@wraps.dev/cli 1.6.1 → 1.6.3

package/dist/cli.js

@@ -147,7 +147,7 @@ var require_package = __commonJS({
   "package.json"(exports, module) {
     module.exports = {
       name: "@wraps.dev/cli",
-      version: "1.6.1",
+      version: "1.6.3",
       description: "CLI for deploying Wraps email infrastructure to your AWS account",
       type: "module",
       main: "./dist/cli.js",
@@ -194,7 +194,6 @@ var require_package = __commonJS({
       author: "Wraps",
       license: "MIT",
       dependencies: {
-        "@wraps/email-check": "workspace:*",
         "@aws-sdk/client-acm": "3.933.0",
         "@aws-sdk/client-cloudformation": "^3.490.0",
         "@aws-sdk/client-cloudfront": "3.933.0",
@@ -229,6 +228,7 @@ var require_package = __commonJS({
         uuid: "^11.0.3"
       },
       devDependencies: {
+        "@wraps/email-check": "workspace:*",
         "@types/args": "5.0.4",
         "@types/express": "^5.0.0",
         "@types/mailparser": "3.4.6",
@@ -4601,221 +4601,2638 @@ function buildConsolePolicyDocument(emailConfig, smsConfig) {
 
 // src/commands/email/check.ts
 init_esm_shims();
-init_events();
 import { GetEmailIdentityCommand, SESv2Client } from "@aws-sdk/client-sesv2";
 import * as clack3 from "@clack/prompts";
-import {
-  formatSpfLookupTree,
-  getExitCode,
-  runEmailCheck
-} from "@wraps/email-check";
-import pc4 from "picocolors";
-async function check(options) {
-  const startTime = Date.now();
-  let domain = options.domain;
-  if (!domain) {
-    const input = await clack3.text({
-      message: "Enter domain to check:",
-      placeholder: "example.com",
-      validate: (value) => {
-        if (!value) return "Domain is required";
-        if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/i.test(value)) {
-          return "Invalid domain format";
-        }
-      }
+
+// ../email-check/dist/index.js
+init_esm_shims();
+import { promises as dns, Resolver } from "dns";
+import { URL } from "url";
+import * as net from "net";
+import * as tls from "tls";
+var QUICK_DKIM_SELECTORS = [
+  // Top providers (most likely to find)
+  "google",
+  "selector1",
+  "selector2",
+  "default",
+  "dkim",
+  "mail",
+  "email",
+  "s1",
+  "s2",
+  "k1",
+  // ESPs
+  "sendgrid",
+  "amazonses",
+  "mandrill",
+  "mailgun",
+  "postmark",
+  "resend",
+  "ses",
+  "sg",
+  "mg",
+  "pm",
+  // Fallbacks
+  "smtp",
+  "mta",
+  "mx",
+  "primary",
+  "main"
+];
+var QUICK_BLACKLISTS = [
+  { name: "Spamhaus ZEN", zone: "zen.spamhaus.org", priority: "critical" },
+  { name: "Spamhaus DBL", zone: "dbl.spamhaus.org", priority: "critical" },
+  { name: "Barracuda", zone: "b.barracudacentral.org", priority: "high" },
+  { name: "SpamCop", zone: "bl.spamcop.net", priority: "high" },
+  { name: "CBL", zone: "cbl.abuseat.org", priority: "high" },
+  { name: "SORBS", zone: "dnsbl.sorbs.net", priority: "medium" },
+  { name: "URIBL", zone: "multi.uribl.com", priority: "medium" },
+  { name: "SURBL", zone: "multi.surbl.org", priority: "medium" },
+  { name: "Mailspike", zone: "bl.mailspike.net", priority: "medium" },
+  { name: "Invaluement", zone: "dnsbl.invaluement.com", priority: "medium" }
+];
+var DEFAULT_DKIM_SELECTORS = [
+  // Generic / common patterns
+  "default",
+  "dkim",
+  "mail",
+  "email",
+  "smtp",
+  "mta",
+  "mx",
+  "selector",
+  "selector1",
+  "selector2",
+  "s",
+  "s1",
+  "s2",
+  "s3",
+  "k",
+  "k1",
+  "k2",
+  "k3",
+  "d",
+  "d1",
+  "d2",
+  "m",
+  "m1",
+  "m2",
+  "e",
+  "e1",
+  "e2",
+  // Google Workspace
+  "google",
+  "g",
+  "gm",
+  // Microsoft 365 (selector1, selector2 already covered)
+  // Amazon SES (note: often random, may not find)
+  "amazonses",
+  "ses",
+  // Mailgun
+  "mailo",
+  "pic",
+  "mg",
+  "mailgun",
+  // SendGrid
+  "sendgrid",
+  "sg",
+  "smtpapi",
+  // Mailchimp / Mandrill
+  "mandrill",
+  "mailchimp",
+  "mc",
+  "mte1",
+  "mte2",
+  // HubSpot
+  "hs1",
+  "hs2",
+  "hubspot",
+  "hubspotemail",
+  // Klaviyo
+  "kl",
+  "kl2",
+  "klaviyo",
+  // Intercom
+  "intercom",
+  "ic",
+  // Zendesk
+  "zendesk",
+  "zendesk1",
+  "zendesk2",
+  "zd",
+  // Salesforce
+  "sf",
+  "sf1",
+  "sf2",
+  "salesforce",
+  // Zoho
+  "zoho",
+  "zmail",
+  "zm",
+  // Fastmail
+  "fm1",
+  "fm2",
+  "fm3",
+  "mesmtp",
+  // Proton
+  "protonmail",
+  "protonmail2",
+  "protonmail3",
+  // Mailerlite
+  "ml",
+  "litesrv",
+  "mailerlite",
+  // ConvertKit
+  "ck",
+  "ck1",
+  "ck2",
+  "convertkit",
+  // ActiveCampaign
+  "ac",
+  "ac1",
+  "ac2",
+  "dk",
+  "activecampaign",
+  // Customer.io
+  "cio",
+  "customerio",
+  // Postmark
+  "pm",
+  "postmark",
+  // SparkPost
+  "sparkpost",
+  "sp",
+  "sp1",
+  "sp2",
+  // SendPulse
+  "sendpulse",
+  // MailerSend
+  "ms",
+  "mailersend",
+  // Loops
+  "loops",
+  // Resend
+  "resend",
+  // Campaign Monitor
+  "cm",
+  "cmail",
+  // Drip
+  "drip",
+  // Brevo (Sendinblue)
+  "sibmail",
+  "brevo",
+  // Mailjet
+  "mailjet",
+  "mj",
+  // Constant Contact
+  "cc",
+  "ctct",
+  "ctct1",
+  "ctct2",
+  // AWeber
+  "aweber",
+  "aw",
+  // GetResponse
+  "getresponse",
+  "gr",
+  // Moosend
+  "moosend",
+  // Omnisend
+  "omnisend",
+  // Keap / Infusionsoft
+  "infusionsoft",
+  "keap",
+  // Twilio SendGrid
+  "twilio",
+  // Elastic Email
+  "elastic",
+  "ee",
+  // Pepipost
+  "pepipost",
+  // SMTP.com
+  "smtpcom",
+  // Generic fallbacks
+  "primary",
+  "main",
+  "prod",
+  "live",
+  "api",
+  "bulk",
+  "transactional",
+  "marketing"
+];
+var DOMAIN_BLACKLISTS = [
+  { name: "Spamhaus DBL", zone: "dbl.spamhaus.org", priority: "critical" },
+  { name: "SURBL Multi", zone: "multi.surbl.org", priority: "high" },
+  { name: "URIBL Black", zone: "black.uribl.com", priority: "high" },
+  { name: "URIBL Grey", zone: "grey.uribl.com", priority: "medium" },
+  { name: "URIBL Red", zone: "red.uribl.com", priority: "high" },
+  { name: "URIBL Multi", zone: "multi.uribl.com", priority: "high" },
+  { name: "Spamcop URI", zone: "bl.spamcop.net", priority: "high" },
+  { name: "DBL Abuse.ch", zone: "dbl.abuse.ch", priority: "medium" },
+  { name: "FRESH URI", zone: "fresh.spameatingmonkey.net", priority: "low" },
+  { name: "Mailspike Z", zone: "z.mailspike.net", priority: "medium" },
+  { name: "SEM Fresh", zone: "fresh.spameatingmonkey.net", priority: "low" },
+  { name: "SEM URI", zone: "uribl.spameatingmonkey.net", priority: "medium" }
+];
+var IP_BLACKLISTS = [
+  // Spamhaus (most important)
+  { name: "Spamhaus ZEN", zone: "zen.spamhaus.org", priority: "critical" },
+  { name: "Spamhaus SBL", zone: "sbl.spamhaus.org", priority: "critical" },
+  { name: "Spamhaus XBL", zone: "xbl.spamhaus.org", priority: "critical" },
+  { name: "Spamhaus PBL", zone: "pbl.spamhaus.org", priority: "high" },
+  { name: "Spamhaus CSS", zone: "sbl-xbl.spamhaus.org", priority: "critical" },
+  // Major lists
+  { name: "Barracuda", zone: "b.barracudacentral.org", priority: "high" },
+  { name: "SpamCop", zone: "bl.spamcop.net", priority: "high" },
+  { name: "CBL", zone: "cbl.abuseat.org", priority: "high" },
+  // Secondary lists
+  { name: "SORBS", zone: "dnsbl.sorbs.net", priority: "medium" },
+  { name: "SORBS Spam", zone: "spam.dnsbl.sorbs.net", priority: "medium" },
+  {
+    name: "SORBS Recent",
+    zone: "recent.spam.dnsbl.sorbs.net",
+    priority: "medium"
+  },
+  { name: "SORBS Web", zone: "web.dnsbl.sorbs.net", priority: "medium" },
+  { name: "SORBS New", zone: "new.spam.dnsbl.sorbs.net", priority: "low" },
+  { name: "Passive Spam Block", zone: "psbl.surriel.com", priority: "medium" },
+  { name: "UCEPROTECT 1", zone: "dnsbl-1.uceprotect.net", priority: "medium" },
+  { name: "UCEPROTECT 2", zone: "dnsbl-2.uceprotect.net", priority: "low" },
+  { name: "UCEPROTECT 3", zone: "dnsbl-3.uceprotect.net", priority: "low" },
+  { name: "WPBL", zone: "db.wpbl.info", priority: "medium" },
+  { name: "Mailspike BL", zone: "bl.mailspike.net", priority: "medium" },
+  { name: "Mailspike Z", zone: "z.mailspike.net", priority: "medium" },
+  // Additional lists
+  { name: "JustSpam", zone: "dnsbl.justspam.org", priority: "low" },
+  {
+    name: "Hostkarma Black",
+    zone: "hostkarma.junkemailfilter.com",
+    priority: "low"
+  },
+  { name: "Invaluement", zone: "dnsbl.invaluement.com", priority: "medium" },
+  { name: "Truncate", zone: "truncate.gbudb.net", priority: "low" },
+  { name: "SpamRATS NoPtr", zone: "noptr.spamrats.com", priority: "low" },
+  { name: "SpamRATS Dyna", zone: "dyna.spamrats.com", priority: "low" },
+  { name: "SpamRATS Auth", zone: "auth.spamrats.com", priority: "low" },
+  { name: "SpamRATS Spam", zone: "spam.spamrats.com", priority: "low" },
+  { name: "BlockList.de", zone: "bl.blocklist.de", priority: "medium" },
+  { name: "DroneBL", zone: "dnsbl.dronebl.org", priority: "low" },
+  { name: "InterServer", zone: "rbl.interserver.net", priority: "low" },
+  // Reputation lists
+  { name: "NiX Spam", zone: "ix.dnsbl.manitu.net", priority: "low" },
+  { name: "Composite BL", zone: "cbl.anti-spam.org.cn", priority: "low" }
+];
+var DEFAULT_TIMEOUT2 = 5e3;
+var SPF_LOOKUP_LIMIT = 10;
+var DKIM_BATCH_SIZE = 10;
+var BLACKLIST_BATCH_SIZE = 20;
+var SPAMHAUS_RETURN_CODES = {
+  "127.0.0.2": "SBL - Spamhaus Block List (known spam source)",
+  "127.0.0.3": "SBL - Spamhaus Block List CSS (snowshoe spam)",
