This workflow automates the analysis of email headers to detect the originating IP address, verify authentication mechanisms (SPF, DKIM, DMARC), and evaluate sender reputation. It can be triggered either from Outlook email events or via a Webhook API, making it suitable for both testing and production environments.
The workflow extracts key headers, checks authentication results, queries IP reputation services, and consolidates the findings into a clear, structured response. This helps security teams and analysts identify spoofed or malicious emails efficiently.
⚡ Features
- Flexible Triggers:
  - Outlook trigger for live monitoring of new emails.
  - Webhook trigger for integration with third-party platforms.
- Header Extraction & Processing:
  - Retrieves full email headers.
  - Extracts “Received”, “Authentication-Results”, “Received-SPF”, “DKIM-Signature”, and “DMARC” headers.
  - Identifies the true originating IP address (ignoring internal/private IPs).
- IP Analysis:
  - Validates extracted IP via IP Quality Score API (spam/fraud detection).
  - Enriches IP data with geolocation and organization details from IP-API.
  - Assesses sender reputation and recent spam activity.
- Authentication Checks:
  - Evaluates SPF, DKIM, and DMARC status (`pass`, `fail`, `neutral`, `error`, or `unknown`).
  - Detects missing headers and logs them accordingly.
- Consolidated Output:
  - Aggregates all results into a structured JSON object.
  - Includes authentication values, originating IP, organization, country, city, reputation, and spam activity.
  - Responds via webhook for seamless integration with external systems.
- Production-Ready & Test-Friendly:
  - Includes dedicated sections for Outlook testing and webhook-based production use.
  - Clear separation of workflow stages for easy debugging and extension.
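
The header extraction and authentication checks listed above can be sketched as follows. This is an added example, not the workflow's own code, and it goes one step further than the list by reading `Authentication-Results` only from a trusted receiver. The function names, the authserv-id `inbound.example.org`, the mapping of `softfail`, `temperror` and `permerror` onto the five statuses, and the sample headers are all assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (documentation IPs, example domains).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTPS; Tue, 02 Jan 2024 10:00:03 +0000
Received: from [192.168.1.20] (unknown [203.0.113.45])
\tby mx.example.net with ESMTPSA; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: inbound.example.org; spf=softfail smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com; dmarc=temperror header.from=example.com
Authentication-Results: mail.untrusted.example; spf=pass; dkim=pass; dmarc=pass
From: sender@example.com
"""

# Internal ranges to skip: RFC 1918, loopback, link-local, CGNAT, IPv6 ULA/link-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]
# Assumed mapping of raw results onto pass/fail/neutral/error; anything else is unknown.
STATUS = {"pass": "pass", "fail": "fail", "softfail": "fail",
          "neutral": "neutral", "temperror": "error", "permerror": "error"}

def originating_ip(msg):
    """First non-internal address in a 'from' clause, oldest Received hop first."""
    for hop in reversed(msg.get_all("Received") or []):
        from_part = re.split(r"\sby\s", hop, maxsplit=1)[0]
        for text in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", from_part):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed token that is not an IP literal
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def auth_status(msg, trusted_authserv):
    """Read spf/dkim/dmarc only from headers stamped by the trusted receiver."""
    ours = " ".join(h for h in msg.get_all("Authentication-Results") or []
                    if h.split(";")[0].strip().lower() == trusted_authserv)
    found = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ours.lower()))
    status = {m: STATUS.get(found.get(m), "unknown") for m in ("spf", "dkim", "dmarc")}
    return status, [m for m in status if m not in found]

def analyze(raw, trusted_authserv="inbound.example.org"):
    msg = message_from_string(raw)
    status, missing = auth_status(msg, trusted_authserv)
    return {"originating_ip": originating_ip(msg), **status, "missing_auth": missing}
```

`Received` lines added before the message reached your own boundary server are supplied by the sending side, so the extracted address is a lead for the reputation lookup rather than proof of origin.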