strapi-plugin-magic-mail 1.0.1

package/server/src/services/email-router.js

@@ -0,0 +1,1420 @@
+'use strict';
+
+const nodemailer = require('nodemailer');
+const { decryptCredentials } = require('../utils/encryption');
+
+/**
+ * Email Router Service
+ * Smart routing of emails to appropriate accounts
+ * Handles failover, rate limiting, and load balancing
+ */
+
+module.exports = ({ strapi }) => ({
+  /**
+   * Send email with smart routing
+   * @param {Object} emailData - { to, from, subject, text, html, attachments, type, priority, templateId, templateData OR data }
+   * @returns {Promise<Object>} Send result
+   */
+  async send(emailData) {
+    let {
+      to,
+      from,
+      subject,
+      text,
+      html,
+      replyTo,
+      attachments = [],       // Array of attachment objects
+      type = 'transactional', // transactional, marketing, notification
+      priority = 'normal',    // high, normal, low
+      accountName = null,     // Force specific account
+      templateId = null,      // Template Reference ID
+      templateData,           // Data for template rendering
+      data,                   // Alias for templateData (for native Strapi compatibility)
+    } = emailData;
+
+    // Support both 'data' and 'templateData' for backward compatibility
+    if (!templateData && data) {
+      templateData = data;
+    }
+
+    // NEW: If templateId/templateReferenceId provided, render template
+    let renderedTemplate = null;
+    if (templateId || emailData.templateReferenceId) {
+      try {
+        let resolvedTemplateReferenceId = null;
+        let templateRecord = null;
+
+        if (emailData.templateReferenceId) {
+          resolvedTemplateReferenceId = String(emailData.templateReferenceId).trim();
+          strapi.log.info(`[magic-mail] 🧩 Using provided templateReferenceId="${resolvedTemplateReferenceId}"`);
+        }
+
+        if (!resolvedTemplateReferenceId && templateId) {
+          const numericTemplateId = Number(templateId);
+
+          if (!Number.isNaN(numericTemplateId) && Number.isInteger(numericTemplateId)) {
+            strapi.log.info(`[magic-mail] 🔍 Looking up template by ID: ${numericTemplateId}`);
+            templateRecord = await strapi
+              .plugin('magic-mail')
+              .service('email-designer')
+              .findOne(numericTemplateId);
+
+            if (!templateRecord) {
+              strapi.log.error(`[magic-mail] ❌ Template with ID ${numericTemplateId} not found in database`);
+              throw new Error(`Template with ID ${numericTemplateId} not found`);
+            }
+
+            if (!templateRecord.templateReferenceId) {
+              throw new Error(`Template ${numericTemplateId} has no reference ID set`);
+            }
+
+            resolvedTemplateReferenceId = String(templateRecord.templateReferenceId).trim();
+            strapi.log.info(
+              `[magic-mail] ✅ Found template: ID=${templateRecord.id}, referenceId="${resolvedTemplateReferenceId}", name="${templateRecord.name}"`
+            );
+          } else {
+            // templateId was provided but not numeric; treat it directly as reference ID
+            resolvedTemplateReferenceId = String(templateId).trim();
+            strapi.log.info(`[magic-mail] 🧩 Treating templateId value as referenceId="${resolvedTemplateReferenceId}"`);
+          }
+        }
+
+        if (!resolvedTemplateReferenceId) {
+          throw new Error('No template reference ID could be resolved');
+        }
+
+        // Now render using the templateReferenceId
+        renderedTemplate = await strapi
+          .plugin('magic-mail')
+          .service('email-designer')
+          .renderTemplate(resolvedTemplateReferenceId, templateData || {});
+
+        // Override with rendered content
+        html = renderedTemplate.html;
+        text = renderedTemplate.text;
+        subject = subject || renderedTemplate.subject; // Use provided subject or template subject
+        type = type || renderedTemplate.category; // Use template category if not specified
+
+        strapi.log.info(
+          `[magic-mail] 📧 Rendered template reference "${resolvedTemplateReferenceId}" (requested ID: ${templateId ?? 'n/a'}): ${renderedTemplate.templateName}`
+        );
+
+        // Ensure templateId/templateName are populated for logging/analytics
+        emailData.templateReferenceId = resolvedTemplateReferenceId;
+        if (!emailData.templateName) {
+          emailData.templateName = templateRecord?.name || renderedTemplate.templateName;
+        }
+      } catch (error) {
+        strapi.log.error(`[magic-mail] ❌ Template rendering failed: ${error.message}`);
+        throw new Error(`Template rendering failed: ${error.message}`);
+      }
+    }
+
+    // NEW: Email Tracking - Create log & inject tracking
+    let emailLog = null;
+    let recipientHash = null;
+    const enableTracking = emailData.enableTracking !== false; // Enabled by default
+
+    if (enableTracking && html) {
+      try {
+        const analyticsService = strapi.plugin('magic-mail').service('analytics');
+        
+        // Create email log entry
+        emailLog = await analyticsService.createEmailLog({
+          to,
+          userId: emailData.userId || null,
+          recipientName: emailData.recipientName || null,
+          subject,
+          // Use provided templateId/Name OR from renderedTemplate (if template was rendered here)
+          templateId: emailData.templateId || renderedTemplate?.templateReferenceId || null,
+          templateName: emailData.templateName || renderedTemplate?.templateName || null,
+          accountId: null, // Will be set after account selection
+          accountName: null,
+          metadata: {
+            type,
+            priority,
+            hasAttachments: attachments.length > 0,
+          },
+        });
+
+        recipientHash = analyticsService.generateRecipientHash(emailLog.emailId, to);
+
+        // Inject tracking pixel
+        html = analyticsService.injectTrackingPixel(html, emailLog.emailId, recipientHash);
+
+        // Rewrite links for click tracking (now async)
+        html = await analyticsService.rewriteLinksForTracking(html, emailLog.emailId, recipientHash);
+
+        strapi.log.info(`[magic-mail] 📊 Tracking enabled for email: ${emailLog.emailId}`);
+      } catch (error) {
+        strapi.log.error(`[magic-mail] ⚠️  Tracking setup failed (continuing without tracking):`, error.message);
