Opening Problem Statement
Meet Sarah, a cybersecurity analyst responsible for protecting her company from phishing and spoofing attacks. Every day, Sarah receives hundreds of emails, many appearing suspicious. Manually investigating the legitimacy of these emails wastes her hours, delays responses, and sometimes lets harmful messages slip through, risking the company’s security.
Sarah needs a way to automate the detailed inspection of incoming Outlook email headers — including pulling out originating IP addresses, checking authentication protocols like SPF, DKIM, and DMARC, and assessing the sending IP’s reputation — but without juggling multiple tools or complex scripts. This is exactly what this n8n workflow solves, saving Sarah valuable time while strengthening email security.
What This Automation Does
This n8n workflow processes incoming Outlook email headers and extracts crucial security and origin information. Specifically, when running, it:
- Retrieves detailed headers from a new email in a specified Outlook folder.
- Extracts the originating IP address from the most recent “Received” header, filtering out private IPs.
- Queries IP reputation services (IP Quality Score and IP API) to gather fraud risk, geographical location, and organizational data about the IP.
- Checks for the presence and results of key email authentication headers: Authentication-Results, Received-SPF, DKIM-Signature, and DMARC headers.
- Determines SPF, DKIM, and DMARC pass/fail status based on header data, handling cases when headers are missing.
- Consolidates and formats all gathered data into a structured JSON response, ready to be used by third-party platforms via webhook.
By automating this process, Sarah can save several hours weekly, eliminate manual error, and respond faster to suspicious emails.
Prerequisites ⚙️
- Microsoft Outlook Account with OAuth credentials configured in n8n to access email messages.
- n8n Automation Platform Account (cloud or self-hosted) to build and run the workflow.
- IP Quality Score API Key for querying IP reputation.
- Internet Connection for n8n to send HTTP requests to APIs.
- No additional services are required: the reputation APIs are called directly from n8n HTTP Request nodes.
Step-by-Step Guide
1. Set Up Outlook Email Trigger (Optional Testing)
Open the Trigger on New Email node (disabled by default) and configure it to watch your Outlook inbox or a specific folder. It polls every minute and triggers the workflow when new emails arrive.
For initial testing, enable it: Click the node → Enable → Ensure Microsoft Outlook OAuth2 credentials are connected correctly.
On trigger, it fetches the new email’s ID to pull its headers.
Common mistake: Forgetting to enable this node or misconfiguring OAuth credentials.
2. Retrieve Email Headers from Microsoft Graph API
The Retrieve Headers of Email HTTP Request node calls Microsoft Graph API with the email ID to get detailed internetMessageHeaders.
Parameters: URL template as https://graph.microsoft.com/v1.0/me/messages/{{ $json.id }}?$select=internetMessageHeaders.
Authentication: Use OAuth credentials tied to Outlook.
Expected output is an array of headers containing routing and authentication info.
Common mistake: An incorrect API URL or a missing ?$select=internetMessageHeaders query parameter, without which the headers are not returned.
3. Extract Headers Array
Use the Set Headers Here node to pick the internetMessageHeaders array from the previous node’s JSON and assign it to a standardized field named headers for further nodes.
This simplifies further processing by having headers in a consistent place.
4. Extract “Received” Headers Using Code Node
The Extract Received Headers Code node filters the headers array down to those named “Received”; each one records a mail server that relayed the message.

```javascript
// JavaScript code snippet for the Code node
// The node reference in $('...') must match the exact name of your Set node.
const headers = $('Set Headers').item.json.headers;
// Keep only the relay trace headers
const receivedHeaders = headers.filter(header => header.name === "Received");
return receivedHeaders;
```

This identifies all relay points the email passed through.
5. Keep Only the Most Recent “Received” Header
The Remove Extra Received Headers Limit node trims the list to keep only the last “Received” header. This usually holds the originating IP address.
This streamlines the data for IP extraction.
6. Extract Original From IP Address
The Extract Original From IP Set node applies a regex to the last “Received” header that skips private/internal IP addresses and captures the first external IPv4 or IPv6 address found.
The regex excludes the private ranges (127.x.x.x, 10.x.x.x, etc.) and matches only well-formed IP addresses.
Example output field: extractedfromip.
Common mistake: Regex syntax errors or overlooking private IP exclusions can lead to incorrect IP extraction.
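Step 6 relies on a regex that skips private addresses. As an added example that is not the workflow's own Set-node expression, here is the same extraction written as a plain JavaScript function; the sample header is constructed and the private-range list is the example's own.

```javascript
// Added example, not the workflow's own Set-node regex: take one "Received" header
// value, skip private/loopback/link-local addresses and return the first public
// IPv4 or IPv6 address in order of appearance ('' when none is found).

// Constructed sample: an internal hop (10.0.0.5) followed by a public relay.
const SAMPLE_RECEIVED =
  'from mail.example.net (mail.example.net [10.0.0.5]) by mx.example.com ' +
  'with ESMTP id abc123; from relay (unknown [198.51.100.23]); ' +
  'Tue, 1 Jan 2030 10:00:00 +0000';

const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Full 8-group IPv6, or a compressed form containing "::" (clock times such as
// 10:00:00 never contain "::" and so are not picked up).
const IPV6_RE =
  /(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(?:[0-9a-f]{1,4})?(?::[0-9a-f]{1,4})*::(?:[0-9a-f]{1,4}(?::[0-9a-f]{1,4})*)?/gi;

function isPrivateIpv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function isPrivateIpv6(ip) {
  const a = ip.toLowerCase();
  // unspecified, loopback, unique-local (fc00::/7), link-local (fe80::/10), IPv4-mapped
  return a === '::' || a === '::1' || /^f[cd]/.test(a) || /^fe[89ab]/.test(a) ||
    a.startsWith('::ffff:');
}

function extractOriginIp(received) {
  // Received headers often write "IPv6:2001:db8::1"; drop the label so the
  // trailing "6" is not swallowed into the address match.
  const text = received.replace(/IPv6:/gi, ' ');
  const candidates = [];
  for (const m of text.matchAll(IPV4_RE)) {
    const valid = m[0].split('.').every(o => Number(o) <= 255);
    if (valid && !isPrivateIpv4(m[0])) candidates.push({ index: m.index, ip: m[0] });
  }
  for (const m of text.matchAll(IPV6_RE)) {
    if (!isPrivateIpv6(m[0])) candidates.push({ index: m.index, ip: m[0].toLowerCase() });
  }
  candidates.sort((x, y) => x.index - y.index);
  return candidates.length ? candidates[0].ip : '';
}
```

Only the Received lines added by your own mail servers are trustworthy; earlier hops can be written by the sender, so treat the extracted IP as an investigation lead that the reputation lookups then qualify.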
7. Check if Original IP Exists
The Original IP Found? If node checks whether the extracted IP is non-empty. If it is empty, the workflow routes to a No Operation node and stops further processing.
This avoids wasting resources on empty or invalid IP data.
8. Query IP Reputation via IP Quality Score API
The Query IP Quality Score API HTTP Request node queries the IPQualityScore.com API using the extracted IP.
URL template: https://ipqualityscore.com/api/json/ip/API_KEY/{{extractedfromip}}?strictness=1&allow_public_access_points=true&lighter_penalties=true
This returns fraud score and spam activity info, showing if the IP was involved in recent spam or scams.
9. Query Additional IP Info via IPAPI
The Query IP API node calls http://ip-api.com/json/{{extractedfromip}} to get more info such as city, country, and organization.
This enriches the IP data with location and ownership details.
10. Check for “Authentication-Results” Header
The Authentication-Results Header? If node checks whether the email headers include “Authentication-Results”, which summarizes the SPF, DKIM, and DMARC results.
If it is not found, the workflow proceeds to check each header type separately.
11. Extract and Determine SPF, DKIM, DMARC Status
The workflow includes multiple nodes to individually check for:
- Received-SPF header (extract, aggregate, set pass/fail value or record absent)
- DKIM-Signature header (mark presence or absence)
- DMARC header (extract and set pass/fail value or flag as missing)
Code nodes and set nodes parse header strings, aggregate results, and classify authentication results clearly.
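As an added example that is not the workflow's own node code, steps 10 and 11 can be expressed as one JavaScript function over Graph's internetMessageHeaders array: Authentication-Results is parsed first, and Received-SPF and DKIM-Signature serve as the fallbacks. The sample headers are constructed, and the 'present' label for an unverified DKIM-Signature is this example's own choice.

```javascript
// Added example, not the tutorial's node code: derive spf/dkim/dmarc status from a
// Microsoft Graph internetMessageHeaders array ({ name, value } objects).
// Authentication-Results is preferred; Received-SPF and DKIM-Signature are the
// fallbacks the tutorial checks separately when it is absent.

// Constructed sample, shaped like Graph's internetMessageHeaders output.
const SAMPLE_HEADERS = [
  { name: 'Received', value: 'from relay.example.net ([198.51.100.23]) by mx.example.com' },
  { name: 'Authentication-Results',
    value: 'mx.example.com; spf=pass (sender IP is 198.51.100.23) smtp.mailfrom=example.net; ' +
           'dkim=fail (signature did not verify) header.d=example.net; ' +
           'dmarc=pass action=none header.from=example.net' },
  { name: 'DKIM-Signature', value: 'v=1; a=rsa-sha256; d=example.net; s=sel; h=from:to; bh=...; b=...' },
];

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const hit = headers.find(h => h.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Extract "<method>=<result>" (e.g. "spf=pass") from an Authentication-Results value.
function authResult(ar, method) {
  const m = ar.match(new RegExp(`(?:^|[;\\s])${method}=([a-z]+)`, 'i'));
  return m ? m[1].toLowerCase() : null;
}

function determineAuthStatus(headers) {
  const out = { spf: 'missing', dkim: 'missing', dmarc: 'missing' };
  const ar = getHeader(headers, 'Authentication-Results');
  if (ar) {
    for (const method of Object.keys(out)) out[method] = authResult(ar, method) || 'missing';
  }
  // Fallback 1: Received-SPF starts with the result token (pass, fail, softfail, ...).
  if (out.spf === 'missing') {
    const spf = getHeader(headers, 'Received-SPF');
    const m = spf ? spf.match(/^\s*([a-z]+)/i) : null;
    if (m) out.spf = m[1].toLowerCase();
  }
  // Fallback 2: a DKIM-Signature header only proves the message was signed, not that
  // the signature verified, so it is recorded as 'present' rather than 'pass'.
  if (out.dkim === 'missing' && getHeader(headers, 'DKIM-Signature')) out.dkim = 'present';
  // DMARC has no standalone header; its verdict comes only from Authentication-Results.
  return out;
}
```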
12. Format Authentication Results and Combine With IP Info
Using Determine Auth Values and Format Combined Auth Output Set nodes, the workflow compiles SPF, DKIM, DMARC results with originating IP info, location, organization, and IP quality scores.
This structured data gives a clear picture of the email’s security standing.
13. Merge Authentication Results Streams
The Merge node consolidates SPF, DKIM, and DMARC parsed data streams into one.
The Aggregate node groups all item data for final processing.
14. Format Final Output and Respond to Webhook
The Format Individual Auth Outputs node creates a JSON object with all results labeled: spf, dkim, dmarc, IP, organization, country, city, spam activity, and reputation.
The Format Webhook Output node sends this as the final structured response format.
The Respond to Webhook node returns this JSON when the webhook is called by external systems.
Customizations ✏️
- Change Email Source Folder: In the Trigger on New Email node, modify the Outlook folder ID to watch a different mailbox folder (e.g., “Inbox” or “Spam”) to target specific emails.
- Adjust IP Quality Score Parameters: In the Query IP Quality Score API node, tweak URL parameters such as strictness, allow_public_access_points, or lighter_penalties to balance sensitivity and accuracy of reputation checks.
- Expand Header Checks: Add new Code nodes modeled after the existing ones to parse other headers if your organization uses custom authentication headers.
- Output Format Customization: Modify the Format Individual Auth Outputs Set node to add or remove fields or change label names to fit your API consumer’s data schema.
- Enable Trigger Node: Activate the Trigger on New Email node for real-time automation and continuous inbox monitoring instead of webhook-only testing.
Troubleshooting 🔧
Problem: “Authentication-Results Header?” condition always false.
Cause: Headers array may not include “Authentication-Results” due to non-standard email server configurations.
Solution: Verify the raw headers in test emails. Adjust the header name case or add alternative header checks.
Problem: IP is not extracted correctly from “Received” header.
Cause: Regex in Extract Original From IP node might not cover all IP formats.
Solution: Test the regex with sample headers and adjust it to include uncommon IP patterns or IPv6 formats.
Problem: Webhook doesn’t respond when called.
Cause: Workflow is not activated.
Solution: Activate the workflow in n8n so the webhook listens and responds.
Pre-Production Checklist ✅
- Confirm valid Microsoft Outlook OAuth credentials are set and tested.
- Test the Retrieve Headers of Email node with a sample email ID to confirm header retrieval.
- Verify IP extraction works correctly on multiple emails with varied header formats.
- Test IP reputation API calls with your API key to confirm proper responses.
- Use webhook testing tools to simulate incoming email header data and check structured output.
- Backup the workflow configuration before production deployment.
Deployment Guide
To deploy this workflow for real use, activate it in your n8n instance so the webhook starts listening for requests. If using the Outlook trigger, ensure it is enabled and properly polling the correct folder.
Monitor the workflow’s executions via the n8n dashboard logs for errors or unexpected results. Adjust API keys or node parameters as needed.
Consider setting up alerting on failed runs or suspicious output patterns.
FAQs
Q: Can I use a Gmail account instead of Outlook?
A: This workflow is designed specifically for Microsoft Outlook due to the Microsoft Graph API usage. You would need to modify trigger and HTTP request nodes for Gmail’s API.
Q: Does querying IP Quality Score API consume API credits?
A: Yes, be mindful of your API usage limits when deploying at scale.
Q: Is the workflow secure?
A: Sensitive data is only handled within n8n and via secure API calls. OAuth tokens should be secured by n8n credentials management.
Q: Can this workflow handle a high volume of emails?
A: Yes, but performance depends on your n8n setup and API rate limits.
Conclusion
By completing this tutorial, you have built a powerful n8n automation that inspects Outlook email headers in-depth, extracts sender IP addresses, analyzes IP reputation, and verifies crucial authentication headers like SPF, DKIM, and DMARC.
This workflow saves you significant time previously spent on manual email investigation, improves security by detecting suspicious senders quickly, and provides actionable data for further decision-making or automated responses.
Next, consider extending this system to automatically quarantine flagged emails, generate security incident reports, or integrate results with your SIEM system for broader visibility.
Keep experimenting with n8n’s flexibility — your cybersecurity automation journey has only just begun!