+  "127.0.0.4": "XBL - CBL (hijacked machine, compromised)",
+  "127.0.0.5": "XBL - Njabl (open relay)",
+  "127.0.0.6": "XBL - Njabl (spam source)",
+  "127.0.0.9": "SBL - Spamhaus DROP (hijacked space)",
+  "127.0.0.10": "PBL - Spamhaus Policy Block List (dynamic IP)",
+  "127.0.0.11": "PBL - Spamhaus Policy Block List (ISP maintained)"
+};
+function createNodeDnsProvider(options = {}) {
+  const timeout = options.timeout ?? DEFAULT_TIMEOUT2;
+  const resolver = new Resolver();
+  if (options.servers && options.servers.length > 0) {
+    resolver.setServers(options.servers);
+  }
+  async function withTimeout(promise, operation) {
+    const timeoutPromise = new Promise((_, reject) => {
+      setTimeout(() => {
+        reject(new Error(`DNS ${operation} timed out after ${timeout}ms`));
+      }, timeout);
     });
-    if (clack3.isCancel(input)) {
-      clack3.cancel("Operation cancelled");
-      process.exit(0);
-    }
-    domain = input;
-  }
-  if (!options.json) {
-    clack3.intro(pc4.bold("Wraps Email Check"));
-    console.log();
-  }
-  const spinner4 = options.json ? null : clack3.spinner();
-  spinner4?.start(`Checking ${pc4.cyan(domain)}...`);
-  let dkimSelectors;
-  if (!options.dkimSelector) {
-    const sesTokens = await tryGetSesDkimTokens(domain);
-    if (sesTokens.length > 0) {
-      dkimSelectors = sesTokens;
-    }
+    return Promise.race([promise, timeoutPromise]);
   }
-  try {
-    const result = await runEmailCheck(domain, {
-      quick: options.quick,
-      verbose: options.verbose,
-      dkimSelector: options.dkimSelector,
-      dkimSelectors,
-      // Use SES tokens if found
-      skipBlacklists: options.skipBlacklists,
-      skipTls: options.skipTls,
-      timeout: options.timeout
-    });
-    spinner4?.stop(`Check complete in ${result.duration}ms`);
-    if (options.json) {
-      console.log(JSON.stringify(result, null, 2));
-    } else {
-      displayResults(result, options);
-    }
-    const duration = Date.now() - startTime;
-    trackCommand("email:check", {
-      success: true,
-      duration_ms: duration,
-      grade: result.score.grade
-    });
-    process.exit(getExitCode(result.score.grade));
-  } catch (error) {
-    spinner4?.stop("Check failed");
-    if (options.json) {
-      console.log(JSON.stringify({ error: error.message }));
-    } else {
-      clack3.log.error(error.message);
+  async function resolveTxt(domain) {
+    try {
+      const records = await withTimeout(
+        dns.resolveTxt(domain),
+        `TXT lookup for ${domain}`
+      );
+      return records;
+    } catch (error) {
+      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+        return [];
+      }
+      throw error;
     }
-    const duration = Date.now() - startTime;
-    trackCommand("email:check", {
-      success: false,
-      duration_ms: duration,
-      error: error.message
-    });
-    process.exit(4);
   }
-}
-function displayResults(result, options) {
-  const { score, spf, dkim, dmarc, mx, blacklist } = result;
-  console.log();
-  displayScoreBox(result.domain, score.finalScore, score.grade, options.quick);
-  console.log();
-  console.log(pc4.bold("AUTHENTICATION"));
-  console.log();
-  displaySpfResult(spf, options.verbose);
-  displayDkimResult(dkim, options.verbose);
-  displayDmarcResult(dmarc);
-  console.log();
-  console.log(pc4.bold("INFRASTRUCTURE"));
-  console.log();
-  displayMxResult(mx);
-  displayMxTlsResult(result);
-  displayReverseDnsResult(result);
-  displayIpv6Result(result);
-  console.log();
-  console.log(pc4.bold("REPUTATION"));
-  console.log();
-  displayBlacklistResult(blacklist, options.quick);
-  displayDomainAgeResult(result);
-  if (result.dnssec.enabled || result.caa.configured || result.mtaSts.configured || result.tlsRpt.configured) {
-    console.log();
-    console.log(pc4.bold("SECURITY"));
-    console.log();
-    if (result.dnssec.enabled) {
-      const status2 = result.dnssec.valid ? pc4.green("\u2713") : pc4.red("\u2717");
-      console.log(
-        `  ${status2} ${pc4.dim("DNSSEC")}           ${result.dnssec.valid ? "Enabled and validated" : "Broken"}`
-      );
-    } else {
-      console.log(
-        `  ${pc4.dim("\u25CB")} ${pc4.dim("DNSSEC")}           Not configured`
+  async function resolveMx(domain) {
+    try {
+      const records = await withTimeout(
+        dns.resolveMx(domain),
+        `MX lookup for ${domain}`
       );
+      return records.sort((a, b) => a.priority - b.priority);
+    } catch (error) {
+      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+        return [];
+      }
+      throw error;
     }
-    if (result.caa.configured) {
-      console.log(
-        `  ${pc4.green("\u2713")} ${pc4.dim("CAA")}              Configured (${result.caa.allowedIssuers.join(", ")})`
-      );
-    } else {
-      console.log(
-        `  ${pc4.dim("\u25CB")} ${pc4.dim("CAA")}              Not configured`
+  }
+  async function resolveA(domain) {
+    try {
+      const records = await withTimeout(
+        dns.resolve4(domain),
+        `A lookup for ${domain}`
       );
+      return records;
+    } catch (error) {
+      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+        return [];
+      }
+      throw error;
     }
-    if (result.mtaSts.configured) {
-      const mode = result.mtaSts.policy?.mode || "unknown";
-      console.log(
-        `  ${pc4.green("\u2713")} ${pc4.dim("MTA-STS")}          ${mode === "enforce" ? "Enforcing mode" : `${mode} mode`}`
-      );
-    } else {
-      console.log(
-        `  ${pc4.dim("\u25CB")} ${pc4.dim("MTA-STS")}          Not configured`
+  }
+  async function resolveAaaa(domain) {
+    try {
+      const records = await withTimeout(
+        dns.resolve6(domain),
+        `AAAA lookup for ${domain}`
       );
+      return records;
+    } catch (error) {
+      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+        return [];
+      }
+      throw error;
     }
-    if (result.tlsRpt.configured) {
-      console.log(
-        `  ${pc4.green("\u2713")} ${pc4.dim("TLS-RPT")}          Configured`
-      );
-    } else {
-      console.log(
-        `  ${pc4.dim("\u25CB")} ${pc4.dim("TLS-RPT")}          Not configured`
+  }
+  async function resolvePtr(ip) {
+    try {
+      const records = await withTimeout(
+        dns.reverse(ip),
+        `PTR lookup for ${ip}`
       );
+      return records;
+    } catch (error) {
+      if (error.code === "ENODATA" || error.code === "ENOTFOUND" || error.code === "ENOENT") {
+        return [];
+      }
+      throw error;
     }
   }
-  const criticalDeductions = score.deductions.filter((d) => d.points >= 20);
-  const warningDeductions = score.deductions.filter(
-    (d) => d.points >= 5 && d.points < 20
-  );
-  if (criticalDeductions.length > 0 || warningDeductions.length > 0) {
-    console.log();
-    console.log(pc4.dim("\u2500".repeat(78)));
-    console.log();
-    console.log(
-      pc4.bold(
-        `ISSUES (${criticalDeductions.length} critical, ${warningDeductions.length} warnings)`
-      )
-    );
-    console.log();
-    if (criticalDeductions.length > 0) {
-      console.log(pc4.red("\u274C CRITICAL"));
-      console.log();
-      for (let i = 0; i < criticalDeductions.length; i++) {
-        const d = criticalDeductions[i];
-        console.log(
-          `  ${i + 1}. ${d.reason} (${pc4.red(`-${d.points} points`)})`
-        );
-        console.log();
-        console.log(`     ${getFixSuggestion(d.check, d.reason)}`);
-        console.log();
+  async function resolveCaa(domain) {
+    try {
+      const records = await withTimeout(
+        dns.resolveCaa(domain),
+        `CAA lookup for ${domain}`
+      );
+      return records.map((r) => {
+        let tag = "issue";
+        let value = "";
+        if (r.issue !== void 0) {
+          tag = "issue";
+          value = r.issue;
+        } else if (r.issuewild !== void 0) {
+          tag = "issuewild";
+          value = r.issuewild;
+        } else if (r.iodef !== void 0) {
+          tag = "iodef";
+          value = r.iodef;
+        }
+        return {
+          flags: r.critical,
+          tag,
+          value
+        };
+      });
+    } catch (error) {
+      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+        return [];
       }
+      throw error;
     }
-    if (warningDeductions.length > 0) {
-      console.log(pc4.yellow("\u26A0\uFE0F  WARNINGS"));
-      console.log();
-      for (let i = 0; i < warningDeductions.length; i++) {
-        const d = warningDeductions[i];
-        console.log(`  ${criticalDeductions.length + i + 1}. ${d.reason}`);
-        console.log();
+  }
+  async function resolveCname(domain) {
+    try {
+      const records = await withTimeout(
+        dns.resolveCname(domain),
+        `CNAME lookup for ${domain}`
+      );
+      return records;
+    } catch (error) {
+      if (error.code === "ENODATA" || error.code === "ENOTFOUND") {
+        return [];
       }
+      throw error;
     }
   }
-  console.log();
-  console.log(pc4.dim("\u2500".repeat(78)));
-  console.log();
-  if (score.grade === "A" || score.grade === "B") {
-    console.log(
-      pc4.green(
-        "\u2705 " + (score.grade === "A" ? "Excellent! Your email configuration follows all best practices." : "Good! Your email configuration is solid with minor improvements possible.")