+        // Continue sending email even if tracking fails
+      }
+    }
+
+    // Update email data with tracked HTML
+    emailData.html = html;
+    emailData.text = text;
+    emailData.subject = subject;
+
+    try {
+      // License check for premium features
+      const licenseGuard = strapi.plugin('magic-mail').service('license-guard');
+      
+      // Check if priority headers are allowed (Advanced+)
+      if (priority === 'high') {
+        const hasFeature = await licenseGuard.hasFeature('priority-headers');
+        if (!hasFeature) {
+          strapi.log.warn('[magic-mail] ⚠️  High priority emails require Advanced license - using normal priority');
+          emailData.priority = 'normal';
+        }
+      }
+
+      // Get account to use
+      const account = accountName
+        ? await this.getAccountByName(accountName)
+        : await this.selectAccount(type, priority, [], emailData);
+
+      if (!account) {
+        throw new Error('No email account available');
+      }
+
+      // Check if account's provider is allowed by license
+      const providerAllowed = await licenseGuard.isProviderAllowed(account.provider);
+      if (!providerAllowed) {
+        throw new Error(`Provider "${account.provider}" requires a higher license tier. Please upgrade or use a different account.`);
+      }
+
+      // Check rate limits
+      const canSend = await this.checkRateLimits(account);
+      if (!canSend) {
+        // Try failover
+        const fallbackAccount = await this.selectAccount(type, priority, [account.id], emailData);
+        if (fallbackAccount) {
+          strapi.log.info(`[magic-mail] Rate limit hit on ${account.name}, using fallback: ${fallbackAccount.name}`);
+          return await this.sendViaAccount(fallbackAccount, emailData);
+        }
+        throw new Error(`Rate limit exceeded on ${account.name} and no fallback available`);
+      }
+
+      // Send via selected account
+      const result = await this.sendViaAccount(account, emailData);
+
+      // Update email log with account info (if tracking enabled)
+      if (emailLog) {
+        try {
+          await strapi.db.query('plugin::magic-mail.email-log').update({
+            where: { id: emailLog.id },
+            data: {
+              accountId: account.id,
+              accountName: account.name,
+              deliveredAt: new Date(),
+            },
+          });
+        } catch (error) {
+          strapi.log.error('[magic-mail] Failed to update email log:', error.message);
+        }
+      }
+
+      // Update stats
+      await this.updateAccountStats(account.id);
+
+      strapi.log.info(`[magic-mail] ✅ Email sent to ${to} via ${account.name}`);
+
+      return {
+        success: true,
+        accountUsed: account.name,
+        messageId: result.messageId,
+      };
+    } catch (error) {
+      strapi.log.error('[magic-mail] ❌ Email send failed:', error);
+
+      throw error;
+    }
+  },
+
+  /**
+   * Select best account based on rules
+   */
+  async selectAccount(type, priority, excludeIds = [], emailData = {}) {
+    // Get all active accounts
+    const accounts = await strapi.entityService.findMany('plugin::magic-mail.email-account', {
+      filters: {
+        isActive: true,
+        id: { $notIn: excludeIds },
+      },
+      sort: { priority: 'desc' },
+    });
+
+    if (!accounts || accounts.length === 0) {
+      return null;
+    }
+
+    // Get all active routing rules
+    const allRules = await strapi.entityService.findMany('plugin::magic-mail.routing-rule', {
+      filters: {
+        isActive: true,
+      },
+      sort: { priority: 'desc' },
+    });
+
+    // Check routing rules with different match types
+    for (const rule of allRules) {
+      let matches = false;
+
+      switch (rule.matchType) {
+        case 'emailType':
+          matches = rule.matchValue === type;
+          break;
+        
+        case 'recipient':
+          // Match if recipient email contains the match value
+          matches = emailData.to && emailData.to.toLowerCase().includes(rule.matchValue.toLowerCase());
+          break;
+        
+        case 'subject':
+          // Match if subject contains the match value
+          matches = emailData.subject && emailData.subject.toLowerCase().includes(rule.matchValue.toLowerCase());
+          break;
+        
+        case 'template':
+          // Match if template name equals match value
+          matches = emailData.template && emailData.template === rule.matchValue;
+          break;
+        
+        case 'custom':
+          // Custom matching - evaluate matchValue as a condition
+          // For now, just exact match on a custom field
+          matches = emailData.customField && emailData.customField === rule.matchValue;
+          break;
+      }
+
+      if (matches) {
+        const account = accounts.find(a => a.name === rule.accountName);
+        if (account) {
+          strapi.log.info(`[magic-mail] 🎯 Routing rule matched: ${rule.name} → ${account.name}`);
+          return account;
+        }
+        // If primary account not found, try fallback
+        if (rule.fallbackAccountName) {
+          const fallbackAccount = accounts.find(a => a.name === rule.fallbackAccountName);
+          if (fallbackAccount) {
+            strapi.log.info(`[magic-mail] 🔄 Using fallback account: ${fallbackAccount.name}`);
+            return fallbackAccount;
+          }
+        }
+      }
+    }
+
+    // Fallback: Use primary or first active account
+    const primaryAccount = accounts.find(a => a.isPrimary);
+    return primaryAccount || accounts[0];
+  },
+
+  /**
+   * Send email via specific account
+   */
+  async sendViaAccount(account, emailData) {
+    const { to, subject, text, html, replyTo, attachments } = emailData;
+
+    if (account.provider === 'gmail-oauth') {
+      return await this.sendViaGmailOAuth(account, emailData);
+    } else if (account.provider === 'microsoft-oauth') {
+      return await this.sendViaMicrosoftOAuth(account, emailData);
+    } else if (account.provider === 'yahoo-oauth') {
+      return await this.sendViaYahooOAuth(account, emailData);
+    } else if (account.provider === 'nodemailer' || account.provider === 'smtp') {
+      return await this.sendViaSMTP(account, emailData);
+    } else if (account.provider === 'sendgrid') {
+      return await this.sendViaSendGrid(account, emailData);
+    } else if (account.provider === 'mailgun') {
