        class:bg-warning={policy != "none" && policy != "quarantine" && policy != "reject"}
-                                    >
-                                        {policy}
-                                    </span>
-                                </div>
-                            {/snippet}
-                            {#if authentication.dmarc.result != "none"}
-                                {#if authentication.dmarc.details && authentication.dmarc.details.indexOf("policy.published-domain-policy=") > 0}
-                                    {@const policy = authentication.dmarc.details.replace(/^.*policy.published-domain-policy=([^\s]+).*$/, "$1")}
-                                    {@render DMARCPolicy(policy)}
-                                {:else if authentication.dmarc.domain && dnsResults?.dmarc_record?.policy}
-                                    {@render DMARCPolicy(dnsResults.dmarc_record.policy)}
-                                {/if}
-                            {/if}
-                            {#if authentication.dmarc.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.dmarc.details}</pre>
-                            {/if}
+                    <i
+                        class="bi {getAuthResultIcon('missing', true)} {getAuthResultClass(
+                            'missing',
+                            true,
+                        )} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>DKIM</strong>
+                        <span class="text-uppercase ms-2 {getAuthResultClass('missing', true)}">
+                            {getAuthResultText("missing")}
+                        </span>
+                        <div class="text-muted small">
+                            DKIM signature is required for proper email authentication
                         </div>
-                    {:else}
-                        <i class="bi {getAuthResultIcon('missing', true)} {getAuthResultClass('missing', true)} me-2 fs-5"></i>
-                        <div>
-                            <strong>DMARC</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass('missing', true)}">
-                                {getAuthResultText('missing')}
-                            </span>
-                            <div class="text-muted small">DMARC policy is required for proper email authentication</div>
-                        </div>
-                    {/if}
+                    </div>
+                </div>
+            {/if}
+        </div>
+
+        <!-- X-Google-DKIM (Optional) -->
+        {#if authentication.x_google_dkim}
+            <div class="list-group-item" id="authentication-x-google-dkim">
+                <div class="d-flex align-items-start">
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.x_google_dkim.result,
+                            false,
+                        )} {getAuthResultClass(
+                            authentication.x_google_dkim.result,
+                            false,
+                        )} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>X-Google-DKIM</strong>
+                        <i
+                            class="bi bi-info-circle text-muted ms-1"
+                            title="Google's internal DKIM signature for messages routed through Gmail infrastructure"
+                        ></i>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.x_google_dkim.result,
+                                false,
+                            )}"
+                        >
+                            {authentication.x_google_dkim.result}
+                        </span>
+                        {#if authentication.x_google_dkim.domain}
+                            <div class="small">
+                                <strong>Domain:</strong>
+                                <span class="text-muted">{authentication.x_google_dkim.domain}</span
+                                >
+                            </div>
+                        {/if}
+                        {#if authentication.x_google_dkim.selector}
+                            <div class="small">
+                                <strong>Selector:</strong>
+                                <span class="text-muted"
+                                    >{authentication.x_google_dkim.selector}</span
+                                >
+                            </div>
+                        {/if}
+                        {#if authentication.x_google_dkim.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.x_google_dkim
+                                    .details}</pre>
+                        {/if}
+                    </div>
                 </div>
             </div>
+        {/if}
 
-            <!-- BIMI (Optional) -->
-            <div class="list-group-item" id="authentication-bimi">
+        <!-- X-Aligned-From (Disabled) -->
+        {#if authentication.x_aligned_from}
+            <div class="list-group-item" id="authentication-x-aligned-from">
                 <div class="d-flex align-items-start">
-                    {#if authentication.bimi && authentication.bimi.result != "none"}
-                        <i class="bi {getAuthResultIcon(authentication.bimi.result, false)} {getAuthResultClass(authentication.bimi.result, false)} me-2 fs-5"></i>
-                        <div>
-                            <strong>BIMI</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass(authentication.bimi.result, false)}">
-                                {authentication.bimi.result}
-                            </span>
-                            {#if authentication.bimi.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.bimi.details}</pre>
-                            {/if}
-                        </div>
-                    {:else if authentication.bimi && authentication.bimi.result == "none"}
-                        <i class="bi bi-exclamation-circle-fill text-warning me-2 fs-5"></i>
-                        <div>
-                            <strong>BIMI</strong>
-                            <span class="text-uppercase ms-2 text-warning">
-                                NONE
-                            </span>
-                            <div class="text-muted small">Brand Indicators for Message Identification</div>
-                            {#if authentication.bimi.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.bimi.details}</pre>
-                            {/if}
-                        </div>
-                    {:else}
-                        <i class="bi bi-info-circle text-muted me-2 fs-5"></i>
-                        <div>
-                            <strong>BIMI</strong>
-                            <span class="text-uppercase ms-2 text-muted">
-                                Optional
-                            </span>
-                            <div class="text-muted small">Brand Indicators for Message Identification (optional enhancement)</div>
-                        </div>
-                    {/if}
-                </div>
-            </div>
-
-            <!-- ARC (Optional) -->
-            {#if authentication.arc}
-                <div class="list-group-item" id="authentication-arc">
-                    <div class="d-flex align-items-start">
-                        <i class="bi {getAuthResultIcon(authentication.arc.result, false)} {getAuthResultClass(authentication.arc.result, false)} me-2 fs-5"></i>
-                        <div>
-                            <strong>ARC</strong>
-                            <span class="text-uppercase ms-2 {getAuthResultClass(authentication.arc.result, false)}">
-                                {authentication.arc.result}
-                            </span>
-                            {#if authentication.arc.chain_length}
-                                <div class="text-muted small">Chain length: {authentication.arc.chain_length}</div>
-                            {/if}
-                            {#if authentication.arc.details}
-                                <pre class="p-2 mb-0 {$theme === 'light' ? 'bg-light' : 'bg-secondary'} text-muted small" style="white-space: pre-wrap">{authentication.arc.details}</pre>
-                            {/if}
-                        </div>
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.x_aligned_from.result,
+                            false,
+                        )} {getAuthResultClass(
+                            authentication.x_aligned_from.result,
+                            false,
+                        )} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>X-Aligned-From</strong>
+                        <i
+                            class="bi bi-info-circle text-muted ms-1"
+                            title="Check that Mail From and Header From addresses are in alignment. See Domain Alignment section."
+                        ></i>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.x_aligned_from.result,
+                                false,
+                            )}"
+                        >
+                            {authentication.x_aligned_from.result}
+                        </span>
+                        {#if authentication.x_aligned_from.domain}
+                            <div class="small">
+                                <strong>Domain:</strong>
+                                <span class="text-muted"
+                                    >{authentication.x_aligned_from.domain}</span
+                                >
+                            </div>
+                        {/if}
+                        {#if authentication.x_aligned_from.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.x_aligned_from
+                                    .details}</pre>
+                        {/if}
                     </div>
                 </div>
-            {/if}
+            </div>
+        {/if}
+
+        <!-- DMARC (Required) -->
+        <div class="list-group-item" id="authentication-dmarc">
+            <div class="d-flex align-items-start">
+                {#if authentication.dmarc}
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.dmarc.result,
+                            true,
+                        )} {getAuthResultClass(authentication.dmarc.result, true)} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>DMARC</strong>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.dmarc.result,
+                                true,
+                            )}"
+                        >
+                            {authentication.dmarc.result}
+                        </span>
+                        {#if authentication.dmarc.domain}
+                            <div class="small">
+                                <strong>Domain:</strong>
+                                <span class="text-muted">{authentication.dmarc.domain}</span>
+                            </div>
+                        {/if}
+                        {#snippet DMARCPolicy(policy: string)}
+                            <div class="small">
+                                <strong>Policy:</strong>
+                                <span
+                                    class="fw-bold"
+                                    class:text-success={policy == "reject"}
+                                    class:text-warning={policy == "quarantine"}
+                                    class:text-danger={policy == "none"}
+                                    class:bg-warning={policy != "none" &&
+                                        policy != "quarantine" &&
+                                        policy != "reject"}
+                                >
+                                    {policy}
+                                </span>
+                            </div>
+                        {/snippet}
+                        {#if authentication.dmarc.result != "none"}
+                            {#if authentication.dmarc.details && authentication.dmarc.details.indexOf("policy.published-domain-policy=") > 0}
+                                {@const policy = authentication.dmarc.details.replace(
+                                    /^.*policy.published-domain-policy=([^\s]+).*$/,
+                                    "$1",
+                                )}
+                                {@render DMARCPolicy(policy)}
+                            {:else if authentication.dmarc.domain && dnsResults?.dmarc_record?.policy}
+                                {@render DMARCPolicy(dnsResults.dmarc_record.policy)}
+                            {/if}
+                        {/if}
+                        {#if authentication.dmarc.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.dmarc.details}</pre>
+                        {/if}
+                    </div>
+                {:else}
+                    <i
+                        class="bi {getAuthResultIcon('missing', true)} {getAuthResultClass(
+                            'missing',
+                            true,
+                        )} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>DMARC</strong>
+                        <span class="text-uppercase ms-2 {getAuthResultClass('missing', true)}">
+                            {getAuthResultText("missing")}
+                        </span>
+                        <div class="text-muted small">
+                            DMARC policy is required for proper email authentication
+                        </div>
+                    </div>
+                {/if}
+            </div>
+        </div>
+
+        <!-- BIMI (Optional) -->
+        <div class="list-group-item" id="authentication-bimi">
+            <div class="d-flex align-items-start">
+                {#if authentication.bimi && authentication.bimi.result != "none"}
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.bimi.result,
+                            false,
+                        )} {getAuthResultClass(authentication.bimi.result, false)} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>BIMI</strong>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.bimi.result,
+                                false,
+                            )}"
+                        >
+                            {authentication.bimi.result}
+                        </span>
+                        {#if authentication.bimi.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.bimi.details}</pre>
+                        {/if}
+                    </div>
+                {:else if authentication.bimi && authentication.bimi.result == "none"}
+                    <i class="bi bi-exclamation-circle-fill text-warning me-2 fs-5"></i>
+                    <div>
+                        <strong>BIMI</strong>
+                        <span class="text-uppercase ms-2 text-warning"> NONE </span>
+                        <div class="text-muted small">
+                            Brand Indicators for Message Identification
+                        </div>
+                        {#if authentication.bimi.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.bimi.details}</pre>
+                        {/if}
+                    </div>
+                {:else}
+                    <i class="bi bi-info-circle text-muted me-2 fs-5"></i>
+                    <div>
+                        <strong>BIMI</strong>
+                        <span class="text-uppercase ms-2 text-muted"> Optional </span>
+                        <div class="text-muted small">
+                            Brand Indicators for Message Identification (optional enhancement)
+                        </div>
+                    </div>
+                {/if}
+            </div>
+        </div>
+
+        <!-- ARC (Optional) -->
+        {#if authentication.arc}
+            <div class="list-group-item" id="authentication-arc">
+                <div class="d-flex align-items-start">
+                    <i
+                        class="bi {getAuthResultIcon(
+                            authentication.arc.result,
+                            false,
+                        )} {getAuthResultClass(authentication.arc.result, false)} me-2 fs-5"
+                    ></i>
+                    <div>
+                        <strong>ARC</strong>
+                        <span
+                            class="text-uppercase ms-2 {getAuthResultClass(
+                                authentication.arc.result,
+                                false,
+                            )}"
+                        >
+                            {authentication.arc.result}
+                        </span>
+                        {#if authentication.arc.chain_length}
+                            <div class="text-muted small">
+                                Chain length: {authentication.arc.chain_length}
+                            </div>
+                        {/if}
+                        {#if authentication.arc.details}
+                            <pre
+                                class="p-2 mb-0 {$theme === 'light'
+                                    ? 'bg-light'
+                                    : 'bg-secondary'} text-muted small"
+                                style="white-space: pre-wrap">{authentication.arc.details}</pre>
+                        {/if}
+                    </div>
+                </div>
+            </div>
+        {/if}
     </div>
 </div>

