@emailcheck/email-validator-js 3.4.4 → 4.0.0-beta.2

package/dist/cli/index.js

@@ -7,6 +7,7 @@ var tinyLru = require('tiny-lru');
 var psl = require('psl');
 var stringSimilarityJs = require('string-similarity-js');
 var node_dns = require('node:dns');
+var node_crypto = require('node:crypto');
 var net$1 = require('node:net');
 var tls = require('node:tls');
 
@@ -313,20 +314,11 @@ var VerificationErrorCode = /* @__PURE__ */ ((VerificationErrorCode2) => {
   VerificationErrorCode2["freeEmailProvider"] = "FREE_EMAIL_PROVIDER";
   return VerificationErrorCode2;
 })(VerificationErrorCode || {});
-var EmailProvider = /* @__PURE__ */ ((EmailProvider2) => {
-  EmailProvider2["gmail"] = "gmail";
-  EmailProvider2["hotmailB2b"] = "hotmail_b2b";
-  EmailProvider2["hotmailB2c"] = "hotmail_b2c";
-  EmailProvider2["proofpoint"] = "proofpoint";
-  EmailProvider2["mimecast"] = "mimecast";
-  EmailProvider2["yahoo"] = "yahoo";
-  EmailProvider2["everythingElse"] = "everything_else";
-  return EmailProvider2;
-})(EmailProvider || {});
 var SMTPStep = /* @__PURE__ */ ((SMTPStep2) => {
   SMTPStep2["greeting"] = "GREETING";
   SMTPStep2["ehlo"] = "EHLO";
   SMTPStep2["helo"] = "HELO";
+  SMTPStep2["startTls"] = "STARTTLS";
   SMTPStep2["mailFrom"] = "MAIL_FROM";
   SMTPStep2["rcptTo"] = "RCPT_TO";
   return SMTPStep2;
@@ -765,9 +757,9 @@ function parseCompositeNamePart(part) {
         cleaned = pureAlpha;
         confidence = 0.6;
       } else {
-        const baseMatch2 = part.match(/^([a-zA-Z]+)\d*$/);
-        if (baseMatch2) {
-          cleaned = baseMatch2[1];
+        const baseMatch = part.match(/^([a-zA-Z]+)\d*$/);
+        if (baseMatch) {
+          cleaned = baseMatch[1];
           confidence = 0.75;
         } else {
           cleaned = part;
@@ -781,9 +773,7 @@ function parseCompositeNamePart(part) {
       confidence = Math.min(1, confidence + 0.2);
     }
   }
-  const baseMatch = part.match(/^([a-zA-Z]+[a-zA-Z0-9]*?)\d*$/);
-  const base = baseMatch ? baseMatch[1] : part;
-  return { base, hasNumbers, cleaned, confidence };
+  return { hasNumbers, cleaned, confidence };
 }
 function isLikelyName(str, allowNumbers = false, allowSingleLetter = false) {
   if (!str) return false;
@@ -1037,6 +1027,9 @@ function parseDsn(reply) {
   if (!match) return null;
   return { class: Number(match[1]), subject: Number(match[2]), detail: Number(match[3]) };
 }
+function dsnToString(dsn) {
+  return `${dsn.class}.${dsn.subject}.${dsn.detail}`;
+}
 function isPolicyBlock(reply) {
   const dsn = parseDsn(reply);
   return dsn?.class === 5 && dsn?.subject === 7;
@@ -1054,6 +1047,9 @@ function isInvalidMailboxError(reply) {
   if (isPolicyBlock(reply)) return false;
   return true;
 }
+function defaultProbeLocal() {
+  return `${node_crypto.randomBytes(8).toString("hex")}-noexist`;
+}
 async function verifyMailboxSMTP(params) {
   const { local, domain, options = {} } = params;
   const mxRecords = params.mxRecords ?? [];
@@ -1067,16 +1063,30 @@ async function verifyMailboxSMTP(params) {
   const cache = options.cache;
   const log = debug ? (...args) => console.log("[SMTP]", ...args) : () => {
   };
-  const mxHost = mxRecords[0];
-  if (!mxHost) {
+  const startedAtMs = Date.now();
+  const primaryMx = mxRecords[0];
+  if (!primaryMx) {
     log("No MX records found");
-    return { smtpResult: failureResult("No MX records found"), cached: false, port: 0, portCached: false };
+    const metrics2 = makeMetrics([], 0, 0, void 0, startedAtMs);
+    return { smtpResult: failureResult("no_mx_records", metrics2), cached: false, port: 0, portCached: false };
   }
-  log(`Verifying ${local}@${domain} via ${mxHost}`);
