Analyser les en-têtes d'e-mail Outlook pour détecter la réputation IP et l'hameçonnage
Avancé
Ceci est unSecOpsworkflow d'automatisation du domainecontenant 41 nœuds.Utilise principalement des nœuds comme If, Set, Code, Limit, Merge. Analyser les en-têtes Outlook pour détecter la réputation IP et l'hameçonnage
Prérequis
- •Point de terminaison HTTP Webhook (généré automatiquement par n8n)
- •Peut nécessiter les informations d'identification d'authentification de l'API cible
Nœuds utilisés (41)
Catégorie
Aperçu du workflow
Visualisation des connexions entre les nœuds, avec support du zoom et du déplacement
Exporter le workflow
Copiez la configuration JSON suivante dans n8n pour importer et utiliser ce workflow
{
"meta": {
"instanceId": "03e9d14e9196363fe7191ce21dc0bb17387a6e755dcc9acc4f5904752919dca8"
},
"nodes": [
{
"id": "363be6de-5e8d-46b2-a31f-6f7bc204c986",
"name": "Déclenchement sur nouvel e-mail",
"type": "n8n-nodes-base.microsoftOutlookTrigger",
"disabled": true,
"position": [
-760,
1400
],
"parameters": {
"output": "raw",
"filters": {
"foldersToInclude": [
"AQMkADM5MWVmZWEwLTQ4OTMtNGMyYy1iOWUxLTQ4N2M1YmU0ODJjNQAuAAADWJOZOf0oRkGpsGIMN2VBCwEAbttrza1gUEiEMFJJPqIeZQAAAgEMAAAA"
]
},
"options": {},
"pollTimes": {
"item": [
{
"mode": "everyMinute"
}
]
}
},
"credentials": {
"microsoftOutlookOAuth2Api": {
"id": "vTCK0oVQ0WjFrI5H",
"name": "Outlook Credential"
}
},
"typeVersion": 1
},
{
"id": "0da8b1ab-6dbe-41b7-92f1-6e8637d082cb",
"name": "Récupérer les en-têtes de l'e-mail",
"type": "n8n-nodes-base.httpRequest",
"position": [
-560,
1400
],
"parameters": {
"url": "=https://graph.microsoft.com/v1.0/me/messages/{{ $json.id }}?$select=internetMessageHeaders",
"options": {},
"sendHeaders": true,
"authentication": "predefinedCredentialType",
"headerParameters": {
"parameters": [
{
"name": "Accept",
"value": "application/json"
}
]
},
"nodeCredentialType": "microsoftOutlookOAuth2Api"
},
"credentials": {
"microsoftOutlookOAuth2Api": {
"id": "vTCK0oVQ0WjFrI5H",
"name": "Outlook Credential"
}
},
"typeVersion": 4.2
},
{
"id": "2f28e47d-f010-4f0b-bbe4-074bbdf39a45",
"name": "Extraire les en-têtes Received",
"type": "n8n-nodes-base.code",
"position": [
80,
1460
],
"parameters": {
"jsCode": "// Extract the headers array from the JSON\nconst headers = $('Set Headers').item.json.headers;\n\n// Filter headers where the name is \"Received\"\nconst receivedHeaders = headers.filter(header => header.name === \"Received\");\n\n// Return the filtered headers\nreturn receivedHeaders;\n"
},
"executeOnce": false,
"typeVersion": 2
},
{
"id": "530fd9c3-94c2-4d5e-a686-57738cc10ae6",
"name": "Supprimer les en-têtes Received supplémentaires",
"type": "n8n-nodes-base.limit",
"position": [
300,
1460
],
"parameters": {
"keep": "lastItems"
},
"typeVersion": 1
},
{
"id": "9942704e-e0ac-42e9-b714-b2bdb3117c02",
"name": "Extraire l'IP d'origine From",
"type": "n8n-nodes-base.set",
"position": [
500,
1460
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "5f740d1f-de62-4fe0-aa20-625063344c07",
"name": "extractedfromip",
"type": "string",
"value": "={{ $json.value.replace(/\\b(127\\.(?:\\d{1,3}\\.){2}\\d{1,3})|(10\\.(?:\\d{1,3}\\.){2}\\d{1,3})|(172\\.(?:1[6-9]|2[0-9]|3[0-1])\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})\\b/g, \"\").match(/(\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}))|:)))(%.+)?\\s*)|(\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)[.]){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b)/)[0] }}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "6093bcd2-1101-4685-8d2c-751dd451afc4",
"name": "Interroger IP Quality Score API",
"type": "n8n-nodes-base.httpRequest",
"position": [
980,
1360
],
"parameters": {
"url": "=https://ipqualityscore.com/api/json/ip/Mlg6aZdzI1mVehUD3Z5Ak5Vl4yNN7P8v/{{ $('Extract Original From IP').item.json.extractedfromip }}?strictness=1&allow_public_access_points=true&lighter_penalties=true",
"options": {}
},
"typeVersion": 4.2
},
