ts/mail/security/classes.dkimverifier.ts

import { logger } from '../../logger.js';
import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js';
import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';

/**
 * Result of a DKIM verification
 */
export interface IDkimVerificationResult {
  isValid: boolean;
  domain?: string;
  selector?: string;
  status?: string;
  details?: any;
  errorMessage?: string;
  signatureFields?: Record<string, string>;
}

/**
 * DKIM verifier — delegates to the Rust security bridge.
 */
export class DKIMVerifier {
  constructor() {}

  /**
   * Verify DKIM signature for an email via Rust bridge
   */
  public async verify(
    emailData: string,
    options: {
      useCache?: boolean;
      returnDetails?: boolean;
    } = {}
  ): Promise<IDkimVerificationResult> {
    try {
      const bridge = RustSecurityBridge.getInstance();
      const results = await bridge.verifyDkim(emailData);
      const first = results[0];

      const result: IDkimVerificationResult = {
        isValid: first?.is_valid ?? false,
        domain: first?.domain ?? undefined,
        selector: first?.selector ?? undefined,
        status: first?.status ?? 'none',
        details: options.returnDetails ? results : undefined,
      };

      SecurityLogger.getInstance().logEvent({
        level: result.isValid ? SecurityLogLevel.INFO : SecurityLogLevel.WARN,
        type: SecurityEventType.DKIM,
        message: `DKIM verification ${result.isValid ? 'passed' : 'failed'} for domain ${result.domain || 'unknown'}`,
        details: { selector: result.selector, status: result.status },
        domain: result.domain || 'unknown',
        success: result.isValid
      });

      logger.log(result.isValid ? 'info' : 'warn',
        `DKIM verification: ${result.status} for domain ${result.domain || 'unknown'}`);

      return result;
    } catch (error) {
      logger.log('error', `DKIM verification failed: ${error.message}`);

      SecurityLogger.getInstance().logEvent({
        level: SecurityLogLevel.ERROR,
        type: SecurityEventType.DKIM,
        message: `DKIM verification error`,
        details: { error: error.message },
        success: false
      });

      return {
        isValid: false,
        status: 'temperror',
        errorMessage: `Verification error: ${error.message}`
      };
    }
  }

  /** No-op — Rust bridge handles its own caching */
  public clearCache(): void {}

  /** Always 0 — cache is managed by the Rust side */
  public getCacheSize(): number {
    return 0;
  }
}
feat(rust): scaffold Rust workspace and fix TypeScript build errors - Add @git.zone/tsrust with linux_amd64/linux_arm64 cross-compilation - Scaffold Rust workspace with 5 crates: mailer-core, mailer-smtp, mailer-security, mailer-napi, mailer-bin - Fix all TypeScript compilation errors for upgraded dependencies (smartfile v13, mailauth v4.13, smartproxy v23) - Replace smartfile.fs/memory with @push.rocks/smartfs throughout codebase - Fix .ts import extensions to .js for NodeNext module resolution - Update DKIMSignOptions usage to match mailauth v4.13 API - Add MTA error classes with permissive signatures for legacy SMTP client - Replace removed DcRouter/StorageManager/deliverability imports with local interfaces 2026-02-10 15:31:31 +00:00			`import { logger } from '../../logger.js';`
			`import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js';`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';`
initial 2025-10-24 08:09:29 +00:00
			`/**`
			`* Result of a DKIM verification`
			`*/`
			`export interface IDkimVerificationResult {`
			`isValid: boolean;`
			`domain?: string;`
			`selector?: string;`
			`status?: string;`
			`details?: any;`
			`errorMessage?: string;`
			`signatureFields?: Record<string, string>;`
			`}`

			`/**`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`* DKIM verifier — delegates to the Rust security bridge.`
initial 2025-10-24 08:09:29 +00:00			`*/`
			`export class DKIMVerifier {`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`constructor() {}`
initial 2025-10-24 08:09:29 +00:00
			`/**`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`* Verify DKIM signature for an email via Rust bridge`
initial 2025-10-24 08:09:29 +00:00			`*/`
			`public async verify(`
			`emailData: string,`
			`options: {`
			`useCache?: boolean;`
			`returnDetails?: boolean;`
			`} = {}`
			`): Promise<IDkimVerificationResult> {`
			`try {`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`const bridge = RustSecurityBridge.getInstance();`
			`const results = await bridge.verifyDkim(emailData);`
			`const first = results[0];`

			`const result: IDkimVerificationResult = {`
			`isValid: first?.is_valid ?? false,`
			`domain: first?.domain ?? undefined,`
			`selector: first?.selector ?? undefined,`
			`status: first?.status ?? 'none',`
			`details: options.returnDetails ? results : undefined,`
			`};`
initial 2025-10-24 08:09:29 +00:00
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`SecurityLogger.getInstance().logEvent({`
			`level: result.isValid ? SecurityLogLevel.INFO : SecurityLogLevel.WARN,`
			`type: SecurityEventType.DKIM,`
			message: `DKIM verification ${result.isValid ? 'passed' : 'failed'} for domain ${result.domain \|\| 'unknown'}`,
			`details: { selector: result.selector, status: result.status },`
			`domain: result.domain \|\| 'unknown',`
			`success: result.isValid`
			`});`
initial 2025-10-24 08:09:29 +00:00
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`logger.log(result.isValid ? 'info' : 'warn',`
			`DKIM verification: ${result.status} for domain ${result.domain \|\| 'unknown'}`);
initial 2025-10-24 08:09:29 +00:00
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`return result;`
initial 2025-10-24 08:09:29 +00:00			`} catch (error) {`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			logger.log('error', `DKIM verification failed: ${error.message}`);

initial 2025-10-24 08:09:29 +00:00			`SecurityLogger.getInstance().logEvent({`
			`level: SecurityLogLevel.ERROR,`
			`type: SecurityEventType.DKIM,`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			message: `DKIM verification error`,
initial 2025-10-24 08:09:29 +00:00			`details: { error: error.message },`
			`success: false`
			`});`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00
initial 2025-10-24 08:09:29 +00:00			`return {`
			`isValid: false,`
			`status: 'temperror',`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			errorMessage: `Verification error: ${error.message}`
initial 2025-10-24 08:09:29 +00:00			`};`
			`}`
			`}`

BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`/** No-op — Rust bridge handles its own caching */`
			`public clearCache(): void {}`

			`/** Always 0 — cache is managed by the Rust side */`
initial 2025-10-24 08:09:29 +00:00			`public getCacheSize(): number {`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`return 0;`
initial 2025-10-24 08:09:29 +00:00			`}`
BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks Phase 3 of the Rust migration: the Rust security bridge is now mandatory and all TypeScript security fallback implementations have been removed. - UnifiedEmailServer.start() throws if Rust bridge fails to start - SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS) - DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim() - IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache - DmarcVerifier keeps alignment logic (works with pre-computed results) - DKIM signing via bridge.signDkim() in all 4 locations - Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted) 2026-02-10 20:30:43 +00:00			`}`