+  log(`Verifying ${local}@${domain} via ${primaryMx} (mx count=${mxRecords.length})`);
   const transcript = [];
   const commands = [];
+  const probeOptions = {
+    local,
+    domain,
+    timeout,
+    tlsConfig,
+    hostname,
+    sequence,
+    log,
+    catchAllProbeLocal: options.catchAllProbeLocal,
+    pipelining: options.pipelining ?? "auto",
+    startTls: options.startTls ?? "auto"
+  };
   const verdictCache = cache ? getCacheStore(cache, "smtp") : null;
-  const verdictKey = `${mxHost}:${local}@${domain}`;
+  const verdictKey = `${primaryMx}:${local}@${domain}`;
   if (verdictCache) {
     const cachedResult = await safeCacheGet(verdictCache, verdictKey);
     if (cachedResult) {
@@ -1085,81 +1095,91 @@ async function verifyMailboxSMTP(params) {
     }
   }
   const portCache = cache ? getCacheStore(cache, "smtpPort") : null;
-  if (portCache) {
-    const cachedPort = await safeCacheGet(portCache, mxHost);
-    if (cachedPort) {
-      log(`Using cached port: ${cachedPort}`);
-      const probe = await runProbe({
-        mxHost,
-        port: cachedPort,
-        local,
-        domain,
-        timeout,
-        tlsConfig,
-        hostname,
-        sequence,
-        log
-      });
-      collectTranscript(transcript, commands, probe, cachedPort);
-      const smtpResult = toSmtpVerificationResult(
-        probe.result,
-        captureTranscript ? { transcript, commands } : void 0
-      );
-      await safeCacheSet(verdictCache, verdictKey, smtpResult);
-      return { smtpResult, cached: false, port: cachedPort, portCached: true };
-    }
-  }
-  for (const port of ports) {
-    log(`Testing port ${port}`);
-    const probe = await runProbe({ mxHost, port, local, domain, timeout, tlsConfig, hostname, sequence, log });
-    collectTranscript(transcript, commands, probe, port);
-    const smtpResult = toSmtpVerificationResult(probe.result, captureTranscript ? { transcript, commands } : void 0);
-    await safeCacheSet(verdictCache, verdictKey, smtpResult);
-    if (probe.result !== null) {
-      await safeCacheSet(portCache, mxHost, port);
-      return { smtpResult, cached: false, port, portCached: false };
+  const cachedPort = portCache ? await safeCacheGet(portCache, primaryMx) : null;
+  const mxHostsTried = [];
+  let mxAttempts = 0;
+  let portAttempts = 0;
+  let lastReason = "all_attempts_failed";
+  let lastEnhancedStatus;
+  let lastResponseCode;
+  for (const mxHost of mxRecords) {
+    mxHostsTried.push(mxHost);
+    mxAttempts++;
+    const portsForThisMx = mxHost === primaryMx && cachedPort ? [cachedPort, ...ports.filter((p) => p !== cachedPort)] : ports;
+    for (const port of portsForThisMx) {
+      portAttempts++;
+      log(`Testing ${mxHost}:${port}`);
+      const probe = await runProbe({ ...probeOptions, mxHost, port });
+      collectTranscript(transcript, commands, probe, mxHost, port);
+      lastReason = probe.reason;
+      if (probe.enhancedStatus !== void 0) lastEnhancedStatus = probe.enhancedStatus;
+      if (probe.responseCode !== void 0) lastResponseCode = probe.responseCode;
+      if (probe.result !== null) {
+        const metrics2 = makeMetrics(mxHostsTried, mxAttempts, portAttempts, mxHost, startedAtMs);
+        const smtpResult2 = toSmtpVerificationResult(probe, {
+          transcript: captureTranscript ? transcript : void 0,
+          commands: captureTranscript ? commands : void 0,
+          metrics: metrics2
+        });
+        await safeCacheSet(verdictCache, verdictKey, smtpResult2);
+        if (mxHost === primaryMx) await safeCacheSet(portCache, primaryMx, port);
+        return { smtpResult: smtpResult2, cached: false, port, portCached: cachedPort === port };