web/src/lib/components/BlacklistCard.svelte

@@ -1,27 +1,21 @@
 <script lang="ts">
-    import type { BlacklistCheck, ReceivedHop } from "$lib/api/types.gen";
+    import type { BlacklistCheck } from "$lib/api/types.gen";
     import { getScoreColorClass } from "$lib/score";
     import { theme } from "$lib/stores/theme";
     import GradeDisplay from "./GradeDisplay.svelte";
-    import EmailPathCard from "./EmailPathCard.svelte";
 
     interface Props {
         blacklists: Record<string, BlacklistCheck[]>;
         blacklistGrade?: string;
         blacklistScore?: number;
-        receivedChain?: ReceivedHop[];
     }
 
-    let { blacklists, blacklistGrade, blacklistScore, receivedChain }: Props = $props();
+    let { blacklists, blacklistGrade, blacklistScore }: Props = $props();
 </script>
 
 <div class="card shadow-sm" id="rbl-details">
-    <div
-        class="card-header"
-        class:bg-white={$theme === 'light'}
-        class:bg-dark={$theme !== 'light'}
-    >
-        <h4 class="mb-0 d-flex justify-content-between align-items-center">
+    <div class="card-header" class:bg-white={$theme === "light"} class:bg-dark={$theme !== "light"}>
+        <h4 class="mb-0 d-flex flex-wrap justify-content-between align-items-center">
             <span>
                 <i class="bi bi-shield-exclamation me-2"></i>
                 Blacklist Checks
@@ -39,11 +33,7 @@
         </h4>
     </div>
     <div class="card-body">
-        {#if receivedChain}
-            <EmailPathCard {receivedChain} />
-        {/if}
-
-        <div class="row row-cols-1 row-cols-lg-2">
+        <div class="row row-cols-1 row-cols-lg-2 overflow-auto">
             {#each Object.entries(blacklists) as [ip, checks]}
                 <div class="col mb-3">
                     <h5 class="text-muted">
@@ -54,9 +44,19 @@
                         <tbody>
                             {#each checks as check}
                                 <tr>
-                                    <td title={check.response || '-'}>
-                                        <span class="badge {check.listed ? 'bg-danger' : check.error ? 'bg-dark' : 'bg-success'}">
-                                            {check.error ? 'Error' : (check.listed ? 'Listed' : 'Clean')}
+                                    <td title={check.response || "-"}>
+                                        <span
+                                            class="badge {check.listed
+                                                ? 'bg-danger'
+                                                : check.error
+                                                  ? 'bg-dark'
+                                                  : 'bg-success'}"
+                                        >
+                                            {check.error
+                                                ? "Error"
+                                                : check.listed
+                                                  ? "Listed"
+                                                  : "Clean"}
                                         </span>
                                     </td>
                                     <td><code>{check.rbl}</code></td>

web/src/lib/components/ContentAnalysisCard.svelte

@@ -36,16 +36,28 @@
         <div class="row mb-3">
             <div class="col-md-6">
                 <div class="d-flex align-items-center mb-2">
-                    <i class="bi {contentAnalysis.has_html ? 'bi-check-circle text-success' : 'bi-x-circle text-muted'} me-2"></i>
+                    <i
+                        class="bi {contentAnalysis.has_html
+                            ? 'bi-check-circle text-success'
+                            : 'bi-x-circle text-muted'} me-2"
+                    ></i>
                     <span>HTML Part</span>
                 </div>
                 <div class="d-flex align-items-center mb-2">
-                    <i class="bi {contentAnalysis.has_plaintext ? 'bi-check-circle text-success' : 'bi-x-circle text-muted'} me-2"></i>
+                    <i
+                        class="bi {contentAnalysis.has_plaintext
+                            ? 'bi-check-circle text-success'
+                            : 'bi-x-circle text-muted'} me-2"
+                    ></i>
                     <span>Plaintext Part</span>
                 </div>
-                {#if typeof contentAnalysis.has_unsubscribe_link === 'boolean'}
+                {#if typeof contentAnalysis.has_unsubscribe_link === "boolean"}
                     <div class="d-flex align-items-center mb-2">
-                        <i class="bi {contentAnalysis.has_unsubscribe_link ? 'bi-check-circle text-success' : 'bi-x-circle text-warning'} me-2"></i>
+                        <i
+                            class="bi {contentAnalysis.has_unsubscribe_link
+                                ? 'bi-check-circle text-success'
+                                : 'bi-x-circle text-warning'} me-2"
+                        ></i>
                         <span>Unsubscribe Link</span>
                     </div>
                 {/if}
@@ -74,7 +86,14 @@
             <div class="mt-3">
                 <h5>Content Issues</h5>
                 {#each contentAnalysis.html_issues as issue}
-                    <div class="alert alert-{issue.severity === 'critical' || issue.severity === 'high' ? 'danger' : issue.severity === 'medium' ? 'warning' : 'info'} py-2 px-3 mb-2">
+                    <div
+                        class="alert alert-{issue.severity === 'critical' ||
+                        issue.severity === 'high'
+                            ? 'danger'
+                            : issue.severity === 'medium'
+                              ? 'warning'
+                              : 'info'} py-2 px-3 mb-2"
+                    >
                         <div class="d-flex justify-content-between align-items-start">
                             <div>
                                 <strong>{issue.type}</strong>
@@ -118,11 +137,17 @@
                                         {/if}
                                     </td>
                                     <td>
-                                        <span class="badge {link.status === 'valid' ? 'bg-success' : link.status === 'broken' ? 'bg-danger' : 'bg-warning'}">
+                                        <span
+                                            class="badge {link.status === 'valid'
+                                                ? 'bg-success'
+                                                : link.status === 'broken'
+                                                  ? 'bg-danger'
+                                                  : 'bg-warning'}"
+                                        >
                                             {link.status}
                                         </span>
                                     </td>
-                                    <td>{link.http_code || '-'}</td>
+                                    <td>{link.http_code || "-"}</td>
                                 </tr>
                             {/each}
                         </tbody>
@@ -146,11 +171,11 @@
                         <tbody>
                             {#each contentAnalysis.images as image}
                                 <tr>
-                                    <td><small class="text-break">{image.src || '-'}</small></td>
+                                    <td><small class="text-break">{image.src || "-"}</small></td>
                                     <td>
                                         {#if image.has_alt}
                                             <i class="bi bi-check-circle text-success me-1"></i>
-                                            <small>{image.alt_text || 'Present'}</small>
+                                            <small>{image.alt_text || "Present"}</small>
                                         {:else}
                                             <i class="bi bi-x-circle text-warning me-1"></i>
                                             <small class="text-muted">Missing</small>

web/src/lib/components/DmarcRecordDisplay.svelte

@@ -34,9 +34,10 @@
         </div>
         <div class="card-body">
             <p class="card-text small text-muted mb-2">
-                DMARC builds on SPF and DKIM by telling receiving servers what to do with emails
-                that fail authentication checks. It also enables reporting so you can monitor your
-                email security.
+                DMARC enforces domain alignment requirements (regardless of the policy). It builds
+                on SPF and DKIM by telling receiving servers what to do with emails that fail
+                authentication checks. It also enables reporting so you can monitor your email
+                security.
             </p>
 
             <hr />

web/src/lib/components/DnsRecordsCard.svelte

@@ -1,15 +1,15 @@
 <script lang="ts">
-    import type { DomainAlignment, DnsResults, ReceivedHop } from "$lib/api/types.gen";
+    import type { DnsResults, DomainAlignment, ReceivedHop } from "$lib/api/types.gen";
     import { getScoreColorClass } from "$lib/score";
     import { theme } from "$lib/stores/theme";
-    import GradeDisplay from "./GradeDisplay.svelte";
-    import MxRecordsDisplay from "./MxRecordsDisplay.svelte";
-    import SpfRecordsDisplay from "./SpfRecordsDisplay.svelte";
+    import BimiRecordDisplay from "./BimiRecordDisplay.svelte";
     import DkimRecordsDisplay from "./DkimRecordsDisplay.svelte";
     import DmarcRecordDisplay from "./DmarcRecordDisplay.svelte";
-    import BimiRecordDisplay from "./BimiRecordDisplay.svelte";
-    import PtrRecordsDisplay from "./PtrRecordsDisplay.svelte";
+    import GradeDisplay from "./GradeDisplay.svelte";
+    import MxRecordsDisplay from "./MxRecordsDisplay.svelte";
     import PtrForwardRecordsDisplay from "./PtrForwardRecordsDisplay.svelte";
+    import PtrRecordsDisplay from "./PtrRecordsDisplay.svelte";
+    import SpfRecordsDisplay from "./SpfRecordsDisplay.svelte";
 
     interface Props {
         domainAlignment?: DomainAlignment;
@@ -17,9 +17,17 @@
         dnsGrade?: string;
         dnsScore?: number;
         receivedChain?: ReceivedHop[];
+        domainOnly?: boolean; // If true, only shows domain-level DNS records (no PTR, no DKIM, simplified view)
     }
 
-    let { domainAlignment, dnsResults, dnsGrade, dnsScore, receivedChain }: Props = $props();
+    let {
+        domainAlignment,
+        dnsResults,
+        dnsGrade,
+        dnsScore,
+        receivedChain,
+        domainOnly = false,
+    }: Props = $props();
 
     // Extract sender IP from first hop
     const senderIp = $derived(
@@ -61,69 +69,85 @@
                 </div>
             {/if}
 
-            <!-- Reverse IP Section -->
-            {#if receivedChain && receivedChain.length > 0}
-                <div class="mb-3 d-flex align-items-center gap-2">
-                    <h4 class="mb-0 text-truncate">
-                        Received from: <code>{receivedChain[0].from} ({receivedChain[0].reverse || "Unknown"} [{receivedChain[0].ip}])</code>
-                    </h4>
-                </div>
-            {/if}
+            {#if !domainOnly}
+                <!-- Reverse IP Section -->
+                {#if receivedChain && receivedChain.length > 0}
+                    <div class="mb-3 d-flex align-items-center gap-2">
+                        <h4 class="mb-0 text-truncate">
+                            Received from: <code
+                                >{receivedChain[0].from} ({receivedChain[0].reverse || "Unknown"} [{receivedChain[0]
+                                    .ip}])</code
+                            >
+                        </h4>
+                    </div>
+                {/if}
 