{
"id": "feb4203c-4f9b-456c-9640-82ce8f6f550f",
"name": "Interroger IP API",
"type": "n8n-nodes-base.httpRequest",
"position": [
1180,
1360
],
"parameters": {
"url": "=http://ip-api.com/json/{{ $('Extract Original From IP').item.json.extractedfromip }}",
"options": {}
},
"typeVersion": 4.2
},
{
"id": "f628e421-4cb5-4612-83c2-bde0f4f57367",
"name": "En-tête Authentication-Results ?",
"type": "n8n-nodes-base.if",
"position": [
1440,
1600
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "ead2b640-ad80-4189-a692-ae454723fd85",
"operator": {
"type": "boolean",
"operation": "true",
"singleValue": true
},
"leftValue": "={{ $('Set Headers').item.json.headers.some(header => header.name === \"Authentication-Results\") }}",
"rightValue": "true"
}
]
}
},
"typeVersion": 2.2
},
{
"id": "8616ecd3-1c71-49ff-a32c-4b09f3214edb",
"name": "Extraire l'en-tête Authentication-Results",
"type": "n8n-nodes-base.code",
"position": [
1720,
1360
],
"parameters": {
"jsCode": "// Extract the headers array from the JSON\nconst headers = $('Set Headers').item.json.headers;\n\n// Filter headers where the name is \"Received\"\nconst receivedHeaders = headers.filter(header => header.name === \"Authentication-Results\");\n\n// Return the filtered headers\nreturn receivedHeaders;\n"
},
"executeOnce": false,
"typeVersion": 2
},
{
"id": "7d3a37dc-6bbe-4c3b-9c2c-c9d2c1c24213",
"name": "En-tête Received-SPF ?",
"type": "n8n-nodes-base.if",
"position": [
1700,
2220
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "a38ebc9b-f896-4432-81fb-4f3db98f3409",
"operator": {
"type": "boolean",
"operation": "true",
"singleValue": true
},
"leftValue": "={{ $('Set Headers').item.json.headers.some(header => header.name === \"Received-SPF\") }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "f1ca55fb-07d8-4825-8850-f5a3c58e358a",
"name": "En-tête DKIM-Signature ?",
"type": "n8n-nodes-base.if",
"position": [
1700,
2620
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "a38ebc9b-f896-4432-81fb-4f3db98f3409",
"operator": {
"type": "boolean",
"operation": "true",
"singleValue": true
},
"leftValue": "={{ $('Set Headers').item.json.headers.some(header => header.name === \"DKIM-Signature\") }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "df19f38c-b263-4b97-bd22-adc8ff44f631",
"name": "Définir la valeur SPF",
"type": "n8n-nodes-base.set",
"position": [
2480,
2140
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "179c48eb-97e5-48ab-82b8-ef4269f11366",
"name": "spfvalue",
"type": "string",
"value": "={{ $json.data.last().value.toLowerCase().includes('fail') ? \"fail\" : $json.data.last().value.toLowerCase().includes('pass') ? \"pass\" : \"unknown\"}}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "1613d276-3ec4-44b2-91ca-f76985e1b4c2",
"name": "Extraire l'en-tête Received-SPF",
"type": "n8n-nodes-base.code",
"position": [
1940,
2140
],
"parameters": {
"jsCode": "// Extract the headers array from the JSON\nconst headers = $('Set Headers').item.json.headers;\n\n// Filter headers where the name is \"Received\"\nconst receivedHeaders = headers.filter(header => header.name === \"Received-SPF\");\n\n// Return the filtered headers\nreturn receivedHeaders;\n"
},
"executeOnce": false,
"typeVersion": 2
},
{
"id": "47697f60-99e7-4c91-ab7c-7f966b1b5307",
"name": "Signature DKIM trouvée",
"type": "n8n-nodes-base.set",
"position": [
2480,
2520
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "ae3158bf-3d91-4a61-a58c-c151362e52d7",
"name": "dkimvalue",
"type": "string",
"value": "=found"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "2383e7b4-fe13-4c36-80a3-67ba3f02ce1d",
"name": "En-tête DMARC ?",
"type": "n8n-nodes-base.if",
"position": [
1700,
3060
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "a38ebc9b-f896-4432-81fb-4f3db98f3409",
"operator": {
"type": "boolean",
"operation": "true",
"singleValue": true
},
