Comprehensive Email Header Security and IP Reputation Analysis Workflow
This workflow automates the extraction and analysis of email header information, focusing on assessing the security authentication and reputation of the sending IP, helping users identify potential email risks. It utilizes Microsoft Outlook and the Graph API to obtain email information, and combines IP quality scoring with geographic information queries to systematically provide authentication results such as SPF, DKIM, and DMARC. Ultimately, it outputs the results in a structured JSON format, facilitating integration with third-party systems and enhancing the efficiency of email security monitoring and risk assessment, making it suitable for various organizations and developers.

Key Features and Highlights
This workflow automates the extraction and analysis of detailed email header information, focusing on the original sending IP address and its security authentication results (SPF, DKIM, DMARC). It leverages Microsoft Outlook triggers and Microsoft Graph API to retrieve email header data, combined with third-party services such as IP Quality Score and IP-API to perform reputation checks and geolocation of the sending IP. The consolidated authentication results and IP reputation data are output in a structured JSON format via Webhook, facilitating integration with third-party systems and enabling subsequent automated processing.
Core Problems Addressed
- Automatically identify the original sending IP from email headers, excluding private/internal IP addresses.
- Evaluate the reputation of the sending IP to determine if the email may originate from spam or malicious sources.
- Systematically extract and parse email authentication results to assess compliance with SPF, DKIM, and DMARC policies.
- Provide unified, structured security authentication and IP reputation analysis results, supporting API calls and automated responses.
Application Scenarios
- Email Security Systems: Assist email gateways or security teams in verifying email security and detecting threats for inbound and outbound emails.
- Anti-Spam Services: Help determine email trustworthiness, reducing risks of spam and phishing emails.
- Email Operations and Compliance Monitoring: Monitor email authentication configurations to prevent corporate email spoofing or tampering.
- Third-Party Platform Integration: Provide email security analysis data to external systems via Webhook interfaces.
Main Workflow Steps
- Email Trigger and Header Retrieval
  - Monitor new emails in designated Outlook mailbox folders (optional enablement).
  - Retrieve complete email header information via Microsoft Graph API.
- Email Header Processing
  - Extract all “Received” headers to locate the latest original sending IP, filtering out internal/private IP addresses.
- IP Reputation and Geolocation Lookup
  - Query IP Quality Score API for fraud scores and spam-related information of the IP.
  - Query IP-API for organizational, country, city, and other geolocation details corresponding to the IP.
- Email Authentication Result Analysis
  - Check for the presence of the “Authentication-Results” header; extract and parse SPF, DKIM, and DMARC statuses.
  - If absent, individually check and extract “Received-SPF,” “DKIM-Signature,” and “DMARC” headers to determine their presence and results.
  - Classify each authentication result into categories such as pass, fail, neutral, error, or unknown.
- Result Consolidation and Output
  - Merge SPF, DKIM, DMARC results with IP reputation and geolocation data.
  - Format into a standardized JSON structure.
  - Output via Webhook response, supporting external calls and system integration.
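The header-processing and authentication-parsing steps above, sketched as an added JavaScript example (not the workflow's own code). It assumes headers arrive as an array of `{ name, value }` objects in message order and handles IPv4 only; the function names, the keyword-to-category mapping and the sample headers are constructed for illustration.

```javascript
// Added illustration: function names and sample headers are constructed.
const PRIVATE_V4 = [
  /^10\./, /^127\./, /^169\.254\./, /^192\.168\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
  /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./, // 100.64.0.0/10 shared space
];
const isPublicV4 = (ip) =>
  ip.split('.').every((o) => Number(o) <= 255) && !PRIVATE_V4.some((re) => re.test(ip));

// headers: [{ name, value }] in message order, i.e. newest Received first.
function findSendingIp(headers) {
  for (const h of headers) {
    if (h.name.toLowerCase() !== 'received') continue;
    // Use only the "from" clause: "by" holds the receiver's own address and version strings.
    const fromClause = h.value.split(/\sby\s/i)[0];
    const hit = (fromClause.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g) || []).find(isPublicV4);
    if (hit) return hit; // lower hops are outside the receiver's control
  }
  return null;
}

// Assumed mapping of result keywords onto the five categories.
function classify(result) {
  const r = (result || '').toLowerCase();
  if (r === 'pass') return 'pass';
  if (['fail', 'softfail', 'policy'].includes(r)) return 'fail';
  if (['neutral', 'none'].includes(r)) return 'neutral';
  if (['temperror', 'permerror'].includes(r)) return 'error';
  return 'unknown';
}

function parseAuthResults(headers) {
  const out = { spf: 'unknown', dkim: 'unknown', dmarc: 'unknown' };
  // find() returns the topmost header, the one added last on the receiving side.
  const ar = headers.find((h) => h.name.toLowerCase() === 'authentication-results');
  if (!ar) return out;
  for (const method of Object.keys(out)) {
    const m = ar.value.match(new RegExp(`(?:^|[;\\s])${method}=([a-z]+)`, 'i'));
    if (m) out[method] = classify(m[1]);
  }
  return out;
}

// Constructed sample headers (documentation IP ranges).
const sampleHeaders = [
  { name: 'Received', value: 'from edge01.corp.example (10.1.2.3) by mbx01.corp.example (10.1.2.9) id 15.20.123.45' },
  { name: 'Received', value: 'from mail.sender.example (mail.sender.example [203.0.113.25]) by edge01.corp.example (10.1.2.3)' },
  { name: 'Received', value: 'from laptop (unknown [198.51.100.7]) by mail.sender.example' },
  { name: 'Authentication-Results', value: 'mx.corp.example; spf=pass smtp.mailfrom=sender.example; dkim=fail header.d=sender.example; dmarc=temperror header.from=sender.example' },
];
```

For the sample, `findSendingIp(sampleHeaders)` returns the address recorded by the receiving edge server, and the hop beneath it is ignored because everything below that point was written by systems the receiver does not control.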
Involved Systems and Services
- Microsoft Outlook (Email triggering and authentication)
- Microsoft Graph API (Email header retrieval)
- IP Quality Score API (IP reputation and fraud detection)
- IP-API (IP geolocation and organizational information lookup)
- n8n Webhook (External system integration and response)
Target Users and Value
- Email security engineers and operations personnel, enhancing email security monitoring efficiency.
- Enterprise IT security teams for email protection and threat intelligence analysis.
- Anti-spam service providers for automated email verification and risk assessment.
- Developers and third-party platforms for easy integration of email security analysis APIs to strengthen product security capabilities.
This workflow automates email header analysis and IP reputation checks to help users effectively identify potential email risks and ensure secure email communications. It is suitable for organizations and platforms requiring email security verification and automated analysis.