+      return await this.sendViaMailgun(account, emailData);
+    }
+
+    throw new Error(`Unsupported provider: ${account.provider}`);
+  },
+
+  /**
+   * Send via SMTP (Nodemailer)
+   * With enhanced security: DKIM, proper headers, TLS enforcement
+   */
+  async sendViaSMTP(account, emailData) {
+    const config = decryptCredentials(account.config);
+
+    // Enhanced SMTP configuration with security features
+    const transportConfig = {
+      host: config.host,
+      port: config.port || 587,
+      secure: config.secure || false,
+      auth: {
+        user: config.user,
+        pass: config.pass,
+      },
+      // Security enhancements
+      requireTLS: true, // Enforce TLS encryption
+      tls: {
+        rejectUnauthorized: true, // Verify server certificates
+        minVersion: 'TLSv1.2', // Minimum TLS 1.2
+      },
+    };
+
+    // Add DKIM signing if configured
+    if (config.dkim) {
+      transportConfig.dkim = {
+        domainName: config.dkim.domainName,
+        keySelector: config.dkim.keySelector,
+        privateKey: config.dkim.privateKey,
+      };
+      strapi.log.info('[magic-mail] DKIM signing enabled');
+    }
+
+    const transporter = nodemailer.createTransport(transportConfig);
+
+    // Build mail options with comprehensive security headers
+    const mailOptions = {
+      from: emailData.from || `${account.fromName || 'MagicMail'} <${account.fromEmail}>`,
+      to: emailData.to,
+      replyTo: emailData.replyTo || account.replyTo,
+      subject: emailData.subject,
+      text: emailData.text,
+      html: emailData.html,
+      attachments: emailData.attachments || [],
+      
+      // RFC 5322 required headers
+      date: new Date(),
+      messageId: `<${Date.now()}.${Math.random().toString(36).substring(7)}@${account.fromEmail.split('@')[1]}>`,
+      
+      // Security and deliverability headers (2025 standards)
+      headers: {
+        // Client identification (RFC 5321)
+        'X-Mailer': 'MagicMail/1.0',
+        
+        // Priority headers (RFC 2156)
+        'X-Priority': emailData.priority === 'high' ? '1 (Highest)' : '3 (Normal)',
+        'Importance': emailData.priority === 'high' ? 'high' : 'normal',
+        
+        // Email type classification
+        'X-Email-Type': emailData.type || 'transactional',
+        
+        // Auto-submitted header (RFC 3834) - prevents auto-responders from replying
+        'Auto-Submitted': emailData.type === 'notification' ? 'auto-generated' : 'no',
+        
+        // Content security (prevents MIME sniffing attacks)
+        'X-Content-Type-Options': 'nosniff',
+        
+        // Tracking and reference
+        'X-Entity-Ref-ID': `magicmail-${Date.now()}`,
+        
+        // Sender policy (helps with SPF validation)
+        'Sender': account.fromEmail,
+        
+        // Content transfer encoding recommendation
+        'Content-Transfer-Encoding': '8bit',
+      },
+      
+      // Encoding (UTF-8 for international characters)
+      encoding: 'utf-8',
+      
+      // Text encoding for proper character handling
+      textEncoding: 'base64',
+    };
+
+    // Add List-Unsubscribe header for marketing emails (RFC 8058 - GDPR/CAN-SPAM)
+    if (emailData.type === 'marketing') {
+      if (emailData.unsubscribeUrl) {
+        mailOptions.headers['List-Unsubscribe'] = `<${emailData.unsubscribeUrl}>`;
+        mailOptions.headers['List-Unsubscribe-Post'] = 'List-Unsubscribe=One-Click';
+        mailOptions.headers['Precedence'] = 'bulk'; // Mark as bulk mail
+      } else {
+        strapi.log.warn('[magic-mail] ⚠️ Marketing email without unsubscribe URL - may violate GDPR/CAN-SPAM');
+      }
+    }
+
+    // Add custom headers if provided
+    if (emailData.headers && typeof emailData.headers === 'object') {
+      Object.assign(mailOptions.headers, emailData.headers);
+    }
+
+    if (mailOptions.attachments.length > 0) {
+      strapi.log.info(`[magic-mail] Sending email with ${mailOptions.attachments.length} attachment(s)`);
+    }
+
+    return await transporter.sendMail(mailOptions);
+  },
+
+  /**
+   * Send via Gmail OAuth
+   * With enhanced security headers and proper formatting
+   */
+  async sendViaGmailOAuth(account, emailData) {
+    // Check if OAuth tokens are available
+    if (!account.oauth) {
+      throw new Error('Gmail OAuth account not fully configured. Please complete the OAuth flow first.');
+    }
+
+    const oauth = decryptCredentials(account.oauth);
+    const config = decryptCredentials(account.config);
+
+    strapi.log.info(`[magic-mail] Sending via Gmail OAuth for account: ${account.name}`);
+    strapi.log.info(`[magic-mail] Has oauth.email: ${!!oauth.email} (${oauth.email || 'none'})`);
+    strapi.log.info(`[magic-mail] Has oauth.accessToken: ${!!oauth.accessToken}`);
+    strapi.log.info(`[magic-mail] Has config.clientId: ${!!config.clientId}`);
+
+    if (!oauth.email || !oauth.accessToken) {
+      throw new Error('Missing OAuth credentials. Please re-authenticate this account.');
+    }
+
+    if (!config.clientId || !config.clientSecret) {
+      throw new Error('Missing OAuth client credentials.');
+    }
+
+    // Validate email content for security
+    this.validateEmailSecurity(emailData);
+
+    // Check if token is expired and refresh if needed
+    let currentAccessToken = oauth.accessToken;
+    
+    if (oauth.expiresAt && new Date(oauth.expiresAt) < new Date()) {
+      strapi.log.info('[magic-mail] Access token expired, refreshing...');
+      
+      if (!oauth.refreshToken) {
+        throw new Error('Access token expired and no refresh token available. Please re-authenticate.');
+      }
+
+      try {
+        const oauthService = strapi.plugin('magic-mail').service('oauth');
+        const newTokens = await oauthService.refreshGmailTokens(
+          oauth.refreshToken,
+          config.clientId,
+          config.clientSecret
+        );
+        
+        currentAccessToken = newTokens.accessToken;
+        strapi.log.info('[magic-mail] ✅ Token refreshed successfully');
+        
+        // Update stored tokens
+        const { encryptCredentials } = require('../utils/encryption');
+        const updatedOAuth = encryptCredentials({
+          ...oauth,
+          accessToken: newTokens.accessToken,
+          expiresAt: newTokens.expiresAt,
+        });
+        
+        await strapi.entityService.update('plugin::magic-mail.email-account', account.id, {