"leftValue": "={{ $('Set Headers').item.json.headers.some(header => header.name === \"dmarc\") }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "2c41e06d-0dc1-474e-a13f-302fc3e4d4ad",
"name": "Pas d'en-tête DMARC",
"type": "n8n-nodes-base.set",
"position": [
2480,
3160
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "ae3158bf-3d91-4a61-a58c-c151362e52d7",
"name": "dmarcvalue",
"type": "string",
"value": "=not found"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "81bd5082-634b-4f0e-951f-1374573fc6c0",
"name": "Extraire l'en-tête DMARC",
"type": "n8n-nodes-base.code",
"position": [
2120,
2960
],
"parameters": {
"jsCode": "// Extract the headers array from the JSON\nconst headers = $('Set Headers').item.json.headers;\n\n// Filter headers where the name is \"Received\"\nconst receivedHeaders = headers.filter(header => header.name === \"dmarc\");\n\n// Return the filtered headers\nreturn receivedHeaders;\n"
},
"executeOnce": false,
"typeVersion": 2
},
{
"id": "55a5745c-2c73-492c-b63c-20936043b0b6",
"name": "Définir la valeur DMARC",
"type": "n8n-nodes-base.set",
"position": [
2480,
2960
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "179c48eb-97e5-48ab-82b8-ef4269f11366",
"name": "spfvalue",
"type": "string",
"value": "={{ $json.value.toLowerCase().includes('pass') ? \"pass\" : $json.value.toLowerCase().includes('fail') ? \"fail\" : \"unknown\"}}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "48a5b283-7aa4-4e10-b784-fcce25465fc0",
"name": "IP d'origine trouvée ?",
"type": "n8n-nodes-base.if",
"position": [
700,
1460
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "1c27e7ba-d243-4673-b1cc-608c35951168",
"operator": {
"type": "boolean",
"operation": "notEmpty",
"singleValue": true
},
"leftValue": "={{ $json.extractedfromip?.toBoolean() }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "75818bdc-3ffb-42a7-a0a3-93fc413b757f",
"name": "Aucune signature DKIM trouvée",
"type": "n8n-nodes-base.set",
"position": [
2480,
2720
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "ae3158bf-3d91-4a61-a58c-c151362e52d7",
"name": "dkimvalue",
"type": "string",
"value": "not found"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "17bc160b-618f-4893-80c8-4e4c2638adc3",
"name": "Déterminer les valeurs d'authentification",
"type": "n8n-nodes-base.set",
"position": [
2040,
1360
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "cd0b3f49-fe38-4686-a1f5-bc03a145adef",
"name": "spfvalue",
"type": "string",
"value": "={{ $json.value.toLowerCase().includes('spf=pass') ? \"pass\" : $json.value.toLowerCase().includes('spf=fail') ? \"fail\" : $json.value.toLowerCase().includes('spf=neutral') ? \"neutral\" : \"unknown\" }}"
},
{
"id": "6aa90f4d-773e-475f-8cbc-fe5c4fe93653",
"name": "dkimvalue",
"type": "string",
"value": "={{ $json.value.toLowerCase().includes('dkim=pass') ? \"pass\" : $json.value.toLowerCase().includes('dkim=fail') ? \"fail\" : $json.value.toLowerCase().includes('dkim=temperror') ? \"error\" : \"unknown\" }}"
},
{
"id": "d3b7b0c1-0680-4cb9-b376-d365e5602a29",
"name": "dmarcvalue",
"type": "string",
"value": "={{ $json.value.toLowerCase().includes('dmarc=pass') ? \"pass\" : $json.value.toLowerCase().includes('dmarc=fail') ? \"fail\" : \"unknown\" }}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "8ee70aff-0907-44f5-b675-1de26660c2e3",
"name": "Aucun SPF trouvé",
"type": "n8n-nodes-base.set",
"position": [
2480,
2320
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "ae3158bf-3d91-4a61-a58c-c151362e52d7",
"name": "spfvalue",
"type": "string",
"value": "not found"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb",
"name": "Fusionner",
"type": "n8n-nodes-base.merge",
"position": [
2840,
1600
],
"parameters": {
"numberInputs": 3
},
"typeVersion": 3
},
{
"id": "bb688aec-d7ae-4e5a-ac38-a8d9554966bd",
"name": "Agréger",
"type": "n8n-nodes-base.aggregate",
"position": [
3000,
1600
],
"parameters": {
"options": {},
"aggregate": "aggregateAllItemData"
},
"typeVersion": 1
},
{
"id": "e393c3b1-b756-44a8-ac3c-b2d9e15f4f47",
