BREAKING CHANGE(smartmta): Rebrand package to @push.rocks/smartmta, add consolidated email security verification and IPC handler

2026-02-10 16:25:55 +00:00
parent 199b9b79d2
commit 8293663619
17 changed files with 1183 additions and 383 deletions
--- a/.gitea/release-template.md
+++ b/.gitea/release-template.md
@@ -6,7 +6,7 @@ Pre-compiled binaries for multiple platforms.
 #### Option 1: Via npm (recommended)
 ```bash
-npm install -g @serve.zone/mailer
+npm install -g @push.rocks/smartmta
 ```
 #### Option 2: Direct binary download
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,15 @@
 # Changelog
 ## 2026-02-10 - 2.0.0 - BREAKING CHANGE(smartmta)
 Rebrand package to @push.rocks/smartmta, add consolidated email security verification and IPC handler
 - Package renamed from @serve.zone/mailer to @push.rocks/smartmta (package.json, commitinfo, README and homepage/bugs/repository URLs updated) — breaking for consumers who import by package name.
 - Added new compound email security API verify_email_security that runs DKIM, SPF and DMARC in a single call (rust/crates/mailer-security/src/verify.rs) and exposed it from the mailer-security crate.
 - Added IPC handler "verifyEmail" in mailer-bin to call the new verify_email_security function from the Rust side.
 - Refactored DKIM and SPF code to convert mail-auth outputs to serializable results (dkim_outputs_to_results and SpfResult::from_output) and wired them into the combined verifier.
 - Updated TypeScript plugin exports and dependencies: added @push.rocks/smartrust and exported smartrust in ts/plugins.ts.
 - Large README overhaul to reflect rebranding, install instructions, architecture and legal/company info.
 ## 2026-02-10 - 1.3.1 - fix(deps)
 add workspace dependency entries for multiple crates across mailer-bin, mailer-core, and mailer-security
--- a/dist_ts/00_commitinfo_data.js
+++ b/dist_ts/00_commitinfo_data.js
@@ -2,8 +2,8 @@
 * autocreated commitinfo by @push.rocks/commitinfo
 */
 export const commitinfo = {
-    name: '@serve.zone/mailer',
+    name: '@push.rocks/smartmta',
-    version: '1.3.0',
+    version: '1.3.1',
-    description: 'Enterprise mail server with SMTP, HTTP API, and DNS management - built for serve.zone infrastructure'
+    description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.'
 };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvMDBfY29tbWl0aW5mb19kYXRhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSxvQkFBb0I7SUFDMUIsT0FBTyxFQUFFLE9BQU87SUFDaEIsV0FBVyxFQUFFLHNHQUFzRztDQUNwSCxDQUFBIn0=
--- a/package.json
+++ b/package.json
@@ -1,30 +1,30 @@
 {
-  "name": "@serve.zone/mailer",
+  "name": "@push.rocks/smartmta",
  "version": "1.3.1",
-  "description": "Enterprise mail server with SMTP, HTTP API, and DNS management - built for serve.zone infrastructure",
+  "description": "A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.",
  "keywords": [
-    "mailer",
+    "mta",
    "smtp",
    "email",
    "mail server",
-    "mailgun",
+    "mail transfer agent",
    "dkim",
    "spf",
    "dmarc",
    "dns",
    "cloudflare",
-    "daemon service",
+    "typescript",
-    "api",
+    "rust"
    "serve.zone"
  ],
-  "homepage": "https://code.foss.global/serve.zone/mailer",
+  "homepage": "https://code.foss.global/push.rocks/smartmta",
  "bugs": {
-    "url": "https://code.foss.global/serve.zone/mailer/issues"
+    "url": "https://code.foss.global/push.rocks/smartmta/issues"
  },
  "repository": {
    "type": "git",
-    "url": "git+https://code.foss.global/serve.zone/mailer.git"
+    "url": "git+https://code.foss.global/push.rocks/smartmta.git"
  },
-  "author": "Serve Zone",
+  "author": "Task Venture Capital GmbH",
  "license": "MIT",
  "type": "module",
  "bin": {
@@ -66,6 +66,7 @@
    "@push.rocks/smartproxy": "^23.1.0",
    "@push.rocks/smartrequest": "^5.0.1",
    "@push.rocks/smartrule": "^2.0.1",
    "@push.rocks/smartrust": "^1.1.1",
    "@push.rocks/smartrx": "^3.0.10",
    "@push.rocks/smartunique": "^3.0.9",
    "@serve.zone/interfaces": "^5.0.4",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -74,6 +74,9 @@ importers:
      '@push.rocks/smartrule':
        specifier: ^2.0.1
        version: 2.0.1
      '@push.rocks/smartrust':
        specifier: ^1.1.1
        version: 1.1.1
      '@push.rocks/smartrx':
        specifier: ^3.0.10
        version: 3.0.10
--- a/readme.md
+++ b/readme.md
@@ -1,361 +1,479 @@
-# @serve.zone/mailer
+# @push.rocks/smartmta
-> Enterprise mail server with SMTP, HTTP API, and DNS management
+A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration — no nodemailer, no shortcuts. 🚀
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](license)
+## Issue Reporting and Security
-[![Version](https://img.shields.io/badge/version-1.0.0-green.svg)](package.json)
+
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 ## Install
 ```bash
 pnpm install @push.rocks/smartmta
 # or
 npm install @push.rocks/smartmta
 ```
 ## Overview
-`@serve.zone/mailer` is a comprehensive mail server solution built with Deno, featuring:
+`@push.rocks/smartmta` is a **complete mail server solution** — SMTP server, SMTP client, email security, content scanning, and delivery management — all built with a custom SMTP implementation. No wrappers around nodemailer. No half-measures.