-      )
-    );
-  } else {
-    console.log(
-      pc4.yellow(
-        "Need help fixing these? Deploy Wraps to manage your email infrastructure:"
-      )
-    );
-    console.log();
-    console.log(`  ${pc4.cyan("npx @wraps.dev/cli email init")}`);
-  }
-  console.log();
-  console.log(`Share: ${pc4.cyan(`https://wraps.dev/check/${result.domain}`)}`);
-  console.log();
+  return {
+    resolveTxt,
+    resolveMx,
+    resolveA,
+    resolveAaaa,
+    resolvePtr,
+    resolveCaa,
+    resolveCname
+  };
 }
-function displayScoreBox(domain, score, grade, quick) {
-  const width = 78;
-  const bar = "\u2588".repeat(Math.round(score / 100 * 60));
-  const emptyBar = "\u2591".repeat(60 - bar.length);
-  const gradeColor = grade === "A" || grade === "B" ? pc4.green : grade === "C" ? pc4.yellow : grade === "D" ? pc4.magenta : pc4.red;
-  console.log(pc4.dim("\u256D" + "\u2500".repeat(width - 2) + "\u256E"));
-  console.log(pc4.dim("\u2502") + " ".repeat(width - 2) + pc4.dim("\u2502"));
-  console.log(
-    pc4.dim("\u2502") + "   " + pc4.bold(`wraps email check${quick ? " --quick" : ""}`) + " ".repeat(width - 25 - (quick ? 8 : 0)) + pc4.dim("\u2502")
+var nodeDns = createNodeDnsProvider();
+var currentProvider = nodeDns;
+async function resolveTxtRecords(domain) {
+  const records = await currentProvider.resolveTxt(domain);
+  return records.map((parts) => parts.join(""));
+}
+async function resolveMxRecords(domain) {
+  return currentProvider.resolveMx(domain);
+}
+async function resolveARecords(domain) {
+  return currentProvider.resolveA(domain);
+}
+async function resolveAaaaRecords(domain) {
+  return currentProvider.resolveAaaa(domain);
+}
+async function resolvePtrRecords(ip) {
+  return currentProvider.resolvePtr(ip);
+}
+async function findSpfRecord(domain) {
+  const txtRecords = await resolveTxtRecords(domain);
+  return txtRecords.filter((r) => r.startsWith("v=spf1 ") || r === "v=spf1");
+}
+async function findDkimRecord(domain, selector) {
+  const dkimDomain = `${selector}._domainkey.${domain}`;
+  const txtRecords = await resolveTxtRecords(dkimDomain);
+  const dkimRecord = txtRecords.find(
+    (r) => r.startsWith("v=DKIM1") || r.includes("p=")
+  );
+  return dkimRecord || null;
+}
+async function findDmarcRecord(domain) {
+  const dmarcDomain = `_dmarc.${domain}`;
+  const txtRecords = await resolveTxtRecords(dmarcDomain);
+  const dmarcRecord = txtRecords.find((r) => r.startsWith("v=DMARC1"));
+  return dmarcRecord || null;
+}
+async function batchDnsQuery(items, queryFn, concurrency = 10) {
+  const results = [];
+  for (let i = 0; i < items.length; i += concurrency) {
+    const batch = items.slice(i, i + concurrency);
+    const batchResults = await Promise.all(batch.map(queryFn));
+    results.push(...batchResults);
+  }
+  return results;
+}
+function toAsciiDomain(domain) {
+  try {
+    const url = new URL(`http://${domain.toLowerCase()}`);
+    return url.hostname;
+  } catch {
+    return domain.toLowerCase();
+  }
+}
+function isValidDomain(domain) {
+  if (!domain || domain.length > 253) return false;
+  const asciiDomain = toAsciiDomain(domain);
+  const labels = asciiDomain.split(".");
+  if (labels.length < 2) return false;
+  for (const label of labels) {
+    if (!label || label.length > 63) return false;
+    if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i.test(label)) return false;
+  }
+  return true;
+}
+function isIpAddress(str) {
+  return isIpv4(str) || isIpv6(str);
+}
+function isIpv4(str) {
+  const parts = str.split(".");
+  if (parts.length !== 4) return false;
+  return parts.every((part) => {
+    const num = Number.parseInt(part, 10);
+    return !Number.isNaN(num) && num >= 0 && num <= 255 && part === String(num);
+  });
+}
+function isIpv6(str) {
+  const ipv6Pattern = /^(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]+|::(?:ffff(?::0{1,4})?:)?(?:(?:25[0-5]|(?:2[0-4]|1?[0-9])?[0-9])\.){3}(?:25[0-5]|(?:2[0-4]|1?[0-9])?[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1?[0-9])?[0-9])\.){3}(?:25[0-5]|(?:2[0-4]|1?[0-9])?[0-9]))$/;
+  return ipv6Pattern.test(str);
+}
+function reverseIp(ip) {
+  if (isIpv4(ip)) {
+    return ip.split(".").reverse().join(".");
+  }
+  throw new Error("IPv6 reverse not yet implemented");
+}
+function isLocalhost(ip) {
+  if (isIpv4(ip)) {
+    return ip === "127.0.0.1" || ip.startsWith("127.");
+  }
+  return ip === "::1" || ip === "0:0:0:0:0:0:0:1";
+}
+var TEST_RETURN_CODES = /* @__PURE__ */ new Set([
+  "127.0.0.1",
+  // Generic test response / query confirmation
+  "127.0.1.255",
+  // Spamhaus DBL test/error response
+  "127.255.255.252",
+  // DNS resolver test
+  "127.255.255.254",
+  // URIBL test response
+  "127.255.255.255"
+  // Reserved/test
+]);
+function isTestResponse(returnCode) {
+  return TEST_RETURN_CODES.has(returnCode);
+}
+async function checkBlacklist(options) {
+  const { quick = false, skip = false, domain, ips = [] } = options;
+  const result = {
+    domainChecks: {
+      checked: 0,
+      listed: [],
+      clean: [],
+      errors: [],
+      timeouts: []
+    },
+    ipChecks: {
+      checked: 0,
+      listed: [],
+      clean: [],
+      errors: [],
+      timeouts: []
+    },
+    overallClean: true,
+    quickMode: quick
+  };
+  if (skip) {
+    return result;
+  }
+  const domainBlacklists = quick ? QUICK_BLACKLISTS.slice(0, 5) : DOMAIN_BLACKLISTS;
+  const ipBlacklists = quick ? QUICK_BLACKLISTS : IP_BLACKLISTS;
+  await checkDomainBlacklists(domain, domainBlacklists, result);
+  if (ips.length > 0) {
+    await checkIpBlacklists(ips, ipBlacklists, result);
+  }
+  result.overallClean = result.domainChecks.listed.length === 0 && result.ipChecks.listed.length === 0;
+  return result;
+}
+async function checkDomainBlacklists(domain, blacklists, result) {
+  const checks = blacklists.map((bl) => ({
+    blacklist: bl,
+    query: `${domain}.${bl.zone}`
+  }));
+  await batchDnsQuery(
+    checks,
+    async (check2) => {
+      result.domainChecks.checked++;
+      try {
+        const records = await resolveARecords(check2.query);
+        const firstRecord = records[0];
+        if (records.length > 0 && firstRecord && !isTestResponse(firstRecord)) {
+          const listing = createListing(
+            check2.blacklist,
+            "domain",
+            domain,
+            firstRecord
+          );
+          result.domainChecks.listed.push(listing);
+          result.overallClean = false;
+        } else {
+          result.domainChecks.clean.push(check2.blacklist.name);
+        }
+      } catch (error) {
+        if (error.message?.includes("timed out")) {
+          result.domainChecks.timeouts.push(check2.blacklist.name);
+        } else if (error.code !== "ENOTFOUND" && error.code !== "ENODATA") {
+          result.domainChecks.errors.push(
+            `${check2.blacklist.name}: ${error.message}`
+          );
+        } else {
+          result.domainChecks.clean.push(check2.blacklist.name);
+        }
+      }
+    },
+    BLACKLIST_BATCH_SIZE
+  );
+}
+async function checkIpBlacklists(ips, blacklists, result) {
+  const ipv4Ips = ips.filter(isIpv4);
+  for (const ip of ipv4Ips) {
+    const reversedIp = reverseIp(ip);
+    const checks = blacklists.map((bl) => ({
+      blacklist: bl,
+      query: `${reversedIp}.${bl.zone}`,
+      ip
+    }));
+    await batchDnsQuery(
+      checks,
+      async (check2) => {
+        result.ipChecks.checked++;
+        try {
+          const records = await resolveARecords(check2.query);
+          const firstRecord = records[0];
+          if (records.length > 0 && firstRecord && !isTestResponse(firstRecord)) {
+            const listing = createListing(
+              check2.blacklist,
+              "ip",
+              check2.ip,
+              firstRecord
+            );
+            result.ipChecks.listed.push(listing);
+            result.overallClean = false;
+          } else {
+            result.ipChecks.clean.push(check2.blacklist.name);
+          }
+        } catch (error) {
+          if (error.message?.includes("timed out")) {
+            result.ipChecks.timeouts.push(check2.blacklist.name);
+          } else if (error.code !== "ENOTFOUND" && error.code !== "ENODATA") {
+            result.ipChecks.errors.push(
+              `${check2.blacklist.name}: ${error.message}`
+            );
+          } else {
+            result.ipChecks.clean.push(check2.blacklist.name);
+          }
+        }
+      },
+      BLACKLIST_BATCH_SIZE
+    );
+  }
+}
+function createListing(blacklist, type, target, returnCode) {
+  return {
+    blacklist: blacklist.name,
+    zone: blacklist.zone,
+    priority: blacklist.priority || "medium",
+    type,
+    target,
+    returnCode,
+    meaning: getMeaning(blacklist.zone, returnCode),
+    delistUrl: getDelistUrl(blacklist.zone)
+  };
+}
+function getMeaning(zone, returnCode) {
+  if (zone.includes("spamhaus")) {
+    return SPAMHAUS_RETURN_CODES[returnCode] || `Listed (${returnCode})`;
+  }
+  if (returnCode === "127.0.0.2") {
+    return "Listed as spam source";
+  }
+  if (returnCode === "127.0.0.3") {
+    return "Listed as spam source (elevated threat)";
+  }
+  return `Listed (${returnCode})`;
+}
+function getDelistUrl(zone) {
+  const delistUrls = {
+    "zen.spamhaus.org": "https://check.spamhaus.org/",
+    "dbl.spamhaus.org": "https://check.spamhaus.org/",
+    "sbl.spamhaus.org": "https://check.spamhaus.org/",
+    "xbl.spamhaus.org": "https://check.spamhaus.org/",
+    "pbl.spamhaus.org": "https://check.spamhaus.org/",
+    "b.barracudacentral.org": "https://www.barracudacentral.org/lookups",
+    "bl.spamcop.net": "https://www.spamcop.net/bl.shtml",
+    "cbl.abuseat.org": "https://cbl.abuseat.org/lookup.cgi",
+    "dnsbl.sorbs.net": "http://www.sorbs.net/lookup.shtml"
+  };
+  return delistUrls[zone] || null;
+}
+async function checkDkim(domain, options = {}) {
+  const {
+    quick = false,
+    selector,
+    selectors: customSelectors,
+    verbose = false,
+    detectedProvider
+  } = options;
+  let selectorsToCheck;
+  if (selector) {
+    selectorsToCheck = [selector];
+  } else if (customSelectors && customSelectors.length > 0) {
+    selectorsToCheck = customSelectors;
+  } else if (quick) {
+    selectorsToCheck = [...QUICK_DKIM_SELECTORS];
+  } else {
+    selectorsToCheck = [...DEFAULT_DKIM_SELECTORS];
+  }
+  const result = {
+    found: false,
+    selectors: [],
+    selectorsChecked: 0,
+    earlyExit: false,
+    warnings: []
+  };
+  let foundValid = false;
+  for (let i = 0; i < selectorsToCheck.length; i += DKIM_BATCH_SIZE) {
+    if (foundValid && !verbose) {
+      result.earlyExit = true;
+      break;
+    }
+    const batch = selectorsToCheck.slice(i, i + DKIM_BATCH_SIZE);
+    const batchResults = await batchDnsQuery(
+      batch,
+      async (sel) => checkDkimSelector(domain, sel),
+      DKIM_BATCH_SIZE
+    );
+    for (const selectorResult of batchResults) {
+      result.selectorsChecked++;
+      if (selectorResult.exists) {
+        result.selectors.push(selectorResult);
+        result.found = true;
+        if (selectorResult.valid && !selectorResult.revoked) {
+          foundValid = true;
+        }
+      }
+    }
+  }
+  result.selectors.sort((a, b) => {
+    const aScore = (a.valid ? 2 : 0) + (a.revoked ? 0 : 1);
+    const bScore = (b.valid ? 2 : 0) + (b.revoked ? 0 : 1);
+    return bScore - aScore;
+  });
+  if (!result.found && detectedProvider) {
+    const randomSelectorProviders = {
+      ses: "AWS SES uses random DKIM selectors. Check your SES console or use --dkimSelector with your actual selector.",
+      amazonses: "AWS SES uses random DKIM selectors. Check your SES console or use --dkimSelector with your actual selector.",
+      sendgrid: "SendGrid may use custom selectors. Check your SendGrid dashboard or use --dkimSelector.",
+      mailgun: "Mailgun may use custom selectors. Check your Mailgun dashboard or use --dkimSelector."