"name": "Aucune opération, ne rien faire",
"type": "n8n-nodes-base.noOp",
"position": [
980,
1600
],
"parameters": {},
"typeVersion": 1
},
{
"id": "d651412c-9e58-4ef6-a6eb-6556647a7223",
"name": "Formater la sortie Webhook",
"type": "n8n-nodes-base.set",
"position": [
3400,
1460
],
"parameters": {
"options": {},
"assignments": {
"assignments": []
},
"includeOtherFields": true
},
"typeVersion": 3.4
},
{
"id": "03c70339-8e92-4d62-b346-7e669c83d338",
"name": "Formater les sorties d'authentification individuelles",
"type": "n8n-nodes-base.set",
"position": [
3180,
1600
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "1f466a9d-e8a1-4095-918c-89fd8e3dae57",
"name": "spf",
"type": "string",
"value": "={{ $json.data[0].spfvalue }}"
},
{
"id": "797b0e35-9a2e-4261-8741-a8d636e0d1ae",
"name": "dkim",
"type": "string",
"value": "={{ $json.data[1].dkimvalue }}"
},
{
"id": "8b6f9dda-081d-45b6-98a9-04a96642800b",
"name": "dmarc",
"type": "string",
"value": "={{ $json.data[2].dmarcvalue }}"
},
{
"id": "6d24a794-0d06-4f12-8bfb-cc3c71720a1b",
"name": "initialIP",
"type": "string",
"value": "={{ $('Extract Original From IP').item.json.extractedfromip || 'Originating IP Not Found'}}"
},
{
"id": "e9ec6f54-0ef7-451b-bbeb-8bb9291e4bcd",
"name": "organization",
"type": "string",
"value": "={{ $('Query IP API').item.json.org || \"No Organization Found\" }}"
},
{
"id": "719b8414-72e1-4916-855b-00abdfc8e776",
"name": "country",
"type": "string",
"value": "={{ $('Query IP API').item.json.country || \"No Country Found\" }}"
},
{
"id": "ab0dc08c-ba54-4e2c-b4df-9f23d36cb350",
"name": "city",
"type": "string",
"value": "={{ $('Query IP API').item.json.city || \"No City Found\" }}"
},
{
"id": "f8214eea-dfb6-4fe1-8e45-e0b8d3d44ee3",
"name": "recentSpamActivity",
"type": "string",
"value": "={{ $('Query IP Quality Score API').item.json.fraud_score>=85 ? \"Identified spam in the last 48 hours\" : $('Query IP Quality Score API').item.json.fraud_score>=75 ? \"Identified spam in the last month\" : \"Not associated with recent spam\" }}"
},
{
"id": "fe3488b2-ad00-45ad-b947-ca2dc4242363",
"name": "ipSenderReputation",
"type": "string",
"value": "={{ $('Query IP Quality Score API').item.json.fraud_score>=85 ? \"Bad\" : $('Query IP Quality Score API').item.json.fraud_score>=75 ? \"Poor\" : $('Gmail - Query IP Quality Score API').item.json.fraud_score>=50 ? \"Suspicious\" : $('Query IP Quality Score API').item.json.fraud_score>=11 ? \"OK\" : $('Query IP Quality Score API').item.json.fraud_score<11 ? \"Good\" : \"Unknown\"}}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "762153b7-0364-498f-9dba-547d676b9d74",
"name": "Formater la sortie d'authentification combinée",
"type": "n8n-nodes-base.set",
"position": [
2400,
1360
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "1f466a9d-e8a1-4095-918c-89fd8e3dae57",
"name": "spf",
"type": "string",
"value": "={{ $json.spfvalue }}"
},
{
"id": "797b0e35-9a2e-4261-8741-a8d636e0d1ae",
"name": "dkim",
"type": "string",
"value": "={{ $json.dkimvalue }}"
},
{
"id": "8b6f9dda-081d-45b6-98a9-04a96642800b",
"name": "dmarc",
"type": "string",
"value": "={{ $json.dmarcvalue }}"
},
{
"id": "6d24a794-0d06-4f12-8bfb-cc3c71720a1b",
"name": "initialIP",
"type": "string",
"value": "={{ $('Extract Original From IP').item.json.extractedfromip || 'Originating IP Not Found'}}"
},
{
"id": "e9ec6f54-0ef7-451b-bbeb-8bb9291e4bcd",
"name": "organization",
"type": "string",
"value": "={{ $('Query IP API').item.json.org || \"No Organization Found\" }}"
},
{
"id": "719b8414-72e1-4916-855b-00abdfc8e776",
"name": "country",
"type": "string",
"value": "={{ $('Query IP API').item.json.country || \"No Country Found\" }}"
},
{
"id": "ab0dc08c-ba54-4e2c-b4df-9f23d36cb350",
"name": "city",
"type": "string",
"value": "={{ $('Query IP API').item.json.city || \"No City Found\" }}"
},
{
"id": "f8214eea-dfb6-4fe1-8e45-e0b8d3d44ee3",
"name": "recentSpamActivity",
"type": "string",