-            <!-- PTR Records Section -->
-            <PtrRecordsDisplay ptrRecords={dnsResults.ptr_records} {senderIp} />
+                <!-- PTR Records Section -->
+                <PtrRecordsDisplay ptrRecords={dnsResults.ptr_records} {senderIp} />
 
-            <!-- Forward-Confirmed Reverse DNS -->
-            <PtrForwardRecordsDisplay
-                ptrRecords={dnsResults.ptr_records}
-                ptrForwardRecords={dnsResults.ptr_forward_records}
-                {senderIp}
-            />
-
-            <hr class="my-4" />
-
-            <!-- Return-Path Domain Section -->
-            <div class="mb-3">
-                <div class="d-flex align-items-center gap-2 flex-wrap">
-                    <h4 class="mb-0 text-truncate">
-                        Return-Path Domain: <code>{dnsResults.rp_domain || dnsResults.from_domain}</code>
-                    </h4>
-                    {#if (domainAlignment && !domainAlignment.aligned && !domainAlignment.relaxed_aligned) || (domainAlignment && !domainAlignment.aligned && domainAlignment.relaxed_aligned && dnsResults.dmarc_record && dnsResults.dmarc_record.spf_alignment === "strict") || (!domainAlignment && dnsResults.rp_domain && dnsResults.rp_domain !== dnsResults.from_domain)}
-                        <span class="badge bg-danger ms-2"><i class="bi bi-exclamation-triangle-fill"></i> Differs from From domain</span>
-                        <small>
-                            <i class="bi bi-chevron-right"></i>
-                            <a href="#domain-alignment">See domain alignment</a>
-                        </small>
-                    {:else}
-                        <span class="badge bg-success ms-2">Same as From domain</span>
-                    {/if}
-                </div>
-            </div>
-
-            <!-- MX Records for Return-Path Domain -->
-            {#if dnsResults.rp_mx_records && dnsResults.rp_mx_records.length > 0}
-                <MxRecordsDisplay
-                    class="mb-4"
-                    mxRecords={dnsResults.rp_mx_records}
-                    title="Mail Exchange Records for Return-Path Domain"
-                    description="These MX records handle bounce messages and non-delivery reports."
+                <!-- Forward-Confirmed Reverse DNS -->
+                <PtrForwardRecordsDisplay
+                    ptrRecords={dnsResults.ptr_records}
+                    ptrForwardRecords={dnsResults.ptr_forward_records}
+                    {senderIp}
                 />
+
+                <hr class="my-4" />
+
+                <!-- Return-Path Domain Section -->
+                <div class="mb-3">
+                    <div class="d-flex align-items-center gap-2 flex-wrap">
+                        <h4 class="mb-0 text-truncate">
+                            Return-Path Domain:
+                            <code>{dnsResults.rp_domain || dnsResults.from_domain}</code>
+                        </h4>
+                        {#if (domainAlignment && !domainAlignment.aligned && !domainAlignment.relaxed_aligned) || (domainAlignment && !domainAlignment.aligned && domainAlignment.relaxed_aligned && dnsResults.dmarc_record && dnsResults.dmarc_record.spf_alignment === "strict") || (!domainAlignment && dnsResults.rp_domain && dnsResults.rp_domain !== dnsResults.from_domain)}
+                            <span class="badge bg-danger ms-2">
+                                <i class="bi bi-exclamation-triangle-fill"></i> Differs from From domain
+                            </span>
+                            <small>
+                                <i class="bi bi-chevron-right"></i>
+                                <a href="#domain-alignment">See domain alignment</a>
+                            </small>
+                        {:else}
+                            <span class="badge bg-success ms-2">Same as From domain</span>
+                        {/if}
+                    </div>
+                </div>
+
+                <!-- MX Records for Return-Path Domain -->
+                {#if dnsResults.rp_mx_records && dnsResults.rp_mx_records.length > 0}
+                    <MxRecordsDisplay
+                        class="mb-4"
+                        mxRecords={dnsResults.rp_mx_records}
+                        title="Mail Exchange Records for Return-Path Domain"
+                        description="These MX records handle bounce messages and non-delivery reports."
+                    />
+                {/if}
             {/if}
 
             <!-- SPF Records (for Return-Path Domain) -->
-            <SpfRecordsDisplay spfRecords={dnsResults.spf_records} dmarcRecord={dnsResults.dmarc_record} />
+            <SpfRecordsDisplay
+                spfRecords={dnsResults.spf_records}
+                dmarcRecord={dnsResults.dmarc_record}
+            />
 
-            <hr class="my-4">
+            {#if !domainOnly}
+                <hr class="my-4" />
 
-            <!-- From Domain Section -->
-            <div class="mb-3 d-flex align-items-center gap-2">
-                <h4 class="mb-0 text-truncate">
-                    From Domain: <code>{dnsResults.from_domain}</code>
-                </h4>
-                {#if dnsResults.rp_domain && dnsResults.rp_domain !== dnsResults.from_domain}
-                    <span class="badge bg-danger ms-2"><i class="bi bi-exclamation-triangle-fill"></i> Differs from Return-Path domain</span>
-                {/if}
-            </div>
+                <!-- From Domain Section -->
+                <div class="mb-3 d-flex align-items-center gap-2">
+                    <h4 class="mb-0 text-truncate">
+                        From Domain: <code>{dnsResults.from_domain}</code>
+                    </h4>
+                    {#if dnsResults.rp_domain && dnsResults.rp_domain !== dnsResults.from_domain}
+                        <span class="badge bg-danger ms-2">
+                            <i class="bi bi-exclamation-triangle-fill"></i> Differs from Return-Path
+                            domain
+                        </span>
+                    {/if}
+                </div>
+            {/if}
 
             <!-- MX Records for From Domain -->
             {#if dnsResults.from_mx_records && dnsResults.from_mx_records.length > 0}
@@ -135,8 +159,10 @@
                 />
             {/if}
 
-            <!-- DKIM Records -->
-            <DkimRecordsDisplay dkimRecords={dnsResults.dkim_records} />
+            {#if !domainOnly}
+                <!-- DKIM Records -->
+                <DkimRecordsDisplay dkimRecords={dnsResults.dkim_records} />
+            {/if}
 
             <!-- DMARC Record -->
             <DmarcRecordDisplay dmarcRecord={dnsResults.dmarc_record} />

web/src/lib/components/EmailPathCard.svelte

@@ -1,5 +1,6 @@
 <script lang="ts">
     import type { ReceivedHop } from "$lib/api/types.gen";
+    import { theme } from "$lib/stores/theme";
 
     interface Props {
         receivedChain: ReceivedHop[];
@@ -9,23 +10,42 @@
 </script>
 
 {#if receivedChain && receivedChain.length > 0}
-    <div class="mb-3" id="email-path">
-        <h5>Email Path (Received Chain)</h5>
-        <div class="list-group">
+    <div class="card shadow-sm" id="email-path">
+        <div
+            class="card-header"
+            class:bg-white={$theme === "light"}
+            class:bg-dark={$theme !== "light"}
+        >
+            <h4 class="mb-0">
+                <i class="bi bi-pin-map me-2"></i>
+                Email Path
+            </h4>
+        </div>
+        <div class="list-group list-group-flush">
             {#each receivedChain as hop, i}
                 <div class="list-group-item">
                     <div class="d-flex w-100 justify-content-between">
                         <h6 class="mb-1">
                             <span class="badge bg-primary me-2">{receivedChain.length - i}</span>
-                            {hop.reverse || '-'} {#if hop.ip}<span class="text-muted">({hop.ip})</span>{/if} → {hop.by || 'Unknown'}
+                            {hop.reverse || "-"}
+                            {#if hop.ip}<span class="text-muted">({hop.ip})</span>{/if} → {hop.by ||
+                                "Unknown"}
                         </h6>
-                        <small class="text-muted" title={hop.timestamp}>{hop.timestamp ? new Intl.DateTimeFormat('default', { dateStyle: 'long', 'timeStyle': 'short' }).format(new Date(hop.timestamp)) : '-'}</small>
+                        <small class="text-muted" title={hop.timestamp}>
+                            {hop.timestamp
+                                ? new Intl.DateTimeFormat("default", {
+                                      dateStyle: "long",
+                                      timeStyle: "short",
+                                  }).format(new Date(hop.timestamp))
+                                : "-"}
+                        </small>
                     </div>
-                    {#if hop.with || hop.id}
+                    {#if hop.with || hop.id || hop.from}
                         <p class="mb-1 small d-flex gap-3">
                             {#if hop.with}
                                 <span>
-                                    <span class="text-muted">Protocol:</span> <code>{hop.with}</code>
+                                    <span class="text-muted">Protocol:</span>
+                                    <code>{hop.with}</code>
                                 </span>
                             {/if}
                             {#if hop.id}

web/src/lib/components/GradeDisplay.svelte

@@ -44,10 +44,7 @@
     }
 </script>
 
-<strong
-    class={getSizeClass(size)}
-    style="color: {getGradeColor(grade)}; font-weight: 700;"
->
+<strong class={getSizeClass(size)} style="color: {getGradeColor(grade)}; font-weight: 700;">
     {#if grade}
         {grade}
     {:else}

web/src/lib/components/HeaderAnalysisCard.svelte

@@ -1,5 +1,5 @@
 <script lang="ts">
-    import type { AuthResult, DmarcRecord, HeaderAnalysis } from "$lib/api/types.gen";
+    import type { DmarcRecord, HeaderAnalysis } from "$lib/api/types.gen";
     import { getScoreColorClass } from "$lib/score";
     import { theme } from "$lib/stores/theme";
     import GradeDisplay from "./GradeDisplay.svelte";
@@ -9,10 +9,9 @@
         headerAnalysis: HeaderAnalysis;
         headerGrade?: string;
         headerScore?: number;
-        xAlignedFrom?: AuthResult;
     }
 
-    let { dmarcRecord, headerAnalysis, headerGrade, headerScore, xAlignedFrom }: Props = $props();
+    let { dmarcRecord, headerAnalysis, headerGrade, headerScore }: Props = $props();
 </script>
 
 <div class="card shadow-sm" id="header-details">
@@ -39,7 +38,14 @@
             <div class="mb-3">
                 <h5>Issues</h5>
                 {#each headerAnalysis.issues as issue}
-                    <div class="alert alert-{issue.severity === 'critical' || issue.severity === 'high' ? 'danger' : issue.severity === 'medium' ? 'warning' : 'info'} py-2 px-3 mb-2">
+                    <div
+                        class="alert alert-{issue.severity === 'critical' ||
+                        issue.severity === 'high'
+                            ? 'danger'
+                            : issue.severity === 'medium'
+                              ? 'warning'
+                              : 'info'} py-2 px-3 mb-2"
+                    >
                         <div class="d-flex justify-content-between align-items-start">
                             <div>
                                 <strong>{issue.header}</strong>
@@ -59,80 +65,282 @@
         {/if}
 