+          data: { oauth: updatedOAuth },
+        });
+      } catch (refreshErr) {
+        strapi.log.error('[magic-mail] Token refresh failed:', refreshErr);
+        throw new Error('Access token expired and refresh failed. Please re-authenticate this account.');
+      }
+    }
+
+    // Use Gmail API directly instead of SMTP with OAuth
+    strapi.log.info('[magic-mail] Using Gmail API to send email...');
+    
+    try {
+      // Create email in RFC 2822 format with MIME multipart for attachments
+      const boundary = `----=_Part_${Date.now()}`;
+      const attachments = emailData.attachments || [];
+      
+      let emailContent = '';
+      
+      if (attachments.length > 0) {
+        // Multipart email with attachments
+        const emailLines = [
+          `From: ${account.fromName ? `"${account.fromName}" ` : ''}<${account.fromEmail}>`,
+          `To: ${emailData.to}`,
+          `Subject: ${emailData.subject}`,
+          `Date: ${new Date().toUTCString()}`,
+          `Message-ID: <${Date.now()}.${Math.random().toString(36).substring(7)}@${account.fromEmail.split('@')[1]}>`,
+          'MIME-Version: 1.0',
+          `Content-Type: multipart/mixed; boundary="${boundary}"`,
+          'X-Mailer: MagicMail/1.0',
+        ];
+
+        // Add priority headers if high priority
+        if (emailData.priority === 'high') {
+          emailLines.push('X-Priority: 1 (Highest)');
+          emailLines.push('Importance: high');
+        }
+
+        // Add List-Unsubscribe for marketing emails
+        if (emailData.type === 'marketing' && emailData.unsubscribeUrl) {
+          emailLines.push(`List-Unsubscribe: <${emailData.unsubscribeUrl}>`);
+          emailLines.push('List-Unsubscribe-Post: List-Unsubscribe=One-Click');
+        }
+
+        emailLines.push('');
+        emailLines.push(`--${boundary}`);
+        emailLines.push('Content-Type: text/html; charset=utf-8');
+        emailLines.push('');
+        emailLines.push(emailData.html || emailData.text || '');
+        
+        // Add each attachment
+        const fs = require('fs');
+        const path = require('path');
+        
+        for (const attachment of attachments) {
+          emailLines.push(`--${boundary}`);
+          
+          let fileContent;
+          let filename;
+          let contentType = attachment.contentType || 'application/octet-stream';
+          
+          if (attachment.content) {
+            // Content provided as buffer or string
+            fileContent = Buffer.isBuffer(attachment.content) 
+              ? attachment.content 
+              : Buffer.from(attachment.content);
+            filename = attachment.filename || 'attachment';
+          } else if (attachment.path) {
+            // Read from file path
+            fileContent = fs.readFileSync(attachment.path);
+            filename = attachment.filename || path.basename(attachment.path);
+            
+            // Detect content type if not provided
+            if (!attachment.contentType) {
+              const ext = path.extname(filename).toLowerCase();
+              const types = {
+                '.pdf': 'application/pdf',
+                '.png': 'image/png',
+                '.jpg': 'image/jpeg',
+                '.jpeg': 'image/jpeg',
+                '.gif': 'image/gif',
+                '.txt': 'text/plain',
+                '.csv': 'text/csv',
+                '.doc': 'application/msword',
+                '.docx': 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+                '.xls': 'application/vnd.ms-excel',
+                '.xlsx': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+              };
+              contentType = types[ext] || 'application/octet-stream';
+            }
+          } else {
+            continue; // Skip invalid attachment
+          }
+          
+          emailLines.push(`Content-Type: ${contentType}; name="${filename}"`);
+          emailLines.push(`Content-Disposition: attachment; filename="${filename}"`);
+          emailLines.push('Content-Transfer-Encoding: base64');
+          emailLines.push('');
+          emailLines.push(fileContent.toString('base64'));
+        }
+        
+        emailLines.push(`--${boundary}--`);
+        emailContent = emailLines.join('\r\n');
+        
+        strapi.log.info(`[magic-mail] Email with ${attachments.length} attachment(s) prepared`);
+      } else {
+        // Simple email without attachments
+        const emailLines = [
+          `From: ${account.fromName ? `"${account.fromName}" ` : ''}<${account.fromEmail}>`,
+          `To: ${emailData.to}`,
+          `Subject: ${emailData.subject}`,
+          `Date: ${new Date().toUTCString()}`,
+          `Message-ID: <${Date.now()}.${Math.random().toString(36).substring(7)}@${account.fromEmail.split('@')[1]}>`,
+          'MIME-Version: 1.0',
+          'Content-Type: text/html; charset=utf-8',
+          'X-Mailer: MagicMail/1.0',
+        ];
+
+        // Add priority headers if high priority
+        if (emailData.priority === 'high') {
+          emailLines.push('X-Priority: 1 (Highest)');
+          emailLines.push('Importance: high');
+        }
+
+        // Add List-Unsubscribe for marketing emails
+        if (emailData.type === 'marketing' && emailData.unsubscribeUrl) {
+          emailLines.push(`List-Unsubscribe: <${emailData.unsubscribeUrl}>`);
+          emailLines.push('List-Unsubscribe-Post: List-Unsubscribe=One-Click');
+        }
+
+        emailLines.push('');
+        emailLines.push(emailData.html || emailData.text || '');
+        
+        emailContent = emailLines.join('\r\n');
+      }
+      
+      const encodedEmail = Buffer.from(emailContent)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+      
+      // Send via Gmail API
+      const response = await fetch('https://gmail.googleapis.com/gmail/v1/users/me/messages/send', {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${currentAccessToken}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          raw: encodedEmail,
+        }),
+      });
+      
+      if (!response.ok) {
+        const errorData = await response.json();
+        strapi.log.error('[magic-mail] Gmail API error:', errorData);
+        throw new Error(`Gmail API error: ${errorData.error?.message || response.statusText}`);
+      }
+      
+      const result = await response.json();
+      strapi.log.info('[magic-mail] ✅ Email sent via Gmail API');
+      
