import type { ParsedEmail } from "../parse/index.mjs"; /** DKIM / SPF / DMARC verification helpers. * * Two modes: * 1. **Trust the relay** (default): parse the \`Authentication-Results\` * header supplied by the MTA that delivered the message. Cheap, * works on Workers, relies on the upstream being honest (typically * Gmail, Google Workspace, Exchange, SES — all trustworthy). * 2. **Active verification**: plug in a callback to run DNS lookups + * cryptographic verification. We don't bundle this because active * DKIM needs DNS access (Workers require \`dns-over-https\`) and a * real crypto validator — not worth reinventing. When the callback * is present it overrides the parsed header result. */ export type AuthResult = "pass" | "fail" | "neutral" | "softfail" | "temperror" | "permerror" | "none"; export interface AuthenticationResults { dkim: AuthResult; spf: AuthResult; dmarc: AuthResult; authenticatedDomain?: string; raw?: string; } export interface VerifyOptions { /** Optional callback for active verification. Receives the parsed * email; should return fresh results (authoritative lookups, etc.). */ verify?: (mail: ParsedEmail) => Promise | AuthenticationResults; } /** Run all three checks. Returns the callback result if provided, * otherwise the parsed \`Authentication-Results\` header. */ export declare function verifyAll(mail: ParsedEmail, options?: VerifyOptions): Promise; export declare function verifyDkim(mail: ParsedEmail): AuthResult; export declare function verifySpf(mail: ParsedEmail): AuthResult; export declare function verifyDmarc(mail: ParsedEmail): AuthResult; /** Parse one or more \`Authentication-Results\` headers per RFC 8601. */ export declare function parseAuthenticationResults(header: string | undefined): AuthenticationResults;