Security hardening

• ARC-Authentication-Results headers are no longer mixed into the main SPF/DKIM/DMARC verdict; they are shown in the ARC chain card only.
• When no Authentication-Results header matches the receiving server (authserv-id), the message is now treated as unverified instead of trusting all headers.
• The From header address is now extracted from the last angle-bracket pair (RFC 5322), defeating display-name spoofing with embedded fake addresses.
• Deceptive link text (visible URL differing from the actual destination) is now always flagged, regardless of the trusted-domain list.

New features

• Authentication strength insights: weak DKIM keys (below 2048 bits, when recorded by the receiving server), rsa-sha1 signatures, partial body signing (l= tag), DMARC sp=none and pct below 100 are shown inside the DKIM/DMARC cards. The badge verdict is not affected.
• TLS visibility in the delivery route: each hop shows the transport encryption recorded in its Received header (TLS version, legacy TLS warning, plaintext protocol, or unknown), with cipher suites in tooltips.
• One-click report copy: a Copy button in the dashboard header exports a structured plain-text analysis report to the clipboard.

Localization

• Ten new strings translated in all 12 locales; the trusted-domain setting description was made more accurate in 10 locales.

Bug fixes

• Email relay/masking services (Firefox Relay, DuckDuckGo Email Protection, Apple Hide My Email, SimpleLogin, AnonAddy, and others) are no longer flagged as display-name spoofing or Reply-To mismatch. When the actual From: address belongs to a known relay service, the original sender's email address in the display name is recognized as legitimate forwarding behavior rather than impersonation.
• The DKIM alignment failed verdict reason is no longer surfaced when DMARC overall passes (when SPF or DKIM aligns and DMARC is pass). This eliminates false-positive warnings for brand mail delivered through bulk platforms such as Sailthru, SendGrid, or Mailchimp, where DKIM is signed by the platform but SPF aligns with the brand's bounce domain. Per-signature alignment indicators inside the DKIM card are unchanged.

Acknowledgments

• Thanks to @JerryLerman for the detailed bug reports on GitHub issues #3 and #4.

This release introduces a four-tier link safety severity model: critical, suspicious, untrusted, and privacy. Each level has a distinct meaning and resolution path.

• New "untrusted" level for findings that only indicate an unknown external domain (all-external links, external main CTA). These are shown in a softer amber color and carry a new Untrusted link domain verdict tag, making clear that the domain is simply not yet on your trust list — not evidence of wrongdoing.
• New "privacy" level for tracking pixel detection. Privacy notices no longer contribute to the suspicious verdict and have their own informational style.
• One-click Trust shortcut: when an untrusted indicator involves exactly one external domain, a Trust button appears directly on the finding row for immediate whitelisting.
• Aggregated findings: IP-address, IDN homograph, and URL shortener findings now combine multiple hosts into a single row to prevent list bloat.
• Dark mode support for the new untrusted and privacy styles.
• i18n updates across all 12 supported languages.

The verdict philosophy is unchanged: untrusted findings still do not earn a green badge until the user explicitly trusts the domain. The add-on never assumes legitimacy for any unknown external domain.

Security Fix

• DKIM alignment evaluation hardened: the security verdict now considers only DKIM signatures that passed authentication when evaluating alignment, preventing false alignment matches from failed signatures.

UI Fix

• Added missing CSS rules for alignment labels in SPF/DKIM cards. "Aligned" and "Not Aligned" labels are now properly color-coded (green/red).

Locale Consistency

• Unified alignment terminology between status labels and verdict reason tags in Japanese, Simplified Chinese, Traditional Chinese, Arabic, and Russian.

v1.1.4 — Review Compliance Update

• DOM Safety: Replaced all innerHTML usage with safe DOM APIs (document.createElement, textContent, replaceChildren) in options page and confirm dialog, per ATN review policy.
• Always-Collapsed Panel: The dashboard now always starts collapsed for every email. Status badge and verdict tags are visible at a glance in the header bar; click to expand for details.
• Header Cleanup: Removed the GitHub repository link from the main click area of the feature panel header, per ATN no-surprise policy.

v1.1.3 — Trusted Link Domains, Link Mismatch Badge and All-External Detection

Trusted Link Domains (Whitelist)

• "Trust" button appears next to external domains when link warnings are detected
• Confirm dialog prevents accidental whitelisting
• Trusted domains shown with shield icon in blue, suppress link mismatch and external-link warnings
• Manage from add-on settings page with text-based import/export

Link Mismatch Badge

• Renamed from "PHISHING" to "LINK MISMATCH" — flashing skull animation unchanged
• Better describes the detection: displayed URL differs from link destination

All-External Link Detection

• Warns when all links point to external domains (replaces sole-link check)
• Main CTA external detection no longer requires minimum area threshold
• Both checks respect trusted domain whitelist

Other Changes

• Alignment terminology updated to RFC 7489 standard across all 12 languages
• New "storage" permission for whitelist persistence (no network access)