+      return {
+        messageId: result.id,
+        response: 'OK',
+      };
+    } catch (err) {
+      strapi.log.error('[magic-mail] Gmail API send failed:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Send via Microsoft OAuth (Outlook/Exchange Online)
+   * With enhanced security and Graph API best practices
+   */
+  async sendViaMicrosoftOAuth(account, emailData) {
+    // Check if OAuth tokens are available
+    if (!account.oauth) {
+      throw new Error('Microsoft OAuth account not fully configured. Please complete the OAuth flow first.');
+    }
+
+    const oauth = decryptCredentials(account.oauth);
+    const config = decryptCredentials(account.config);
+
+    strapi.log.info(`[magic-mail] Sending via Microsoft OAuth for account: ${account.name}`);
+    strapi.log.info(`[magic-mail] Has oauth.email: ${!!oauth.email} (${oauth.email || 'none'})`);
+    strapi.log.info(`[magic-mail] Has oauth.accessToken: ${!!oauth.accessToken}`);
+    strapi.log.info(`[magic-mail] Has config.clientId: ${!!config.clientId}`);
+
+    if (!oauth.email || !oauth.accessToken) {
+      throw new Error('Missing OAuth credentials. Please re-authenticate this account.');
+    }
+
+    if (!config.clientId || !config.clientSecret) {
+      throw new Error('Missing OAuth client credentials.');
+    }
+
+    // Validate email content for security
+    this.validateEmailSecurity(emailData);
+
+    // Check if token is expired and refresh if needed
+    let currentAccessToken = oauth.accessToken;
+    
+    if (oauth.expiresAt && new Date(oauth.expiresAt) < new Date()) {
+      strapi.log.info('[magic-mail] Access token expired, refreshing...');
+      
+      if (!oauth.refreshToken) {
+        throw new Error('Access token expired and no refresh token available. Please re-authenticate.');
+      }
+
+      try {
+        if (!config.tenantId) {
+          throw new Error('Tenant ID not found in config. Please re-configure this account.');
+        }
+
+        const oauthService = strapi.plugin('magic-mail').service('oauth');
+        const newTokens = await oauthService.refreshMicrosoftTokens(
+          oauth.refreshToken,
+          config.clientId,
+          config.clientSecret,
+          config.tenantId
+        );
+        
+        currentAccessToken = newTokens.accessToken;
+        strapi.log.info('[magic-mail] ✅ Microsoft token refreshed successfully');
+        
+        // Update stored tokens
+        const { encryptCredentials } = require('../utils/encryption');
+        const updatedOAuth = encryptCredentials({
+          ...oauth,
+          accessToken: newTokens.accessToken,
+          expiresAt: newTokens.expiresAt,
+        });
+        
+        await strapi.entityService.update('plugin::magic-mail.email-account', account.id, {
+          data: { oauth: updatedOAuth },
+        });
+      } catch (refreshErr) {
+        strapi.log.error('[magic-mail] Token refresh failed:', refreshErr);
+        throw new Error('Access token expired and refresh failed. Please re-authenticate this account.');
+      }
+    }
+
+    // Use Microsoft Graph API with MIME format
+    // Key: Let Microsoft add From/DKIM headers automatically for DMARC compliance
+    strapi.log.info('[magic-mail] Using Microsoft Graph API with MIME format (DMARC-safe)...');
+    
+    try {
+      // Build MIME content WITHOUT From header (Microsoft adds it with proper DKIM)
+      const boundary = `----=_Part_${Date.now()}`;
+      const attachments = emailData.attachments || [];
+      
+      let mimeContent = '';
+      
+      if (attachments.length > 0) {
+        // Multipart MIME with attachments
+        const mimeLines = [
+          // DON'T include From - Microsoft adds it with DKIM!
+          `To: ${emailData.to}`,
+          `Subject: ${emailData.subject}`,
+          `Date: ${new Date().toUTCString()}`,
+          `Message-ID: <${Date.now()}.${Math.random().toString(36).substring(7)}@${account.fromEmail.split('@')[1]}>`,
+          'MIME-Version: 1.0',
+          `Content-Type: multipart/mixed; boundary="${boundary}"`,
+          'X-Mailer: MagicMail/1.0',
+        ];
+
+        // Priority headers
+        if (emailData.priority === 'high') {
+          mimeLines.push('X-Priority: 1 (Highest)');
+          mimeLines.push('Importance: high');
+        }
+
+        // List-Unsubscribe for marketing
+        if (emailData.type === 'marketing' && emailData.unsubscribeUrl) {
+          mimeLines.push(`List-Unsubscribe: <${emailData.unsubscribeUrl}>`);
+          mimeLines.push('List-Unsubscribe-Post: List-Unsubscribe=One-Click');
+        }
+
+        // Reply-To
+        if (emailData.replyTo || account.replyTo) {
+          mimeLines.push(`Reply-To: ${emailData.replyTo || account.replyTo}`);
+        }
+
+        mimeLines.push('');
+        mimeLines.push(`--${boundary}`);
+        mimeLines.push('Content-Type: text/html; charset=utf-8');
+        mimeLines.push('');
+        mimeLines.push(emailData.html || emailData.text || '');
+        
+        // Add attachments
+        const fs = require('fs');
+        const path = require('path');
+        
+        for (const attachment of attachments) {
+          mimeLines.push(`--${boundary}`);
+          
+          let fileContent;
+          let filename;
+          let contentType = attachment.contentType || 'application/octet-stream';
+          
+          if (attachment.content) {
+            fileContent = Buffer.isBuffer(attachment.content) 
+              ? attachment.content 
+              : Buffer.from(attachment.content);
+            filename = attachment.filename || 'attachment';
+          } else if (attachment.path) {
+            fileContent = fs.readFileSync(attachment.path);
+            filename = attachment.filename || path.basename(attachment.path);
+          } else {
+            continue;
+          }
+          
+          mimeLines.push(`Content-Type: ${contentType}; name="${filename}"`);
+          mimeLines.push(`Content-Disposition: attachment; filename="${filename}"`);
+          mimeLines.push('Content-Transfer-Encoding: base64');
+          mimeLines.push('');
+          mimeLines.push(fileContent.toString('base64'));
+        }
+        
+        mimeLines.push(`--${boundary}--`);
+        mimeContent = mimeLines.join('\r\n');
+      } else {
+        // Simple MIME email without attachments
+        const mimeLines = [
+          // DON'T include From - Microsoft adds it with DKIM!