+    };
+    const providerLower = detectedProvider.toLowerCase();
+    for (const [key, message] of Object.entries(randomSelectorProviders)) {
+      if (providerLower.includes(key)) {
+        result.warnings.push(message);
+        break;
+      }
+    }
+  }
+  return result;
+}
+async function checkDkimSelector(domain, selector) {
+  const result = {
+    selector,
+    exists: false,
+    record: null,
+    valid: false,
+    keyType: null,
+    keyBits: null,
+    publicKey: null,
+    testMode: false,
+    revoked: false,
+    expired: false,
+    hashAlgorithms: [],
+    serviceTypes: [],
+    flags: [],
+    errors: [],
+    warnings: []
+  };
+  try {
+    const record = await findDkimRecord(domain, selector);
+    if (!record) {
+      return result;
+    }
+    result.exists = true;
+    result.record = record;
+    parseDkimRecord(record, result);
+  } catch (error) {
+    result.errors.push(error.message);
+  }
+  return result;
+}
+function parseDkimRecord(record, result) {
+  const tags = parseDkimTags(record);
+  const version = tags.get("v");
+  if (version && version !== "DKIM1") {
+    result.errors.push(`Invalid DKIM version: ${version}`);
+  }
+  const keyType = tags.get("k") || "rsa";
+  if (keyType === "rsa") {
+    result.keyType = "rsa";
+  } else if (keyType === "ed25519") {
+    result.keyType = "ed25519";
+  } else {
+    result.keyType = "unknown";
+    result.warnings.push(`Unknown key type: ${keyType}`);
+  }
+  const publicKey = tags.get("p");
+  if (publicKey === void 0) {
+    result.errors.push("Missing public key (p=)");
+    return;
+  }
+  if (publicKey === "") {
+    result.revoked = true;
+    result.warnings.push("DKIM key is revoked (empty p= tag)");
+    return;
+  }
+  result.publicKey = publicKey;
+  if (result.keyType === "rsa") {
+    try {
+      const keyData = Buffer.from(publicKey, "base64");
+      const estimatedBits = keyData.length * 8;
+      result.keyBits = Math.round((estimatedBits - 256) * 0.95);
+      if (result.keyBits < 512) result.keyBits = 512;
+      if (result.keyBits > 4096) result.keyBits = 4096;
+      if (result.keyBits <= 768) result.keyBits = 512;
+      else if (result.keyBits <= 1200) result.keyBits = 1024;
+      else if (result.keyBits <= 2500) result.keyBits = 2048;
+      else if (result.keyBits <= 3500) result.keyBits = 3072;
+      else result.keyBits = 4096;
+      if (result.keyBits < 1024) {
+        result.errors.push(`RSA key too weak: ${result.keyBits} bits`);
+      } else if (result.keyBits < 2048) {
+        result.warnings.push(
+          `RSA key should be 2048+ bits (currently ${result.keyBits})`
+        );
+      }
+    } catch {
+      result.warnings.push("Could not determine RSA key size");
+    }
+  }
+  const hashAlg = tags.get("h");
+  if (hashAlg) {
+    result.hashAlgorithms = hashAlg.split(":").map((h) => h.trim());
+    if (result.hashAlgorithms.includes("sha1") && !result.hashAlgorithms.includes("sha256")) {
+      result.warnings.push("Only sha1 allowed - sha256 recommended");
+    }
+  } else {
+    result.hashAlgorithms = ["sha1", "sha256"];
+  }
+  const serviceType = tags.get("s");
+  if (serviceType) {
+    result.serviceTypes = serviceType.split(":").map((s) => s.trim());
+    if (!(result.serviceTypes.includes("*") || result.serviceTypes.includes("email"))) {
+      result.warnings.push(
+        `Service type restricts to: ${result.serviceTypes.join(", ")}`
+      );
+    }
+  } else {
+    result.serviceTypes = ["*"];
+  }
+  const flagsTag = tags.get("t");
+  if (flagsTag) {
+    result.flags = flagsTag.split(":").map((f) => f.trim());
+    if (result.flags.includes("y")) {
+      result.testMode = true;
+      result.warnings.push("DKIM in testing mode (t=y)");
+    }
+  }
+  const notes = tags.get("n");
+  if (notes) {
+    result.warnings.push(`DKIM note: ${notes}`);
+  }
+  result.valid = result.errors.length === 0 && !result.revoked;
+}
+function parseDkimTags(record) {
+  const tags = /* @__PURE__ */ new Map();
+  const parts = record.split(";").map((p) => p.trim()).filter(Boolean);
+  for (const part of parts) {
+    const eqIndex = part.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = part.slice(0, eqIndex).trim().toLowerCase();
+    const value = part.slice(eqIndex + 1).trim();
+    tags.set(key, value);
+  }
+  return tags;
+}
+async function checkDmarc(domain) {
+  const result = {
+    exists: false,
+    record: null,
+    valid: false,
+    policy: null,
+    subdomainPolicy: null,
+    percentage: 100,
+    reportingEnabled: false,
+    ruaAddresses: [],
+    rufAddresses: [],
+    alignmentSpf: "relaxed",
+    alignmentDkim: "relaxed",
+    failureOptions: "0",
+    reportInterval: 86400,
+    reportFormat: "afrf",
+    errors: [],
+    warnings: []
+  };
+  try {
+    const record = await findDmarcRecord(domain);
+    if (!record) {
+      return result;
+    }
+    result.exists = true;
+    result.record = record;
+    parseDmarcRecord(record, result);
+  } catch (error) {
+    result.errors.push(error.message);
+  }
+  return result;
+}
+function parseDmarcRecord(record, result) {
+  const tags = parseDmarcTags(record);
+  const version = tags.get("v");
+  if (version !== "DMARC1") {
+    result.errors.push(`Invalid DMARC version: ${version || "missing"}`);
+    return;
+  }
+  const policy = tags.get("p");
+  if (!policy) {
+    result.errors.push("Missing required policy (p=)");
+    return;
+  }
+  if (!["none", "quarantine", "reject"].includes(policy)) {
+    result.errors.push(`Invalid policy: ${policy}`);
+    return;
+  }
+  result.policy = policy;
+  const subdomainPolicy = tags.get("sp");
+  if (subdomainPolicy) {
+    if (["none", "quarantine", "reject"].includes(subdomainPolicy)) {
+      result.subdomainPolicy = subdomainPolicy;
+    } else {
+      result.warnings.push(`Invalid subdomain policy: ${subdomainPolicy}`);
+    }
+  } else {
+    result.subdomainPolicy = result.policy;
+  }
+  const pct = tags.get("pct");
+  if (pct) {
+    const pctNum = Number.parseInt(pct, 10);
+    if (Number.isNaN(pctNum) || pctNum < 0 || pctNum > 100) {
+      result.warnings.push(`Invalid percentage: ${pct}`);
+    } else {
+      result.percentage = pctNum;
+      if (pctNum < 100) {
+        result.warnings.push(`Only ${pctNum}% of messages subject to policy`);
+      }
+    }
+  }
+  const rua = tags.get("rua");
+  if (rua) {
+    result.ruaAddresses = parseReportAddresses(rua);
+    result.reportingEnabled = result.ruaAddresses.length > 0;
+  }
+  const ruf = tags.get("ruf");
+  if (ruf) {
+    result.rufAddresses = parseReportAddresses(ruf);
+  }
+  const aspf = tags.get("aspf");
+  if (aspf) {
+    if (aspf === "s") {
+      result.alignmentSpf = "strict";
+    } else if (aspf === "r") {
+      result.alignmentSpf = "relaxed";
+    } else {
+      result.warnings.push(`Invalid SPF alignment mode: ${aspf}`);
+    }
+  }
+  const adkim = tags.get("adkim");
+  if (adkim) {
+    if (adkim === "s") {
+      result.alignmentDkim = "strict";
+    } else if (adkim === "r") {
+      result.alignmentDkim = "relaxed";
+    } else {
+      result.warnings.push(`Invalid DKIM alignment mode: ${adkim}`);
+    }
+  }
+  const fo = tags.get("fo");
+  if (fo) {
+    const validOptions = ["0", "1", "d", "s"];
+    const options = fo.split(":").map((o) => o.trim());
+    for (const opt of options) {
+      if (!validOptions.includes(opt)) {
+        result.warnings.push(`Unknown failure option: ${opt}`);
+      }
+    }
+    result.failureOptions = fo;
+  }
+  const ri = tags.get("ri");
+  if (ri) {
+    const riNum = Number.parseInt(ri, 10);
+    if (Number.isNaN(riNum) || riNum < 0) {
+      result.warnings.push(`Invalid report interval: ${ri}`);
+    } else {
+      result.reportInterval = riNum;
+    }
+  }
+  const rf = tags.get("rf");
+  if (rf) {
+    result.reportFormat = rf;
+  }
+  if (result.policy === "none") {
+    result.warnings.push(
+      'DMARC policy is "none" - not enforcing authentication'
+    );
+  }
+  if (result.subdomainPolicy === "none" && result.policy !== "none") {
+    result.warnings.push("Subdomain policy is less strict than domain policy");
+  }
+  if (!result.reportingEnabled) {
+    result.warnings.push("No aggregate reporting configured (rua=)");
+  }
+  for (const addr of [...result.ruaAddresses, ...result.rufAddresses]) {
+    const match = addr.match(/^mailto:([^@]+)@(.+)$/i);
+    if (match) {
+      const domain = result.record?.includes("_dmarc.") ? result.record.split("_dmarc.")[1]?.split(" ")[0] : null;
+    }
+  }
+  result.valid = result.errors.length === 0;
+}
+function parseDmarcTags(record) {
+  const tags = /* @__PURE__ */ new Map();
+  const parts = record.split(";").map((p) => p.trim()).filter(Boolean);
+  for (const part of parts) {
+    const eqIndex = part.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = part.slice(0, eqIndex).trim().toLowerCase();
+    const value = part.slice(eqIndex + 1).trim();
+    tags.set(key, value);
+  }
+  return tags;
+}
+function parseReportAddresses(value) {
+  return value.split(",").map((addr) => addr.trim()).filter(Boolean);
+}
+async function checkMx(domain) {
+  const result = {
+    exists: false,
+    records: [],
+    hasRedundancy: false,
+    warnings: []
+  };
+  try {
+    const mxRecords = await resolveMxRecords(domain);
+    if (mxRecords.length === 0) {
+      result.warnings.push("No MX records found");
+      return result;
+    }
+    result.exists = true;
+    for (const mx of mxRecords) {
+      const mxResult = await checkMxRecord(mx);
+      result.records.push(mxResult);
+    }
+    const uniquePriorities = new Set(mxRecords.map((r) => r.priority));
+    result.hasRedundancy = mxRecords.length > 1 && uniquePriorities.size > 1;
+    const unresolving = result.records.filter((r) => !r.resolves);
+    if (unresolving.length > 0) {
+      result.warnings.push(`${unresolving.length} MX record(s) do not resolve`);
+    }
+    const ipMx = result.records.filter((r) => r.isIpAddress);
+    if (ipMx.length > 0) {
+      result.warnings.push(
+        "MX records should point to hostnames, not IP addresses"
+      );
+    }
+    const localhostMx = result.records.filter((r) => r.isLocalhost);
+    if (localhostMx.length > 0) {
+      result.warnings.push("MX record points to localhost");
+    }
+  } catch (error) {
+    result.warnings.push(`Error checking MX: ${error.message}`);
+  }
+  return result;
+}
+async function checkMxRecord(mx) {
+  const result = {
+    priority: mx.priority,
+    exchange: mx.exchange,
+    resolves: false,
+    ipv4Addresses: [],
+    ipv6Addresses: [],
+    isLocalhost: false,
+    isIpAddress: isIpAddress(mx.exchange),
+    reverseHostnames: []
+  };
+  if (result.isIpAddress) {
+    result.isLocalhost = isLocalhost(mx.exchange);
+    result.resolves = true;
+    if (mx.exchange.includes(":")) {
+      result.ipv6Addresses = [mx.exchange];
+    } else {
+      result.ipv4Addresses = [mx.exchange];
+    }
+    return result;
+  }
+  try {
+    const ipv4 = await resolveARecords(mx.exchange);
+    result.ipv4Addresses = ipv4;
+    const ipv6 = await resolveAaaaRecords(mx.exchange);
+    result.ipv6Addresses = ipv6;
+    result.resolves = ipv4.length > 0 || ipv6.length > 0;
+    for (const ip of [...ipv4, ...ipv6]) {
+      if (isLocalhost(ip)) {
+        result.isLocalhost = true;
+        break;
+      }
+    }
+    const allIps = [...ipv4, ...ipv6];
+    for (const ip of allIps.slice(0, 3)) {
+      try {
+        const ptrs = await resolvePtrRecords(ip);
+        result.reverseHostnames.push(...ptrs);
