Automated Email Security: IP Reputation & Header Analysis
This n8n workflow automates crucial first steps in email threat analysis by extracting the true origin IP of incoming emails. It then enriches this data with reputation scores and geographical information to help identify potential phishing attempts or spam, bolstering your inbox's defenses.
About This Workflow
This powerful n8n workflow is designed to bolster your email security posture by automating the analysis of inbound emails. Upon receiving a new email (configured for Microsoft Outlook), it intelligently retrieves critical message headers, specifically focusing on the Received headers to trace the email's true path. It meticulously extracts the original public IP address, filtering out internal network IPs, before querying leading IP reputation services like IPQualityScore and geo-location APIs such as IP-API. Furthermore, the workflow inspects email authentication headers like Authentication-Results and Received-SPF to verify sender legitimacy, providing a comprehensive, automated assessment to safeguard your inbox from malicious threats and unwanted spam.
Key Features
- Microsoft Outlook Integration: Configured to automatically trigger on new emails received in a specified Outlook folder (initially disabled for flexible setup).
- Original IP Extraction: Intelligently extracts the public IP address of the email's true origin from Received headers, bypassing internal network hops.
- IP Reputation Scoring: Integrates with IPQualityScore to get a real-time threat assessment and fraud score for the identified origin IP.
- Geo-Location Lookup: Utilizes the IP-API service to retrieve geographical data (country, city, ISP) associated with the email's origin IP.
- Email Authentication Checks: Analyzes vital Authentication-Results and Received-SPF headers to validate sender authenticity and identify potential spoofing or malicious campaigns.
How To Use
- Configure Microsoft Outlook Credential: Ensure your microsoftOutlookOAuth2Api credential (named Outlook Credential) is correctly set up and linked to the Outlook account you wish to monitor.
- Enable and Configure "Trigger on New Email": Reactivate this node (it's currently disabled) and update the parameters.filters.foldersToInclude with the specific ID of the Outlook folder you want to monitor for new emails.
- Verify Header Retrieval: The "Retrieve Headers of Email" node uses the Microsoft Graph API to fetch all internet message headers for the incoming email. Ensure this node is functioning correctly.
- Adjust Code Node References (Important): The "Extract Received Headers" and "Extract Authentication-Results Header" nodes currently reference $('Set Headers'). You will likely need to adjust these code nodes to correctly reference the output of the "Retrieve Headers of Email" node to parse the internetMessageHeaders from the Graph API response.
- Obtain and Insert API Keys: For the "Query IP Quality Score API" node, replace the placeholder key (Mlg6aZdzI1mVehUD3Z5Ak5Vl4yNN7P8v) with your actual API key from IPQualityScore. The "Query IP API" node typically does not require a key for basic usage.
- Extend Workflow (Optional): After the IP and authentication checks, connect additional nodes to define the actions to be taken based on the analysis (e.g., move suspicious emails, send alerts to a chat service, update a database, or integrate with other security tools).
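As a reference point when adjusting the two extraction code nodes, here is one way to do the header parsing in plain JavaScript. This is an added example, not the workflow's own node code; the function names and the sample headers are constructed, and it assumes the Graph API's internetMessageHeaders shape (an array of name/value pairs, newest hop first) and IPv4 only.

```javascript
// Added example, not the workflow's own code. Input mirrors Microsoft Graph's
// internetMessageHeaders: [{ name, value }], newest hop first. IPv4 only.
const NON_PUBLIC = [/^0\./, /^10\./, /^127\./, /^169\.254\./, /^192\.168\./,
  /^172\.(1[6-9]|2\d|3[01])\./, /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./];

function isPublicIPv4(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some((o) => o > 255)) return false;
  return !NON_PUBLIC.some((re) => re.test(ip));
}

// Walk Received headers oldest-first and return the first public address in a
// "from" clause. Hops added before your own mail gateway are sender-supplied,
// so treat the result as a lead for enrichment, not as proof of origin.
function extractOriginIp(headers) {
  const received = headers.filter((h) => h.name.toLowerCase() === 'received');
  for (const { value } of received.reverse()) {
    const fromClause = value.split(/\sby\s/i)[0];
    const candidates = fromClause.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g) || [];
    const hit = candidates.find(isPublicIPv4);
    if (hit) return hit;
  }
  return null;
}

// Collect spf/dkim/dmarc verdicts from Authentication-Results; "none" if absent.
function extractAuthResults(headers) {
  const verdicts = { spf: 'none', dkim: 'none', dmarc: 'none' };
  for (const h of headers) {
    if (h.name.toLowerCase() !== 'authentication-results') continue;
    for (const [, method, result] of h.value.matchAll(/\b(spf|dkim|dmarc)=(\w+)/gi)) {
      verdicts[method.toLowerCase()] = result.toLowerCase();
    }
  }
  return verdicts;
}

// Constructed sample using documentation address ranges.
const SAMPLE_HEADERS = [
  { name: 'Received', value: 'from EDGE01.corp.example (10.13.2.7) by MBX01.corp.example (10.13.9.4); Tue, 2 Jan 2024 10:00:03 +0000' },
  { name: 'Received', value: 'from mail.sender.example (mail.sender.example [203.0.113.25]) by EDGE01.corp.example (10.13.2.7); Tue, 2 Jan 2024 10:00:01 +0000' },
  { name: 'Received', value: 'from workstation (unknown [192.168.1.44]) by mail.sender.example; Tue, 2 Jan 2024 09:59:58 +0000' },
  { name: 'Authentication-Results', value: 'spf=pass (sender IP is 203.0.113.25) smtp.mailfrom=sender.example; dkim=fail (signature did not verify) header.d=sender.example; dmarc=fail action=quarantine header.from=sender.example' },
];

console.log(extractOriginIp(SAMPLE_HEADERS), extractAuthResults(SAMPLE_HEADERS));
```

The sample shows a message that passes SPF but fails DKIM and DMARC, which is why the authentication verdicts are worth carrying alongside the IP reputation score instead of relying on either alone.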
Workflow JSON
{
"id": "a98fbe92-2982-40bd-b0a2-c28c887cd706",
"name": "Automated Email Security: IP Reputation & Header Analysis",
"nodes": 9,
"category": "Operations",
"status": "active",
"version": "1.0.0"
}
Note: This is a sample preview. The full workflow JSON contains node configurations, credentials placeholders, and execution logic.
About the Author
DevOps_Master_X
Infrastructure Expert
Specializing in CI/CD pipelines, Docker, and Kubernetes automations.