"value": "={{ $('Query IP Quality Score API').item.json.fraud_score>=85 ? \"Identified spam in the last 48 hours\" : $('Query IP Quality Score API').item.json.fraud_score>=75 ? \"Identified spam in the last month\" : \"Not associated with recent spam\" }}"
},
{
"id": "fe3488b2-ad00-45ad-b947-ca2dc4242363",
"name": "ipSenderReputation",
"type": "string",
"value": "={{ $('Query IP Quality Score API').item.json.fraud_score>=85 ? \"Bad\" : $('Query IP Quality Score API').item.json.fraud_score>=75 ? \"Poor\" : $('Query IP Quality Score API').item.json.fraud_score>=50 ? \"Suspicious\" : $('Query IP Quality Score API').item.json.fraud_score>=11 ? \"OK\" : $('Query IP Quality Score API').item.json.fraud_score<11 ? \"Good\" : \"Unknown\"}}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "391615b6-4996-4687-a07c-3f9af1246840",
"name": "Répondre à Webhook",
"type": "n8n-nodes-base.respondToWebhook",
"position": [
3620,
1460
],
"parameters": {
"options": {}
},
"typeVersion": 1.1
},
{
"id": "ff28eb77-d095-440e-a95f-9f3727a3c219",
"name": "Webhook1",
"type": "n8n-nodes-base.webhook",
"position": [
-780,
2140
],
"webhookId": "da28e0c6-ebe2-43e7-92fe-dde3278746a9",
"parameters": {
"path": "da28e0c6-ebe2-43e7-92fe-dde3278746a8",
"options": {},
"httpMethod": "POST",
"responseMode": "responseNode"
},
"typeVersion": 2
},
{
"id": "80d4ce98-c26b-4f14-9058-6dda098f4f14",
"name": "Définir les en-têtes",
"type": "n8n-nodes-base.set",
"position": [
-100,
1460
],
"parameters": {
"options": {},
"includeOtherFields": true
},
"typeVersion": 3.4
},
{
"id": "fddadcd8-ecaf-4fb3-bd38-12d6e48124be",
"name": "Agréger les en-têtes Received-SPF",
"type": "n8n-nodes-base.aggregate",
"position": [
2140,
2140
],
"parameters": {
"options": {},
"aggregate": "aggregateAllItemData"
},
"typeVersion": 1
},
{
"id": "175f81f1-f5ff-4170-9496-7adae5351ff4",
"name": "Définir les en-têtes ici",
"type": "n8n-nodes-base.set",
"position": [
-360,
1400
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "5bf15ec1-a009-4473-a3da-fca15a6cd29a",
"name": "headers",
"type": "array",
"value": "={{ $json.internetMessageHeaders }}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "6aa1040e-1c57-4ef3-9a06-9e25ca66247f",
"name": "Définir les en-têtes Webhook ici",
"type": "n8n-nodes-base.set",
"position": [
-380,
2140
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "80d3bf91-ce79-44b7-b8d6-a612ef810891",
"name": "headers",
"type": "array",
"value": "={{ $json.body.headers }}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "6d177ff6-333f-40af-87ee-28f5808b90b6",
"name": "Note adhésive",
"type": "n8n-nodes-base.stickyNote",
"position": [
-840,
849.3566000559811
],
"parameters": {
"color": 7,
"width": 635.6437587743126,
"height": 738.7992581051316,
"content": "\n## **Testing Email Header Analysis Workflow**\n\nThis section of the workflow is designed for testing purposes to ensure that the setup functions correctly with your Outlook email client before deploying it as an API for third-party platforms. The process begins with the `Trigger on New Email` node, which monitors a specified folder in your Outlook mailbox and triggers the workflow whenever a new email arrives. Configured to poll every minute, it ensures timely detection and processing of incoming emails.\n\nOnce an email is detected, the `Retrieve Headers of Email` node uses the Microsoft Graph API to fetch the detailed headers of the new email. These headers contain critical metadata, such as routing information and authentication results, essential for the analysis of the email's origin and legitimacy.\n\nFinally, the `Set Headers Here` node extracts and organizes the email headers into a standardized format as an array called `headers`. This structured format prepares the email data for further processing in the subsequent sections of the workflow. By validating these steps, you can confirm the workflow is functioning correctly before integrating it into broader use cases."
