<?php
// DeliverScore Scan API
header("Content-Type: application/json");
header("Access-Control-Allow-Origin: *");

$domain = trim($_GET["domain"] ?? "");
if(!$domain || !preg_match("/^[a-z0-9][a-z0-9.-]+\.[a-z]{2,}$/i", $domain)) {
    echo json_encode(["error" => "Domaine invalide"]);
    exit;
}

$results = ["domain" => $domain, "score" => 0, "grade" => "F", "checks" => []];
$score = 0;

// SPF
$spf = dns_get_record($domain, DNS_TXT);
$hasSPF = false;
foreach($spf as $r) {
    if(isset($r["txt"]) && strpos($r["txt"], "v=spf1") === 0) {
        $hasSPF = true;
        $results["checks"][] = ["name" => "SPF", "status" => "pass", "value" => $r["txt"], "detail" => "Record SPF valide"];
        $score += 20;
        break;
    }
}
if(!$hasSPF) $results["checks"][] = ["name" => "SPF", "status" => "fail", "value" => "", "detail" => "Aucun record SPF trouvé"];

// DKIM (check common selectors)
$dkimFound = false;
foreach(["default","google","s1","s2","selector1","selector2","k1","dkim"] as $sel) {
    $dkim = dns_get_record($sel."._domainkey.".$domain, DNS_TXT);
    if(!empty($dkim)) {
        $dkimFound = true;
        $results["checks"][] = ["name" => "DKIM", "status" => "pass", "value" => $sel, "detail" => "Sélecteur DKIM trouvé: ".$sel];
        $score += 20;
        break;
    }
}
if(!$dkimFound) $results["checks"][] = ["name" => "DKIM", "status" => "warn", "value" => "", "detail" => "Aucun sélecteur DKIM courant trouvé"];

// DMARC
$dmarc = dns_get_record("_dmarc.".$domain, DNS_TXT);
$hasDMARC = false;
foreach($dmarc as $r) {
    if(isset($r["txt"]) && strpos($r["txt"], "v=DMARC1") === 0) {
        $hasDMARC = true;
        $policy = "none";
        if(preg_match("/p=(\w+)/", $r["txt"], $m)) $policy = $m[1];
        $results["checks"][] = ["name" => "DMARC", "status" => $policy === "reject" ? "pass" : ($policy === "quarantine" ? "pass" : "warn"), "value" => $r["txt"], "detail" => "Policy: ".$policy];
        $score += ($policy === "reject" ? 20 : ($policy === "quarantine" ? 15 : 10));
        break;
    }
}
if(!$hasDMARC) $results["checks"][] = ["name" => "DMARC", "status" => "fail", "value" => "", "detail" => "Aucun record DMARC"];

// MX
$mx = dns_get_record($domain, DNS_MX);
if(!empty($mx)) {
    $mxHosts = array_map(function($r){return $r["target"];}, $mx);
    $results["checks"][] = ["name" => "MX", "status" => "pass", "value" => implode(", ", $mxHosts), "detail" => count($mx)." MX records"];
    $score += 15;
} else {
    $results["checks"][] = ["name" => "MX", "status" => "fail", "value" => "", "detail" => "Aucun MX record"];
}

// SSL check
$ctx = stream_context_create(["ssl" => ["verify_peer" => false, "capture_peer_cert" => true]]);
$fp = @stream_socket_client("ssl://".$domain.":443", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $ctx);
if($fp) {
    $results["checks"][] = ["name" => "SSL/TLS", "status" => "pass", "value" => "HTTPS actif", "detail" => "Certificat SSL valide"];
    $score += 15;
    fclose($fp);
} else {
    $results["checks"][] = ["name" => "SSL/TLS", "status" => "warn", "value" => "", "detail" => "HTTPS non détecté"];
}

// Blacklist check (simplified - check a few)
$ip = gethostbyname($domain);
if($ip !== $domain) {
    $rev = implode(".", array_reverse(explode(".", $ip)));
    $bls = ["zen.spamhaus.org","bl.spamcop.net","b.barracudacentral.org"];
    $clean = true;
    foreach($bls as $bl) {
        if(checkdnsrr($rev.".".$bl, "A")) { $clean = false; break; }
    }
    $results["checks"][] = ["name" => "Blacklists", "status" => $clean ? "pass" : "fail", "value" => $ip, "detail" => $clean ? "IP propre (3 BL vérifiées)" : "IP blacklistée"];
    if($clean) $score += 10;
}

$results["score"] = min(100, $score);
$results["grade"] = $score >= 90 ? "A+" : ($score >= 80 ? "A" : ($score >= 60 ? "B" : ($score >= 40 ? "C" : "F")));
$results["recommendations"] = [];
foreach($results["checks"] as $c) {
    if($c["status"] !== "pass") {
        $results["recommendations"][] = "Configurer ".$c["name"]." : ".$c["detail"];
    }
}

echo json_encode($results, JSON_PRETTY_PRINT);