+      } catch {
+      }
+    }
+  } catch (error) {
+  }
+  return result;
+}
+var DEFAULT_TIMEOUT22 = 1e4;
+var SMTP_PORT = 25;
+async function checkMxTls(mxRecords, options = {}) {
+  const { skip = false, timeout = DEFAULT_TIMEOUT22, quick = false } = options;
+  const result = {
+    checked: false,
+    skipped: skip,
+    skipReason: skip ? "--skip-tls flag" : null,
+    servers: []
+  };
+  if (skip) {
+    return result;
+  }
+  if (mxRecords.length === 0) {
+    result.skipReason = "No MX records";
+    result.skipped = true;
+    return result;
+  }
+  const sortedMx = [...mxRecords].sort((a, b) => a.priority - b.priority);
+  const mxToCheck = quick ? sortedMx.slice(0, 1) : sortedMx.slice(0, 5);
+  const checkPromises = mxToCheck.map(
+    (mx) => checkServer(mx.exchange, timeout)
+  );
+  try {
+    result.servers = await Promise.all(checkPromises);
+    result.checked = true;
+  } catch (error) {
+    result.skipReason = error.message || "TLS check failed";
+  }
+  return result;
+}
+async function checkServer(hostname, timeout) {
+  const result = {
+    server: hostname,
+    port: SMTP_PORT,
+    connected: false,
+    connectionError: null,
+    supportsStarttls: false,
+    tlsVersions: [],
+    preferredTlsVersion: null,
+    cipherSuite: null,
+    certificate: null,
+    errors: []
+  };
+  try {
+    const smtpSession = await connectSmtp(hostname, SMTP_PORT, timeout);
+    result.connected = true;
+    const capabilities = await sendEhlo(smtpSession, timeout);
+    result.supportsStarttls = capabilities.includes("STARTTLS");
+    if (!result.supportsStarttls) {
+      smtpSession.socket.destroy();
+      result.errors.push("Server does not advertise STARTTLS");
+      return result;
+    }
+    const tlsResult = await upgradeToTls(smtpSession, hostname, timeout);
+    if (tlsResult.success && tlsResult.socket) {
+      result.preferredTlsVersion = tlsResult.tlsVersion || null;
+      result.cipherSuite = tlsResult.cipher || null;
+      if (tlsResult.tlsVersion) {
+        result.tlsVersions.push(tlsResult.tlsVersion);
+      }
+      if (tlsResult.certificate) {
+        const cert = tlsResult.certificate;
+        const now = /* @__PURE__ */ new Date();
+        const expiresAt = new Date(cert.valid_to);
+        const daysUntilExpiry = Math.floor(
+          (expiresAt.getTime() - now.getTime()) / (1e3 * 60 * 60 * 24)
+        );
+        result.certificate = {
+          valid: tlsResult.authorized ?? false,
+          issuer: formatX509Name(cert.issuer),
+          subject: formatX509Name(cert.subject),
+          altNames: parseAltNames(cert.subjectaltname),
+          expiresAt: cert.valid_to,
+          daysUntilExpiry,
+          matchesHostname: tlsResult.authorized ?? false,
+          selfSigned: isSelfSigned(cert),
+          chainValid: tlsResult.authorized ?? false
+        };
+      }
+      tlsResult.socket.destroy();
+    } else {
+      result.errors.push(tlsResult.error || "TLS upgrade failed");
+    }
+  } catch (error) {
+    result.connectionError = error.message || "Connection failed";
+    if (error.code === "ECONNREFUSED") {
+      result.connectionError = "Connection refused (port 25 blocked?)";
+    } else if (error.code === "ETIMEDOUT" || error.message?.includes("timeout")) {
+      result.connectionError = "Connection timed out";
+    } else if (error.code === "ENOTFOUND") {
+      result.connectionError = "Host not found";
+    }
+  }
+  return result;
+}
+function connectSmtp(hostname, port, timeout) {
+  return new Promise((resolve, reject) => {
+    const socket = net.createConnection({ host: hostname, port });
+    let buffer = "";
+    let resolved = false;
+    const timer = setTimeout(() => {
+      if (!resolved) {
+        resolved = true;
+        socket.destroy();
+        reject(new Error("Connection timeout"));
+      }
+    }, timeout);
+    socket.on("connect", () => {
+    });
+    socket.on("data", (data) => {
+      buffer += data.toString();
+      if (buffer.includes("\r\n") && buffer.startsWith("220") && !resolved) {
+        resolved = true;
+        clearTimeout(timer);
+        resolve({ socket, buffer: "" });
+      }
+    });
+    socket.on("error", (err) => {
+      if (!resolved) {
+        resolved = true;
+        clearTimeout(timer);
+        reject(err);
+      }
+    });
+    socket.on("close", () => {
+      if (!resolved) {
+        resolved = true;
+        clearTimeout(timer);
+        reject(new Error("Connection closed"));
+      }
+    });
+  });
+}
+function sendEhlo(session, timeout) {
+  return new Promise((resolve, reject) => {
+    let buffer = "";
+    let resolved = false;
+    const timer = setTimeout(() => {
+      if (!resolved) {
+        resolved = true;
+        reject(new Error("EHLO timeout"));
+      }
+    }, timeout);
+    session.socket.on("data", (data) => {
+      buffer += data.toString();
+      const lines = buffer.split("\r\n").filter(Boolean);
+      const lastLine = lines[lines.length - 1];
+      if (lastLine && /^250[ ]/.test(lastLine) && !resolved) {
+        resolved = true;
+        clearTimeout(timer);
+        const capabilities = lines.filter((line) => line.startsWith("250")).map((line) => line.slice(4).trim().toUpperCase());
+        resolve(capabilities);
+      }
+    });
+    session.socket.on("error", (err) => {
+      if (!resolved) {
+        resolved = true;
+        clearTimeout(timer);
+        reject(err);
+      }
+    });
+    session.socket.write("EHLO mail.check.wraps.dev\r\n");
+  });
+}
+function upgradeToTls(session, hostname, timeout) {
+  return new Promise((resolve) => {
+    let buffer = "";
+    let resolved = false;
+    const timer = setTimeout(() => {
+      if (!resolved) {
+        resolved = true;
+        resolve({ success: false, error: "STARTTLS timeout" });
+      }
+    }, timeout);
+    const onData = (data) => {
+      buffer += data.toString();
+      if (buffer.includes("220")) {
+        session.socket.removeListener("data", onData);
+        const tlsSocket = tls.connect(
+          {
+            socket: session.socket,
+            servername: hostname,
+            rejectUnauthorized: false,
+            // We'll check manually
+            minVersion: "TLSv1.2"
+          },
+          () => {
+            if (!resolved) {
+              resolved = true;
+              clearTimeout(timer);
+              const cipher = tlsSocket.getCipher();
+              const cert = tlsSocket.getPeerCertificate();
+              resolve({
+                success: true,
+                socket: tlsSocket,
+                tlsVersion: tlsSocket.getProtocol() || void 0,
+                cipher: cipher?.name,
+                certificate: cert,
+                authorized: tlsSocket.authorized
+              });
+            }
+          }
+        );
+        tlsSocket.on("error", (err) => {
+          if (!resolved) {
+            resolved = true;
+            clearTimeout(timer);
+            resolve({ success: false, error: err.message });
+          }
+        });
+      } else if (buffer.includes("454") || buffer.includes("501")) {
+        if (!resolved) {
+          resolved = true;
+          clearTimeout(timer);
+          resolve({ success: false, error: "Server rejected STARTTLS" });
+        }
+      }
+    };
+    session.socket.on("data", onData);
+    session.socket.on("error", (err) => {
+      if (!resolved) {
+        resolved = true;
+        clearTimeout(timer);
+        resolve({ success: false, error: err.message });
+      }
+    });
+    session.socket.write("STARTTLS\r\n");
+  });
+}
+function formatX509Name(name) {
+  if (!name) return "";
+  const parts = [];
+  if (name.O) parts.push(name.O);
+  if (name.CN) parts.push(name.CN);
+  return parts.join(" - ") || JSON.stringify(name);
+}
+function parseAltNames(subjectaltname) {
+  if (!subjectaltname) return [];
+  return subjectaltname.split(", ").filter((san) => san.startsWith("DNS:")).map((san) => san.slice(4));
+}
+function isSelfSigned(cert) {
+  if (!(cert.issuer && cert.subject)) return false;
+  return cert.issuer.CN === cert.subject.CN && cert.issuer.O === cert.subject.O;
+}
+var RDAP_BOOTSTRAP_URL = "https://data.iana.org/rdap/dns.json";
+var rdapBootstrapCache = null;
+var bootstrapCacheTime = 0;
+var BOOTSTRAP_CACHE_TTL = 36e5;
+async function checkDomainAge(domain, options = {}) {
+  const { quick = false, timeout = 1e4 } = options;
+  const result = {
+    createdAt: null,
+    expiresAt: null,
+    updatedAt: null,
+    ageInDays: null,
+    daysUntilExpiry: null,
+    registrar: null,
+    registrantOrganization: null,
+    registrantCountry: null,
+    nameservers: [],
+    dnssecEnabled: false,
+    source: "unavailable",
+    privacyEnabled: false,
+    errors: []
+  };
+  if (quick) {
+    result.errors.push("Skipped in quick mode");
+    return result;
+  }
+  try {
+    const tld = getTld(domain);
+    if (!tld) {
+      result.errors.push("Could not determine TLD");
+      return result;
+    }
+    const rdapServer = await findRdapServer(tld, timeout);
+    if (!rdapServer) {
+      result.errors.push(`No RDAP server found for .${tld}`);
+      return result;
+    }
+    const rdapData = await queryRdap(rdapServer, domain, timeout);
+    if (!rdapData) {
+      result.errors.push("RDAP query returned no data");
+      return result;
+    }
+    parseRdapResponse(rdapData, result);
+    result.source = "rdap";
+  } catch (error) {
+    result.errors.push(error.message || "RDAP lookup failed");
+  }
+  return result;
+}
+function getTld(domain) {
+  const parts = domain.toLowerCase().split(".");
+  if (parts.length < 2) return null;
+  const lastTwo = parts.slice(-2).join(".");
+  const secondLevelTlds = [
+    "co.uk",
+    "org.uk",
+    "me.uk",
+    "ac.uk",
+    "com.au",
+    "net.au",
+    "org.au",
+    "co.nz",
+    "org.nz",
+    "co.jp",
+    "or.jp",
+    "com.br",
+    "org.br"
+  ];
+  if (secondLevelTlds.includes(lastTwo) && parts.length > 2) {
+    return lastTwo;
+  }
+  return parts[parts.length - 1] || null;
+}
+async function findRdapServer(tld, timeout) {
+  const now = Date.now();
+  if (rdapBootstrapCache && now - bootstrapCacheTime < BOOTSTRAP_CACHE_TTL) {
+    return rdapBootstrapCache.get(tld.toLowerCase()) || null;
+  }
+  try {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    const response = await fetch(RDAP_BOOTSTRAP_URL, {
+      signal: controller.signal,
+      headers: { Accept: "application/json" }
+    });
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      return null;
+    }
+    const bootstrap = await response.json();
+    rdapBootstrapCache = /* @__PURE__ */ new Map();
+    bootstrapCacheTime = now;
+    for (const [tlds, urls] of bootstrap.services) {
+      const serverUrl = urls[0];
+      if (serverUrl) {
+        for (const t of tlds) {
+          rdapBootstrapCache.set(t.toLowerCase(), serverUrl);
+        }
+      }
+    }
+    return rdapBootstrapCache.get(tld.toLowerCase()) || null;
+  } catch {
+    return null;
+  }
+}
+async function queryRdap(serverUrl, domain, timeout) {
+  try {
+    let url = serverUrl;
+    if (!url.endsWith("/")) url += "/";
+    url += `domain/${domain}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    const response = await fetch(url, {
+      signal: controller.signal,
+      headers: { Accept: "application/rdap+json, application/json" }
+    });
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      return null;
+    }
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+function parseRdapResponse(data, result) {
