Stop guessing if an email is safe. This automation reads raw email headers, checks the sender IP reputation, and confirms SPF, DKIM, and DMARC status. Security and IT teams can use it to speed up phishing review and block risky senders fast.

It starts with a webhook that receives the header text. The flow splits into two tracks. One track pulls IPs from Received lines, checks each IP with IPQualityScore, and adds location data from IP API. The other track scans Authentication Results and also looks at received spf, dkim signature, and received dmarc fields. The results are merged into one clean JSON report, then sent back through the webhook with a 200 status so you can use it in tickets or alerts.

Setup is simple. You only need the webhook URL and an IPQualityScore API key. IP API does not need a key but it has a rate limit, so plan your volume. Teams usually cut manual header review from many minutes to under a minute per message. Use it to enrich SOC tickets, score inbound messages from forms, or add checks before creating user alerts.

• Webhook intake that receives raw email headers as JSON
• Header explode and parsing to isolate Received lines for IPs
• Regex extraction and item splitting to process each IP on its own
• IPQualityScore check to get fraud score and abuse signals
• IP API lookup to add ISP and geolocation details
• Code node that summarizes spam activity and sender reputation
• SPF DKIM DMARC detection from authentication results and related headers
• Switch and set nodes to label pass fail neutral unknown states
• Merging and joining steps that compile everything into a single JSON object
• Respond to Webhook node that returns the final report with HTTP 200

• Reduce manual header review from 15 minutes to under 1 minute per email
• Automate over 90 percent of IP reputation lookups
• Improve triage accuracy by flagging risky IPs and failed SPF DKIM DMARC
• Handle up to 10 times more reviews without adding staff
• Unify two reputation sources into one clear JSON report
• Return a ready to use result to your webhook or ticket system

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with IPQualityScore and IP-API. See the Tools Required section above for links to create accounts with these services.
3. Open the Receive Headers node. Copy the Test URL. You will send test requests here while you configure the flow.
4. Get your IPQualityScore API key from your IPQualityScore dashboard. In n8n, open the IP Quality Score node and replace the placeholder in the URL with your key. You can also store the key as an environment variable and reference it with an expression.
5. IP-API needs no credential setup. Keep in mind the service limits requests per minute, so space out tests if you see HTTP 429.
6. Prepare a test request. Send a POST to the webhook URL with Content-Type application/json and a body field that contains the raw email header text. Use the example payload to validate your format.
7. Run a test execution. Confirm the Split Out IPs, IP Quality Score, IP-API, and Collect interesting data nodes each show values like IP, fraud_score, ISP, and recent_abuse.
8. Check the SPF DKIM DMARC branch. Review outputs from the authentication nodes and ensure statuses are set to pass fail neutral or unknown as expected.
9. Open the final Join nodes and the Respond to Webhook node. Verify the result field returns a single JSON report with ipAnalysis and authentication statuses.
10. If you get empty IP results, confirm your headers include Received lines and adjust the IP regex if you need IPv6. If you get 429 errors, slow down requests or add a wait step.
11. When everything looks good, switch the webhook to Production URL in n8n and activate the workflow. Optionally embed it in a larger flow using Execute Workflow and replace the webhook nodes as needed.