+          `To: ${emailData.to}`,
+          `Subject: ${emailData.subject}`,
+          `Date: ${new Date().toUTCString()}`,
+          `Message-ID: <${Date.now()}.${Math.random().toString(36).substring(7)}@${account.fromEmail.split('@')[1]}>`,
+          'MIME-Version: 1.0',
+          'Content-Type: text/html; charset=utf-8',
+          'X-Mailer: MagicMail/1.0',
+        ];
+
+        // Priority headers
+        if (emailData.priority === 'high') {
+          mimeLines.push('X-Priority: 1 (Highest)');
+          mimeLines.push('Importance: high');
+        }
+
+        // List-Unsubscribe for marketing
+        if (emailData.type === 'marketing' && emailData.unsubscribeUrl) {
+          mimeLines.push(`List-Unsubscribe: <${emailData.unsubscribeUrl}>`);
+          mimeLines.push('List-Unsubscribe-Post: List-Unsubscribe=One-Click');
+        }
+
+        // Reply-To
+        if (emailData.replyTo || account.replyTo) {
+          mimeLines.push(`Reply-To: ${emailData.replyTo || account.replyTo}`);
+        }
+
+        mimeLines.push('');
+        mimeLines.push(emailData.html || emailData.text || '');
+        
+        mimeContent = mimeLines.join('\r\n');
+      }
+      
+      // Encode MIME to base64
+      const base64Mime = Buffer.from(mimeContent).toString('base64');
+      
+      // Send via Microsoft Graph using MIME format
+      const response = await fetch('https://graph.microsoft.com/v1.0/me/sendMail', {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${currentAccessToken}`,
+          'Content-Type': 'text/plain', // MIME format!
+        },
+        body: base64Mime,
+      });
+      
+      // Microsoft Graph returns 202 Accepted on success
+      if (response.status !== 202) {
+        let errorData = 'Unknown error';
+        try {
+          errorData = await response.text();
+        } catch (e) {
+          // Ignore
+        }
+        strapi.log.error('[magic-mail] Microsoft Graph MIME error:', errorData);
+        strapi.log.error('[magic-mail] Response status:', response.status);
+        throw new Error(`Microsoft Graph API error: ${response.status} - ${response.statusText}`);
+      }
+      
+      strapi.log.info('[magic-mail] ✅ Email sent via Microsoft Graph API with MIME + custom headers');
+      strapi.log.info('[magic-mail] Microsoft adds From/DKIM automatically for DMARC compliance');
+      
+      return {
+        messageId: `microsoft-${Date.now()}`,
+        response: 'Accepted',
+      };
+    } catch (err) {
+      strapi.log.error('[magic-mail] Microsoft Graph API send failed:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Send via Yahoo OAuth
+   * With enhanced security and SMTP OAuth2 best practices
+   */
+  async sendViaYahooOAuth(account, emailData) {
+    // Check if OAuth tokens are available
+    if (!account.oauth) {
+      throw new Error('Yahoo OAuth account not fully configured. Please complete the OAuth flow first.');
+    }
+
+    const oauth = decryptCredentials(account.oauth);
+    const config = decryptCredentials(account.config);
+
+    strapi.log.info(`[magic-mail] Sending via Yahoo OAuth for account: ${account.name}`);
+    strapi.log.info(`[magic-mail] Has oauth.email: ${!!oauth.email} (${oauth.email || 'none'})`);
+    strapi.log.info(`[magic-mail] Has oauth.accessToken: ${!!oauth.accessToken}`);
+
+    if (!oauth.email || !oauth.accessToken) {
+      throw new Error('Missing OAuth credentials. Please re-authenticate this account.');
+    }
+
+    // Validate email content for security
+    this.validateEmailSecurity(emailData);
+
+    // Check if token is expired and refresh if needed
+    let currentAccessToken = oauth.accessToken;
+    
+    if (oauth.expiresAt && new Date(oauth.expiresAt) < new Date()) {
+      strapi.log.info('[magic-mail] Access token expired, refreshing...');
+      
+      if (!oauth.refreshToken) {
+        throw new Error('Access token expired and no refresh token available. Please re-authenticate.');
+      }
+
+      try {
+        const oauthService = strapi.plugin('magic-mail').service('oauth');
+        const newTokens = await oauthService.refreshYahooTokens(
+          oauth.refreshToken,
+          config.clientId,
+          config.clientSecret
+        );
+        
+        currentAccessToken = newTokens.accessToken;
+        strapi.log.info('[magic-mail] ✅ Token refreshed successfully');
+        
+        // Update stored tokens
+        const { encryptCredentials } = require('../utils/encryption');
+        const updatedOAuth = encryptCredentials({
+          ...oauth,
+          accessToken: newTokens.accessToken,
+          expiresAt: newTokens.expiresAt,
+        });
+        
+        await strapi.entityService.update('plugin::magic-mail.email-account', account.id, {
+          data: { oauth: updatedOAuth },
+        });
+      } catch (refreshErr) {
+        strapi.log.error('[magic-mail] Token refresh failed:', refreshErr);
+        throw new Error('Access token expired and refresh failed. Please re-authenticate this account.');
+      }
+    }
+
+    // Yahoo Mail API uses SMTP with OAuth token as password
+    // We use nodemailer with XOAUTH2
+    const nodemailer = require('nodemailer');
+    
+    strapi.log.info('[magic-mail] Using Yahoo SMTP with OAuth...');
+    
+    try {
+      const transporter = nodemailer.createTransport({
+        host: 'smtp.mail.yahoo.com',
+        port: 465,
+        secure: true,
+        auth: {
+          type: 'OAuth2',
+          user: oauth.email,
+          accessToken: currentAccessToken,
+        },
+      });
+
+      const mailOptions = {
+        from: `${account.fromName || 'Yahoo Mail'} <${account.fromEmail}>`,
+        to: emailData.to,
+        replyTo: emailData.replyTo || account.replyTo,
+        subject: emailData.subject,
+        text: emailData.text,
+        html: emailData.html,
+        attachments: emailData.attachments || [],
+        
+        // Security and deliverability headers
+        headers: {
+          'X-Mailer': 'MagicMail/1.0',
+          'X-Priority': emailData.priority === 'high' ? '1' : '3',
+        },
+        
+        // Generate proper Message-ID
+        messageId: `<${Date.now()}.${Math.random().toString(36).substring(7)}@${account.fromEmail.split('@')[1]}>`,
+        date: new Date(),
+      };
+
+      // Add List-Unsubscribe for marketing emails
+      if (emailData.type === 'marketing' && emailData.unsubscribeUrl) {
+        mailOptions.headers['List-Unsubscribe'] = `<${emailData.unsubscribeUrl}>`;
+        mailOptions.headers['List-Unsubscribe-Post'] = 'List-Unsubscribe=One-Click';
+      }
+
+      if (mailOptions.attachments.length > 0) {
+        strapi.log.info(`[magic-mail] Sending email with ${mailOptions.attachments.length} attachment(s)`);