- **SMTP Server & Client** - Full-featured SMTP implementation for sending and receiving emails
+### ✨ What's Inside
 - **HTTP REST API** - Mailgun-compatible API for programmatic email management
 - **DNS Management** - Automatic DNS setup via Cloudflare API
 - **DKIM/SPF/DMARC** - Complete email authentication and security
 - **Daemon Service** - Systemd integration for production deployments
 - **CLI Interface** - Command-line management of all features
-## Architecture
+| Module | What It Does |
 |---|---|
 | **SMTP Server** | RFC 5321-compliant server with TLS/STARTTLS, authentication, pipelining |
 | **SMTP Client** | Outbound delivery with connection pooling, retry logic, TLS negotiation |
 | **DKIM** | Key generation, signing, and verification — per domain |
 | **SPF** | Full SPF record validation |
 | **DMARC** | Policy enforcement and verification |
 | **Email Router** | Pattern-based routing with priority, forward/deliver/reject/process actions |
 | **Bounce Manager** | Automatic bounce detection, classification (hard/soft), and tracking |
 | **Content Scanner** | Spam, phishing, malware, XSS, and suspicious link detection |
 | **IP Reputation** | DNSBL checks, proxy/TOR/VPN detection, risk scoring |
 | **Rate Limiter** | Hierarchical rate limiting (global, per-domain, per-sender) |
 | **Delivery Queue** | Persistent queue with exponential backoff retry |
 | **Template Engine** | Email templates with variable substitution |
 | **Domain Registry** | Multi-domain management with per-domain configuration |
 | **DNS Manager** | Automatic DNS record management with Cloudflare API integration |
 | **Rust Accelerator** | Performance-critical operations (DKIM, MIME, validation) in Rust via IPC |
-### Technology Stack
+### 🏗️ Architecture
 - **Runtime**: Deno (compiles to standalone binaries)
 - **Language**: TypeScript
 - **Distribution**: npm (via binary wrappers)
 - **Service**: systemd daemon
 - **DNS**: Cloudflare API integration
 ### Project Structure
 ```
-mailer/
+┌─────────────────────────────────────────────────────┐
-├── bin/                    # npm binary wrappers
+│                  UnifiedEmailServer                  │
-├── scripts/                # Build scripts
+│  (orchestrates all components, emits events)         │
-├── ts/                     # TypeScript source
+├──────────┬──────────┬───────────┬───────────────────┤
-│   ├── mail/              # Email implementation (ported from dcrouter)
+│  SMTP    │  Email   │ Security  │    Delivery       │
-│   │   ├── core/          # Email classes, validation, templates
+│  Server  │  Router  │  Stack    │    System         │
-│   │   ├── delivery/      # SMTP client/server, queues
+│  ┌─────┐ │  ┌─────┐ │ ┌──────┐  │  ┌─────────────┐ │
-│   │   ├── routing/       # Email routing, domain config
+│  │ TLS │ │  │Match│ │ │ DKIM │  │  │ Queue       │ │
-│   │   └── security/      # DKIM, SPF, DMARC
+│  │ Auth│ │  │Route│ │ │ SPF  │  │  │ Rate Limit  │ │
-│   ├── api/               # HTTP REST API (Mailgun-compatible)
+│  │ Cmd │ │  │ Act │ │ │DMARC │  │  │ SMTP Client │ │
-│   ├── dns/               # DNS management + Cloudflare
+│  │ Data│ │  │     │ │ │IPRep │  │  │ Retry Logic │ │
-│   ├── daemon/            # Systemd service management
+│  └─────┘ │  └─────┘ │ │Scan  │  │  └─────────────┘ │
-│   ├── config/            # Configuration system
+│          │          │ └──────┘  │                   │
-│   └── cli/               # Command-line interface
+├──────────┴──────────┴───────────┴───────────────────┤
-├── test/                  # Test suite
+│             Rust Acceleration Layer                  │
-├── deno.json              # Deno configuration
+│  (mailer-core, mailer-security via smartrust IPC)    │
-├── package.json           # npm metadata
+└─────────────────────────────────────────────────────┘
 └── mod.ts                 # Main entry point
 ```
 ## Installation
 ### Via npm (recommended)
 ```bash
 npm install -g @serve.zone/mailer
 ```
 ### From source
 ```bash
 git clone https://code.foss.global/serve.zone/mailer
 cd mailer
 deno task compile
 ```
 ## Usage
-### CLI Commands
+### 🔧 Setting Up the Email Server
-#### Service Management
+The central entry point is `UnifiedEmailServer`, which orchestrates SMTP, routing, security, and delivery:
 ```bash
 # Start the mailer daemon
 sudo mailer service start
 # Stop the daemon
 sudo mailer service stop
 # Restart the daemon
 sudo mailer service restart
 # Check status
 mailer service status
 # Enable systemd service
 sudo mailer service enable
 # Disable systemd service
 sudo mailer service disable
 ```
 #### Domain Management
 ```bash
 # Add a domain
 mailer domain add example.com
 # Remove a domain
 mailer domain remove example.com
 # List all domains
 mailer domain list
 ```
 #### DNS Management
 ```bash
 # Auto-configure DNS via Cloudflare
 mailer dns setup example.com
 # Validate DNS configuration
 mailer dns validate example.com
 # Show required DNS records
 mailer dns show example.com
 ```
 #### Sending Email
 ```bash
 # Send email via CLI
 mailer send \\
  --from sender@example.com \\
  --to recipient@example.com \\
  --subject "Hello" \\
  --text "World"
 ```
 #### Configuration
 ```bash
 # Show current configuration
 mailer config show
 # Set configuration value
 mailer config set smtpPort 25
 mailer config set apiPort 8080
 mailer config set hostname mail.example.com
 ```
 ### HTTP API
 The mailer provides a Mailgun-compatible REST API:
 #### Send Email
 ```bash
 POST /v1/messages
 Content-Type: application/json
 {
  "from": "sender@example.com",
  "to": "recipient@example.com",
  "subject": "Hello",
  "text": "World",
  "html": "<p>World</p>"
 }
 ```
 #### List Domains
 ```bash
 GET /v1/domains
 ```
 #### Manage SMTP Credentials
 ```bash
 GET /v1/domains/:domain/credentials
 POST /v1/domains/:domain/credentials
 DELETE /v1/domains/:domain/credentials/:id
 ```
 #### Email Events
 ```bash
 GET /v1/events
 ```
 ### Programmatic Usage
 ```typescript
-import { Email, SmtpClient } from '@serve.zone/mailer';
+import { UnifiedEmailServer } from '@push.rocks/smartmta';
-// Create an email
+const emailServer = new UnifiedEmailServer(dcRouterRef, {
-const email = new Email({
+  ports: [25, 587, 465],
-  from: 'sender@example.com',
+  hostname: 'mail.example.com',
-  to: 'recipient@example.com',
+  domains: [
-  subject: 'Hello from Mailer',
+    {
-  text: 'This is a test email',
+      domain: 'example.com',
-  html: '<p>This is a test email</p>',
+      dnsMode: 'external-dns',
      dkim: {
        selector: 'default',
        keySize: 2048,
        rotateKeys: true,
        rotationInterval: 90,
      },
      rateLimits: {
        maxMessagesPerMinute: 100,
        maxRecipientsPerMessage: 50,
      },
    },
  ],
  routes: [
    {
      name: 'catch-all-forward',
      priority: 10,
      match: {
        recipients: '*@example.com',
      },
      action: {
        type: 'forward',
        forward: {
          host: 'internal-mail.example.com',
          port: 25,
        },
      },
    },
    {
      name: 'reject-spam-senders',
      priority: 100,
      match: {
        senders: '*@spamdomain.com',
      },
      action: {
        type: 'reject',
        reject: {
          code: 550,
          message: 'Sender rejected by policy',
        },
      },
    },
  ],
  auth: {
    required: false,
    methods: ['PLAIN', 'LOGIN'],
    users: [{ username: 'outbound', password: 'secret' }],
  },
  tls: {
    certPath: '/etc/ssl/mail.crt',
    keyPath: '/etc/ssl/mail.key',
  },
  maxMessageSize: 25 * 1024 * 1024, // 25 MB
  maxClients: 500,
 });
-// Send via SMTP
+await emailServer.start();
-const client = new SmtpClient({
+```
 ### 📧 Sending Emails with the SMTP Client
 Create and send emails using the built-in SMTP client with connection pooling:
 ```typescript
 import { Email, createSmtpClient } from '@push.rocks/smartmta';
 // Create a client with connection pooling
 const client = createSmtpClient({
  host: 'smtp.example.com',
  port: 587,
-  secure: true,
+  secure: false,     // will upgrade via STARTTLS
  pool: true,
  maxConnections: 5,
  auth: {
-    user: 'username',
+    user: 'sender@example.com',