+      }
     }
   }
-  log("All ports failed");
+  log(`All MX\xD7port attempts failed (mx=${mxAttempts}, port=${portAttempts})`);
+  const metrics = makeMetrics(mxHostsTried, mxAttempts, portAttempts, void 0, startedAtMs);
+  const smtpResult = {
+    ...failureResult(lastReason, metrics),
+    ...lastEnhancedStatus !== void 0 ? { enhancedStatus: lastEnhancedStatus } : {},
+    ...lastResponseCode !== void 0 ? { responseCode: lastResponseCode } : {},
+    ...captureTranscript ? { transcript: [...transcript], commands: [...commands] } : {}
+  };
+  return { smtpResult, cached: false, port: 0, portCached: false };
+}
+function makeMetrics(mxHostsTried, mxAttempts, portAttempts, mxHostUsed, startedAtMs) {
   return {
-    smtpResult: {
-      ...failureResult("All SMTP connection attempts failed"),
-      ...captureTranscript ? { transcript: [...transcript], commands: [...commands] } : {}
-    },
-    cached: false,
-    port: 0,
-    portCached: false
+    mxAttempts,
+    portAttempts,
+    mxHostsTried: [...mxHostsTried],
+    ...mxHostUsed !== void 0 ? { mxHostUsed } : {},
+    totalDurationMs: Date.now() - startedAtMs
   };
 }
-function collectTranscript(transcript, commands, probe, port) {
-  for (const line of probe.transcript) transcript.push(`${port}|s| ${line}`);
-  for (const cmd of probe.commands) commands.push(`${port}|c| ${cmd}`);
+function collectTranscript(transcript, commands, probe, mxHost, port) {
+  const prefix = `${mxHost}:${port}`;
+  for (const line of probe.transcript) transcript.push(`${prefix}|s| ${line}`);
+  for (const cmd of probe.commands) commands.push(`${prefix}|c| ${cmd}`);
 }
-function failureResult(error) {
+function failureResult(reason, metrics) {
   return {
     canConnectSmtp: false,
     hasFullInbox: false,
     isCatchAll: false,
     isDeliverable: false,
     isDisabled: false,
-    error,
-    providerUsed: EmailProvider.everythingElse,
-    checkedAt: Date.now()
+    error: reason,
+    checkedAt: Date.now(),
+    metrics
   };
 }
-function toSmtpVerificationResult(result, capture) {
-  const base = {
+function toSmtpVerificationResult(probe, extras) {
+  const result = probe.result;
+  const out = {
     canConnectSmtp: result !== null,
-    hasFullInbox: false,
-    isCatchAll: false,
+    hasFullInbox: probe.reason === "over_quota",
+    isCatchAll: probe.isCatchAll ?? false,
     isDeliverable: result === true,
     isDisabled: result === false,
-    error: result === true ? void 0 : result === null ? "ambiguous" : "not_found",
-    providerUsed: EmailProvider.everythingElse,
-    checkedAt: Date.now()
+    error: result === true ? void 0 : probe.reason,
+    checkedAt: Date.now(),
+    metrics: extras.metrics,
+    ...probe.enhancedStatus !== void 0 ? { enhancedStatus: probe.enhancedStatus } : {},
+    ...probe.responseCode !== void 0 ? { responseCode: probe.responseCode } : {}
   };
-  if (!capture) return base;
-  return { ...base, transcript: [...capture.transcript], commands: [...capture.commands] };
+  if (extras.transcript) out.transcript = [...extras.transcript];
+  if (extras.commands) out.commands = [...extras.commands];
+  return out;
 }
 async function safeCacheGet(store, key) {
   if (!store) return null;
@@ -1186,9 +1206,31 @@ class SMTPProbeConnection {
     this.buffer = "";
     this.resolved = false;
     this.currentStepIndex = 0;
-    /** Server lines + client commands captured unconditionally (cost is trivial). */
+    /** True between sending STARTTLS and the TLS handshake completing. */
+    this.tlsUpgrading = false;
+    /**
+     * True when we sent the second EHLO after a successful STARTTLS upgrade.