+  const now = /* @__PURE__ */ new Date();
+  if (data.events) {
+    for (const event of data.events) {
+      const date = event.eventDate;
+      switch (event.eventAction) {
+        case "registration":
+          result.createdAt = date;
+          break;
+        case "expiration":
+          result.expiresAt = date;
+          break;
+        case "last changed":
+        case "last update of RDAP database":
+          if (!result.updatedAt) {
+            result.updatedAt = date;
+          }
+          break;
+      }
+    }
+  }
+  if (result.createdAt) {
+    const created = new Date(result.createdAt);
+    result.ageInDays = Math.floor(
+      (now.getTime() - created.getTime()) / (1e3 * 60 * 60 * 24)
+    );
+  }
+  if (result.expiresAt) {
+    const expires = new Date(result.expiresAt);
+    result.daysUntilExpiry = Math.floor(
+      (expires.getTime() - now.getTime()) / (1e3 * 60 * 60 * 24)
+    );
+  }
+  if (data.nameservers) {
+    result.nameservers = data.nameservers.map((ns) => ns.ldhName?.toLowerCase()).filter((ns) => !!ns);
+  }
+  if (data.secureDNS?.delegationSigned) {
+    result.dnssecEnabled = true;
+  }
+  if (data.entities) {
+    for (const entity of data.entities) {
+      const roles = entity.roles || [];
+      if (roles.includes("registrar")) {
+        const name = extractVcardName(entity.vcardArray);
+        if (name) result.registrar = name;
+      }
+      if (roles.includes("registrant")) {
+        const name = extractVcardName(entity.vcardArray);
+        if (name) {
+          result.registrantOrganization = name;
+          const privacyIndicators = [
+            "privacy",
+            "proxy",
+            "whoisguard",
+            "domains by proxy",
+            "contact privacy",
+            "redacted",
+            "withheld"
+          ];
+          const nameLower = name.toLowerCase();
+          result.privacyEnabled = privacyIndicators.some(
+            (p) => nameLower.includes(p)
+          );
+        }
+        const country = extractVcardCountry(entity.vcardArray);
+        if (country) result.registrantCountry = country;
+      }
+    }
+  }
+}
+function extractVcardName(vcardArray) {
+  if (!vcardArray || vcardArray[0] !== "vcard") return null;
+  const properties = vcardArray[1];
+  if (!Array.isArray(properties)) return null;
+  for (const prop of properties) {
+    if (!Array.isArray(prop)) continue;
+    const [name, , , value] = prop;
+    if (name === "fn" && typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+    if (name === "org" && typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  return null;
+}
+function extractVcardCountry(vcardArray) {
+  if (!vcardArray || vcardArray[0] !== "vcard") return null;
+  const properties = vcardArray[1];
+  if (!Array.isArray(properties)) return null;
+  for (const prop of properties) {
+    if (!Array.isArray(prop)) continue;
+    const [name, , , value] = prop;
+    if (name === "adr" && Array.isArray(value)) {
+      const country = value[6];
+      if (typeof country === "string" && country.trim()) {
+        return country.trim();
+      }
+    }
+  }
+  return null;
+}
+async function checkSpf(domain) {
+  const spfRecords = await findSpfRecord(domain);
+  const result = {
+    exists: spfRecords.length > 0,
+    record: spfRecords[0] || null,
+    records: spfRecords,
+    multipleRecords: spfRecords.length > 1,
+    valid: false,
+    syntaxErrors: [],
+    warnings: [],
+    lookupCount: 0,
+    lookupLimit: SPF_LOOKUP_LIMIT,
+    lookupTree: [],
+    allMechanism: null,
+    includes: [],
+    hasPtr: false,
+    hasDuplicates: false,
+    hasCircularInclude: false,
+    recordLength: spfRecords[0]?.length || 0,
+    usesMacros: false,
+    macros: []
+  };
+  if (spfRecords.length > 1) {
+    result.syntaxErrors.push(
+      `Multiple SPF records found (${spfRecords.length}). RFC 7208 allows only one.`
+    );
+    return result;
+  }
+  if (!(result.exists && result.record)) {
+    return result;
+  }
+  try {
+    await parseAndValidateSpf(domain, result.record, result);
+  } catch (error) {
+    result.syntaxErrors.push(error.message);
+  }
+  return result;
+}
+async function parseAndValidateSpf(domain, record, result) {
+  if (!record.startsWith("v=spf1")) {
+    result.syntaxErrors.push('SPF record must start with "v=spf1"');
+    return;
+  }
+  const mechanisms = record.slice(6).trim().split(/\s+/).filter(Boolean);
+  const context = {
+    visited: /* @__PURE__ */ new Set([domain]),
+    totalLookups: 0,
+    hasCircular: false,
+    errors: []
+  };
+  const includes = [];
+  let allMechanism = null;
+  let hasPtr = false;
+  for (const mechanism of mechanisms) {
+    const parsed = parseMechanism(mechanism);
+    if (!parsed) {
+      if (mechanism.includes("%{")) {
+        result.usesMacros = true;
+        result.macros.push(mechanism);
+        result.warnings.push(
+          `SPF uses macro "${mechanism}" - cannot fully validate without sending IP`
+        );
+      } else if (mechanism !== "") {
+        result.syntaxErrors.push(`Invalid mechanism: ${mechanism}`);
+      }
+      continue;
+    }
+    switch (parsed.type) {
+      case "all":
+        allMechanism = parsed.qualifier;
+        break;
+      case "include":
+        if (parsed.domain) {
+          includes.push(parsed.domain);
+          const includeNode = await checkSpfInclude(
+            parsed.domain,
+            context,
+            mechanism
+          );
+          result.lookupTree.push(includeNode);
+        }
+        break;
+      case "redirect":
+        if (parsed.domain) {
+          const redirectNode = await checkSpfInclude(
+            parsed.domain,
+            context,
+            mechanism
+          );
+          result.lookupTree.push(redirectNode);
+        }
+        break;
+      case "a":
+        context.totalLookups++;
+        if (parsed.domain) {
+          const aNode = {
+            mechanism,
+            type: "a",
+            domain: parsed.domain,
+            lookups: 1,
+            children: [],
+            error: null
+          };
+          result.lookupTree.push(aNode);
+        }
+        break;
+      case "mx":
+        context.totalLookups++;
+        if (parsed.domain) {
+          const mxNode = {
+            mechanism,
+            type: "mx",
+            domain: parsed.domain,
+            lookups: 1,
+            children: [],
+            error: null
+          };
+          result.lookupTree.push(mxNode);
+        }
+        break;
+      case "ptr":
+        hasPtr = true;
+        context.totalLookups++;
+        result.warnings.push("SPF uses deprecated 'ptr' mechanism (RFC 7208)");
+        break;
+      case "exists":
+        context.totalLookups++;
+        break;
+      case "ip4":
+      case "ip6":
+        break;
+      default:
+        result.warnings.push(`Unknown mechanism type: ${parsed.type}`);
+    }
+  }
+  const seenIncludes = /* @__PURE__ */ new Set();
+  for (const inc of includes) {
+    if (seenIncludes.has(inc)) {
+      result.hasDuplicates = true;
+      result.warnings.push(`Duplicate include: ${inc}`);
+    }
+    seenIncludes.add(inc);
+  }
+  result.includes = includes;
+  result.allMechanism = allMechanism;
+  result.hasPtr = hasPtr;
+  result.lookupCount = context.totalLookups;
+  result.hasCircularInclude = context.hasCircular;
+  result.valid = result.syntaxErrors.length === 0 && !result.multipleRecords && !result.hasCircularInclude;
+  if (context.totalLookups > SPF_LOOKUP_LIMIT) {
+    result.warnings.push(
+      `SPF exceeds 10 DNS lookup limit (${context.totalLookups} lookups)`
+    );
+  } else if (context.totalLookups === SPF_LOOKUP_LIMIT) {
+    result.warnings.push(
+      "SPF at lookup limit (10). Adding more includes will fail."
+    );
+  }
+  if (allMechanism === "+all") {
+    result.syntaxErrors.push("SPF ends with +all which allows anyone to send");
+    result.valid = false;
+  } else if (allMechanism === "?all") {
+    result.warnings.push(
+      "SPF uses ?all (neutral) - consider using -all or ~all"
+    );
+  } else if (!allMechanism) {
+    result.warnings.push(
+      "SPF record has no 'all' mechanism - defaults to neutral"
+    );
+  }
+  if (context.errors.length > 0) {
+    result.warnings.push(...context.errors);
+  }
+}
+async function checkSpfInclude(domain, context, mechanism) {
+  const node = {
+    mechanism,
+    type: mechanism.startsWith("redirect=") ? "redirect" : "include",
+    domain,
+    lookups: 1,
+    children: [],
+    error: null
+  };
+  if (context.visited.has(domain)) {
+    context.hasCircular = true;
+    node.error = `Circular include detected: ${domain}`;
+    return node;
+  }
+  context.visited.add(domain);
+  context.totalLookups++;
+  try {
+    const spfRecords = await findSpfRecord(domain);
+    if (spfRecords.length === 0) {
+      node.error = `No SPF record found for ${domain}`;
+      return node;
+    }
+    if (spfRecords.length > 1) {
+      node.error = `Multiple SPF records found for ${domain}`;
+      return node;
+    }
+    const record = spfRecords[0];
+    if (!record.startsWith("v=spf1")) {
+      node.error = `Invalid SPF record for ${domain}`;
+      return node;
+    }
+    const mechanisms = record.slice(6).trim().split(/\s+/).filter(Boolean);
+    for (const mech of mechanisms) {
+      const parsed = parseMechanism(mech);
+      if (!parsed) continue;
+      switch (parsed.type) {
+        case "include":
+        case "redirect":
+          if (parsed.domain) {
+            const childNode = await checkSpfInclude(
+              parsed.domain,
+              context,
+              mech
+            );
+            node.children.push(childNode);
+            node.lookups += childNode.lookups;
+          }
+          break;
+        case "a":
+        case "mx":
+        case "ptr":
+        case "exists":
+          context.totalLookups++;
+          node.lookups++;
+          break;
+      }
+    }
+  } catch (error) {
+    node.error = `Failed to resolve ${domain}: ${error.message}`;
+  }
+  return node;
+}
+function parseMechanism(mechanism) {
+  if (!mechanism) return null;
+  let qualifier = "+";
+  let mech = mechanism;
+  if (/^[+\-~?]/.test(mech)) {
+    qualifier = mech.charAt(0);
+    mech = mech.slice(1);
+  }
+  const match = mech.match(
+    /^(all|include|a|mx|ptr|ip4|ip6|exists|redirect|exp)(?:[:=]([^\s/]+))?(?:\/(\d+))?$/i
+  );
+  if (!match) {
+    return null;
+  }
+  const type = match[1];
+  const value = match[2];
+  const prefix = match[3];
+  if (!type) {
+    return null;
+  }
+  return {
+    qualifier,
+    type: type.toLowerCase(),
+    domain: value,
+    prefix
+  };
+}
+function formatSpfLookupTree(nodes, indent = "") {
+  const lines = [];
+  for (const [i, node] of nodes.entries()) {
+    const isLast = i === nodes.length - 1;
+    const prefix = isLast ? "\u2514\u2500\u2500 " : "\u251C\u2500\u2500 ";
+    const childIndent = isLast ? "    " : "\u2502   ";
+    let line = `${indent}${prefix}${node.mechanism}`;
+    if (node.lookups > 1) {
+      line += ` (${node.lookups} lookups)`;
+    } else {
+      line += " (1)";
+    }
+    if (node.error) {
+      line += ` \u26A0 ${node.error}`;
+    }
+    lines.push(line);
+    if (node.children.length > 0) {
+      lines.push(formatSpfLookupTree(node.children, indent + childIndent));
+    }
+  }
+  return lines.join("\n");
+}
+function calculateScore(checks) {
+  let score = 100;
+  const deductions = [];
+  const bonuses = [];
+  if (!checks.spf.exists) {
+    score -= 30;