-    pass: 'password',
+    pass: 'your-password',
  },
 });
-await client.sendMail(email);
+// Build an email
-```
+const email = new Email({
-
+  from: 'sender@example.com',
-## Configuration
+  to: ['recipient@example.com'],
-
+  cc: ['cc@example.com'],
-Configuration is stored in `~/.mailer/config.json`:
+  subject: 'Hello from smartmta!',
-
+  text: 'Plain text body',
-```json
+  html: '<h1>Hello!</h1><p>HTML body with <strong>formatting</strong></p>',
-{
+  priority: 'high',
-  "domains": [
+  attachments: [
    {
-      "domain": "example.com",
+      filename: 'report.pdf',
-      "dnsMode": "external-dns",
+      content: pdfBuffer,
-      "cloudflare": {
+      contentType: 'application/pdf',
-        "apiToken": "your-cloudflare-token"
+    },
      }
    }
  ],
-  "apiKeys": ["api-key-1", "api-key-2"],
+});
-  "smtpPort": 25,
+
-  "apiPort": 8080,
+// Send it
-  "hostname": "mail.example.com"
+const result = await client.sendMail(email);
-}
+console.log(`Message sent: ${result.messageId}`);
 ```
-## DNS Setup
+### 🔐 DKIM Signing
-The mailer requires the following DNS records for each domain:
+Automatic DKIM key generation, storage, and signing per domain:
-### MX Record
+```typescript
-```
+import { DKIMCreator } from '@push.rocks/smartmta';
-Type: MX
+
-Name: @
+const dkimCreator = new DKIMCreator('/path/to/keys');
-Value: mail.example.com
+
-Priority: 10
+// Auto-generate keys if they don't exist
-TTL: 3600
+await dkimCreator.handleDKIMKeysForDomain('example.com');
 // Get the DNS record you need to publish
 const dnsRecord = await dkimCreator.getDNSRecordForDomain('example.com');
 console.log(dnsRecord);
 // → { type: 'TXT', name: 'default._domainkey.example.com', value: 'v=DKIM1; k=rsa; p=...' }
 // Sign an email
 const signedEmail = await dkimCreator.signEmail(email);
 ```
-### A Record
+### 🛡️ Email Authentication (SPF, DKIM, DMARC)
-```
+
-Type: A
+Verify incoming emails against all three authentication standards:
-Name: mail
+
-Value: <your-server-ip>
+```typescript
-TTL: 3600
+import { DKIMVerifier, SpfVerifier, DmarcVerifier } from '@push.rocks/smartmta';
 // SPF verification
 const spfVerifier = new SpfVerifier();
 const spfResult = await spfVerifier.verify(senderIP, senderDomain, ehloHostname);
 // → { result: 'pass' | 'fail' | 'softfail' | 'neutral' | 'none' | 'temperror' | 'permerror' }
 // DKIM verification
 const dkimVerifier = new DKIMVerifier();
 const dkimResult = await dkimVerifier.verify(rawEmailContent);
 // DMARC verification
 const dmarcVerifier = new DmarcVerifier();
 const dmarcResult = await dmarcVerifier.verify(fromDomain, spfResult, dkimResult);
 ```
-### SPF Record
+### 🔀 Email Routing
-```
+
-Type: TXT
+Pattern-based routing engine with priority ordering and flexible match criteria:
-Name: @
+
-Value: v=spf1 mx ip4:<your-server-ip> ~all
+```typescript
-TTL: 3600
+import { EmailRouter } from '@push.rocks/smartmta';
 const router = new EmailRouter([
  {
    name: 'admin-mail',
    priority: 100,
    match: {
      recipients: 'admin@example.com',
      authenticated: true,
    },
    action: {
      type: 'deliver',
    },
  },
  {
    name: 'external-forward',
    priority: 50,
    match: {
      recipients: '*@example.com',
      sizeRange: { max: 10 * 1024 * 1024 },  // under 10MB
    },
    action: {
      type: 'forward',
      forward: {
        host: 'backend-mail.internal',
        port: 25,
        preserveHeaders: true,
      },
    },
  },
  {
    name: 'process-with-scanning',
    priority: 10,
    match: {
      recipients: '*@*',
    },
    action: {
      type: 'process',
      process: {
        scan: true,
        dkim: true,
        queue: 'normal',
      },
    },
  },
 ]);
 // Routes are evaluated by priority (highest first)
 const matchedRoute = router.route(email, context);
 ```
-### DKIM Record
+### 🕵️ Content Scanning
-```
+
-Type: TXT
+Built-in content scanner for detecting spam, phishing, malware, and other threats:
-Name: default._domainkey
+
-Value: <dkim-public-key>
+```typescript
-TTL: 3600
+import { ContentScanner } from '@push.rocks/smartmta';
 const scanner = new ContentScanner({
  scanSubject: true,
  scanBody: true,
  scanAttachments: true,
  blockExecutables: true,
  blockMacros: true,
  minThreatScore: 30,
  highThreatScore: 70,
  customRules: [
    {
      pattern: /bitcoin.*wallet/i,
      type: 'scam',
      score: 80,
      description: 'Cryptocurrency scam pattern',
    },
  ],
 });
 const result = await scanner.scan(email);
 // → { isClean: false, threatScore: 85, threatType: 'phishing', scannedElements: [...] }
 ```
-### DMARC Record
+### 🌐 IP Reputation Checking
-```
+
-Type: TXT
+Check sender IP addresses against DNSBL blacklists and classify IP types:
-Name: _dmarc
+
-Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
+```typescript
-TTL: 3600
+import { IPReputationChecker } from '@push.rocks/smartmta';
 const ipChecker = new IPReputationChecker({
  enableDNSBL: true,
  dnsblServers: ['zen.spamhaus.org', 'bl.spamcop.net'],
  cacheTTL: 24 * 60 * 60 * 1000,  // 24 hours
 });
 const reputation = await ipChecker.checkReputation('192.168.1.1');
 // → { score: 85, isSpam: false, isProxy: false, isTor: false, blacklists: [] }
 ```
-Use `mailer dns setup <domain>` to automatically configure these via Cloudflare.
+### ⏱️ Rate Limiting
-## Development
+Hierarchical rate limiting to protect your server and maintain deliverability:
-### Prerequisites
+```typescript
 import { UnifiedRateLimiter } from '@push.rocks/smartmta';
- Deno 1.40+
+const rateLimiter = new UnifiedRateLimiter({
- Node.js 14+ (for npm distribution)
+  global: {
-
+    maxPerMinute: 1000,
-### Build
+    maxPerHour: 10000,
-
+  },
-```bash
+  perDomain: {
-# Compile for all platforms
+    'example.com': {
-deno task compile
+      maxPerMinute: 100,
-
+      maxPerHour: 1000,
-# Run in development mode
+    },
-deno task dev
+  },
-
+  perSender: {
-# Run tests
+    maxPerMinute: 20,
-deno task test
+    maxPerHour: 200,
-
+  },
-# Format code
+});
 deno task fmt
 # Lint code
 deno task lint
 ```
-### Ported Components
+### 📬 Bounce Management
-The mail implementation is ported from [dcrouter](https://code.foss.global/serve.zone/dcrouter) and adapted for Deno:
+Automatic bounce detection, classification, and tracking:
- ✅ Email core (Email, EmailValidator, BounceManager, TemplateManager)
+```typescript
- ✅ SMTP Server (with TLS support)
+import { BounceManager } from '@push.rocks/smartmta';
 - ✅ SMTP Client (with connection pooling)
 - ✅ Email routing and domain management
 - ✅ DKIM signing and verification
 - ✅ SPF and DMARC validation
 - ✅ Delivery queues and rate limiting
-## Roadmap
+const bounceManager = new BounceManager();
-### Phase 1 - Core Functionality (Current)
+// Process an SMTP failure
- [x] Project structure and build system
+const bounce = await bounceManager.processSmtpFailure(
- [x] Port mail implementation from dcrouter
+  'recipient@example.com',
- [x] CLI interface
+  '550 5.1.1 User unknown',
- [x] Configuration management
+  { originalEmailId: 'msg-123' }
- [x] DNS management basics
+);
- [ ] Cloudflare DNS integration
+// → { bounceType: 'invalid_recipient', bounceCategory: 'hard', ... }
 - [ ] HTTP REST API implementation
 - [ ] Systemd service integration
-### Phase 2 - Production Ready
+// Check if an address is known to bounce
- [ ] Comprehensive testing
+const shouldSuppress = bounceManager.shouldSuppressDelivery('recipient@example.com');
- [ ] Documentation
+```
 - [ ] Performance optimization
 - [ ] Security hardening
 - [ ] Monitoring and logging
-### Phase 3 - Advanced Features
+### 📝 Email Templates
 - [ ] Webhook support
 - [ ] Email templates
 - [ ] Analytics and reporting
 - [ ] Multi-tenancy
 - [ ] Load balancing
-## License
+Template engine with variable substitution for transactional and notification emails:
-MIT © Serve Zone
+```typescript
 import { TemplateManager } from '@push.rocks/smartmta';
-## Contributing
+const templates = new TemplateManager({
  from: 'noreply@example.com',
  footerHtml: '<p>© 2026 Example Corp</p>',
 });
-Contributions are welcome! Please see our [contributing guidelines](https://code.foss.global/serve.zone/mailer/contributing).