+     * The EHLO response arrives while `currentStepIndex` is still on `startTls`
+     * — this flag tells the dispatcher to advance past startTls when the
+     * post-upgrade EHLO returns 250, instead of treating it as a STARTTLS
+     * acknowledgement.
+     */
+    this.postUpgradeReEhlo = false;
     this.transcript = [];
     this.commands = [];
+    // ── EHLO capability advertisement ────────────────────────────────────────
+    this.supportsPipelining = false;
+    this.supportsStartTls = false;
+    this.dualPhase = "idle";
+    this.realOutcome = "pending";
+    this.probeOutcome = "pending";
+    this.dualPipelined = false;
+    /**
+     * Pipelined-only escape hatch. When the real RCPT is rejected mid-batched-
+     * envelope, the probe + RSET are already on the wire; we stash the verdict
+     * and commit it after the response loop drains.
+     */
+    this.pendingDecision = null;
     this.onData = (data) => {
       if (this.resolved) return;
       this.resetStepTimer();
@@ -1200,7 +1242,7 @@ class SMTPProbeConnection {
         this.processLine(line);
       }
     };
-    const defaultSteps = [SMTPStep.greeting, SMTPStep.ehlo, SMTPStep.mailFrom, SMTPStep.rcptTo];
+    const defaultSteps = [SMTPStep.greeting, SMTPStep.ehlo, SMTPStep.startTls, SMTPStep.mailFrom, SMTPStep.rcptTo];
     this.steps = [...p.sequence?.steps ?? defaultSteps];
     this.isTLS = PORT_TLS[p.port] === true;
     const servername = isIPAddress(p.mxHost) ? void 0 : p.mxHost;
@@ -1211,6 +1253,7 @@ class SMTPProbeConnection {
       minVersion: "TLSv1.2",
       ...typeof p.tlsConfig === "object" ? p.tlsConfig : {}
     };
+    this.probeLocal = p.catchAllProbeLocal ? p.catchAllProbeLocal(p.local, p.domain) : defaultProbeLocal();
   }
   run() {
     return new Promise((resolve) => {
@@ -1219,7 +1262,8 @@ class SMTPProbeConnection {
         this.connect();
         this.armConnectionTimer();
       } catch (error) {
-        this.finish(null, `connect_throw:${error instanceof Error ? error.message : "unknown"}`);
+        this.p.log(`connect threw: ${error instanceof Error ? error.message : "unknown"}`);
+        this.finish(null, "connection_error");
       }
     });
   }
@@ -1265,49 +1309,167 @@ class SMTPProbeConnection {
     switch (step) {
       case SMTPStep.greeting:
         return;
+      // server-driven; nothing to send
       case SMTPStep.ehlo:
         this.send(`EHLO ${this.p.hostname}`);
         return;
       case SMTPStep.helo:
         this.send(`HELO ${this.p.hostname}`);
         return;
+      case SMTPStep.startTls:
+        this.executeStartTls();
+        return;
       case SMTPStep.mailFrom: {
         const from = this.p.sequence?.from ?? `<${this.p.local}@${this.p.domain}>`;
         this.send(`MAIL FROM:${from}`);
         return;
       }
       case SMTPStep.rcptTo:
-        this.send(`RCPT TO:<${this.p.local}@${this.p.domain}>`);
+        this.executeEnvelope();
         return;
     }
   }
+  /**
+   * Conditional STARTTLS upgrade. Skipped (advances to next step) when:
+   *   - already TLS (implicit-TLS port like 465 or already-upgraded)
+   *   - `startTls === 'never'`
+   *   - `startTls === 'auto'` AND the MX didn't advertise STARTTLS in EHLO
+   *
+   * Sends `STARTTLS` and waits for 220 when:
+   *   - `startTls === 'force'` (regardless of advertisement)
+   *   - `startTls === 'auto'` AND the MX advertised it
+   *
+   * On 220, `tls.connect()` wraps the existing socket. After the handshake
+   * we re-EHLO (mandatory per RFC 3207 §4.2 — pre-TLS state must be
+   * discarded) before continuing to MAIL FROM.