+      }
+
+      const result = await transporter.sendMail(mailOptions);
+      strapi.log.info('[magic-mail] ✅ Email sent via Yahoo OAuth');
+      
+      return {
+        messageId: result.messageId,
+        response: result.response,
+      };
+    } catch (err) {
+      strapi.log.error('[magic-mail] Yahoo OAuth send failed:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Send via SendGrid API
+   * With enhanced security and proper headers
+   */
+  async sendViaSendGrid(account, emailData) {
+    const config = decryptCredentials(account.config);
+    
+    if (!config.apiKey) {
+      throw new Error('SendGrid API key not configured');
+    }
+
+    // Validate email content for security
+    this.validateEmailSecurity(emailData);
+
+    strapi.log.info(`[magic-mail] Sending via SendGrid for account: ${account.name}`);
+
+    try {
+      // Build message object for SendGrid
+      const msg = {
+        to: emailData.to,
+        from: {
+          email: account.fromEmail,
+          name: account.fromName || account.fromEmail,
+        },
+        subject: emailData.subject,
+        text: emailData.text,
+        html: emailData.html,
+        
+        // Security and tracking headers
+        customArgs: {
+          'magicmail_version': '1.0',
+          'email_type': emailData.type || 'transactional',
+          'priority': emailData.priority || 'normal',
+        },
+        
+        // Headers object for custom headers
+        headers: {
+          'X-Mailer': 'MagicMail/1.0',
+        },
+      };
+
+      // Add priority headers if high priority
+      if (emailData.priority === 'high') {
+        msg.headers['X-Priority'] = '1 (Highest)';
+        msg.headers['Importance'] = 'high';
+      }
+
+      // Add ReplyTo if provided
+      if (emailData.replyTo || account.replyTo) {
+        msg.replyTo = {
+          email: emailData.replyTo || account.replyTo,
+        };
+      }
+
+      // Add List-Unsubscribe for marketing emails (GDPR/CAN-SPAM compliance)
+      if (emailData.type === 'marketing' && emailData.unsubscribeUrl) {
+        msg.headers['List-Unsubscribe'] = `<${emailData.unsubscribeUrl}>`;
+        msg.headers['List-Unsubscribe-Post'] = 'List-Unsubscribe=One-Click';
+      }
+
+      // Add attachments if provided
+      const attachments = emailData.attachments || [];
+      if (attachments.length > 0) {
+        const fs = require('fs');
+        const path = require('path');
+        
+        msg.attachments = [];
+        
+        for (const attachment of attachments) {
+          let fileContent;
+          let filename;
+          let contentType = attachment.contentType || 'application/octet-stream';
+          
+          if (attachment.content) {
+            // Content provided as buffer or string
+            fileContent = Buffer.isBuffer(attachment.content) 
+              ? attachment.content 
+              : Buffer.from(attachment.content);
+            filename = attachment.filename || 'attachment';
+          } else if (attachment.path) {
+            // Read from file path
+            fileContent = fs.readFileSync(attachment.path);
+            filename = attachment.filename || path.basename(attachment.path);
+          } else {
+            continue;
+          }
+          
+          msg.attachments.push({
+            content: fileContent.toString('base64'),
+            filename: filename,
+            type: contentType,
+            disposition: 'attachment',
+          });
+        }
+        
+        strapi.log.info(`[magic-mail] Email with ${attachments.length} attachment(s) prepared`);
+      }
+
+      // Send via SendGrid API
+      const response = await fetch('https://api.sendgrid.com/v3/mail/send', {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${config.apiKey}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(msg),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        strapi.log.error('[magic-mail] SendGrid API error:', errorText);
+        throw new Error(`SendGrid API error: ${response.statusText}`);
+      }
+
+      strapi.log.info('[magic-mail] ✅ Email sent via SendGrid API');
+
+      // SendGrid returns 202 Accepted with no body on success
+      return {
+        messageId: response.headers.get('x-message-id') || `sendgrid-${Date.now()}`,
+        response: 'Accepted',
+      };
+    } catch (err) {
+      strapi.log.error('[magic-mail] SendGrid send failed:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Send via Mailgun API
+   * With enhanced security and compliance headers
+   */
+  async sendViaMailgun(account, emailData) {
+    const config = decryptCredentials(account.config);
+    
+    if (!config.apiKey || !config.domain) {
+      throw new Error('Mailgun API key and domain not configured');
+    }
+
+    // Validate email content for security
+    this.validateEmailSecurity(emailData);
+
+    strapi.log.info(`[magic-mail] Sending via Mailgun for account: ${account.name}`);
+    strapi.log.info(`[magic-mail] Domain: ${config.domain}`);
+
+    try {
+      // Build FormData for Mailgun API
+      const FormData = require('form-data');
+      const form = new FormData();
+
+      // Required fields
+      form.append('from', account.fromName 
+        ? `${account.fromName} <${account.fromEmail}>`
+        : account.fromEmail
+      );
+      form.append('to', emailData.to);
+      form.append('subject', emailData.subject);
+      
+      // Add text or html content
+      if (emailData.html) {
+        form.append('html', emailData.html);
+      }
+      if (emailData.text) {
+        form.append('text', emailData.text);
+      }
+
+      // Add ReplyTo if provided
+      if (emailData.replyTo || account.replyTo) {
+        form.append('h:Reply-To', emailData.replyTo || account.replyTo);
+      }
+
+      // Add custom headers for tracking and security
+      form.append('h:X-Mailer', 'MagicMail/1.0');
+      form.append('h:X-Email-Type', emailData.type || 'transactional');
+
+      // Add List-Unsubscribe for marketing emails (GDPR/CAN-SPAM compliance)
+      if (emailData.type === 'marketing' && emailData.unsubscribeUrl) {
+        form.append('h:List-Unsubscribe', `<${emailData.unsubscribeUrl}>`);
+        form.append('h:List-Unsubscribe-Post', 'List-Unsubscribe=One-Click');
+      }
+
+      // Add attachments if provided
+      const attachments = emailData.attachments || [];
+      if (attachments.length > 0) {
+        const fs = require('fs');
+        const path = require('path');
+        
+        for (const attachment of attachments) {
+          let fileContent;
+          let filename;
+          
+          if (attachment.content) {