+// Register a template
 templates.registerTemplate({
  id: 'welcome',
  name: 'Welcome Email',
  description: 'Sent to new users',
  from: 'welcome@example.com',
  subject: 'Welcome, {{name}}!',
  bodyHtml: '<h1>Welcome, {{name}}!</h1><p>Your account is ready.</p>',
  bodyText: 'Welcome, {{name}}! Your account is ready.',
  category: 'transactional',
 });
-## Support
+// Render and send
 const email = templates.renderTemplate('welcome', {
  to: 'newuser@example.com',
  variables: { name: 'Alice' },
 });
 ```
- Documentation: https://code.foss.global/serve.zone/mailer
+### 🌍 DNS Management with Cloudflare
 - Issues: https://code.foss.global/serve.zone/mailer/issues
 - Email: support@serve.zone
-## Acknowledgments
+Automatic DNS record setup for MX, SPF, DKIM, and DMARC via the Cloudflare API:
- Mail implementation ported from [dcrouter](https://code.foss.global/serve.zone/dcrouter)
+```typescript
- Inspired by [Mailgun](https://www.mailgun.com/) API design
+import { DnsManager } from '@push.rocks/smartmta';
- Built with [Deno](https://deno.land/)
+
 const dnsManager = new DnsManager({
  domains: [
    {
      domain: 'example.com',
      dnsMode: 'external-dns',  // managed via Cloudflare API
    },
  ],
 });
 // Auto-configure all required DNS records
 await dnsManager.setupDnsForDomain('example.com', {
  serverIp: '203.0.113.10',
  mxHostname: 'mail.example.com',
 });
 ```
 ## 🦀 Rust Acceleration
 Performance-critical operations are implemented in Rust and communicate with the TypeScript runtime via `@push.rocks/smartrust` (JSON-over-stdin/stdout IPC):
 - **mailer-core**: Email type validation, MIME building, bounce detection
 - **mailer-security**: DKIM signing/verification, SPF checks, DMARC policy, IP reputation/DNSBL
 The Rust workspace is at `rust/` with five crates:
 | Crate | Status | Purpose |
 |---|---|---|
 | `mailer-core` | ✅ Complete | Email types, validation, MIME, bounce detection |
 | `mailer-security` | ✅ Complete | DKIM, SPF, DMARC, IP reputation |
 | `mailer-bin` | ✅ Complete | CLI + smartrust IPC bridge |
 | `mailer-smtp` | 🔜 Phase 2 | SMTP protocol in Rust |
 | `mailer-napi` | 🔜 Phase 2 | Native Node.js addon |
 ## Project Structure
 ```
 smartmta/
 ├── ts/                            # TypeScript source
 │   ├── mail/
 │   │   ├── core/                  # Email, EmailValidator, BounceManager, TemplateManager
 │   │   ├── delivery/              # DeliverySystem, Queue, RateLimiter
 │   │   │   ├── smtpclient/        # SMTP client with connection pooling
 │   │   │   └── smtpserver/        # SMTP server with TLS, auth, pipelining
 │   │   ├── routing/               # UnifiedEmailServer, EmailRouter, DomainRegistry, DnsManager
 │   │   └── security/              # DKIMCreator, DKIMVerifier, SpfVerifier, DmarcVerifier
 │   └── security/                  # ContentScanner, IPReputationChecker, SecurityLogger
 ├── rust/                          # Rust workspace
 │   └── crates/                    # mailer-core, mailer-security, mailer-bin, mailer-smtp, mailer-napi
 ├── test/                          # Comprehensive test suite (RFC compliance, security, performance, edge cases)
 └── dist_ts/                       # Compiled output
 ```
 ## License and Legal Information
 This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 ### Trademarks
 This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
 Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
 ### Company Information
 Task Venture Capital GmbH
 Registered at District Court Bremen HRB 35230 HB, Germany
 For any legal inquiries or further information, please contact us via email at hello@task.vc.
 By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
--- a/rust/crates/mailer-bin/src/main.rs
+++ b/rust/crates/mailer-bin/src/main.rs
@@ -491,6 +491,75 @@ async fn handle_ipc_request(req: &IpcRequest) -> IpcResponse {
            }
        }
        "verifyEmail" => {
            let raw_message = req
                .params
                .get("rawMessage")
                .and_then(|v| v.as_str())
                .unwrap_or("");
            let ip_str = req.params.get("ip").and_then(|v| v.as_str()).unwrap_or("");
            let helo = req
                .params
                .get("heloDomain")
                .and_then(|v| v.as_str())
                .unwrap_or("");
            let hostname = req
                .params
                .get("hostname")
                .and_then(|v| v.as_str())
                .unwrap_or("localhost");
            let mail_from = req
                .params
                .get("mailFrom")
                .and_then(|v| v.as_str())
                .unwrap_or("");
            match ip_str.parse::<IpAddr>() {
                Ok(ip_addr) => {
                    let authenticator = match mailer_security::default_authenticator() {
                        Ok(a) => a,
                        Err(e) => {
                            return IpcResponse {
                                id: req.id.clone(),
                                success: false,
                                result: None,
                                error: Some(format!("Authenticator error: {}", e)),
                            };
                        }
                    };
                    match mailer_security::verify_email_security(
                        raw_message.as_bytes(),
                        ip_addr,
                        helo,
                        hostname,
                        mail_from,
                        &authenticator,
                    )
                    .await
                    {
                        Ok(result) => IpcResponse {
                            id: req.id.clone(),
                            success: true,
                            result: Some(serde_json::to_value(&result).unwrap()),
                            error: None,
                        },
                        Err(e) => IpcResponse {
                            id: req.id.clone(),
                            success: false,
                            result: None,
                            error: Some(e.to_string()),
                        },
                    }
                }
                Err(e) => IpcResponse {
                    id: req.id.clone(),
                    success: false,
                    result: None,
                    error: Some(format!("Invalid IP address: {}", e)),
                },
            }
        }
        "checkSpf" => {
            let ip_str = req.params.get("ip").and_then(|v| v.as_str()).unwrap_or("");
            let helo = req
--- a/rust/crates/mailer-security/src/dkim.rs
+++ b/rust/crates/mailer-security/src/dkim.rs
@@ -1,7 +1,7 @@
 use mail_auth::common::crypto::{RsaKey, Sha256};
 use mail_auth::common::headers::HeaderWriter;
 use mail_auth::dkim::{Canonicalization, DkimSigner};
-use mail_auth::{AuthenticatedMessage, DkimResult, MessageAuthenticator};
+use mail_auth::{AuthenticatedMessage, DkimOutput, DkimResult, MessageAuthenticator};
 use rustls_pki_types::{PrivateKeyDer, PrivatePkcs1KeyDer, pem::PemObject};
 use serde::{Deserialize, Serialize};
@@ -22,33 +22,23 @@ pub struct DkimVerificationResult {
    pub details: Option<String>,
 }
-/// Verify DKIM signatures on a raw email message.