+   */
+  executeStartTls() {
+    const mode = this.p.startTls;
+    const wantsUpgrade = !this.isTLS && mode !== "never" && (mode === "force" || mode === "auto" && this.supportsStartTls);
+    if (!wantsUpgrade) {
+      this.nextStep();
+      return;
+    }
+    this.send("STARTTLS");
+  }
+  /**
+   * Wrap the plaintext socket with TLS in place. Called after the server
+   * answers our STARTTLS with 220. Detaches the plaintext-socket listeners
+   * (TLS owns the underlying transport now), re-installs them on the wrapped
+   * socket, resets EHLO-derived capabilities, and re-issues EHLO once the
+   * handshake completes (RFC 3207 §4.2 mandates re-EHLO after upgrade —
+   * pre-TLS state must be discarded).
+   */
+  upgradeToTls() {
+    const plainSocket = this.socket;
+    if (!plainSocket) {
+      this.finish(null, "tls_upgrade_failed");
+      return;
+    }
+    const detach = plainSocket.removeAllListeners;
+    if (typeof detach === "function") {
+      detach.call(plainSocket, "data");
+      detach.call(plainSocket, "error");
+      detach.call(plainSocket, "close");
+      detach.call(plainSocket, "timeout");
+    }
+    try {
+      plainSocket.setTimeout(0);
+    } catch {
+    }
+    this.tlsUpgrading = true;
+    const servername = isIPAddress(this.p.mxHost) ? void 0 : this.p.mxHost;
+    const tlsSocket = tls__namespace.connect({ ...this.tlsOptions, socket: plainSocket, servername }, () => {
+      this.tlsUpgrading = false;
+      this.isTLS = true;
+      this.buffer = "";
+      this.supportsStartTls = false;
+      this.supportsPipelining = false;
+      this.postUpgradeReEhlo = true;
+      this.send(`EHLO ${this.p.hostname}`);
+    });
+    this.socket = tlsSocket;
+    this.socket.on("data", this.onData);
+    this.socket.on("error", () => {
+      this.finish(null, this.tlsUpgrading ? "tls_handshake_failed" : "connection_error");
+    });
+    this.socket.on("close", () => this.finish(null, "connection_closed"));
+    this.socket.setTimeout(this.p.timeout, () => this.finish(null, "socket_timeout"));
+  }
+  /**
+   * Send the dual-probe envelope (real RCPT + probe RCPT + RSET). Pipelined
+   * when the MX advertised PIPELINING (or `pipelining: 'force'`); sequential
+   * otherwise.
+   */
+  executeEnvelope() {
+    const wantsPipelining = this.p.pipelining === "force" || this.p.pipelining === "auto" && this.supportsPipelining;
+    const realCmd = `RCPT TO:<${this.p.local}@${this.p.domain}>`;
+    if (wantsPipelining) {
+      this.dualPipelined = true;
+      const probeCmd = `RCPT TO:<${this.probeLocal}@${this.p.domain}>`;
+      const rsetCmd = "RSET";
+      this.commands.push(realCmd, probeCmd, rsetCmd);
+      this.p.log(`\u2192 ${realCmd}`);
+      this.p.log(`\u2192 ${probeCmd}`);
+      this.p.log(`\u2192 ${rsetCmd}`);
+      this.socket?.write(`${realCmd}\r
+${probeCmd}\r
+${rsetCmd}\r
+`);
+      this.dualPhase = "rcpt_real";
+      return;
+    }
+    this.dualPipelined = false;
+    this.send(realCmd);
+    this.dualPhase = "rcpt_real";
+  }
   processLine(line) {
     if (this.resolved) return;
     this.transcript.push(line);
     this.p.log(`\u2190 ${line}`);
-    if (isHighVolume(line)) {
-      this.finish(true, "high_volume");
-      return;
-    }
-    if (isOverQuota(line)) {
-      this.finish(false, "over_quota");
