What this workflow does
This workflow takes an email header string as input and checks it for fake senders and bad IP addresses quickly.
It finds IP addresses inside the header and looks up if those IPs have bad reputations using online services.
It also checks if the email passed security checks like SPF, DKIM, and DMARC.
After all checks, it sends back a clear report showing if the email is safe or suspicious.
Who should use this workflow
The user who gets lots of suspicious emails and wants to save time finding bad senders can use this.
No need to look at raw headers and guess the risks anymore.
It helps people checking email security faster and more accurately.
Tools and services used
- n8n: For building and running the automation workflow.
- IP Quality Score API: Checks IP addresses for fraud and abuse risks.
- IP-API: Returns location and ISP info for IP addresses.
- Webhook endpoint: To start the workflow with email header data.
Input, processing, and output
Input
User sends an email header text to the webhook URL in n8n as a POST request.
Processing
- The workflow splits the header into parts and finds IP addresses.
- Each IP address is checked using IP Quality Score for bad behavior.
- IP-API adds more info about the IP’s location and ISP.
- The workflow reads security checks from the header (SPF, DKIM, DMARC).
- All data is joined into one report.
Output
A JSON object showing IP reputations, location details, and authentication results is returned to the webhook caller.
Beginner step-by-step: How to use this workflow in n8n production
Download and import the workflow
- Find and click the Download button on this page to save the workflow file to your computer.
- Open your n8n editor where you build flows.
- Click the menu and choose “Import from File”.
- Select the downloaded workflow file and import it.
Configure the workflow
- Open the imported workflow to see all nodes.
- Enter your IP Quality Score API Key in the node named HTTP Request node called IP Quality Score. Replace the placeholder with your real key.
- Check if any IDs, URLs, or email addresses used in the nodes match your real environment. Edit them if needed.
Test and activate
- Send a test email header as a POST request to the URL of the Webhook node named Receive Headers.
- Look at the workflow run to confirm the output includes IP checks and authentication results.
- If all looks good, turn on the workflow’s toggle switch to activate it for real use.
You can now send real email headers to this webhook and get detailed safety reports back automatically.
If self hosting n8n, remember to secure the webhook URL and keep API Keys private. Learn more about self-host n8n.
Customizations
- Add deeper DKIM checks to confirm signature validity and alignment.
- Make a whitelist of safe IPs to skip some fraud checks.
- Add more IP Quality Score parameters to catch VPNs or anonymizers.
- Setup logging for suspicious IPs and fails using Google Sheets or file writing nodes.
- Add alerts to Slack channel when bad IPs or authentication failures are found.
Possible problems and fixes
- If the IP Quality Score node shows 401 errors, check if the API Key is correct and not expired.
- If the webhook never receives data, make sure to use the POST method and the correct URL path.
- Too many requests to IP-API can cause rate limiting; slow down query speed or batch IPs.
Summary
✓ Automatically parses email headers to find all IP addresses found in received headers.
✓ Looks up IP quality and reputation to highlight risky senders.
✓ Checks SPF, DKIM, and DMARC authentication results from header data.
✓ Creates one easy-to-understand JSON report of IP risk and email auth.
→ Greatly cuts manual checking time and mistakes in email security analysis.
→ Helps quickly surface spoofing or phishing risk from suspicious emails.
✓ Can be extended with alerts, logging, or whitelisting for custom security needs.