},
"typeVersion": 1
},
{
"id": "4347e3ac-6268-4f47-9ffa-d6cfdb9db6fe",
"name": "Note adhésive1",
"type": "n8n-nodes-base.stickyNote",
"position": [
-840,
1597.2834217449708
],
"parameters": {
"color": 7,
"width": 635.6437587743126,
"height": 722.658386273084,
"content": "\n## **Webhook Integration for Production**\n\nThis section transitions the workflow into production, enabling it to function as an API for analyzing email headers received from third-party platforms. To utilize this webhook functionality, it is essential to **activate the workflow**, as the webhook will only respond when the workflow is live.\n\nThe `Webhook1` node listens for incoming HTTP POST requests at the specified path. When the webhook is triggered, it receives and processes the payload containing email data, including headers sent by the third-party platform. This enables the workflow to operate dynamically with external systems.\n\nThe `Set Webhook Headers Here` node takes the received email data and extracts the `headers` array from the payload's body. This ensures the incoming data is formatted correctly and ready for further processing in subsequent steps of the workflow.\n\nBy activating the workflow and integrating it with external systems, users can automate the analysis of email headers seamlessly in a production environment."
},
"typeVersion": 1
},
{
"id": "166afae1-13f7-4c61-b605-751e2692f272",
"name": "Note adhésive2",
"type": "n8n-nodes-base.stickyNote",
"position": [
-195.35026277953466,
1001.1991904481583
],
"parameters": {
"color": 7,
"width": 869.3564073187465,
"height": 626.9566677129526,
"content": "\n## **Extract and Process Email Headers**\n\nThis section processes the headers from incoming email data to extract critical information, particularly focusing on the originating IP address. The workflow begins with the `Set Headers` node, which takes the headers provided from the previous nodes and prepares them for analysis.\n\nThe `Extract Received Headers` node filters through the headers and isolates those labeled as \"Received.\" These headers document the servers through which the email has passed, providing a traceable path of its journey. Next, the `Remove Extra Received Headers` node narrows the focus to the most recent \"Received\" header, which typically contains the originating IP address of the email sender.\n\nUsing the `Extract Original From IP` node, the workflow applies a regular expression to extract the IP address from the retained header, removing any internal or private IP addresses that might be present. This ensures that only the relevant external IP address is identified."
},
"typeVersion": 1
},
{
"id": "a676cc11-c48d-4160-a60f-5a2cce1ecc94",
"name": "Note adhésive3",
"type": "n8n-nodes-base.stickyNote",
"position": [
686.9090848322476,
800.8639469405958
],
"parameters": {
"color": 7,
"width": 922.1859426288208,
"height": 965.2875565450952,
"content": "\n## **Analyze IP Address and Check Authentication Results**\n\nThis section focuses on analyzing the originating IP address and verifying the presence of essential email authentication headers. The workflow begins with the `Original IP Found?` node, which evaluates whether the extracted IP address is valid and non-empty. If a valid IP address is found, the workflow proceeds; otherwise, it triggers the `No Operation, do nothing` node to halt further processing.\n\nThe `Query IP Quality Score API` node interacts with the IP Quality Score service, evaluating the IP’s reputation. This analysis identifies whether the IP is associated with spam, fraud, or other malicious activities. The results help determine the sender's trustworthiness.\n\nNext, the `Query IP API` node provides additional contextual information about the IP address, including geographical details (e.g., country, city) and the organization associated with the IP. This information enriches the analysis, offering insights into the sender’s origin.\n\nThe `Authentication-Results Header?` node checks for the presence of the \"Authentication-Results\" header in the email. This header indicates the results of SPF, DKIM, and DMARC checks performed by the receiving email server. If present, the workflow proceeds to analyze the header further in subsequent sections.\n\nBy validating the IP address and analyzing its reputation, this section ensures a comprehensive understanding of the email's legitimacy before moving forward in the workflow."