         {#if headerAnalysis.domain_alignment}
+            {@const spfStrictAligned =
+                headerAnalysis.domain_alignment.from_domain ===
+                headerAnalysis.domain_alignment.return_path_domain}
+            {@const spfRelaxedAligned =
+                headerAnalysis.domain_alignment.from_org_domain ===
+                headerAnalysis.domain_alignment.return_path_org_domain}
             <div class="card mb-3" id="domain-alignment">
                 <div class="card-header">
                     <h5 class="mb-0">
-                        {#if xAlignedFrom}
-                            <i class="bi {xAlignedFrom.result == "pass" ? 'bi-check-circle-fill text-success' : 'bi-x-circle-fill text-danger'}"></i>
-                        {:else}
-                            <i class="bi {headerAnalysis.domain_alignment.aligned ? 'bi-check-circle-fill text-success' : headerAnalysis.domain_alignment.relaxed_aligned ? 'bi-check-circle text-info' : 'bi-x-circle-fill text-danger'}"></i>
-                        {/if}
+                        <i
+                            class="bi {headerAnalysis.domain_alignment.aligned
+                                ? 'bi-check-circle-fill text-success'
+                                : headerAnalysis.domain_alignment.relaxed_aligned
+                                  ? 'bi-check-circle text-info'
+                                  : 'bi-x-circle-fill text-danger'}"
+                        ></i>
                         Domain Alignment
                     </h5>
                 </div>
                 <div class="card-body">
-                    <p class="card-text small text-muted mb-3">
-                        Domain alignment ensures that the visible "From" domain matches the domain used for authentication (Return-Path). Proper alignment is crucial for DMARC compliance and helps prevent email spoofing by verifying that the sender domain is consistent across all authentication layers.
+                    <p class="card-text small text-muted">
+                        Domain alignment ensures that the visible "From" domain matches the domain
+                        used for authentication (Return-Path or DKIM signature). Proper alignment is
+                        crucial for DMARC compliance, regardless of the policy. It helps prevent
+                        email spoofing by verifying that the sender domain is consistent across all
+                        authentication layers. Only one of the following lines needs to pass.
                     </p>
-                    <div class="row">
-                        <div class="col-md-3">
-                            <small class="text-muted">Strict Alignment</small>
-                            <div>
-                                <span class="badge" class:bg-success={headerAnalysis.domain_alignment.aligned} class:bg-danger={!headerAnalysis.domain_alignment.aligned}>
-                                    <i class="bi {headerAnalysis.domain_alignment.aligned ? 'bi-check-circle-fill' : 'bi-x-circle-fill'} me-1"></i>
-                                    <strong>{headerAnalysis.domain_alignment.aligned ? 'Pass' : 'Fail'}</strong>
-                                </span>
-                            </div>
-                            <div class="small text-muted mt-1">Exact domain match</div>
-                        </div>
-                        <div class="col-md-3">
-                            <small class="text-muted">Relaxed Alignment</small>
-                            <div>
-                                <span class="badge" class:bg-success={headerAnalysis.domain_alignment.relaxed_aligned} class:bg-danger={!headerAnalysis.domain_alignment.relaxed_aligned}>
-                                    <i class="bi {headerAnalysis.domain_alignment.relaxed_aligned ? 'bi-check-circle-fill' : 'bi-x-circle-fill'} me-1"></i>
-                                    <strong>{headerAnalysis.domain_alignment.relaxed_aligned ? 'Pass' : 'Fail'}</strong>
-                                </span>
-                            </div>
-                            <div class="small text-muted mt-1">Organizational domain match</div>
-                        </div>
-                        <div class="col-md-3">
-                            <small class="text-muted">From Domain</small>
-                            <div><code>{headerAnalysis.domain_alignment.from_domain || '-'}</code></div>
-                            {#if headerAnalysis.domain_alignment.from_org_domain && headerAnalysis.domain_alignment.from_org_domain !== headerAnalysis.domain_alignment.from_domain}
-                                <div class="small text-muted mt-1">Org: <code>{headerAnalysis.domain_alignment.from_org_domain}</code></div>
-                            {/if}
-                        </div>
-                        <div class="col-md-3">
-                            <small class="text-muted">Return-Path Domain</small>
-                            <div><code>{headerAnalysis.domain_alignment.return_path_domain || '-'}</code></div>
-                            {#if headerAnalysis.domain_alignment.return_path_org_domain && headerAnalysis.domain_alignment.return_path_org_domain !== headerAnalysis.domain_alignment.return_path_domain}
-                                <div class="small text-muted mt-1">Org: <code>{headerAnalysis.domain_alignment.return_path_org_domain}</code></div>
-                            {/if}
-                        </div>
-                    </div>
                     {#if headerAnalysis.domain_alignment.issues && headerAnalysis.domain_alignment.issues.length > 0}
                         <div class="mt-3">
                             {#each headerAnalysis.domain_alignment.issues as issue}
-                                <div class="alert alert-{headerAnalysis.domain_alignment.relaxed_aligned ? 'info' : 'warning'} py-2 small mb-2">
-                                    <i class="bi bi-{headerAnalysis.domain_alignment.relaxed_aligned ? 'info-circle' : 'exclamation-triangle'} me-1"></i>
+                                <div
+                                    class="alert alert-{headerAnalysis.domain_alignment
+                                        .relaxed_aligned
+                                        ? 'info'
+                                        : 'warning'} py-2 small mb-2"
+                                >
+                                    <i
+                                        class="bi bi-{headerAnalysis.domain_alignment
+                                            .relaxed_aligned
+                                            ? 'info-circle'
+                                            : 'exclamation-triangle'} me-1"
+                                    ></i>
                                     {issue}
                                 </div>
                             {/each}
                         </div>
                     {/if}
+                </div>
+                <div class="list-group list-group-flush">
+                    <div class="list-group-item d-flex ps-0">
+                        <div
+                            class="d-flex align-items-center justify-content-center"
+                            style="writing-mode: vertical-rl; transform: rotate(180deg); font-size: 1.5rem; font-weight: bold; min-width: 3rem;"
+                        >
+                            SPF
+                        </div>
+                        <div class="flex-fill">
+                            <div class="row flex-grow-1">
+                                <div class="col-md-3">
+                                    <small class="text-muted">Strict Alignment</small>
+                                    <div>
+                                        <span
+                                            class="badge"
+                                            class:bg-success={spfStrictAligned}
+                                            class:bg-danger={!spfStrictAligned}
+                                        >
+                                            <i
+                                                class="bi {spfStrictAligned
+                                                    ? 'bi-check-circle-fill'
+                                                    : 'bi-x-circle-fill'} me-1"
+                                            ></i>
+                                            <strong>{spfStrictAligned ? "Pass" : "Fail"}</strong>
+                                        </span>
+                                    </div>
+                                    <div class="small text-muted mt-1">Exact domain match</div>
+                                </div>
+                                <div class="col-md-3">
+                                    <small class="text-muted">Relaxed Alignment</small>
+                                    <div>
+                                        <span
+                                            class="badge"
+                                            class:bg-success={spfRelaxedAligned}
+                                            class:bg-danger={!spfRelaxedAligned}
+                                        >
+                                            <i
+                                                class="bi {spfRelaxedAligned
+                                                    ? 'bi-check-circle-fill'
+                                                    : 'bi-x-circle-fill'} me-1"
+                                            ></i>
+                                            <strong>{spfRelaxedAligned ? "Pass" : "Fail"}</strong>
+                                        </span>
+                                    </div>
+                                    <div class="small text-muted mt-1">
+                                        Organizational domain match
+                                    </div>
+                                </div>
+                                <div class="col-md-3">
+                                    <small class="text-muted">From Domain</small>
+                                    <div>
+                                        <code>
+                                            {headerAnalysis.domain_alignment.from_domain || "-"}
+                                        </code>
+                                    </div>
+                                    {#if headerAnalysis.domain_alignment.from_org_domain && headerAnalysis.domain_alignment.from_org_domain !== headerAnalysis.domain_alignment.from_domain}
+                                        <div class="small text-muted mt-1">
+                                            Org:
+                                            <code>
+                                                {headerAnalysis.domain_alignment.from_org_domain}
+                                            </code>
+                                        </div>
+                                    {/if}
+                                </div>
+                                <div class="col-md-3">
+                                    <small class="text-muted">Return-Path Domain</small>
+                                    <div>
+                                        <code>
+                                            {headerAnalysis.domain_alignment.return_path_domain ||
+                                                "-"}
+                                        </code>
+                                    </div>
+                                    {#if headerAnalysis.domain_alignment.return_path_org_domain && headerAnalysis.domain_alignment.return_path_org_domain !== headerAnalysis.domain_alignment.return_path_domain}
+                                        <div class="small text-muted mt-1">
+                                            Org:
+                                            <code>
+                                                {headerAnalysis.domain_alignment
+                                                    .return_path_org_domain}
+                                            </code>
+                                        </div>
+                                    {/if}
+                                </div>
+                            </div>
 