+/// Convert raw `mail-auth` DKIM outputs to our serializable results.
 ///
-/// Uses the `mail-auth` crate which performs full RFC 6376 verification
+/// This is used internally by `verify_dkim` and by the compound `verify_email_security`.
-/// including DNS lookups for the public key.
+pub fn dkim_outputs_to_results(dkim_outputs: &[DkimOutput<'_>]) -> Vec<DkimVerificationResult> {
 pub async fn verify_dkim(
    raw_message: &[u8],
    authenticator: &MessageAuthenticator,
 ) -> Result<Vec<DkimVerificationResult>> {
    let message = AuthenticatedMessage::parse(raw_message)
        .ok_or_else(|| SecurityError::Parse("Failed to parse email for DKIM verification".into()))?;
    let dkim_outputs = authenticator.verify_dkim(&message).await;
    let mut results = Vec::new();
    if dkim_outputs.is_empty() {
-        results.push(DkimVerificationResult {
+        return vec![DkimVerificationResult {
            is_valid: false,
            domain: None,
            selector: None,
            status: "none".to_string(),
            details: Some("No DKIM signatures found".to_string()),
-        });
+        }];
        return Ok(results);
    }
-    for output in &dkim_outputs {
+    dkim_outputs
        .iter()
        .map(|output| {
            let (is_valid, status, details) = match output.result() {
                DkimResult::Pass => (true, "pass", None),
                DkimResult::Neutral(err) => (false, "neutral", Some(err.to_string())),
@@ -63,16 +53,30 @@ pub async fn verify_dkim(
                .map(|sig| (Some(sig.d.clone()), Some(sig.s.clone())))
                .unwrap_or((None, None));
-        results.push(DkimVerificationResult {
+            DkimVerificationResult {
                is_valid,
                domain,
                selector,
                status: status.to_string(),
                details,
        });
            }
        })
        .collect()
 }
-    Ok(results)
+/// Verify DKIM signatures on a raw email message.
 ///
 /// Uses the `mail-auth` crate which performs full RFC 6376 verification
 /// including DNS lookups for the public key.
 pub async fn verify_dkim(
    raw_message: &[u8],
    authenticator: &MessageAuthenticator,
 ) -> Result<Vec<DkimVerificationResult>> {
    let message = AuthenticatedMessage::parse(raw_message)
        .ok_or_else(|| SecurityError::Parse("Failed to parse email for DKIM verification".into()))?;
    let dkim_outputs = authenticator.verify_dkim(&message).await;
    Ok(dkim_outputs_to_results(&dkim_outputs))
 }
 /// Sign a raw email message with DKIM (RSA-SHA256).
--- a/rust/crates/mailer-security/src/lib.rs
+++ b/rust/crates/mailer-security/src/lib.rs
@@ -5,10 +5,12 @@ pub mod dmarc;
 pub mod error;
 pub mod ip_reputation;
 pub mod spf;
 pub mod verify;
 // Re-exports for convenience
-pub use dkim::{dkim_dns_record_value, sign_dkim, verify_dkim, DkimVerificationResult};
+pub use dkim::{dkim_dns_record_value, dkim_outputs_to_results, sign_dkim, verify_dkim, DkimVerificationResult};
 pub use dmarc::{check_dmarc, DmarcPolicy, DmarcResult};
 pub use verify::{verify_email_security, EmailSecurityResult};
 pub use error::{Result, SecurityError};
 pub use ip_reputation::{
    check_dnsbl, check_reputation, risk_level, DnsblResult, IpType, ReputationResult, RiskLevel,
--- a/rust/crates/mailer-security/src/spf.rs
+++ b/rust/crates/mailer-security/src/spf.rs
@@ -23,6 +23,28 @@ impl SpfResult {
    pub fn passed(&self) -> bool {
        self.result == "pass"
    }
    /// Create an `SpfResult` from a raw `mail-auth` `SpfOutput`.
    ///
    /// Used by the compound `verify_email_security` to avoid re-doing the SPF query.
    pub fn from_output(output: &mail_auth::SpfOutput, ip: IpAddr) -> Self {
        let result_str = match output.result() {
            MailAuthSpfResult::Pass => "pass",
            MailAuthSpfResult::Fail => "fail",
            MailAuthSpfResult::SoftFail => "softfail",
            MailAuthSpfResult::Neutral => "neutral",
            MailAuthSpfResult::TempError => "temperror",
            MailAuthSpfResult::PermError => "permerror",
            MailAuthSpfResult::None => "none",
        };
        SpfResult {
            result: result_str.to_string(),
            domain: output.domain().to_string(),
            ip: ip.to_string(),
            explanation: output.explanation().map(|s| s.to_string()),
        }
    }
 }
 /// Check SPF for a given sender IP, HELO domain, and MAIL FROM address.
--- a/rust/crates/mailer-security/src/verify.rs
+++ b/rust/crates/mailer-security/src/verify.rs
@@ -0,0 +1,115 @@
 //! Compound email security verification.
 //!
 //! Runs DKIM, SPF, and DMARC verification in a single call, avoiding multiple
 //! IPC round-trips and handling the internal `mail-auth` types that DMARC needs.
 use mail_auth::spf::verify::SpfParameters;
 use mail_auth::{AuthenticatedMessage, MessageAuthenticator};
 use serde::{Deserialize, Serialize};
 use std::net::IpAddr;
 use crate::dkim::DkimVerificationResult;
 use crate::dmarc::{check_dmarc, DmarcResult};
 use crate::error::{Result, SecurityError};
 use crate::spf::SpfResult;
 /// Combined result of DKIM + SPF + DMARC verification.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct EmailSecurityResult {
    pub dkim: Vec<DkimVerificationResult>,
    pub spf: Option<SpfResult>,
    pub dmarc: Option<DmarcResult>,
 }
 /// Run all email security checks (DKIM, SPF, DMARC) in one call.
 ///
 /// This is the preferred entry point for inbound email verification because:
 /// 1. DMARC requires raw `mail-auth` DKIM/SPF outputs (not our serialized types).
 /// 2. A single call avoids 3 sequential IPC round-trips.
