What This Workflow Does
This workflow looks at email headers from Outlook emails. It finds the original sender’s IP address and checks if the IP is safe or risky. It also checks if the email passed security tests like SPF, DKIM, and DMARC. The final result shows clear info about the email’s origin and security status. This helps users find bad emails faster and easier.
Who Should Use This Workflow
This is good for anyone who wants to check emails deeply without doing slow manual work. It is especially useful for users who get many suspicious emails and want faster, better detection of phishing risks. It helps people working with Outlook who need clear reports on sender IP and email security checks.
Tools and Services Used
- Microsoft Outlook OAuth Credentials: To access emails and headers via Microsoft Graph API.
- n8n Automation Platform: Builds and runs the workflow logic.
- IP Quality Score API: Checks IP addresses for fraud and spam risk.
- IPAPI HTTP API: Gives location and organization info of IP addresses.
- Microsoft Graph API: Gets email headers from Outlook.
Beginner Step-by-Step: How To Use This Workflow in n8n
Import the Workflow
- Download the workflow file using the Download button on this page.
- Open the n8n editor where workflows are created.
- Click “Import from File” and select the workflow file.
Setup Required Credentials and IDs
- Add Microsoft Outlook OAuth credentials under n8n Credentials section.
- Enter the IP Quality Score API Key in the relevant HTTP Request node URL.
- If needed, update email folder IDs, emails, or webhook URLs in the nodes.
Test and Activate
- Run the workflow once by triggering or calling the webhook to confirm it works.
- Check outputs to see if IPs and authentication data are correct.
- When happy, activate the workflow for ongoing use.
These simple steps let users deploy the workflow quickly. Adjustments are minimal and easy to do.
For users running n8n on their own system, check self-host n8n resources to support smooth operation.
Inputs, Processing Steps, and Output
Inputs
- New email arrives in Outlook folder (optional trigger).
- Email ID pulled from trigger or webhook call.
Processing Steps
- Call Microsoft Graph API to get full email headers.
- Extract the headers array and filter to find all “Received” headers.
- Keep only the last “Received” header which has the originating IP.
- Use regex to find an external IP address, skip internal/private IPs.
- Check if an IP was found; if not, stop processing.
- Call IP Quality Score API for fraud and spam risk info about the IP.
- Call IPAPI to get location and company data of the IP.
- Check if “Authentication-Results” header is present to get SPF, DKIM, DMARC results.
- If missing, check “Received-SPF”, “DKIM-Signature”, and DMARC headers separately.
- Parse the headers to set pass/fail or missing statuses for SPF, DKIM, DMARC.
- Combine all info into a structured JSON object.
Output
- JSON object showing:
- Sender IP address.
- IP organization, city, country.
- IP risk scores (fraud, spam, abuse).
- SPF, DKIM, DMARC pass/fail status.
- Ready for use by other apps via webhook.
Edge Cases and Failures
- If no “Received” header with external IP is found, the process stops early.
- IP extraction fails if regex does not match uncommon IP formats.
- Missing “Authentication-Results” header triggers fallback to checking individual authentication headers.
- API errors or rate limits may cause missing reputation or location data.
- Webhook does not reply if the workflow is not active.
Users should test with multiple example emails to catch these cases.
Customization Ideas
- Change Outlook folder in the trigger node for different email sources.
- Adjust IP Quality Score API parameters for more or less strict risk assessments.
- Add parsing for other custom email authentication headers if needed.
- Edit the output JSON format node to match target API or reporting tools.
- Enable the Outlook trigger node for automated checks instead of only webhooks.
Summary
✓ Checks Outlook email headers deeply.
✓ Extracts original sender IP and filters private IPs.
✓ Queries IP reputation and location data.
✓ Reads SPF, DKIM, and DMARC authentication status.
✓ Outputs clear structured JSON for easy use.
✓ Saves time and reduces manual email checks.
✓ Easy to import and start with minimal setup.