-                    <!-- Alignment Information based on DMARC policy -->
-                    {#if dmarcRecord && headerAnalysis.domain_alignment.return_path_domain && headerAnalysis.domain_alignment.return_path_domain !== headerAnalysis.domain_alignment.from_domain}
-                        <div class="alert mt-2 mb-0 small py-2 {dmarcRecord.spf_alignment === 'strict' ? 'alert-warning' : 'alert-info'}">
-                            {#if dmarcRecord.spf_alignment === 'strict'}
-                                <i class="bi bi-exclamation-triangle me-1"></i>
-                                <strong>Strict SPF alignment required</strong> — Your DMARC policy requires exact domain match. The Return-Path domain must exactly match the From domain for SPF to pass DMARC alignment.
-                            {:else}
-                                <i class="bi bi-info-circle me-1"></i>
-                                <strong>Relaxed SPF alignment allowed</strong> — Your DMARC policy allows organizational domain matching. As long as both domains share the same organizational domain (e.g., mail.example.com and example.com), SPF alignment can pass.
+                            <!-- Alignment Information based on DMARC policy -->
+                            {#if dmarcRecord && headerAnalysis.domain_alignment.return_path_domain && headerAnalysis.domain_alignment.return_path_domain !== headerAnalysis.domain_alignment.from_domain}
+                                <div
+                                    class="alert mt-2 mb-0 small py-2 {dmarcRecord.spf_alignment ===
+                                    'strict'
+                                        ? 'alert-warning'
+                                        : 'alert-info'}"
+                                >
+                                    {#if dmarcRecord.spf_alignment === "strict"}
+                                        <i class="bi bi-exclamation-triangle me-1"></i>
+                                        <strong>Strict SPF alignment required</strong> — Your DMARC policy
+                                        requires exact domain match. The Return-Path domain must exactly
+                                        match the From domain for SPF to pass DMARC alignment.
+                                    {:else}
+                                        <i class="bi bi-info-circle me-1"></i>
+                                        <strong>Relaxed SPF alignment allowed</strong> — Your DMARC policy
+                                        allows organizational domain matching. As long as both domains
+                                        share the same organizational domain (e.g., mail.example.com
+                                        and example.com), SPF alignment can pass.
+                                    {/if}
+                                </div>
                             {/if}
                         </div>
-                    {/if}
+                    </div>
+
+                    {#each headerAnalysis.domain_alignment.dkim_domains as dkim_domain}
+                        {@const dkim_aligned =
+                            dkim_domain.domain === headerAnalysis.domain_alignment.from_domain}
+                        {@const dkim_relaxed_aligned =
+                            dkim_domain.org_domain ===
+                            headerAnalysis.domain_alignment.from_org_domain}
+                        <div class="list-group-item d-flex ps-0">
+                            <div
+                                class="d-flex align-items-center justify-content-center"
+                                style="writing-mode: vertical-rl; transform: rotate(180deg); font-size: 1.5rem; font-weight: bold; min-width: 3rem;"
+                            >
+                                DKIM
+                            </div>
+                            <div class="flex-fill">
+                                <div class="flex-fill">
+                                    <div class="row flex-grow-1">
+                                        <div class="col-md-3">
+                                            <small class="text-muted">Strict Alignment</small>
+                                            <div>
+                                                <span
+                                                    class="badge"
+                                                    class:bg-success={dkim_aligned}
+                                                    class:bg-danger={!dkim_aligned}
+                                                >
+                                                    <i
+                                                        class="bi {dkim_aligned
+                                                            ? 'bi-check-circle-fill'
+                                                            : 'bi-x-circle-fill'} me-1"
+                                                    ></i>
+                                                    <strong>{dkim_aligned ? "Pass" : "Fail"}</strong
+                                                    >
+                                                </span>
+                                            </div>
+                                            <div class="small text-muted mt-1">
+                                                Exact domain match
+                                            </div>
+                                        </div>
+                                        <div class="col-md-3">
+                                            <small class="text-muted">Relaxed Alignment</small>
+                                            <div>
+                                                <span
+                                                    class="badge"
+                                                    class:bg-success={dkim_relaxed_aligned}
+                                                    class:bg-danger={!dkim_relaxed_aligned}
+                                                >
+                                                    <i
+                                                        class="bi {dkim_relaxed_aligned
+                                                            ? 'bi-check-circle-fill'
+                                                            : 'bi-x-circle-fill'} me-1"
+                                                    ></i>
+                                                    <strong
+                                                        >{dkim_relaxed_aligned
+                                                            ? "Pass"
+                                                            : "Fail"}</strong
+                                                    >
+                                                </span>
+                                            </div>
+                                            <div class="small text-muted mt-1">
+                                                Organizational domain match
+                                            </div>
+                                        </div>
+                                        <div class="col-md-3">
+                                            <small class="text-muted">From Domain</small>
+                                            <div>
+                                                <code
+                                                    >{headerAnalysis.domain_alignment.from_domain ||
+                                                        "-"}</code
+                                                >
+                                            </div>
+                                            {#if headerAnalysis.domain_alignment.from_org_domain && headerAnalysis.domain_alignment.from_org_domain !== headerAnalysis.domain_alignment.from_domain}
+                                                <div class="small text-muted mt-1">
+                                                    Org: <code
+                                                        >{headerAnalysis.domain_alignment
+                                                            .from_org_domain}</code
+                                                    >
+                                                </div>
+                                            {/if}
+                                        </div>
+                                        <div class="col-md-3">
+                                            <small class="text-muted">Signature Domain</small>
+                                            <div><code>{dkim_domain.domain || "-"}</code></div>
+                                            {#if dkim_domain.domain !== dkim_domain.org_domain}
+                                                <div class="small text-muted mt-1">
+                                                    Org: <code>{dkim_domain.org_domain}</code>
+                                                </div>
+                                            {/if}
+                                        </div>
+                                    </div>
+
+                                    <!-- Alignment Information based on DMARC policy -->
+                                    {#if dmarcRecord && dkim_domain.domain !== headerAnalysis.domain_alignment.from_domain}
+                                        {#if dkim_domain.org_domain === headerAnalysis.domain_alignment.from_org_domain}
+                                            <div
+                                                class="alert mt-2 mb-0 small py-2 {dmarcRecord.dkim_alignment ===
+                                                'strict'
+                                                    ? 'alert-warning'
+                                                    : 'alert-info'}"
+                                            >
+                                                {#if dmarcRecord.dkim_alignment === "strict"}
+                                                    <i class="bi bi-exclamation-triangle me-1"></i>
+                                                    <strong>Strict DKIM alignment required</strong> —
+                                                    Your DMARC policy requires exact domain match. The
+                                                    DKIM signature domain must exactly match the From
+                                                    domain for DKIM to pass DMARC alignment.
+                                                {:else}
+                                                    <i class="bi bi-info-circle me-1"></i>
+                                                    <strong>Relaxed DKIM alignment allowed</strong> —
+                                                    Your DMARC policy allows organizational domain matching.
+                                                    As long as both domains share the same organizational
+                                                    domain (e.g., mail.example.com and example.com),
+                                                    DKIM alignment can pass.
+                                                {/if}
+                                            </div>
+                                        {/if}
+                                    {/if}
+                                </div>
+                            </div>
+                        </div>
+                    {/each}
                 </div>
             </div>
         {/if}
@@ -153,9 +361,9 @@
                         </thead>
                         <tbody>
                             {#each Object.entries(headerAnalysis.headers).sort((a, b) => {
-                                const importanceOrder = { 'required': 0, 'recommended': 1, 'optional': 2, 'newsletter': 3 };
-                                const aImportance = importanceOrder[a[1].importance || 'optional'];
-                                const bImportance = importanceOrder[b[1].importance || 'optional'];
+                                const importanceOrder = { required: 0, recommended: 1, optional: 2, newsletter: 3 };
+                                const aImportance = importanceOrder[a[1].importance || "optional"];
+                                const bImportance = importanceOrder[b[1].importance || "optional"];
                                 return aImportance - bImportance;
                             }) as [name, check]}
                                 <tr>
@@ -164,23 +372,39 @@
                                     </td>
                                     <td>
                                         {#if check.importance}
-                                            <small class="text-{check.importance === 'required' ? 'danger' : check.importance === 'recommended' ? 'warning' : 'secondary'}">
+                                            <small
+                                                class="text-{check.importance === 'required'
+                                                    ? 'danger'
+                                                    : check.importance === 'recommended'
+                                                      ? 'warning'
+                                                      : 'secondary'}"
+                                            >
                                                 {check.importance}
                                             </small>
                                         {/if}
                                     </td>
                                     <td>
-                                        <i class="bi {check.present ? 'bi-check-circle text-success' : 'bi-x-circle text-danger'}"></i>
+                                        <i
+                                            class="bi {check.present
+                                                ? 'bi-check-circle text-success'
+                                                : 'bi-x-circle text-danger'}"
+                                        ></i>
                                     </td>
                                     <td>
                                         {#if check.present && check.valid !== undefined}
-                                            <i class="bi {check.valid ? 'bi-check-circle text-success' : 'bi-x-circle text-warning'}"></i>
+                                            <i
+                                                class="bi {check.valid
+                                                    ? 'bi-check-circle text-success'
+                                                    : 'bi-x-circle text-warning'}"
+                                            ></i>
                                         {:else}
                                             -
                                         {/if}
                                     </td>
                                     <td>
-                                        <small class="text-muted text-truncate" title={check.value}>{check.value || '-'}</small>
+                                        <small class="text-muted text-truncate" title={check.value}
+                                            >{check.value || "-"}</small
+                                        >
                                         {#if check.issues && check.issues.length > 0}
                                             {#each check.issues as issue}
                                                 <div class="text-warning small">

web/src/lib/components/HistoryTable.svelte

@@ -0,0 +1,72 @@
+<script lang="ts">
+    import { goto } from "$app/navigation";
+
+    import type { TestSummary } from "$lib/api/types.gen";
+    import GradeDisplay from "./GradeDisplay.svelte";
+
+    interface Props {
+        tests: TestSummary[];
+    }
+
+    let { tests }: Props = $props();
+
+    function formatDate(dateStr: string): string {
+        const date = new Date(dateStr);
+        return date.toLocaleDateString(undefined, {
+            year: "numeric",
+            month: "short",
+            day: "numeric",
+            hour: "2-digit",
+            minute: "2-digit",
+        });
+    }
+</script>
+
+<div class="table-responsive shadow-sm">
+    <table class="table table-hover mb-0 align-middle">
+        <thead>
+            <tr>
+                <th class="ps-4" style="width: 80px;">Grade</th>
+                <th style="width: 80px;">Score</th>
+                <th>Domain</th>
+                <th>Date</th>
+                <th style="width: 50px;"></th>
+            </tr>
+        </thead>
+        <tbody>
+            {#each tests as test}
+                <tr class="cursor-pointer" onclick={() => goto(`/test/${test.test_id}`)}>
+                    <td class="ps-4">
+                        <GradeDisplay grade={test.grade} size="small" />
+                    </td>
+                    <td>
+                        <span class="badge bg-secondary">{test.score}%</span>
+                    </td>
+                    <td>
+                        {#if test.from_domain}
+                            <code>{test.from_domain}</code>
+                        {:else}
+                            <span class="text-muted">-</span>
+                        {/if}
+                    </td>
+                    <td class="text-muted">
+                        {formatDate(test.created_at)}
+                    </td>
+                    <td>
+                        <i class="bi bi-chevron-right text-muted"></i>
+                    </td>
+                </tr>
+            {/each}
+        </tbody>
+    </table>
+</div>
+
+<style>
+    .cursor-pointer {
+        cursor: pointer;
+    }
+
+    .cursor-pointer:hover td {
+        background-color: var(--bs-tertiary-bg);
+    }
+</style>

web/src/lib/components/MxRecordsDisplay.svelte

@@ -1,5 +1,6 @@
 <script lang="ts">
     import type { ClassValue } from "svelte/elements";
+
     import type { MxRecord } from "$lib/api/types.gen";
 
     interface Props {

web/src/lib/components/PtrForwardRecordsDisplay.svelte

@@ -21,6 +21,11 @@
     );
 
     const hasForwardRecords = $derived(ptrForwardRecords && ptrForwardRecords.length > 0);
+
+    let showDifferent = $state(false);
+    const differentCount = $derived(
+        ptrForwardRecords ? ptrForwardRecords.filter((ip) => ip !== senderIp).length : 0,
+    );
 </script>
 