 ///
 /// # Arguments
 /// * `raw_message` - The raw RFC 5322 message bytes
 /// * `ip` - The connecting client's IP address
 /// * `helo_domain` - The domain from the SMTP EHLO/HELO command
 /// * `host_domain` - Your receiving server's hostname
 /// * `mail_from` - The full MAIL FROM address (e.g. "sender@example.com")
 /// * `authenticator` - The `MessageAuthenticator` for DNS lookups
 pub async fn verify_email_security(
    raw_message: &[u8],
    ip: IpAddr,
    helo_domain: &str,
    host_domain: &str,
    mail_from: &str,
    authenticator: &MessageAuthenticator,
 ) -> Result<EmailSecurityResult> {
    // Parse the message once for all checks
    let message = AuthenticatedMessage::parse(raw_message)
        .ok_or_else(|| SecurityError::Parse("Failed to parse email message".into()))?;
    // --- DKIM verification ---
    let dkim_outputs = authenticator.verify_dkim(&message).await;
    let dkim_results = crate::dkim::dkim_outputs_to_results(&dkim_outputs);
    // --- SPF verification ---
    let spf_output = authenticator
        .verify_spf(SpfParameters::verify_mail_from(
            ip,
            helo_domain,
            host_domain,
            mail_from,
        ))
        .await;
    let spf_result = SpfResult::from_output(&spf_output, ip);
    // --- DMARC verification (needs raw dkim_outputs + spf_output) ---
    let mail_from_domain = mail_from
        .rsplit_once('@')
        .map(|(_, d)| d)
        .unwrap_or(helo_domain);
    let dmarc_result = check_dmarc(
        raw_message,
        &dkim_outputs,
        &spf_output,
        mail_from_domain,
        authenticator,
    )
    .await
    .ok(); // DMARC failure is non-fatal; we still return DKIM + SPF results
    Ok(EmailSecurityResult {
        dkim: dkim_results,
        spf: Some(spf_result),
        dmarc: dmarc_result,
    })
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn test_email_security_result_serialization() {
        let result = EmailSecurityResult {
            dkim: vec![DkimVerificationResult {
                is_valid: false,
                domain: None,
                selector: None,
                status: "none".to_string(),
                details: Some("No DKIM signatures".to_string()),
            }],
            spf: Some(SpfResult {
                result: "none".to_string(),
                domain: "example.com".to_string(),
                ip: "1.2.3.4".to_string(),
                explanation: None,
            }),
            dmarc: None,
        };
        let json = serde_json::to_string(&result).unwrap();
        assert!(json.contains("\"dkim\""));
        assert!(json.contains("\"spf\""));
        assert!(json.contains("\"dmarc\":null"));
    }
 }
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -2,7 +2,7 @@
 * autocreated commitinfo by @push.rocks/commitinfo
 */
 export const commitinfo = {
-  name: '@serve.zone/mailer',
+  name: '@push.rocks/smartmta',
-  version: '1.3.1',
+  version: '2.0.0',
-  description: 'Enterprise mail server with SMTP, HTTP API, and DNS management - built for serve.zone infrastructure'
+  description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.'
 }
--- a/ts/mail/routing/classes.unified.email.server.ts
+++ b/ts/mail/routing/classes.unified.email.server.ts
@@ -9,6 +9,7 @@ import {
 } from '../../security/index.js';
 import { DKIMCreator } from '../security/classes.dkimcreator.js';
 import { IPReputationChecker } from '../../security/classes.ipreputationchecker.js';
 import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
 // Deliverability types (IPWarmupManager and SenderReputationMonitor are optional external modules)
 interface IIPWarmupConfig {
  enabled?: boolean;
@@ -192,7 +193,8 @@ export class UnifiedEmailServer extends EventEmitter {
  // Add components needed for sending and securing emails
  public dkimCreator: DKIMCreator;
-  private ipReputationChecker: IPReputationChecker; // TODO: Implement IP reputation checks in processEmailByMode
+  private rustBridge: RustSecurityBridge;
  private ipReputationChecker: IPReputationChecker;
  private bounceManager: BounceManager;
  private ipWarmupManager: IPWarmupManager | null;
  private senderReputationMonitor: SenderReputationMonitor | null;
@@ -217,6 +219,9 @@ export class UnifiedEmailServer extends EventEmitter {
      socketTimeout: options.socketTimeout || 60000 // 1 minute
    };
    // Initialize Rust security bridge (singleton)
    this.rustBridge = RustSecurityBridge.getInstance();
    // Initialize DKIM creator with storage manager
    this.dkimCreator = new DKIMCreator(paths.keysDir, dcRouter.storageManager);
@@ -361,6 +366,14 @@ export class UnifiedEmailServer extends EventEmitter {
      await this.deliverySystem.start();
      logger.log('info', 'Email delivery system started');
      // Start Rust security bridge (non-blocking — server works without it)
      const bridgeOk = await this.rustBridge.start();
      if (bridgeOk) {
        logger.log('info', 'Rust security bridge started — using Rust for DKIM/SPF/DMARC verification');
      } else {
        logger.log('warn', 'Rust security bridge unavailable — falling back to TypeScript security verification');
      }
      // Set up DKIM for all domains
      await this.setupDkimForDomains();
      logger.log('info', 'DKIM configuration completed for all domains');
@@ -417,12 +430,40 @@ export class UnifiedEmailServer extends EventEmitter {
              verifyDmarc: true
            }
          },
-          // These will be implemented in the real integration:
+          // Security verification delegated to the Rust bridge when available
          dkimVerifier: {
-            verify: async () => ({ isValid: true, domain: '' })
+            verify: async (rawMessage: string) => {
              if (this.rustBridge.running) {
                try {
                  const results = await this.rustBridge.verifyDkim(rawMessage);
                  const first = results[0];
                  return { isValid: first?.is_valid ?? false, domain: first?.domain ?? '' };
                } catch (err) {
                  logger.log('warn', `Rust DKIM verification failed, accepting: ${(err as Error).message}`);
                  return { isValid: true, domain: '' };
                }
              }
              return { isValid: true, domain: '' }; // No bridge — accept
            }
          },
          spfVerifier: {
-            verifyAndApply: async () => true
+            verifyAndApply: async (session: any) => {
              if (this.rustBridge.running && session?.remoteAddress && session.remoteAddress !== '127.0.0.1') {
                try {
                  const result = await this.rustBridge.checkSpf({
                    ip: session.remoteAddress,
                    heloDomain: session.clientHostname || '',
                    hostname: this.options.hostname,
                    mailFrom: session.envelope?.mailFrom?.address || session.mailFrom || '',
                  });
                  return result.result === 'pass' || result.result === 'none' || result.result === 'neutral';
                } catch (err) {
                  logger.log('warn', `Rust SPF check failed, accepting: ${(err as Error).message}`);
                  return true;
                }
              }
              return true; // No bridge or localhost — accept
            }
          },
          dmarcVerifier: {
            verify: async () => ({}),
@@ -553,6 +594,9 @@ export class UnifiedEmailServer extends EventEmitter {
      // Clear the servers array - servers will be garbage collected
      this.servers = [];
      // Stop Rust security bridge
      await this.rustBridge.stop();
      // Stop the delivery system
      if (this.deliverySystem) {
        await this.deliverySystem.stop();
@@ -588,6 +632,63 @@ export class UnifiedEmailServer extends EventEmitter {
  /**
   * Verify inbound email security (DKIM/SPF/DMARC) using the Rust bridge.
   * Falls back gracefully if the bridge is not running.