-      return;
+    const codeStr = line.slice(0, 3);
+    const numericCode = /^\d{3}$/.test(codeStr) ? parseInt(codeStr, 10) : null;
+    if (numericCode !== null) this.lastResponseCode = numericCode;
+    const dsn = parseDsn(line);
+    if (dsn) this.lastEnhancedStatus = dsnToString(dsn);
+    if (this.dualPhase === "idle" || this.dualPhase === "rcpt_real") {
+      if (isHighVolume(line)) {
+        this.finish(true, "high_volume");
+        return;
+      }
+      if (isOverQuota(line)) {
+        this.isCatchAllFlag = false;
+        this.finish(false, "over_quota");
+        return;
+      }
+      if (isInvalidMailboxError(line)) {
+        this.isCatchAllFlag = false;
+        this.finish(false, "not_found");
+        return;
+      }
     }
-    if (isInvalidMailboxError(line)) {
-      this.finish(false, "not_found");
+    if (MULTILINE_RE.test(line)) {
+      const step = this.steps[this.currentStepIndex];
+      const isEhloLike = step === SMTPStep.ehlo || step === SMTPStep.helo || step === SMTPStep.startTls && this.postUpgradeReEhlo;
+      if (isEhloLike && line.startsWith("250-")) {
+        const upper = line.toUpperCase();
+        if (upper.includes("PIPELINING")) this.supportsPipelining = true;
+        if (upper.includes("STARTTLS")) this.supportsStartTls = true;
+      }
       return;
     }
-    if (MULTILINE_RE.test(line)) return;
-    const code = line.slice(0, 3);
-    const numericCode = /^\d{3}$/.test(code) ? parseInt(code, 10) : null;
     if (numericCode === null) {
       this.finish(null, "unrecognized_response");
       return;
     }
-    this.dispatch(numericCode);
+    this.dispatch(numericCode, line);
   }
-  dispatch(code) {
+  dispatch(code, line) {
     const step = this.steps[this.currentStepIndex];
+    if (this.dualPhase !== "idle" && step === SMTPStep.rcptTo) {
+      this.handleEnvelopeReply(code, line);
+      return;
+    }
     switch (step) {
       case SMTPStep.greeting:
         if (code === 220) this.nextStep();
@@ -1321,16 +1483,109 @@ class SMTPProbeConnection {
         if (code === 250) this.nextStep();
         else this.finish(null, "helo_failed");
         return;
+      case SMTPStep.startTls:
+        if (this.postUpgradeReEhlo) {
+          this.postUpgradeReEhlo = false;
+          if (code === 250) this.nextStep();
+          else this.finish(null, "ehlo_failed");
+          return;
+        }
+        if (code === 220) {
+          this.upgradeToTls();
+        } else {
+          this.finish(null, "tls_upgrade_failed");
+        }
+        return;
       case SMTPStep.mailFrom:
         if (code === 250) this.nextStep();
         else this.finish(null, "mail_from_rejected");
         return;
       case SMTPStep.rcptTo:
-        if (code === 250 || code === 251) this.finish(true, "valid");
-        else if (code === 552 || code === 452) this.finish(false, "over_quota");
-        else if (code >= 400 && code < 500) this.finish(null, "temporary_failure");
-        else this.finish(null, "ambiguous");
+        this.handleEnvelopeReply(code, line);
+        return;
+    }
+  }
+  /**
+   * Dual-probe / pipelined-envelope reply router. Demuxes server replies for
+   * the three queued commands (real RCPT, probe RCPT, RSET) and resolves
+   * with the catch-all-aware verdict.