+            // Content provided as buffer or string
+            fileContent = Buffer.isBuffer(attachment.content) 
+              ? attachment.content 
+              : Buffer.from(attachment.content);
+            filename = attachment.filename || 'attachment';
+          } else if (attachment.path) {
+            // Read from file path
+            fileContent = fs.readFileSync(attachment.path);
+            filename = attachment.filename || path.basename(attachment.path);
+          } else {
+            continue;
+          }
+          
+          // Mailgun expects attachments as form data with buffer
+          form.append('attachment', fileContent, {
+            filename: filename,
+            contentType: attachment.contentType || 'application/octet-stream',
+          });
+        }
+        
+        strapi.log.info(`[magic-mail] Email with ${attachments.length} attachment(s) prepared`);
+      }
+
+      // Send via Mailgun API
+      const response = await fetch(`https://api.mailgun.net/v3/${config.domain}/messages`, {
+        method: 'POST',
+        headers: {
+          'Authorization': `Basic ${Buffer.from(`api:${config.apiKey}`).toString('base64')}`,
+          ...form.getHeaders(),
+        },
+        body: form,
+      });
+
+      if (!response.ok) {
+        const errorData = await response.text();
+        strapi.log.error('[magic-mail] Mailgun API error:', errorData);
+        throw new Error(`Mailgun API error: ${response.statusText}`);
+      }
+
+      const result = await response.json();
+      strapi.log.info('[magic-mail] ✅ Email sent via Mailgun API');
+
+      return {
+        messageId: result.id || `mailgun-${Date.now()}`,
+        response: result.message || 'Queued',
+      };
+    } catch (err) {
+      strapi.log.error('[magic-mail] Mailgun send failed:', err);
+      throw err;
+    }
+  },
+
+  /**
+   * Check if account is within rate limits
+   */
+  async checkRateLimits(account) {
+    if (account.dailyLimit > 0 && account.emailsSentToday >= account.dailyLimit) {
+      return false;
+    }
+    if (account.hourlyLimit > 0 && account.emailsSentThisHour >= account.hourlyLimit) {
+      return false;
+    }
+    return true;
+  },
+
+  /**
+   * Update account statistics
+   */
+  async updateAccountStats(accountId) {
+    const account = await strapi.entityService.findOne('plugin::magic-mail.email-account', accountId);
+
+    await strapi.entityService.update('plugin::magic-mail.email-account', accountId, {
+      data: {
+        emailsSentToday: (account.emailsSentToday || 0) + 1,
+        emailsSentThisHour: (account.emailsSentThisHour || 0) + 1,
+        totalEmailsSent: (account.totalEmailsSent || 0) + 1,
+        lastUsed: new Date(),
+      },
+    });
+  },
+
+  /**
+   * Log email to database (DEPRECATED - now handled by Analytics)
+   * This function previously created duplicate logs
+   * Now it's a no-op since email-log creation is handled in the analytics service
+   */
+  async logEmail(logData) {
+    // Email logging is now handled by the Analytics service (createEmailLog)
+    // This function is kept for backward compatibility but does nothing
+    // The analytics log is created earlier in the send() flow with proper tracking data
+    strapi.log.debug('[magic-mail] Email already logged via Analytics service');
+  },
+
+  /**
+   * Get account by name
+   */
+  async getAccountByName(name) {
+    const accounts = await strapi.entityService.findMany('plugin::magic-mail.email-account', {
+      filters: { name, isActive: true },
+      limit: 1,
+    });
+
+    return accounts && accounts.length > 0 ? accounts[0] : null;
+  },
+
+  /**
+   * Validate email content for security best practices
+   * Prevents common security issues and spam triggers
+   */
+  validateEmailSecurity(emailData) {
+    const { to, subject, html, text } = emailData;
+
+    // 1. Validate recipient email format
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(to)) {
+      throw new Error(`Invalid recipient email format: ${to}`);
+    }
+
+    // 2. Prevent empty subject (spam trigger)
+    if (!subject || subject.trim().length === 0) {
+      throw new Error('Email subject is required for security and deliverability');
+    }
+
+    // 3. Prevent excessively long subjects (spam trigger)
+    if (subject.length > 200) {
+      strapi.log.warn('[magic-mail] Subject line exceeds 200 characters - may trigger spam filters');
+    }
+
+    // 4. Require either text or html content
+    if (!html && !text) {
+      throw new Error('Email must have either text or html content');
+    }
+
+    // 5. Check for common spam trigger patterns in subject
+    const spamTriggers = [
+      /\bfree\b.*\bmoney\b/i,
+      /\b100%\s*free\b/i,
+      /\bclaim.*\bprize\b/i,
+      /\bclick\s*here\s*now\b/i,
+      /\bviagra\b/i,
+      /\bcasino\b/i,
+    ];
+
+    for (const pattern of spamTriggers) {
+      if (pattern.test(subject)) {
+        strapi.log.warn(`[magic-mail] Subject contains potential spam trigger: "${subject}"`);
+        break;
+      }
+    }
+
+    // 6. Validate HTML doesn't contain dangerous scripts
+    if (html) {
+      if (/<script[^>]*>.*?<\/script>/i.test(html)) {
+        throw new Error('Email HTML must not contain <script> tags for security');
+      }
+      
+      if (/javascript:/i.test(html)) {
+        throw new Error('Email HTML must not contain javascript: protocol for security');
+      }
+    }
+
+    // 7. Check for proper content balance (text vs html)
+    if (html && !text) {
+      strapi.log.warn('[magic-mail] Email has HTML but no text alternative - may reduce deliverability');
+    }
+
+    strapi.log.info('[magic-mail] ✅ Email security validation passed');
+  },
+
+  /**
+   * Add security headers to email data
+   * Returns enhanced email data with security headers
+   */
+  addSecurityHeaders(emailData, account) {
+    const headers = {
+      'X-Mailer': 'MagicMail/1.0',
+      'X-Entity-Ref-ID': `magicmail-${Date.now()}`,
+    };
+
+    // Add priority headers if specified
+    if (emailData.priority === 'high') {
+      headers['X-Priority'] = '1';
+      headers['Importance'] = 'high';
+    }
+
+    // Add List-Unsubscribe for marketing emails (RFC 8058)
+    if (emailData.type === 'marketing') {
+      if (emailData.unsubscribeUrl) {
+        headers['List-Unsubscribe'] = `<${emailData.unsubscribeUrl}>`;
+        headers['List-Unsubscribe-Post'] = 'List-Unsubscribe=One-Click';
+      } else {
+        strapi.log.warn('[magic-mail] Marketing email without unsubscribe URL - may violate regulations');
+      }
+    }
+
+    return {
+      ...emailData,
+      headers: {
+        ...emailData.headers,
+        ...headers,
+      },
+    };
+  },
+});
+