 {#if ptrRecords && ptrRecords.length > 0}
@@ -63,15 +68,31 @@
                     <div class="mb-2">
                         <strong>Forward Resolution (A/AAAA):</strong>
                         {#each ptrForwardRecords as ip}
-                            <div class="d-flex gap-2 align-items-center mt-1">
-                                {#if senderIp && ip === senderIp}
-                                    <span class="badge bg-success">Match</span>
-                                {:else}
-                                    <span class="badge bg-warning">Different</span>
-                                {/if}
-                                <code>{ip}</code>
-                            </div>
+                            {#if ip === senderIp || !fcrDnsIsValid || showDifferent}
+                                <div class="d-flex gap-2 align-items-center mt-1">
+                                    {#if senderIp && ip === senderIp}
+                                        <span class="badge bg-success">Match</span>
+                                    {:else}
+                                        <span class="badge bg-secondary">Different</span>
+                                    {/if}
+                                    <code>{ip}</code>
+                                </div>
+                            {/if}
                         {/each}
+                        {#if fcrDnsIsValid && differentCount > 0}
+                            <div class="mt-1">
+                                <button
+                                    class="btn btn-link btn-sm p-0 text-muted"
+                                    onclick={() => (showDifferent = !showDifferent)}
+                                >
+                                    {#if showDifferent}
+                                        Hide other IPs
+                                    {:else}
+                                        Show {differentCount} other IP{differentCount > 1 ? 's' : ''} (not the sender)
+                                    {/if}
+                                </button>
+                            </div>
+                        {/if}
                     </div>
                     {#if fcrDnsIsValid}
                         <div class="alert alert-success mb-0 mt-2">

web/src/lib/components/RspamdCard.svelte

@@ -0,0 +1,153 @@
+<script lang="ts">
+    import type { RspamdResult } from "$lib/api/types.gen";
+    import { getScoreColorClass } from "$lib/score";
+    import { theme } from "$lib/stores/theme";
+    import GradeDisplay from "./GradeDisplay.svelte";
+
+    interface Props {
+        rspamd: RspamdResult;
+    }
+
+    let { rspamd }: Props = $props();
+
+    // Derive effective action from score vs known rspamd default thresholds.
+    // The action header is unreliable in milter setups (always "no action").
+    const RSPAMD_GREYLIST_THRESHOLD = 4;
+    const RSPAMD_ADD_HEADER_THRESHOLD = 6;
+
+    const effectiveAction = $derived.by(() => {
+        const rejectThreshold = rspamd.threshold > 0 ? rspamd.threshold : 15;
+        if (rspamd.score >= rejectThreshold) return { label: "Reject", cls: "bg-danger" };
+        if (rspamd.score >= RSPAMD_ADD_HEADER_THRESHOLD)
+            return { label: "Add header", cls: "bg-warning text-dark" };
+        if (rspamd.score >= RSPAMD_GREYLIST_THRESHOLD)
+            return { label: "Greylist", cls: "bg-warning text-dark" };
+        return { label: "No action", cls: "bg-success" };
+    });
+</script>
+
+<div class="card shadow-sm" id="rspamd-details">
+    <div class="card-header {$theme === 'light' ? 'bg-white' : 'bg-dark'}">
+        <h4 class="mb-0 d-flex justify-content-between align-items-center">
+            <span>
+                <i class="bi bi-bug me-2"></i>
+                rspamd Analysis
+            </span>
+            <span>
+                {#if rspamd.deliverability_score !== undefined}
+                    <span class="badge bg-{getScoreColorClass(rspamd.deliverability_score)}">
+                        {rspamd.deliverability_score}%
+                    </span>
+                {/if}
+                {#if rspamd.deliverability_grade !== undefined}
+                    <GradeDisplay grade={rspamd.deliverability_grade} size="small" />
+                {/if}
+            </span>
+        </h4>
+    </div>
+    <div class="card-body">
+        <div class="row mb-3">
+            <div class="col-md-4">
+                <strong>Score:</strong>
+                <span class={rspamd.is_spam ? "text-danger" : "text-success"}>
+                    {rspamd.score.toFixed(2)} / {rspamd.threshold.toFixed(1)}
+                </span>
+            </div>
+            <div class="col-md-4">
+                <strong>Classified as:</strong>
+                <span class="badge {rspamd.is_spam ? 'bg-danger' : 'bg-success'} ms-2">
+                    {rspamd.is_spam ? "SPAM" : "HAM"}
+                </span>
+            </div>
+            <div class="col-md-4">
+                <strong>Action:</strong>
+                <span class="badge {effectiveAction.cls} ms-2">
+                    {effectiveAction.label}
+                </span>
+            </div>
+        </div>
+
+        {#if rspamd.symbols && Object.keys(rspamd.symbols).length > 0}
+            <div class="mb-3">
+                <div class="table-responsive mt-2">
+                    <table class="table table-sm table-hover">
+                        <thead>
+                            <tr>
+                                <th>Symbol</th>
+                                <th class="text-end">Score</th>
+                                <th>Description</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            {#each Object.entries(rspamd.symbols).sort(([, a], [, b]) => b.score - a.score) as [symbolName, symbol]}
+                                <tr
+                                    class={symbol.score > 0
+                                        ? "table-warning"
+                                        : symbol.score < 0
+                                          ? "table-success"
+                                          : ""}
+                                >
+                                    <td>
+                                        <span class="font-monospace">{symbolName}</span>
+                                        {#if symbol.params}
+                                            <small class="d-block text-muted">
+                                                {symbol.params}
+                                            </small>
+                                        {/if}
+                                    </td>
+                                    <td class="text-end">
+                                        <span
+                                            class={symbol.score > 0
+                                                ? "text-danger fw-bold"
+                                                : symbol.score < 0
+                                                  ? "text-success fw-bold"
+                                                  : "text-muted"}
+                                        >
+                                            {symbol.score > 0 ? "+" : ""}{symbol.score.toFixed(2)}
+                                        </span>
+                                    </td>
+                                    <td class="small text-muted">{symbol.description ?? ""}</td>
+                                </tr>
+                            {/each}
+                        </tbody>
+                    </table>
+                </div>
+            </div>
+        {/if}
+
+        {#if rspamd.report}
+            <details class="mt-3">
+                <summary class="cursor-pointer fw-bold">Raw Report</summary>
+                <pre
+                    class="mt-2 small {$theme === 'light'
+                        ? 'bg-light'
+                        : 'bg-secondary'} p-3 rounded">{rspamd.report}</pre>
+            </details>
+        {/if}
+    </div>
+</div>
+
+<style>
+    .cursor-pointer {
+        cursor: pointer;
+    }
+
+    details summary {
+        user-select: none;
+    }
+
+    details summary:hover {
+        color: var(--bs-primary);
+    }
+
+    /* Darker table colors in dark mode */
+    :global([data-bs-theme="dark"]) .table-warning {
+        --bs-table-bg: rgba(255, 193, 7, 0.2);
+        --bs-table-border-color: rgba(255, 193, 7, 0.3);
+    }
+
+    :global([data-bs-theme="dark"]) .table-success {
+        --bs-table-bg: rgba(25, 135, 84, 0.2);
+        --bs-table-border-color: rgba(25, 135, 84, 0.3);
+    }
+</style>

web/src/lib/components/ScoreCard.svelte

@@ -1,7 +1,7 @@
 <script lang="ts">
     import type { ScoreSummary } from "$lib/api/types.gen";
-    import GradeDisplay from "./GradeDisplay.svelte";
     import { theme } from "$lib/stores/theme";
+    import GradeDisplay from "./GradeDisplay.svelte";
 
     interface Props {
         grade: string;
@@ -58,13 +58,10 @@
                     <a href="#dns-details" class="text-decoration-none">
                         <div
                             class="p-2 rounded text-center summary-card"
-                            class:bg-light={$theme === 'light'}
-                            class:bg-secondary={$theme !== 'light'}
+                            class:bg-light={$theme === "light"}
+                            class:bg-secondary={$theme !== "light"}
                         >
-                            <GradeDisplay
-                                grade={summary.dns_grade}
-                                score={summary.dns_score}
-                            />
+                            <GradeDisplay grade={summary.dns_grade} score={summary.dns_score} />
                             <small class="text-muted d-block">DNS</small>
                         </div>
                     </a>
@@ -73,8 +70,8 @@
                     <a href="#authentication-details" class="text-decoration-none">
                         <div
                             class="p-2 rounded text-center summary-card"
-                            class:bg-light={$theme === 'light'}
-                            class:bg-secondary={$theme !== 'light'}
+                            class:bg-light={$theme === "light"}
+                            class:bg-secondary={$theme !== "light"}
                         >
                             <GradeDisplay
                                 grade={summary.authentication_grade}
@@ -88,8 +85,8 @@
                     <a href="#rbl-details" class="text-decoration-none">
                         <div
                             class="p-2 rounded text-center summary-card"
-                            class:bg-light={$theme === 'light'}
-                            class:bg-secondary={$theme !== 'light'}
+                            class:bg-light={$theme === "light"}
+                            class:bg-secondary={$theme !== "light"}
                         >
                             <GradeDisplay
                                 grade={summary.blacklist_grade}
@@ -103,8 +100,8 @@
                     <a href="#header-details" class="text-decoration-none">
                         <div
                             class="p-2 rounded text-center summary-card"
-                            class:bg-light={$theme === 'light'}
-                            class:bg-secondary={$theme !== 'light'}
+                            class:bg-light={$theme === "light"}
+                            class:bg-secondary={$theme !== "light"}
                         >
                             <GradeDisplay
                                 grade={summary.header_grade}
@@ -118,13 +115,10 @@
                     <a href="#spam-details" class="text-decoration-none">
                         <div
                             class="p-2 rounded text-center summary-card"
-                            class:bg-light={$theme === 'light'}
-                            class:bg-secondary={$theme !== 'light'}
+                            class:bg-light={$theme === "light"}
+                            class:bg-secondary={$theme !== "light"}
                         >
-                            <GradeDisplay
-                                grade={summary.spam_grade}
-                                score={summary.spam_score}
-                            />
+                            <GradeDisplay grade={summary.spam_grade} score={summary.spam_score} />
                             <small class="text-muted d-block">Spam Score</small>
                         </div>
                     </a>
@@ -133,8 +127,8 @@
                     <a href="#content-details" class="text-decoration-none">
                         <div
                             class="p-2 rounded text-center summary-card"
-                            class:bg-light={$theme === 'light'}
-                            class:bg-secondary={$theme !== 'light'}
+                            class:bg-light={$theme === "light"}
+                            class:bg-secondary={$theme !== "light"}
                         >
                             <GradeDisplay
                                 grade={summary.content_grade}

web/src/lib/components/SpamAssassinCard.svelte

@@ -6,11 +6,9 @@
 
     interface Props {
         spamassassin: SpamAssassinResult;
-        spamGrade?: string;
-        spamScore?: number;
     }
 
-    let { spamassassin, spamGrade, spamScore }: Props = $props();
+    let { spamassassin }: Props = $props();
 </script>
 