+   */
+  handleEnvelopeReply(code, line) {
+    if (this.dualPhase === "rcpt_real") {
+      this.realOutcome = classifyRcpt(code);
+      if (code === 552 || code === 452 || isOverQuota(line)) {
+        this.isCatchAllFlag = false;
+        if (this.dualPipelined) {
+          this.pendingDecision = { result: false, reason: "over_quota" };
+          this.dualPhase = "rcpt_probe";
+          return;
+        }
+        this.finish(false, "over_quota");
+        return;
+      }
+      if (this.realOutcome === "soft_reject") {
+        if (this.dualPipelined) {
+          this.pendingDecision = { result: null, reason: "temporary_failure" };
+          this.dualPhase = "rcpt_probe";
+          return;
+        }
+        this.finish(null, "temporary_failure");
         return;
+      }
+      if (this.realOutcome === "hard_reject") {
+        const reason = isInvalidMailboxError(line) ? "not_found" : "ambiguous";
+        const result = reason === "not_found" ? false : null;
+        this.isCatchAllFlag = false;
+        if (this.dualPipelined) {
+          this.pendingDecision = { result, reason };
+          this.dualPhase = "rcpt_probe";
+          return;
+        }
+        this.finish(result, reason);
+        return;
+      }
+      if (this.dualPipelined) {
+        this.dualPhase = "rcpt_probe";
+      } else {
+        this.send(`RCPT TO:<${this.probeLocal}@${this.p.domain}>`);
+        this.dualPhase = "rcpt_probe";
+      }
+      return;
+    }
+    if (this.dualPhase === "rcpt_probe") {
+      this.probeOutcome = classifyRcpt(code);
+      if (this.dualPipelined) {
+        this.dualPhase = "rset";
+      } else {
+        this.send("RSET");
+        this.dualPhase = "rset";
+      }
+      return;
+    }
+    if (this.dualPhase === "rset") {
+      if (this.pendingDecision) {
+        this.finish(this.pendingDecision.result, this.pendingDecision.reason);
+        return;
+      }
+      this.decideDualProbe();
+      return;
+    }
+  }
+  /** Final decision after both RCPT outcomes are known. Catch-all only when both 250. */
+  decideDualProbe() {
+    if (this.realOutcome === "accept" && this.probeOutcome === "accept") {
+      this.isCatchAllFlag = true;
+      this.finish(true, "valid");
+    } else if (this.realOutcome === "accept") {
+      this.isCatchAllFlag = false;
+      this.finish(true, "valid");
+    } else if (this.realOutcome === "hard_reject") {
+      this.isCatchAllFlag = false;
+      this.finish(false, "not_found");
+    } else if (this.realOutcome === "soft_reject") {
+      this.finish(null, "temporary_failure");
+    } else {
+      this.finish(null, "ambiguous");
     }
   }
   finish(result, reason) {
@@ -1349,9 +1604,22 @@ class SMTPProbeConnection {
     }
     const drain = setTimeout(() => this.socket?.destroy(), QUIT_DRAIN_MS);
     drain.unref?.();
-    this.resolveFn({ result, transcript: this.transcript, commands: this.commands });
+    this.resolveFn({
+      result,
+      reason,
+      ...this.lastEnhancedStatus !== void 0 ? { enhancedStatus: this.lastEnhancedStatus } : {},
+      ...this.lastResponseCode !== void 0 ? { responseCode: this.lastResponseCode } : {},
+      ...this.isCatchAllFlag !== void 0 ? { isCatchAll: this.isCatchAllFlag } : {},
+      transcript: this.transcript,
+      commands: this.commands
+    });
   }
 }
+function classifyRcpt(code) {
+  if (code === 250 || code === 251) return "accept";
+  if (code >= 400 && code < 500) return "soft_reject";
+  return "hard_reject";
+}
 
 class ArrayTranscriptCollector {
   constructor() {
@@ -2021,12 +2289,11 @@ async function verifyEmail(params) {
   const skipMx = (params.skipMxForDisposable ?? false) && result.isDisposable;
   const skipWhois = (params.skipDomainWhoisForDisposable ?? false) && result.isDisposable;
   await runWhoisChecks(domain, params, result, skipWhois, log, collector);
-  if ((params.verifyMx ?? true) || (params.verifySmtp ?? false)) {
-    if (skipMx) {
-      log(`[verifyEmail] skipping MX/SMTP for disposable: ${params.emailAddress}`);
-    } else {
-      await runMxAndSmtp(local, domain, params, result, log, collector);
-    }
+  const wantsMxOrSmtp = (params.verifyMx ?? true) || (params.verifySmtp ?? false);
+  if (wantsMxOrSmtp && skipMx) {
+    log(`[verifyEmail] skipping MX/SMTP for disposable: ${params.emailAddress}`);
+  } else if (wantsMxOrSmtp) {
+    await runMxAndSmtp(local, domain, params, result, log, collector);
   }
   result.metadata.verificationTime = Date.now() - startTime;
   if (captureTranscript) result.transcript = collector.steps;