},
"typeVersion": 1
},
{
"id": "999b7855-b515-45b7-a560-55882555a2c2",
"name": "Note adhésive4",
"type": "n8n-nodes-base.stickyNote",
"position": [
1622.1779104636253,
911.7549500344078
],
"parameters": {
"color": 7,
"width": 1016.1357697283069,
"height": 619.3441192962306,
"content": "\n## **Extract and Evaluate Authentication Results**\n\nIf the header is found, the workflow proceeds to the `Extract Authentication-Results Header` node, which isolates the relevant header and extracts its contents. This allows the workflow to parse the authentication results systematically.\n\nNext, the `Determine Auth Values` node processes the extracted data, determining the status of SPF, DKIM, and DMARC. It categorizes each result as `pass`, `fail`, `neutral`, `error`, or `unknown` based on the information present in the header. This step ensures a clear understanding of the email's adherence to authentication protocols.\n\nFinally, the `Format Combined Auth Output` node aggregates the authentication results with other relevant metadata, such as the originating IP, sender's organization, and geographical location, obtained from previous steps. Additionally, it evaluates the IP's reputation and recent spam activity using the data from the IP Quality Score API. This structured output provides a comprehensive overview of the email's security and legitimacy, making it ready for integration with external systems or reporting tools."
},
"typeVersion": 1
},
{
"id": "f2fefb66-8325-4d00-932b-292b353f7b2f",
"name": "Note adhésive5",
"type": "n8n-nodes-base.stickyNote",
"position": [
2660,
890.7472796133279
],
"parameters": {
"color": 7,
"width": 1285.8545784346588,
"height": 909.4741259295762,
"content": "\n## **Combine Results and Respond to Webhook**\n\nThis final section consolidates the results from previous nodes and prepares the data for delivery via a webhook response. It ensures all authentication checks and metadata are aggregated into a cohesive output.\n\nThe process begins with the `Merge` node, which combines data streams from SPF, DKIM, and DMARC evaluations. The aggregated data is then processed by the `Aggregate` node, which organizes the results into a unified dataset.\n\nNext, the `Format Individual Auth Outputs` node formats the consolidated data into a structured JSON object. This output includes the SPF, DKIM, and DMARC results, as well as additional metadata such as the originating IP address, sender’s organization, geographical location, IP reputation, and recent spam activity. Each field is clearly labeled to ensure compatibility with external systems.\n\nThe formatted output is passed to the `Format Webhook Output` node, which finalizes the response structure for the webhook. The `Respond to Webhook` node then sends this structured response back to the calling system. This enables seamless integration with third-party platforms, allowing them to use the results for further analysis or automation.\n\nBy combining and formatting all authentication data, this section ensures that the workflow delivers clear, actionable insights to the consuming system, completing the email analysis pipeline."
},
"typeVersion": 1
},
{
"id": "4c2592a3-3550-428c-9622-b1e95ad28d4f",
"name": "Note adhésive6",
"type": "n8n-nodes-base.stickyNote",
"position": [
1620,
1540
],
"parameters": {
"color": 7,
"width": 1016.1357697283069,
"height": 1788.2607166792513,
"content": "\n## **Evaluate SPF, DKIM, and DMARC Compliance**\n\nThis section focuses on detailed analysis and validation of SPF, DKIM, and DMARC headers. Each authentication mechanism is evaluated to determine its status, providing critical insights into the email’s legitimacy and adherence to security protocols.\n\nThe workflow begins with the `Received-SPF Header?` node, which checks if the \"Received-SPF\" header exists. If found, the workflow proceeds to the `Extract Received-SPF Header` node to isolate the SPF validation results. These results are aggregated and analyzed using the `Aggregate Received-SPF Headers` node, with the final outcome recorded by the `Set SPF Value` node. If no SPF header is found, the workflow instead records this absence using the `No SPF Found` node.\n\nThe `DKIM-Signature Header?` node performs a similar function for DKIM validation, checking for the presence of a DKIM signature. If the header is found, the `DKIM Signature Found` node confirms its presence, while the `No DKIM Signature Found` node handles its absence.\n\nThe `DMARC Header?` node checks for the presence of a DMARC header, indicating compliance with the domain’s published DMARC policy. If present, the workflow extracts and evaluates it via the `Extract DMARC Header` and `Set DMARC Value` nodes. If the header is missing, the `No DMARC Header` node records this information.\n\nBy systematically evaluating these headers, the workflow provides a comprehensive understanding of the email's authentication status. This granular analysis strengthens email security by detecting potential spoofing or misconfigurations in the sender’s authentication setup."