 <div class="card shadow-sm" id="spam-details">
@@ -21,13 +19,13 @@
                 SpamAssassin Analysis
             </span>
             <span>
-                {#if spamScore !== undefined}
-                    <span class="badge bg-{getScoreColorClass(spamScore)}">
-                        {spamScore}%
+                {#if spamassassin.deliverability_score !== undefined}
+                    <span class="badge bg-{getScoreColorClass(spamassassin.deliverability_score)}">
+                        {spamassassin.deliverability_score}%
                     </span>
                 {/if}
-                {#if spamGrade !== undefined}
-                    <GradeDisplay grade={spamGrade} size="small" />
+                {#if spamassassin.deliverability_grade !== undefined}
+                    <GradeDisplay grade={spamassassin.deliverability_grade} size="small" />
                 {/if}
             </span>
         </h4>
@@ -61,14 +59,26 @@
                         </thead>
                         <tbody>
                             {#each Object.entries(spamassassin.test_details) as [testName, detail]}
-                                <tr class={detail.score > 0 ? 'table-warning' : detail.score < 0 ? 'table-success' : ''}>
+                                <tr
+                                    class={detail.score > 0
+                                        ? "table-warning"
+                                        : detail.score < 0
+                                          ? "table-success"
+                                          : ""}
+                                >
                                     <td class="font-monospace">{testName}</td>
                                     <td class="text-end">
-                                        <span class={detail.score > 0 ? 'text-danger fw-bold' : detail.score < 0 ? 'text-success fw-bold' : 'text-muted'}>
-                                            {detail.score > 0 ? '+' : ''}{detail.score.toFixed(1)}
+                                        <span
+                                            class={detail.score > 0
+                                                ? "text-danger fw-bold"
+                                                : detail.score < 0
+                                                  ? "text-success fw-bold"
+                                                  : "text-muted"}
+                                        >
+                                            {detail.score > 0 ? "+" : ""}{detail.score.toFixed(1)}
                                         </span>
                                     </td>
-                                    <td class="small">{detail.description || ''}</td>
+                                    <td class="small">{detail.description || ""}</td>
                                 </tr>
                             {/each}
                         </tbody>
@@ -80,7 +90,11 @@
                 <strong>Tests Triggered:</strong>
                 <div class="mt-2">
                     {#each spamassassin.tests as test}
-                        <span class="badge {$theme === 'light' ? 'bg-light text-dark' : 'bg-secondary'} me-1 mb-1">{test}</span>
+                        <span
+                            class="badge {$theme === 'light'
+                                ? 'bg-light text-dark'
+                                : 'bg-secondary'} me-1 mb-1">{test}</span
+                        >
                     {/each}
                 </div>
             </div>
@@ -89,7 +103,10 @@
         {#if spamassassin.report}
             <details class="mt-3">
                 <summary class="cursor-pointer fw-bold">Raw Report</summary>
-                <pre class="mt-2 small {$theme === 'light' ? 'bg-light' : 'bg-secondary'} p-3 rounded">{spamassassin.report}</pre>
+                <pre
+                    class="mt-2 small {$theme === 'light'
+                        ? 'bg-light'
+                        : 'bg-secondary'} p-3 rounded">{spamassassin.report}</pre>
             </details>
         {/if}
     </div>

web/src/lib/components/SpfRecordsDisplay.svelte

@@ -11,8 +11,8 @@
     // Check if DMARC has strict policy (quarantine or reject)
     const dmarcStrict = $derived(
         dmarcRecord?.valid &&
-        dmarcRecord?.policy &&
-        (dmarcRecord.policy === "quarantine" || dmarcRecord.policy === "reject")
+            dmarcRecord?.policy &&
+            (dmarcRecord.policy === "quarantine" || dmarcRecord.policy === "reject"),
     );
 
     // Compute overall validity
@@ -43,7 +43,11 @@
             <span class="badge bg-secondary">SPF</span>
         </div>
         <div class="card-body">
-            <p class="card-text small text-muted mb-0">SPF specifies which mail servers are authorized to send emails on behalf of your domain. Receiving servers check the sender's IP address against your SPF record to prevent email spoofing.</p>
+            <p class="card-text small text-muted mb-0">
+                SPF specifies which mail servers are authorized to send emails on behalf of your
+                domain. Receiving servers check the sender's IP address against your SPF record to
+                prevent email spoofing.
+            </p>
         </div>
         <div class="list-group list-group-flush">
             {#each spfRecords as spf, index}
@@ -76,18 +80,31 @@
                             {:else if spf.all_qualifier === "?"}
                                 <span class="badge bg-warning">Neutral (?all)</span>
                             {/if}
-                            {#if index === 0 || (index === 1 && spfRecords[0].record?.includes('redirect='))}
-                                <div class="alert small mt-2" class:alert-warning={spf.all_qualifier !== '-'} class:alert-success={spf.all_qualifier === '-'}>
-                                    {#if spf.all_qualifier === '-'}
-                                        All unauthorized servers will be rejected. This is the recommended strict policy.
+                            {#if index === 0 || (index === 1 && spfRecords[0].record?.includes("redirect="))}
+                                <div
+                                    class="alert small mt-2"
+                                    class:alert-warning={spf.all_qualifier !== "-"}
+                                    class:alert-success={spf.all_qualifier === "-"}
+                                >
+                                    {#if spf.all_qualifier === "-"}
+                                        All unauthorized servers will be rejected. This is the
+                                        recommended strict policy.
                                     {:else if dmarcStrict}
-                                        While your DMARC {dmarcRecord?.policy} policy provides some protection, consider using <code>-all</code> for better security with some old mailbox providers.
-                                    {:else if spf.all_qualifier === '~'}
-                                        Unauthorized servers will softfail. Consider using <code>-all</code> for stricter policy, though this rarely affects legitimate email deliverability.
-                                    {:else if spf.all_qualifier === '+'}
-                                        All servers are allowed to send email. This severely weakens email authentication. Use <code>-all</code> for strict policy.
-                                    {:else if spf.all_qualifier === '?'}
-                                        No statement about unauthorized servers. Use <code>-all</code> for strict policy to prevent spoofing.
+                                        While your DMARC {dmarcRecord?.policy} policy provides some protection,
+                                        consider using <code>-all</code> for better security with some
+                                        old mailbox providers.
+                                    {:else if spf.all_qualifier === "~"}
+                                        Unauthorized servers will softfail. Consider using <code
+                                            >-all</code
+                                        > for stricter policy, though this rarely affects legitimate
+                                        email deliverability.
+                                    {:else if spf.all_qualifier === "+"}
+                                        All servers are allowed to send email. This severely weakens
+                                        email authentication. Use <code>-all</code> for strict policy.
+                                    {:else if spf.all_qualifier === "?"}
+                                        No statement about unauthorized servers. Use <code
+                                            >-all</code
+                                        > for strict policy to prevent spoofing.
                                     {/if}
                                 </div>
                             {/if}
@@ -95,14 +112,16 @@
                     {/if}
                     {#if spf.record}
                         <div class="mb-2">
-                            <strong>Record:</strong><br>
+                            <strong>Record:</strong><br />
                             <code class="d-block mt-1 text-break">{spf.record}</code>
                         </div>
                     {/if}
                     {#if spf.error}
                         <div class="alert alert-{spf.valid ? 'warning' : 'danger'} mb-0 mt-2">
-                            <i class="bi bi-{spf.valid ? 'exclamation-triangle' : 'x-circle'} me-1"></i>
-                            <strong>{spf.valid ? 'Warning:' : 'Error:'}</strong> {spf.error}
+                            <i class="bi bi-{spf.valid ? 'exclamation-triangle' : 'x-circle'} me-1"
+                            ></i>
+                            <strong>{spf.valid ? "Warning:" : "Error:"}</strong>
+                            {spf.error}
                         </div>
                     {/if}
                 </div>

web/src/lib/components/SummaryCard.svelte

@@ -25,16 +25,32 @@
 
         // Email sender information
         const mailFrom = report.header_analysis?.headers?.from?.value || "an unknown sender";
-        const hasDkim = report.authentication?.dkim && report.authentication?.dkim.length > 0;
-        const dkimPassed = hasDkim && report.authentication?.dkim?.some((d) => d.result === "pass");
+        const hasDkim =
+            report.dns_results?.dkim_records && report.dns_results?.dkim_records?.length > 0;
+        const dkimPassed =
+            report.authentication?.dkim &&
+            report.authentication?.dkim.length > 0 &&
+            report.authentication?.dkim?.some((d) => d.result === "pass");
 
         segments.push({ text: "Received a " });
         segments.push({
-            text: dkimPassed ? "DKIM-signed" : "non-DKIM-signed",
-            highlight: { color: dkimPassed ? "good" : "danger", bold: true },
-            link: "#authentication-dkim",
+            text: hasDkim ? "DKIM-signed" : "non-DKIM-signed",
+            highlight: {
+                color: hasDkim ? (dkimPassed ? "good" : "warning") : "danger",
+                bold: true,
+            },
+            link: hasDkim && dkimPassed ? "#authentication-dkim" : "#dns-details",
         });
-        segments.push({ text: " email from " });
+        segments.push({ text: " email" });
+        if (hasDkim && !dkimPassed) {
+            segments.push({ text: " with " });
+            segments.push({
+                text: "an invalid signature",
+                highlight: { color: "danger", bold: true },
+                link: "#authentication-dkim",
+            });
+        }
+        segments.push({ text: " from " });
         segments.push({
             text: mailFrom,
             highlight: { emphasis: true },
@@ -113,7 +129,7 @@
             } else if (spfResult === "temperror" || spfResult === "permerror") {
                 segments.push({
                     text: "encountered an error",
-                    highlight: { color: "warning", bold: true },
+                    highlight: { color: "danger", bold: true },
                     link: "#authentication-spf",
                 });
                 segments.push({ text: ", check your SPF record configuration" });
@@ -130,6 +146,25 @@
             }
         }
 
+        // SPF DNS record check
+        const spfRecords = report.dns_results?.spf_records;
+        if (spfRecords && spfRecords.length > 0) {
+            const invalidSpfRecords = spfRecords.filter((r) => !r.valid && r.record);
+            if (invalidSpfRecords.length > 0) {
+                segments.push({ text: ". Your SPF record" });
+                if (invalidSpfRecords.length > 1) {
+                    segments.push({ text: "s are " });
+                } else {
+                    segments.push({ text: " is " });
+                }
+                segments.push({
+                    text: "invalid",
+                    highlight: { color: "danger", bold: true },
+                    link: "#dns-spf",
+                });
+            }
+        }
+
         // IP Reverse DNS (iprev) check
         const iprevResult = report.authentication?.iprev;
         if (iprevResult) {
@@ -217,6 +252,28 @@
             }
         }
 