   */
  private async verifyInboundSecurity(email: Email, session: IExtendedSmtpSession): Promise<void> {
    if (!this.rustBridge.running) {
      return; // Bridge not available — skip verification
    }
    try {
      const rawMessage = session.emailData || email.toRFC822String();
      const result = await this.rustBridge.verifyEmail({
        rawMessage,
        ip: session.remoteAddress,
        heloDomain: session.clientHostname || '',
        hostname: this.options.hostname,
        mailFrom: session.envelope?.mailFrom?.address || session.mailFrom || '',
      });
      // Apply DKIM result headers
      if (result.dkim && result.dkim.length > 0) {
        const dkimSummary = result.dkim
          .map(d => `${d.status}${d.domain ? ` (${d.domain})` : ''}`)
          .join(', ');
        email.setHeader('X-DKIM-Result', dkimSummary);
      }
      // Apply SPF result header
      if (result.spf) {
        email.setHeader('Received-SPF', `${result.spf.result} (domain: ${result.spf.domain}, ip: ${result.spf.ip})`);
        // Mark as spam on SPF hard fail
        if (result.spf.result === 'fail') {
          email.mightBeSpam = true;
          logger.log('warn', `SPF fail for ${session.remoteAddress} — marking as potential spam`);
        }
      }
      // Apply DMARC result header and policy
      if (result.dmarc) {
        email.setHeader('X-DMARC-Result', `${result.dmarc.action} (policy=${result.dmarc.policy}, dkim=${result.dmarc.dkim_result}, spf=${result.dmarc.spf_result})`);
        if (result.dmarc.action === 'reject') {
          email.mightBeSpam = true;
          logger.log('warn', `DMARC reject for domain ${result.dmarc.domain} — marking as spam`);
        } else if (result.dmarc.action === 'quarantine') {
          email.mightBeSpam = true;
          logger.log('info', `DMARC quarantine for domain ${result.dmarc.domain} — marking as potential spam`);
        }
      }
      logger.log('info', `Inbound security verified for email from ${session.remoteAddress}: DKIM=${result.dkim?.[0]?.status ?? 'none'}, SPF=${result.spf?.result ?? 'none'}, DMARC=${result.dmarc?.action ?? 'none'}`);
    } catch (err) {
      logger.log('warn', `Inbound security verification failed: ${(err as Error).message} — accepting email`);
    }
  }
  /**
   * Process email based on routing rules
   */
@@ -618,6 +719,11 @@ export class UnifiedEmailServer extends EventEmitter {
      email = emailData;
    }
    // Run inbound security verification (DKIM/SPF/DMARC) via Rust bridge
    if (session.remoteAddress && session.remoteAddress !== '127.0.0.1') {
      await this.verifyInboundSecurity(email, session);
    }
    // First check if this is a bounce notification email
    // Look for common bounce notification subject patterns
    const subject = email.subject || '';
--- a/ts/plugins.ts
+++ b/ts/plugins.ts
@@ -58,12 +58,13 @@ import * as smartproxy from '@push.rocks/smartproxy';
 import * as smartpromise from '@push.rocks/smartpromise';
 import * as smartrequest from '@push.rocks/smartrequest';
 import * as smartrule from '@push.rocks/smartrule';
 import * as smartrust from '@push.rocks/smartrust';
 import * as smartrx from '@push.rocks/smartrx';
 import * as smartunique from '@push.rocks/smartunique';
 export const smartfs = new SmartFs(new SmartFsProviderNode());
-export { projectinfo, qenv, smartacme, smartdata, smartdns, smartfile, SmartFs, smartguard, smartjwt, smartlog, smartmail, smartmetrics, smartnetwork, smartpath, smartproxy, smartpromise, smartrequest, smartrule, smartrx, smartunique };
+export { projectinfo, qenv, smartacme, smartdata, smartdns, smartfile, SmartFs, smartguard, smartjwt, smartlog, smartmail, smartmetrics, smartnetwork, smartpath, smartproxy, smartpromise, smartrequest, smartrule, smartrust, smartrx, smartunique };
 // Define SmartLog types for use in error handling
 export type TLogLevel = 'error' | 'warn' | 'info' | 'success' | 'debug';
--- a/ts/security/classes.ipreputationchecker.ts
+++ b/ts/security/classes.ipreputationchecker.ts
@@ -2,6 +2,7 @@ import * as plugins from '../plugins.js';
 import * as paths from '../paths.js';
 import { logger } from '../logger.js';
 import { SecurityLogger, SecurityLogLevel, SecurityEventType } from './classes.securitylogger.js';
 import { RustSecurityBridge } from './classes.rustsecuritybridge.js';
 import { LRUCache } from 'lru-cache';
 /**
@@ -167,7 +168,36 @@ export class IPReputationChecker {
        return cachedResult;
      }
-      // Initialize empty result
+      // Try Rust bridge first (parallel DNSBL via tokio — faster than Node sequential DNS)
      const bridge = RustSecurityBridge.getInstance();
      if (bridge.running) {
        try {
          const rustResult = await bridge.checkIpReputation(ip);
          const result: IReputationResult = {
            score: rustResult.score,
            isSpam: rustResult.listed_count > 0,
            isProxy: rustResult.ip_type === 'proxy',
            isTor: rustResult.ip_type === 'tor',
            isVPN: rustResult.ip_type === 'vpn',
            blacklists: rustResult.dnsbl_results
              .filter(d => d.listed)
              .map(d => d.server),
            timestamp: Date.now(),
          };
          this.reputationCache.set(ip, result);
          if (this.options.enableLocalCache) {
            this.saveCache().catch(error => {
              logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
            });
          }
          this.logReputationCheck(ip, result);
          return result;
        } catch (err) {
          logger.log('warn', `Rust IP reputation check failed, falling back to TS: ${(err as Error).message}`);
        }
      }
      // Fallback: TypeScript DNSBL implementation
      const result: IReputationResult = {
        score: 100, // Start with perfect score
        isSpam: false,
--- a/ts/security/classes.rustsecuritybridge.ts
+++ b/ts/security/classes.rustsecuritybridge.ts
@@ -0,0 +1,307 @@
 import * as plugins from '../plugins.js';
 import * as paths from '../paths.js';
 import { logger } from '../logger.js';
 // ---------------------------------------------------------------------------
 // IPC command type map — mirrors the methods in mailer-bin's management mode
 // ---------------------------------------------------------------------------
 interface IDkimVerificationResult {
  is_valid: boolean;
  domain: string | null;
  selector: string | null;
  status: string;
  details: string | null;
 }
 interface ISpfResult {
  result: string;
  domain: string;
  ip: string;
  explanation: string | null;
 }
 interface IDmarcResult {
  passed: boolean;
  policy: string;
  domain: string;
  dkim_result: string;
  spf_result: string;
  action: string;
  details: string | null;
 }
 interface IEmailSecurityResult {
  dkim: IDkimVerificationResult[];
  spf: ISpfResult | null;
  dmarc: IDmarcResult | null;
 }
 interface IValidationResult {
  valid: boolean;
  formatValid: boolean;
  score: number;
  error: string | null;
 }
 interface IBounceDetection {
  bounce_type: string;
  severity: string;
  category: string;
  should_retry: boolean;
  recommended_action: string;
  details: string;
 }
 interface IReputationResult {
  ip: string;
  score: number;
  risk_level: string;
  ip_type: string;
  dnsbl_results: Array<{ server: string; listed: boolean; response: string | null }>;
  listed_count: number;
  total_checked: number;
 }
 interface IVersionInfo {
  bin: string;
  core: string;
  security: string;
  smtp: string;
 }
 /**
 * Type-safe command map for the mailer-bin IPC bridge.