+    deductions.push({ check: "spf", points: 30, reason: "No SPF record" });
+  } else if (checks.spf.multipleRecords) {
+    score -= 30;
+    deductions.push({
+      check: "spf",
+      points: 30,
+      reason: "Multiple SPF records (RFC violation)"
+    });
+  } else if (!checks.spf.valid) {
+    score -= 30;
+    deductions.push({ check: "spf", points: 30, reason: "Invalid SPF syntax" });
+  } else if (checks.spf.allMechanism === "+all") {
+    score -= 30;
+    deductions.push({
+      check: "spf",
+      points: 30,
+      reason: "SPF +all allows anyone"
+    });
+  } else if (checks.spf.hasCircularInclude) {
+    score -= 30;
+    deductions.push({
+      check: "spf",
+      points: 30,
+      reason: "SPF has circular include (infinite loop)"
+    });
+  } else {
+    if (checks.spf.allMechanism === "?all") {
+      score -= 15;
+      deductions.push({
+        check: "spf",
+        points: 15,
+        reason: "SPF ?all is too permissive"
+      });
+    } else if (checks.spf.allMechanism === "~all") {
+      score -= 5;
+      deductions.push({
+        check: "spf",
+        points: 5,
+        reason: "SPF ~all (softfail) instead of -all"
+      });
+    }
+    if (checks.spf.lookupCount > 10) {
+      score -= 10;
+      deductions.push({
+        check: "spf",
+        points: 10,
+        reason: `SPF exceeds 10 lookups (${checks.spf.lookupCount})`
+      });
+    }
+    if (checks.spf.hasPtr) {
+      score -= 2;
+      deductions.push({
+        check: "spf",
+        points: 2,
+        reason: "SPF uses deprecated ptr mechanism"
+      });
+    }
+  }
+  if (checks.dkim.found) {
+    const validSelector = checks.dkim.selectors.find(
+      (s) => s.valid && !s.revoked
+    );
+    if (validSelector) {
+      if (validSelector.keyType === "rsa" && validSelector.keyBits && validSelector.keyBits < 1024) {
+        score -= 20;
+        deductions.push({
+          check: "dkim",
+          points: 20,
+          reason: `DKIM key too weak (${validSelector.keyBits} bits)`
+        });
+      } else if (validSelector.keyType === "rsa" && validSelector.keyBits && validSelector.keyBits < 2048) {
+        score -= 5;
+        deductions.push({
+          check: "dkim",
+          points: 5,
+          reason: `DKIM key should be 2048+ bits (${validSelector.keyBits})`
+        });
+      }
+      if (validSelector.testMode) {
+        score -= 10;
+        deductions.push({
+          check: "dkim",
+          points: 10,
+          reason: "DKIM in testing mode (t=y)"
+        });
+      }
+      const validCount = checks.dkim.selectors.filter(
+        (s) => s.valid && !s.revoked
+      ).length;
+      if (validCount > 1) {
+        bonuses.push({
+          check: "dkim",
+          points: 2,
+          reason: `${validCount} valid DKIM selectors`
+        });
+      }
+    } else {
+      score -= 25;
+      deductions.push({
+        check: "dkim",
+        points: 25,
+        reason: "No valid DKIM record"
+      });
+    }
+  } else {
+    score -= 25;
+    deductions.push({
+      check: "dkim",
+      points: 25,
+      reason: "No DKIM record found"
+    });
+  }
+  if (!checks.dmarc.exists) {
+    score -= 20;
+    deductions.push({ check: "dmarc", points: 20, reason: "No DMARC record" });
+  } else if (checks.dmarc.valid) {
+    if (checks.dmarc.policy === "none") {
+      score -= 10;
+      deductions.push({
+        check: "dmarc",
+        points: 10,
+        reason: "DMARC policy is none (not enforcing)"
+      });
+    }
+    if (checks.dmarc.percentage < 100) {
+      score -= 5;
+      deductions.push({
+        check: "dmarc",
+        points: 5,
+        reason: `DMARC pct=${checks.dmarc.percentage} (not 100%)`
+      });
+    }
+    if (!checks.dmarc.reportingEnabled) {
+      score -= 5;
+      deductions.push({
+        check: "dmarc",
+        points: 5,
+        reason: "DMARC reporting not configured (no rua=)"
+      });
+    }
+    if (checks.dmarc.alignmentSpf === "strict" && checks.dmarc.alignmentDkim === "strict") {
+      bonuses.push({
+        check: "dmarc",
+        points: 2,
+        reason: "DMARC strict alignment configured"
+      });
+    }
+  } else {
+    score -= 20;
+    deductions.push({
+      check: "dmarc",
+      points: 20,
+      reason: "Invalid DMARC syntax"
+    });
+  }
+  if (checks.mx.exists) {
+    const unresolving = checks.mx.records.filter((r) => !r.resolves);
+    if (unresolving.length > 0) {
+      score -= 5;
+      deductions.push({
+        check: "mx",
+        points: 5,
+        reason: `${unresolving.length} MX records don't resolve`
+      });
+    }
+    if (checks.mx.hasRedundancy) {
+      bonuses.push({
+        check: "mx",
+        points: 1,
+        reason: "Multiple MX records for redundancy"
+      });
+    }
+  } else {
+    score -= 5;
+    deductions.push({ check: "mx", points: 5, reason: "No MX records" });
+  }
+  const domainListings = checks.blacklist.domainChecks.listed;
+  const ipListings = checks.blacklist.ipChecks.listed;
+  for (const listing of [...domainListings, ...ipListings]) {
+    if (listing.zone.includes("spamhaus")) {
+      score -= 30;
+      deductions.push({
+        check: "blacklist",
+        points: 30,
+        reason: `Listed on ${listing.blacklist}`
+      });
+    } else if (listing.priority === "critical" || listing.priority === "high") {
+      const pts = listing.priority === "critical" ? 15 : 10;
+      score -= pts;
+      deductions.push({
+        check: "blacklist",
+        points: pts,
+        reason: `Listed on ${listing.blacklist}`
+      });
+    } else if (listing.priority === "medium") {
+      score -= 5;
+      deductions.push({
+        check: "blacklist",
+        points: 5,
+        reason: `Listed on ${listing.blacklist}`
+      });
+    } else {
+      score -= 2;
+      deductions.push({
+        check: "blacklist",
+        points: 2,
+        reason: `Listed on ${listing.blacklist}`
+      });
+    }
+  }
+  if (checks.blacklist.overallClean) {
+    bonuses.push({
+      check: "blacklist",
+      points: 5,
+      reason: "Clean on all blacklists"
+    });
+  }
+  if (checks.mtaSts.configured && checks.mtaSts.policy?.mode === "enforce") {
+    bonuses.push({ check: "mta-sts", points: 5, reason: "MTA-STS enforcing" });
+  } else if (checks.mtaSts.configured && checks.mtaSts.policy?.mode === "testing") {
+    bonuses.push({
+      check: "mta-sts",
+      points: 2,
+      reason: "MTA-STS testing mode"
+    });
+  }
+  if (checks.tlsRpt.configured) {
+    bonuses.push({ check: "tls-rpt", points: 2, reason: "TLS-RPT configured" });
+  }
+  if (checks.bimi.configured && checks.bimi.dmarcCompatible) {
+    if (checks.bimi.vmcValid) {
+      bonuses.push({ check: "bimi", points: 5, reason: "BIMI with VMC" });
+    } else if (checks.bimi.logoAccessible) {
+      bonuses.push({
+        check: "bimi",
+        points: 2,
+        reason: "BIMI configured (no VMC)"
+      });
+    }
+  }
+  if (checks.mxTls.checked && !checks.mxTls.skipped) {
+    const allMxTls13 = checks.mxTls.servers.every(
+      (s) => s.tlsVersions?.includes("TLSv1.3")
+    );
+    if (allMxTls13) {
+      bonuses.push({
+        check: "mx-tls",
+        points: 2,
+        reason: "All MX servers support TLS 1.3"
+      });
+    }
+  }
+  if (checks.dnssec.enabled && checks.dnssec.valid) {
+    bonuses.push({
+      check: "dnssec",
+      points: 3,
+      reason: "DNSSEC enabled and valid"
+    });
+  } else if (checks.dnssec.enabled && !checks.dnssec.valid) {
+    score -= 5;
+    deductions.push({ check: "dnssec", points: 5, reason: "DNSSEC broken" });
+  }
+  if (checks.ipv6.mxHasIpv6 && checks.ipv6.spfIncludesIpv6) {
+    bonuses.push({ check: "ipv6", points: 2, reason: "Full IPv6 support" });
+  } else if (checks.ipv6.mxHasIpv6) {
+    bonuses.push({ check: "ipv6", points: 1, reason: "Partial IPv6 support" });
+  }
+  if (checks.reverseDns.allHavePtr && checks.reverseDns.allConfirm) {
+    bonuses.push({ check: "ptr", points: 2, reason: "All PTR records valid" });
+  } else if (!checks.reverseDns.allHavePtr) {
+    score -= 5;
+    deductions.push({ check: "ptr", points: 5, reason: "Missing reverse DNS" });
+  }
+  if (checks.domainAge.ageInDays !== null) {
+    if (checks.domainAge.ageInDays < 30) {
+      score -= 10;
+      deductions.push({
+        check: "domain-age",
+        points: 10,
+        reason: "Domain less than 30 days old"
+      });
+    } else if (checks.domainAge.ageInDays < 90) {
+      score -= 5;
+      deductions.push({
+        check: "domain-age",
+        points: 5,
+        reason: "Domain less than 90 days old"
+      });
+    } else if (checks.domainAge.ageInDays > 365) {
+      bonuses.push({
+        check: "domain-age",
+        points: 2,
+        reason: "Domain over 1 year old"
+      });
+    }
+  }
+  if (checks.caa.configured) {
+    bonuses.push({ check: "caa", points: 1, reason: "CAA records configured" });
+  }
+  const totalBonus = bonuses.reduce((sum, b) => sum + b.points, 0);
+  const rawScore = score + Math.min(totalBonus, 20);
+  const finalScore = Math.min(100, Math.max(0, rawScore));
+  return {
+    rawScore,
+    finalScore,
+    grade: getGrade(finalScore),
+    deductions,
+    bonuses,
+    breakdown: {
+      spf: {
+        max: 30,
+        score: Math.max(0, 30 - sumDeductions(deductions, "spf"))
+      },
+      dkim: {
+        max: 25,
+        score: Math.max(0, 25 - sumDeductions(deductions, "dkim"))
+      },
+      dmarc: {
+        max: 25,
+        score: Math.max(0, 25 - sumDeductions(deductions, "dmarc"))
+      },
+      mx: { max: 10, score: Math.max(0, 10 - sumDeductions(deductions, "mx")) },
+      blacklist: {
+        max: 10,
+        score: Math.max(0, 10 - sumDeductions(deductions, "blacklist"))
+      },
+      bonus: { earned: Math.min(totalBonus, 20), possible: 20 }
+    }
+  };
+}
+function getGrade(score) {
+  if (score >= 90) return "A";
+  if (score >= 80) return "B";
+  if (score >= 70) return "C";
+  if (score >= 50) return "D";
+  return "F";
+}
+function sumDeductions(deductions, check2) {
+  return deductions.filter((d) => d.check === check2).reduce((sum, d) => sum + d.points, 0);
+}
+async function runEmailCheck(domain, options = {}) {
+  const startTime = Date.now();
+  const normalizedDomain = toAsciiDomain(domain);
+  if (!isValidDomain(normalizedDomain)) {
+    throw new Error(`Invalid domain: ${domain}`);
+  }
+  const { quick = false, skipBlacklists = false, skipTls = false } = options;
+  const [spfResult, dkimResult, dmarcResult, mxResult] = await Promise.all([
+    checkSpf(normalizedDomain),
+    checkDkim(normalizedDomain, {
+      quick,
+      selector: options.dkimSelector,
+      selectors: options.dkimSelectors,
+      verbose: options.verbose
+    }),
+    checkDmarc(normalizedDomain),
+    checkMx(normalizedDomain)
+  ]);
+  if (!dkimResult.found && spfResult.record) {
+    const spfLower = spfResult.record.toLowerCase();
+    if (spfLower.includes("amazonses") || spfLower.includes("_spf.aws")) {
+      dkimResult.warnings.push(
+        "AWS SES uses random DKIM selectors. Run `wraps email domains get-dkim -d <domain>` to find yours."
+      );
+    } else if (spfLower.includes("sendgrid")) {
+      dkimResult.warnings.push(
+        "SendGrid uses custom DKIM selectors. Check your SendGrid dashboard or use --dkimSelector."
+      );
+    } else if (spfLower.includes("mailgun")) {
+      dkimResult.warnings.push(
+        "Mailgun uses custom DKIM selectors. Check your Mailgun dashboard or use --dkimSelector."