+        // DKIM DNS record check
+        const dkimRecords = report.dns_results?.dkim_records;
+        if (dkimRecords && Object.keys(dkimRecords).length > 0) {
+            const invalidDkimKeys = Object.entries(dkimRecords)
+                .filter(([_, record]) => !record.valid && record.record)
+                .map(([key, _]) => key);
+
+            if (invalidDkimKeys.length > 0) {
+                segments.push({ text: ". Your DKIM record" });
+                if (invalidDkimKeys.length > 1) {
+                    segments.push({ text: "s are " });
+                } else {
+                    segments.push({ text: " is " });
+                }
+                segments.push({
+                    text: "invalid",
+                    highlight: { color: "danger", bold: true },
+                    link: "#dns-dkim",
+                });
+            }
+        }
+
         // DMARC policy check
         const dmarcRecord = report.dns_results?.dmarc_record;
         if (dmarcRecord) {
@@ -235,9 +292,9 @@
                 segments.push({ text: "none", highlight: { monospace: true, bold: true } });
                 segments.push({ text: "' policy", highlight: { bold: true } });
             } else if (!dmarcRecord.valid) {
-                segments.push({ text: ". Your DMARC record has " });
+                segments.push({ text: ". Your DMARC record is " });
                 segments.push({
-                    text: "issues",
+                    text: "invalid",
                     highlight: { color: "danger", bold: true },
                     link: "#dns-dmarc",
                 });
@@ -277,7 +334,9 @@
         // BIMI
         const bimiResult = report.authentication?.bimi;
         if (
-            (dmarcRecord && dmarcRecord.valid && dmarcRecord.policy != "none") &&
+            dmarcRecord &&
+            dmarcRecord.valid &&
+            dmarcRecord.policy != "none" &&
             (!bimiResult || bimiResult.result !== "skipped")
         ) {
             const bimiRecord = report.dns_results?.bimi_record;
@@ -288,8 +347,15 @@
                     highlight: { color: "good", bold: true },
                     link: "#dns-bimi",
                 });
-                if (bimiResult.details && bimiResult.details.indexOf("declined") == 0) {
+                if (bimiResult?.details && bimiResult.details.indexOf("declined") == 0) {
                     segments.push({ text: " declined to participate" });
+                } else if (bimiResult?.result === "fail") {
+                    segments.push({ text: " but " });
+                    segments.push({
+                        text: "has issues",
+                        highlight: { color: "danger", bold: true },
+                        link: "#authentication-bimi",
+                    });
                 } else {
                     segments.push({ text: " for brand indicator display" });
                 }
@@ -372,6 +438,17 @@
             });
         }
 
+        // One-click unsubscribe check
+        const unsubscribeMethods = report.content_analysis?.unsubscribe_methods;
+        if (unsubscribeMethods && unsubscribeMethods.length > 0 && !unsubscribeMethods.includes("one-click")) {
+            segments.push({ text: ". This email could benefit from " });
+            segments.push({
+                text: "one-click unsubscribe",
+                highlight: { color: "warning", bold: true },
+                link: "#content-details",
+            });
+        }
+
         // Content/spam assessment
         const spamAssassin = report.spamassassin;
         const contentScore = report.summary?.content_score || 0;
@@ -475,19 +552,39 @@
                 {#if segment.link}
                     <a
                         href={segment.link}
-                        class="summary-link {segment.highlight ? getColorClass(segment.highlight.color) : ''} {segment.highlight?.bold ? 'highlighted' : ''} {segment.highlight?.emphasis ? 'fst-italic' : ''} {segment.highlight?.monospace ? 'font-monospace' : ''}"
+                        class="summary-link {segment.highlight
+                            ? getColorClass(segment.highlight.color)
+                            : ''} {segment.highlight?.bold ? 'highlighted' : ''} {segment.highlight
+                            ?.emphasis
+                            ? 'fst-italic'
+                            : ''} {segment.highlight?.monospace ? 'font-monospace' : ''}"
                     >
                         {segment.text}
                     </a>
                 {:else if segment.highlight}
-                    <span class="{getColorClass(segment.highlight.color)} {segment.highlight.bold ? 'highlighted' : ''} {segment.highlight?.emphasis ? 'fst-italic' : ''} {segment.highlight?.monospace ? 'font-monospace' : ''}">
+                    <span
+                        class="{getColorClass(segment.highlight.color)} {segment.highlight.bold
+                            ? 'highlighted'
+                            : ''} {segment.highlight?.emphasis ? 'fst-italic' : ''} {segment
+                            .highlight?.monospace
+                            ? 'font-monospace'
+                            : ''}"
+                    >
                         {segment.text}
                     </span>
                 {:else}
                     {segment.text}
                 {/if}
             {/each}
-            Overall, your email received a grade <GradeDisplay grade={report.grade} score={report.score} size="inline" />{#if report.grade == "A" || report.grade == "A+"}, well done 🎉{:else if report.grade == "C" || report.grade == "D"}: you should try to increase your score to ensure inbox delivery.{:else if report.grade == "E"}: you could have delivery issues with common providers.{:else if report.grade == "F"}: it will most likely be rejected by most providers.{:else}!{/if} Check the details below 🔽
+            Overall, your email received a grade <GradeDisplay
+                grade={report.grade}
+                score={report.score}
+                size="inline"
+            />{#if report.grade == "A" || report.grade == "A+"}, well done 🎉{:else if report.grade == "C" || report.grade == "D"}:
+                you should try to increase your score to ensure inbox delivery.{:else if report.grade == "E"}:
+                you could have delivery issues with common providers.{:else if report.grade == "F"}:
+                it will most likely be rejected by most providers.{:else}!{/if} Check the details below
+            🔽
         </p>
         {@render children?.()}
     </div>

web/src/lib/components/WhitelistCard.svelte

@@ -0,0 +1,62 @@
+<script lang="ts">
+    import type { BlacklistCheck } from "$lib/api/types.gen";
+    import { theme } from "$lib/stores/theme";
+
+    interface Props {
+        whitelists: Record<string, BlacklistCheck[]>;
+    }
+
+    let { whitelists }: Props = $props();
+</script>
+
+<div class="card shadow-sm" id="dnswl-details">
+    <div class="card-header" class:bg-white={$theme === "light"} class:bg-dark={$theme !== "light"}>
+        <h4 class="mb-0 d-flex flex-wrap justify-content-between align-items-center">
+            <span>
+                <i class="bi bi-shield-check me-2"></i>
+                Whitelist Checks
+            </span>
+            <span class="badge bg-info text-white">Informational</span>
+        </h4>
+    </div>
+    <div class="card-body">
+        <p class="text-muted small mb-3">
+            DNS whitelists identify trusted senders. Being listed here is a positive signal, but has
+            no impact on the overall score.
+        </p>
+
+        <div class="row row-cols-1 row-cols-lg-2 overflow-auto">
+            {#each Object.entries(whitelists) as [ip, checks]}
+                <div class="col mb-3">
+                    <h5 class="text-muted">
+                        <i class="bi bi-hdd-network me-1"></i>
+                        {ip}
+                    </h5>
+                    <table class="table table-sm table-striped table-hover mb-0">
+                        <tbody>
+                            {#each checks as check}
+                                <tr>
+                                    <td title={check.response || "-"}>
+                                        <span
+                                            class="badge"
+                                            class:bg-success={check.listed}
+                                            class:bg-dark={check.error}
+                                            class:bg-secondary={!check.listed && !check.error}
+                                        >
+                                            {check.error
+                                                ? "Error"
+                                                : check.listed
+                                                  ? "Listed"
+                                                  : "Not listed"}
+                                        </span>
+                                    </td>
+                                    <td><code>{check.rbl}</code></td>
+                                </tr>
+                            {/each}
+                        </tbody>
+                    </table>
+                </div>
+            {/each}
+        </div>
+    </div>
+</div>

web/src/lib/components/index.ts

@@ -1,17 +1,28 @@
 // Component exports
-export { default as FeatureCard } from "./FeatureCard.svelte";
-export { default as HowItWorksStep } from "./HowItWorksStep.svelte";
-export { default as ScoreCard } from "./ScoreCard.svelte";
-export { default as SummaryCard } from "./SummaryCard.svelte";
-export { default as SpamAssassinCard } from "./SpamAssassinCard.svelte";
-export { default as EmailAddressDisplay } from "./EmailAddressDisplay.svelte";
-export { default as PendingState } from "./PendingState.svelte";
 export { default as AuthenticationCard } from "./AuthenticationCard.svelte";
-export { default as DnsRecordsCard } from "./DnsRecordsCard.svelte";
+export { default as BimiRecordDisplay } from "./BimiRecordDisplay.svelte";
 export { default as BlacklistCard } from "./BlacklistCard.svelte";
 export { default as ContentAnalysisCard } from "./ContentAnalysisCard.svelte";
-export { default as HeaderAnalysisCard } from "./HeaderAnalysisCard.svelte";
-export { default as PtrRecordsDisplay } from "./PtrRecordsDisplay.svelte";
-export { default as PtrForwardRecordsDisplay } from "./PtrForwardRecordsDisplay.svelte";
-export { default as TinySurvey } from "./TinySurvey.svelte";
+export { default as DkimRecordsDisplay } from "./DkimRecordsDisplay.svelte";
+export { default as DmarcRecordDisplay } from "./DmarcRecordDisplay.svelte";
+export { default as DnsRecordsCard } from "./DnsRecordsCard.svelte";
+export { default as EmailAddressDisplay } from "./EmailAddressDisplay.svelte";
+export { default as EmailPathCard } from "./EmailPathCard.svelte";
 export { default as ErrorDisplay } from "./ErrorDisplay.svelte";
+export { default as FeatureCard } from "./FeatureCard.svelte";
+export { default as GradeDisplay } from "./GradeDisplay.svelte";
+export { default as HeaderAnalysisCard } from "./HeaderAnalysisCard.svelte";
+export { default as HowItWorksStep } from "./HowItWorksStep.svelte";
+export { default as Logo } from "./Logo.svelte";
+export { default as MxRecordsDisplay } from "./MxRecordsDisplay.svelte";
+export { default as PendingState } from "./PendingState.svelte";
+export { default as PtrForwardRecordsDisplay } from "./PtrForwardRecordsDisplay.svelte";
+export { default as PtrRecordsDisplay } from "./PtrRecordsDisplay.svelte";
+export { default as ScoreCard } from "./ScoreCard.svelte";
+export { default as RspamdCard } from "./RspamdCard.svelte";
+export { default as SpamAssassinCard } from "./SpamAssassinCard.svelte";
+export { default as SpfRecordsDisplay } from "./SpfRecordsDisplay.svelte";
+export { default as SummaryCard } from "./SummaryCard.svelte";
+export { default as HistoryTable } from "./HistoryTable.svelte";
+export { default as TinySurvey } from "./TinySurvey.svelte";
+export { default as WhitelistCard } from "./WhitelistCard.svelte";

web/src/lib/stores/config.ts

@@ -24,11 +24,15 @@ import { writable } from "svelte/store";
 interface AppConfig {
     report_retention?: number;
     survey_url?: string;
+    custom_logo_url?: string;
+    rbls?: string[];
+    test_list_enabled?: boolean;
 }
 
 const defaultConfig: AppConfig = {
     report_retention: 0,
     survey_url: "",
+    rbls: [],
 };
 
 function getConfigFromScriptTag(): AppConfig | null {