Opening Problem Statement
Meet Anna, the IT security engineer at a mid-sized company. Every day, she receives dozens of DMARC (Domain-based Message Authentication, Reporting & Conformance) reports via email. These reports are XML files zipped inside email attachments. Anna needs to manually unpack these attachments, convert the XML data to readable formats, extract valuable insights, and feed them into her company’s security database. If any issues within the reports indicate DKIM or SPF failures, she has to notify the team immediately.
Before discovering this n8n workflow, Anna spent roughly 2-3 hours daily performing these manual tasks. Error-prone and tedious, this routine distracted her from more strategic security improvements. Anna also worried about missing subtle DNS authentication issues from these complex reports, potentially risking her organization’s email deliverability and security.
What This Automation Does
This n8n workflow named “Parse DMARC reports” automates Anna’s entire DMARC processing pipeline. Here’s what happens when the workflow runs:
- Automatically triggers when a new DMARC email arrives in the IMAP inbox and downloads the attached zipped XML reports.
- Unzips and extracts XML data from the attachment files.
- Parses the XML into JSON format for easier data manipulation.
- Detects if multiple domain entries exist in a single report and splits them for individual processing.
- Maps and transforms nested DMARC data fields into a clear structured format compatible with MySQL database input.
- Formats DMARC date ranges into MySQL-friendly datetime strings for accurate storage.
- Inputs parsed and cleaned data into a MySQL database table for long-term monitoring and analytics.
- Evaluates DKIM and SPF authentication results; sends Slack and/or Email notifications if any failure is detected.
This automation saves Anna over 10 hours weekly, eliminates human errors in data input, and ensures prompt alerts on email authentication issues.
Prerequisites ⚙️
- n8n automation platform account.
- IMAP email account with access to receive DMARC reports (e.g., Gmail, Outlook, or any mail provider).
- MySQL or MariaDB database configured and accessible to n8n for storing parsed DMARC data.
- Slack account with OAuth2 credentials configured in n8n (optional, for notifications).
- Email Sending account configured in n8n (optional, as alternative notification channel).
- Basic understanding of n8n workflows and credentials setup.
Step-by-Step Guide to Build This Workflow
1. Set Up Email Trigger (IMAP) Node to Capture Incoming DMARC Reports
In n8n, add the Email Trigger (IMAP) node. Navigate to Settings → Credentials and configure your IMAP email with details like host, username, and password.
Set the node's downloadAttachments parameter to true so attachments are downloaded for further processing.
Once done, when a DMARC report email arrives, it will trigger this workflow and pull in the zipped report for parsing.
Common mistake: Forgetting to enable attachment downloading will prevent the workflow from accessing report files.
2. Unzip File Node to Extract XML Attachment
Connect the Email Trigger node to a Unzip File node.
Configure it to extract the first attachment binary property (usually attachment_0).
This node decompresses the zipped XML report for parsing.
3. Extract XML Data Node to Prepare for Parsing
Next, link to the Extract XML data node.
Set it to extract the XML content from the binary file property output by the Unzip node (e.g., file_0).
This step reads the raw XML to a structured format n8n can process further.
4. Parse XML Data to JSON Node
Add the “Parse XML data to JSON” node to convert XML into JSON format.
This node enables easier handling of complex nested XML data inside n8n.
5. Handle Multiple Records with an If Node
Attach an “If multiple records to parse” node that checks whether the JSON contains multiple DMARC records.
If there are multiple records, it branches to a “Split Out For Separate Entries” node, which splits the record array into individual entries for precise processing.
If there is only one record, it proceeds via another route through a “Rename column for consistency” node to align field names.
6. Rename Keys for JSON Consistency
Use a Rename Keys node to rename the deeply nested key feedback.record to a simpler alias (e.g., fbr) for easier referencing in later steps.
7. Map Fields for Database Input
This “Map fields for DB input and parse” Set node is crucial. It assembles an organized JSON object mapping all necessary fields from DMARC data, including:
- Original full data JSON string
- Organization name, domain, policy info
- Date ranges (begin/end)
- Source IP, mail count, evaluated DKIM/SPF results, disposition
- Identifiers and auth results if present
This process transforms nested, verbose DMARC report data into a neat schema matching your DB table.
8. Format Date Ranges for MySQL
Chain two DateTime Format nodes to convert DMARC date timestamps (often Unix or other formats) into yyyy-MM-dd hh:mm:ss format readable by MySQL.
The first formats the beginning date; the second formats the end date.
9. Input Processed Data Into MySQL Database
Use the MySQL node to insert the transformed data into your dmarc database table.
Map each field from the previous node accordingly into DB columns.
10. Detect DKIM/SPF Failures with If Node
Add an “If issue with DKIM or SPF” node to check if either the DKIM or SPF evaluation is not “pass.”
If failures are found, branch to notification nodes.
11. Send Notifications on Authentication Failures
Add a Slack Post Message On Channel node to send a Slack alert with details about the domain, mail count, and specific failure disposition.
Optionally, use the Send Error Notification Email node to email the security team.
Remember to set up Slack OAuth2 credentials and/or SMTP email settings properly in n8n.
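Steps 5 to 10 written out as plain JavaScript, as an added example that is not part of the original workflow. Input field names follow the DMARC aggregate report schema; the function names and output column names are assumptions, and dates are rendered on a 24-hour UTC clock.

```javascript
// Added example (not the workflow's own code). Input is the object produced by
// XML-to-JSON parsing; function names and output column names are assumptions.
const sampleReport = { // constructed sample with a single <record>
  feedback: {
    report_metadata: { org_name: 'receiver.example',
      date_range: { begin: '1700000000', end: '1700086399' } },
    policy_published: { domain: 'example.com', p: 'quarantine' },
    record: {
      row: { source_ip: '192.0.2.10', count: '3',
        policy_evaluated: { disposition: 'quarantine', dkim: 'fail', spf: 'pass' } },
    },
  },
};

// Unix seconds -> 'YYYY-MM-DD HH:MM:SS' (UTC, 24-hour clock) for a DATETIME column.
function toMysqlDatetime(unixSeconds) {
  const n = Number(unixSeconds);
  if (!Number.isInteger(n) || n < 0) throw new Error(`bad timestamp: ${unixSeconds}`);
  return new Date(n * 1000).toISOString().slice(0, 19).replace('T', ' ');
}

function mapReport(parsed) {
  const fb = parsed && parsed.feedback;
  if (!fb || !fb.record || !fb.report_metadata) throw new Error('not a DMARC aggregate report');
  // One <record> parses to an object, several to an array: normalise to an array.
  const records = Array.isArray(fb.record) ? fb.record : [fb.record];
  const range = fb.report_metadata.date_range || {};
  return records.map((rec) => {
    const row = rec.row || {};
    const ev = row.policy_evaluated || {};
    return {
      org_name: String(fb.report_metadata.org_name || ''),
      domain: String((fb.policy_published || {}).domain || ''),
      date_begin: toMysqlDatetime(range.begin),
      date_end: toMysqlDatetime(range.end),
      source_ip: String(row.source_ip || ''),
      mail_count: Number(row.count) || 0,
      disposition: String(ev.disposition || ''),
      dkim: String(ev.dkim || 'missing'),
      spf: String(ev.spf || 'missing'),
      // Anything other than an explicit "pass" (including a missing field) alerts.
      alert: ev.dkim !== 'pass' || ev.spf !== 'pass',
    };
  });
}

console.log(mapReport(sampleReport));
```

Because every value arrives from an external reporter, pass the returned fields to the database as bound parameters rather than concatenating them into SQL.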
Customizations ✏️
- Add New Notification Channels: Add a Microsoft Teams or SMS node after the DKIM/SPF failure IF node to notify via alternate channels.
- Change Date Format: In the DateTime Format nodes, modify the customFormat field to match other regional or reporting system datetime formats.
- Database Table Adjustments: Update the MySQL node to point to a different database or table if you have a custom schema or want to feed data into data warehousing solutions.
- Attachment Handling: Update the Unzip node to handle multiple attachments if your email might contain more than one zipped file per report.
- Filter Emails by Subject: Add an If node after the Email Trigger to process only emails matching “DMARC report” in subject to avoid unrelated emails.
Troubleshooting 🔧
Problem: “No attachments found in email”
Cause: The IMAP Email Trigger was not set to download attachments or the incoming emails truly lack them.
Solution: In the Email Trigger, ensure “Download Attachments” is enabled. Also verify incoming emails contain zipped XML files.
Problem: “XML parsing errors”
Cause: The Extract XML or Parse XML node may encounter malformed input or an incorrect binary property reference.
Solution: Verify the Unzip node outputs the correct binary named property (like file_0). Use n8n’s debug mode to inspect payloads before XML parsing.
Problem: “Database insertion fails or null data”
Cause: Data mapping mismatches or date format errors causing SQL errors.
Solution: Double-check field names in the MySQL node match your database schema. Confirm date formatting nodes output valid yyyy-MM-dd hh:mm:ss strings.
Pre-Production Checklist ✅
- Test IMAP Email trigger with a sample DMARC report email to confirm attachment download.
- Verify Unzip node properly extracts XML files.
- Check successful XML-to-JSON conversion in parsing nodes.
- Simulate multiple record DMARC reports to ensure splitting logic works.
- Validate date format nodes output correct strings for MySQL.
- Test database inserts with sample data.
- Trigger DKIM/SPF failure conditions and confirm notifications send correctly.
Deployment Guide
Once tested, activate this workflow in n8n by toggling it to active.
Make sure your credentials for email, database, and Slack/email notifications are securely saved and refreshed if needed.
Monitor workflow executions through n8n’s dashboard and logs for failures or performance issues.
FAQs
Q: Can I use an Office365 email account instead of IMAP?
A: Yes, as long as it supports IMAP and you provide the correct server details and credentials, the Email Trigger (IMAP) node will work.
Q: Will this workflow consume many API calls or credits?
A: This workflow uses IMAP for email and standard MySQL connections, so it doesn’t consume API credits like a SaaS API might.
Q: Is my DMARC data secure?
A: Yes, data stays within your environment and database. Ensure your n8n and DB credentials are properly secured.
Conclusion
In this tutorial, you automated the tedious and error-prone process of handling DMARC email reports using n8n. You set up an email-based trigger to fetch zipped XML reports, unpacked and parsed them, converted data into MySQL-friendly formats, and alerted your team on any security authentication failures.
This workflow can save you over 10 hours weekly and dramatically improve your email domain security visibility and response times.
Next steps you could try include adding deeper analytics dashboards on DMARC trends, integrating with SIEM systems for security correlation, or expanding notifications to multiple channels like SMS and Teams.
Ready to boost your email security workflow? Let’s get this automation running and keep your domains safe!