+      );
+    }
+  }
+  const mxIps = [];
+  for (const mx of mxResult.records) {
+    mxIps.push(...mx.ipv4Addresses);
+  }
+  const blacklistResult = await checkBlacklist({
+    domain: normalizedDomain,
+    ips: mxIps,
+    quick,
+    skip: skipBlacklists
+  });
+  const mxTlsResult = await checkMxTls(mxResult.records, {
+    skip: skipTls,
+    quick
+  });
+  const mtaStsResult = {
+    configured: false,
+    dnsRecord: null,
+    dnsRecordId: null,
+    policyFetched: false,
+    policyUrl: `https://mta-sts.${normalizedDomain}/.well-known/mta-sts.txt`,
+    policy: null,
+    mxPatternsMatch: false,
+    errors: [],
+    warnings: []
+  };
+  const tlsRptResult = {
+    configured: false,
+    record: null,
+    version: null,
+    reportingUris: [],
+    errors: []
+  };
+  const reverseDnsResult = {
+    results: [],
+    allHavePtr: false,
+    allConfirm: false,
+    warnings: []
+  };
+  for (const mx of mxResult.records) {
+    for (const ip of mx.ipv4Addresses) {
+      const hasPtr = mx.reverseHostnames.length > 0;
+      reverseDnsResult.results.push({
+        ip,
+        ipVersion: 4,
+        ptrHostname: mx.reverseHostnames[0] || null,
+        forwardConfirms: hasPtr,
+        // Simplified - would need actual check
+        looksGeneric: false,
+        matchesDomain: mx.reverseHostnames.some(
+          (h) => h.includes(normalizedDomain)
+        )
+      });
+    }
+  }
+  reverseDnsResult.allHavePtr = reverseDnsResult.results.every(
+    (r) => r.ptrHostname !== null
+  );
+  reverseDnsResult.allConfirm = reverseDnsResult.results.every(
+    (r) => r.forwardConfirms
+  );
+  const ipv6Result = {
+    mxHasIpv6: mxResult.records.some((r) => r.ipv6Addresses.length > 0),
+    mxIpv6Addresses: mxResult.records.filter((r) => r.ipv6Addresses.length > 0).map((r) => ({ mx: r.exchange, addresses: r.ipv6Addresses })),
+    ipv6Connectable: false,
+    // Would need actual check
+    spfIncludesIpv6: spfResult.record?.includes("ip6:") ?? false,
+    warnings: []
+  };
+  const domainAgeResult = await checkDomainAge(normalizedDomain, { quick });
+  const dnssecResult = {
+    enabled: false,
+    valid: false,
+    validationMethod: "system-resolver",
+    chainOfTrust: [],
+    algorithm: null,
+    keyTag: null,
+    errors: []
+  };
+  const caaResult = {
+    configured: false,
+    records: [],
+    allowedIssuers: [],
+    allowedWildcardIssuers: [],
+    reportingConfigured: false,
+    iodefUri: null
+  };
+  const bimiResult = {
+    configured: false,
+    record: null,
+    logoUrl: null,
+    vmcUrl: null,
+    logoAccessible: false,
+    logoValid: false,
+    vmcAccessible: false,
+    vmcValid: false,
+    dmarcCompatible: dmarcResult.policy === "quarantine" || dmarcResult.policy === "reject",
+    errors: [],
+    warnings: []
+  };
+  const score = calculateScore({
+    spf: spfResult,
+    dkim: dkimResult,
+    dmarc: dmarcResult,
+    mx: mxResult,
+    mxTls: mxTlsResult,
+    mtaSts: mtaStsResult,
+    tlsRpt: tlsRptResult,
+    bimi: bimiResult,
+    dnssec: dnssecResult,
+    ipv6: ipv6Result,
+    reverseDns: reverseDnsResult,
+    blacklist: blacklistResult,
+    domainAge: domainAgeResult,
+    caa: caaResult
+  });
+  const duration = Date.now() - startTime;
+  return {
+    domain: normalizedDomain,
+    checkedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    duration,
+    options,
+    spf: spfResult,
+    dkim: dkimResult,
+    dmarc: dmarcResult,
+    mx: mxResult,
+    mxTls: mxTlsResult,
+    mtaSts: mtaStsResult,
+    tlsRpt: tlsRptResult,
+    reverseDns: reverseDnsResult,
+    ipv6: ipv6Result,
+    blacklist: blacklistResult,
+    domainAge: domainAgeResult,
+    dnssec: dnssecResult,
+    caa: caaResult,
+    bimi: bimiResult,
+    score
+  };
+}
+function getExitCode(grade) {
+  switch (grade) {
+    case "A":
+    case "B":
+      return 0;
+    case "C":
+    case "D":
+      return 1;
+    case "F":
+      return 2;
+    default:
+      return 4;
+  }
+}
+
+// src/commands/email/check.ts
+init_events();
+import pc4 from "picocolors";
+async function check(options) {
+  const startTime = Date.now();
+  let domain = options.domain;
+  if (!domain) {
+    const input = await clack3.text({
+      message: "Enter domain to check:",
+      placeholder: "example.com",
+      validate: (value) => {
+        if (!value) return "Domain is required";
+        if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/i.test(value)) {
+          return "Invalid domain format";
+        }
+      }
+    });
+    if (clack3.isCancel(input)) {
+      clack3.cancel("Operation cancelled");
+      process.exit(0);
+    }
+    domain = input;
+  }
+  if (!options.json) {
+    clack3.intro(pc4.bold("Wraps Email Check"));
+    console.log();
+  }
+  const spinner4 = options.json ? null : clack3.spinner();
+  spinner4?.start(`Checking ${pc4.cyan(domain)}...`);
+  let dkimSelectors;
+  if (!options.dkimSelector) {
+    const sesTokens = await tryGetSesDkimTokens(domain);
+    if (sesTokens.length > 0) {
+      dkimSelectors = sesTokens;
+    }
+  }
+  try {
+    const result = await runEmailCheck(domain, {
+      quick: options.quick,
+      verbose: options.verbose,
+      dkimSelector: options.dkimSelector,
+      dkimSelectors,
+      // Use SES tokens if found
+      skipBlacklists: options.skipBlacklists,
+      skipTls: options.skipTls,
+      timeout: options.timeout
+    });
+    spinner4?.stop(`Check complete in ${result.duration}ms`);
+    if (options.json) {
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      displayResults(result, options);
+    }
+    const duration = Date.now() - startTime;
+    trackCommand("email:check", {
+      success: true,
+      duration_ms: duration,
+      grade: result.score.grade
+    });
+    process.exit(getExitCode(result.score.grade));
+  } catch (error) {
+    spinner4?.stop("Check failed");
+    if (options.json) {
+      console.log(JSON.stringify({ error: error.message }));
+    } else {
+      clack3.log.error(error.message);
+    }
+    const duration = Date.now() - startTime;
+    trackCommand("email:check", {
+      success: false,
+      duration_ms: duration,
+      error: error.message
+    });
+    process.exit(4);
+  }
+}
+function displayResults(result, options) {
+  const { score, spf, dkim, dmarc, mx, blacklist } = result;
+  console.log();
+  displayScoreBox(result.domain, score.finalScore, score.grade, options.quick);
+  console.log();
+  console.log(pc4.bold("AUTHENTICATION"));
+  console.log();
+  displaySpfResult(spf, options.verbose);
+  displayDkimResult(dkim, options.verbose);
+  displayDmarcResult(dmarc);
+  console.log();
+  console.log(pc4.bold("INFRASTRUCTURE"));
+  console.log();
+  displayMxResult(mx);
+  displayMxTlsResult(result);
+  displayReverseDnsResult(result);
+  displayIpv6Result(result);
+  console.log();
+  console.log(pc4.bold("REPUTATION"));
+  console.log();
+  displayBlacklistResult(blacklist, options.quick);
+  displayDomainAgeResult(result);
+  if (result.dnssec.enabled || result.caa.configured || result.mtaSts.configured || result.tlsRpt.configured) {
+    console.log();
+    console.log(pc4.bold("SECURITY"));
+    console.log();
+    if (result.dnssec.enabled) {
+      const status2 = result.dnssec.valid ? pc4.green("\u2713") : pc4.red("\u2717");
+      console.log(
+        `  ${status2} ${pc4.dim("DNSSEC")}           ${result.dnssec.valid ? "Enabled and validated" : "Broken"}`
+      );
+    } else {
+      console.log(
+        `  ${pc4.dim("\u25CB")} ${pc4.dim("DNSSEC")}           Not configured`
+      );
+    }
+    if (result.caa.configured) {
+      console.log(
+        `  ${pc4.green("\u2713")} ${pc4.dim("CAA")}              Configured (${result.caa.allowedIssuers.join(", ")})`
+      );
+    } else {
+      console.log(
+        `  ${pc4.dim("\u25CB")} ${pc4.dim("CAA")}              Not configured`
+      );
+    }
+    if (result.mtaSts.configured) {
+      const mode = result.mtaSts.policy?.mode || "unknown";
+      console.log(
+        `  ${pc4.green("\u2713")} ${pc4.dim("MTA-STS")}          ${mode === "enforce" ? "Enforcing mode" : `${mode} mode`}`
+      );
+    } else {
+      console.log(
+        `  ${pc4.dim("\u25CB")} ${pc4.dim("MTA-STS")}          Not configured`
+      );
+    }
+    if (result.tlsRpt.configured) {
+      console.log(
+        `  ${pc4.green("\u2713")} ${pc4.dim("TLS-RPT")}          Configured`
+      );
+    } else {
+      console.log(
+        `  ${pc4.dim("\u25CB")} ${pc4.dim("TLS-RPT")}          Not configured`
+      );
+    }
+  }
+  const criticalDeductions = score.deductions.filter((d) => d.points >= 20);
+  const warningDeductions = score.deductions.filter(
+    (d) => d.points >= 5 && d.points < 20
+  );
+  if (criticalDeductions.length > 0 || warningDeductions.length > 0) {
+    console.log();
+    console.log(pc4.dim("\u2500".repeat(78)));
+    console.log();
+    console.log(
+      pc4.bold(
+        `ISSUES (${criticalDeductions.length} critical, ${warningDeductions.length} warnings)`
+      )
+    );
+    console.log();
+    if (criticalDeductions.length > 0) {
+      console.log(pc4.red("\u274C CRITICAL"));
+      console.log();
+      for (let i = 0; i < criticalDeductions.length; i++) {
+        const d = criticalDeductions[i];
+        console.log(
+          `  ${i + 1}. ${d.reason} (${pc4.red(`-${d.points} points`)})`
+        );
+        console.log();
+        console.log(`     ${getFixSuggestion(d.check, d.reason)}`);
+        console.log();
+      }
+    }
+    if (warningDeductions.length > 0) {
+      console.log(pc4.yellow("\u26A0\uFE0F  WARNINGS"));
+      console.log();
+      for (let i = 0; i < warningDeductions.length; i++) {
+        const d = warningDeductions[i];
+        console.log(`  ${criticalDeductions.length + i + 1}. ${d.reason}`);
+        console.log();
+      }
+    }
+  }
+  console.log();
+  console.log(pc4.dim("\u2500".repeat(78)));
+  console.log();
+  if (score.grade === "A" || score.grade === "B") {
+    console.log(
+      pc4.green(
+        "\u2705 " + (score.grade === "A" ? "Excellent! Your email configuration follows all best practices." : "Good! Your email configuration is solid with minor improvements possible.")
+      )
+    );
+  } else {
+    console.log(
+      pc4.yellow(
+        "Need help fixing these? Deploy Wraps to manage your email infrastructure:"
+      )
+    );
+    console.log();
+    console.log(`  ${pc4.cyan("npx @wraps.dev/cli email init")}`);
+  }
+  console.log();
+  console.log(`Share: ${pc4.cyan(`https://wraps.dev/check/${result.domain}`)}`);
+  console.log();
+}
+function displayScoreBox(domain, score, grade, quick) {
+  const width = 78;
+  const bar = "\u2588".repeat(Math.round(score / 100 * 60));
+  const emptyBar = "\u2591".repeat(60 - bar.length);
+  const gradeColor = grade === "A" || grade === "B" ? pc4.green : grade === "C" ? pc4.yellow : grade === "D" ? pc4.magenta : pc4.red;
+  console.log(pc4.dim("\u256D" + "\u2500".repeat(width - 2) + "\u256E"));
+  console.log(pc4.dim("\u2502") + " ".repeat(width - 2) + pc4.dim("\u2502"));
+  console.log(
+    pc4.dim("\u2502") + "   " + pc4.bold(`wraps email check${quick ? " --quick" : ""}`) + " ".repeat(width - 25 - (quick ? 8 : 0)) + pc4.dim("\u2502")
   );
   console.log(pc4.dim("\u2502") + " ".repeat(width - 2) + pc4.dim("\u2502"));
   console.log(
@@ -6498,7 +8915,7 @@ async function scanAWSResources(region) {
 }
 
 // src/commands/email/connect.ts
-async function connect(options) {
+async function connect2(options) {
   const startTime = Date.now();
   clack6.intro(
     pc7.bold(
@@ -7056,7 +9473,7 @@ Run ${pc8.cyan("wraps email init")} to deploy infrastructure again.
 init_esm_shims();
 init_events();
 init_aws();
-import { Resolver } from "dns/promises";
+import { Resolver as Resolver2 } from "dns/promises";
 import { GetEmailIdentityCommand as GetEmailIdentityCommand2, SESv2Client as SESv2Client3 } from "@aws-sdk/client-sesv2";
 import * as clack8 from "@clack/prompts";
 import pc9 from "picocolors";
@@ -7091,7 +9508,7 @@ Run ${pc9.cyan(`wraps email init --domain ${options.domain}`)} to add this domai
     process.exit(1);
     return;
   }
-  const resolver = new Resolver();
+  const resolver = new Resolver2();
   resolver.setServers(["8.8.8.8", "1.1.1.1"]);
   const dnsResults = [];
   for (const token of dkimTokens) {
@@ -10009,7 +12426,7 @@ function createMetricsRouter(config2) {
 
 // src/console/routes/settings.ts
 init_esm_shims();
-import dns from "dns/promises";
+import dns2 from "dns/promises";
 import { Router as createRouter4 } from "express";
 
 // src/console/services/settings-service.ts
@@ -10166,7 +12583,7 @@ function createSettingsRouter(config2) {
       }
       console.log(`[Verify] Checking CNAME for: ${domain}`);
       console.log(`[Verify] Expected target: ${expectedTarget}`);
-      const records = await dns.resolveCname(domain);
+      const records = await dns2.resolveCname(domain);
       console.log("[Verify] CNAME records found:", records);
       const verified = records.some(
         (record) => record.toLowerCase().includes(expectedTarget.toLowerCase())
@@ -10199,7 +12616,7 @@ function createSettingsRouter(config2) {
       }
       const dmarcDomain = `_dmarc.${domain}`;
       console.log(`[Verify] Checking DMARC for: ${dmarcDomain}`);
-      const records = await dns.resolveTxt(dmarcDomain);
+      const records = await dns2.resolveTxt(dmarcDomain);
       console.log("[Verify] TXT records found:", records);
       const hasDmarc = records.some((record) => {
         const value = record.join("");
@@ -15726,7 +18143,7 @@ if (!primaryCommand) {
         preview: flags.preview
       });
     } else {
-      await connect({
+      await connect2({
         provider: flags.provider,
         region: flags.region,
         yes: flags.yes,
@@ -15785,7 +18202,7 @@ async function run() {
           });
           break;
         case "connect":
-          await connect({
+          await connect2({
             provider: flags.provider,
             region: flags.region,
             yes: flags.yes,