 */
 type TMailerCommands = {
  ping: {
    params: Record<string, never>;
    result: { pong: boolean };
  };
  version: {
    params: Record<string, never>;
    result: IVersionInfo;
  };
  validateEmail: {
    params: { email: string };
    result: IValidationResult;
  };
  detectBounce: {
    params: { smtpResponse?: string; diagnosticCode?: string; statusCode?: string };
    result: IBounceDetection;
  };
  checkIpReputation: {
    params: { ip: string };
    result: IReputationResult;
  };
  verifyDkim: {
    params: { rawMessage: string };
    result: IDkimVerificationResult[];
  };
  signDkim: {
    params: { rawMessage: string; domain: string; selector?: string; privateKey: string };
    result: { header: string; signedMessage: string };
  };
  checkSpf: {
    params: { ip: string; heloDomain: string; hostname?: string; mailFrom: string };
    result: ISpfResult;
  };
  verifyEmail: {
    params: {
      rawMessage: string;
      ip: string;
      heloDomain: string;
      hostname?: string;
      mailFrom: string;
    };
    result: IEmailSecurityResult;
  };
 };
 // ---------------------------------------------------------------------------
 // RustSecurityBridge — singleton wrapper around smartrust.RustBridge
 // ---------------------------------------------------------------------------
 /**
 * Bridge between TypeScript and the Rust `mailer-bin` binary.
 *
 * Uses `@push.rocks/smartrust` for JSON-over-stdin/stdout IPC.
 * Singleton — access via `RustSecurityBridge.getInstance()`.
 */
 export class RustSecurityBridge {
  private static instance: RustSecurityBridge | null = null;
  private bridge: InstanceType<typeof plugins.smartrust.RustBridge<TMailerCommands>>;
  private _running = false;
  private constructor() {
    this.bridge = new plugins.smartrust.RustBridge<TMailerCommands>({
      binaryName: 'mailer-bin',
      cliArgs: ['--management'],
      requestTimeoutMs: 30_000,
      readyTimeoutMs: 10_000,
      localPaths: [
        plugins.path.join(paths.packageDir, 'dist_rust', 'mailer-bin'),
        plugins.path.join(paths.packageDir, 'rust', 'target', 'release', 'mailer-bin'),
        plugins.path.join(paths.packageDir, 'rust', 'target', 'debug', 'mailer-bin'),
      ],
      searchSystemPath: false,
    });
    // Forward lifecycle events
    this.bridge.on('ready', () => {
      this._running = true;
      logger.log('info', 'Rust security bridge is ready');
    });
    this.bridge.on('exit', (code: number | null, signal: string | null) => {
      this._running = false;
      logger.log('warn', `Rust security bridge exited (code=${code}, signal=${signal})`);
    });
    this.bridge.on('stderr', (line: string) => {
      logger.log('debug', `[rust-bridge] ${line}`);
    });
  }
  /** Get or create the singleton instance. */
  public static getInstance(): RustSecurityBridge {
    if (!RustSecurityBridge.instance) {
      RustSecurityBridge.instance = new RustSecurityBridge();
    }
    return RustSecurityBridge.instance;
  }
  /** Whether the Rust process is currently running and accepting commands. */
  public get running(): boolean {
    return this._running;
  }
  // -----------------------------------------------------------------------
  // Lifecycle
  // -----------------------------------------------------------------------
  /**
   * Spawn the Rust binary and wait for the ready signal.
   * @returns `true` if the binary started successfully, `false` otherwise.
   */
  public async start(): Promise<boolean> {
    if (this._running) {
      return true;
    }
    try {
      const ok = await this.bridge.spawn();
      this._running = ok;
      if (ok) {
        logger.log('info', 'Rust security bridge started');
      } else {
        logger.log('warn', 'Rust security bridge failed to start (binary not found or timeout)');
      }
      return ok;
    } catch (err) {
      logger.log('error', `Failed to start Rust security bridge: ${(err as Error).message}`);
      return false;
    }
  }
  /** Kill the Rust process. */
  public async stop(): Promise<void> {
    if (!this._running) {
      return;
    }
    try {
      this.bridge.kill();
      this._running = false;
      logger.log('info', 'Rust security bridge stopped');
    } catch (err) {
      logger.log('error', `Error stopping Rust security bridge: ${(err as Error).message}`);
    }
  }
  // -----------------------------------------------------------------------
  // Commands — thin typed wrappers over sendCommand
  // -----------------------------------------------------------------------
  /** Ping the Rust process. */
  public async ping(): Promise<boolean> {
    const res = await this.bridge.sendCommand('ping', {} as any);
    return res?.pong === true;
  }
  /** Get version information for all Rust crates. */
  public async getVersion(): Promise<IVersionInfo> {
    return this.bridge.sendCommand('version', {} as any);
  }
  /** Validate an email address. */
  public async validateEmail(email: string): Promise<IValidationResult> {
    return this.bridge.sendCommand('validateEmail', { email });
  }
  /** Detect bounce type from SMTP response / diagnostic code. */
  public async detectBounce(opts: {
    smtpResponse?: string;
    diagnosticCode?: string;
    statusCode?: string;
  }): Promise<IBounceDetection> {
    return this.bridge.sendCommand('detectBounce', opts);
  }
  /** Check IP reputation via DNSBL. */
  public async checkIpReputation(ip: string): Promise<IReputationResult> {
    return this.bridge.sendCommand('checkIpReputation', { ip });
  }
  /** Verify DKIM signatures on a raw email message. */
  public async verifyDkim(rawMessage: string): Promise<IDkimVerificationResult[]> {
    return this.bridge.sendCommand('verifyDkim', { rawMessage });
  }
  /** Sign an email with DKIM. */
  public async signDkim(opts: {
    rawMessage: string;
    domain: string;
    selector?: string;
    privateKey: string;
  }): Promise<{ header: string; signedMessage: string }> {
    return this.bridge.sendCommand('signDkim', opts);
  }
  /** Check SPF for a sender. */
  public async checkSpf(opts: {
    ip: string;
    heloDomain: string;
    hostname?: string;
    mailFrom: string;
  }): Promise<ISpfResult> {
    return this.bridge.sendCommand('checkSpf', opts);
  }
  /**
   * Compound email security verification: DKIM + SPF + DMARC in one IPC call.
   *
   * This is the preferred method for inbound email verification — it avoids
   * 3 sequential round-trips and correctly passes raw mail-auth types internally.
   */
  public async verifyEmail(opts: {
    rawMessage: string;
    ip: string;
    heloDomain: string;
    hostname?: string;
    mailFrom: string;
  }): Promise<IEmailSecurityResult> {
    return this.bridge.sendCommand('verifyEmail', opts);
  }
 }
 // Re-export interfaces for consumers
 export type {
  IDkimVerificationResult,
  ISpfResult,
  IDmarcResult,
  IEmailSecurityResult,
  IValidationResult,
  IBounceDetection,
  IReputationResult as IRustReputationResult,
  IVersionInfo,
 };
--- a/ts/security/index.ts
+++ b/ts/security/index.ts
@@ -19,3 +19,15 @@ export {
  type IScanResult,
  type IContentScannerOptions
 } from './classes.contentscanner.js';
 export {
  RustSecurityBridge,
  type IDkimVerificationResult,
  type ISpfResult,
  type IDmarcResult,
  type IEmailSecurityResult,
  type IValidationResult,
  type IBounceDetection,
  type IRustReputationResult,
  type IVersionInfo,
 } from './classes.rustsecuritybridge.js';