},
"typeVersion": 1
}
],
"pinData": {},
"connections": {
"a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb": {
"main": [
[
{
"node": "bb688aec-d7ae-4e5a-ac38-a8d9554966bd",
"type": "main",
"index": 0
}
]
]
},
"ff28eb77-d095-440e-a95f-9f3727a3c219": {
"main": [
[
{
"node": "6aa1040e-1c57-4ef3-9a06-9e25ca66247f",
"type": "main",
"index": 0
}
]
]
},
"bb688aec-d7ae-4e5a-ac38-a8d9554966bd": {
"main": [
[
{
"node": "03c70339-8e92-4d62-b346-7e669c83d338",
"type": "main",
"index": 0
}
]
]
},
"80d4ce98-c26b-4f14-9058-6dda098f4f14": {
"main": [
[
{
"node": "2f28e47d-f010-4f0b-bbe4-074bbdf39a45",
"type": "main",
"index": 0
}
]
]
},
"8ee70aff-0907-44f5-b675-1de26660c2e3": {
"main": [
[
{
"node": "a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb",
"type": "main",
"index": 0
}
]
]
},
"feb4203c-4f9b-456c-9640-82ce8f6f550f": {
"main": [
[
{
"node": "f628e421-4cb5-4612-83c2-bde0f4f57367",
"type": "main",
"index": 0
}
]
]
},
"2383e7b4-fe13-4c36-80a3-67ba3f02ce1d": {
"main": [
[
{
"node": "81bd5082-634b-4f0e-951f-1374573fc6c0",
"type": "main",
"index": 0
}
],
[
{
"node": "2c41e06d-0dc1-474e-a13f-302fc3e4d4ad",
"type": "main",
"index": 0
}
]
]
},
"df19f38c-b263-4b97-bd22-adc8ff44f631": {
"main": [
[
{
"node": "a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb",
"type": "main",
"index": 0
}
]
]
},
"2c41e06d-0dc1-474e-a13f-302fc3e4d4ad": {
"main": [
[
{
"node": "a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb",
"type": "main",
"index": 2
}
]
]
},
"55a5745c-2c73-492c-b63c-20936043b0b6": {
"main": [
[
{
"node": "a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb",
"type": "main",
"index": 2
}
]
]
},
"175f81f1-f5ff-4170-9496-7adae5351ff4": {
"main": [
[
{
"node": "80d4ce98-c26b-4f14-9058-6dda098f4f14",
"type": "main",
"index": 0
}
]
]
},
"48a5b283-7aa4-4e10-b784-fcce25465fc0": {
"main": [
[
{
"node": "6093bcd2-1101-4685-8d2c-751dd451afc4",
"type": "main",
"index": 0
}
],
[
{
"node": "e393c3b1-b756-44a8-ac3c-b2d9e15f4f47",
"type": "main",
"index": 0
}
]
]
},
"47697f60-99e7-4c91-ab7c-7f966b1b5307": {
"main": [
[
{
"node": "a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb",
"type": "main",
"index": 1
}
]
]
},
"81bd5082-634b-4f0e-951f-1374573fc6c0": {
"main": [
[
{
"node": "55a5745c-2c73-492c-b63c-20936043b0b6",
"type": "main",
"index": 0
}
]
]
},
"7d3a37dc-6bbe-4c3b-9c2c-c9d2c1c24213": {
"main": [
[
{
"node": "1613d276-3ec4-44b2-91ca-f76985e1b4c2",
"type": "main",
"index": 0
}
],
[
{
"node": "8ee70aff-0907-44f5-b675-1de26660c2e3",
"type": "main",
"index": 0
}
]
]
},
"363be6de-5e8d-46b2-a31f-6f7bc204c986": {
"main": [
[
{
"node": "0da8b1ab-6dbe-41b7-92f1-6e8637d082cb",
"type": "main",
"index": 0
}
]
]
},
"17bc160b-618f-4893-80c8-4e4c2638adc3": {
"main": [
[
{
"node": "762153b7-0364-498f-9dba-547d676b9d74",
"type": "main",
"index": 0
}
]
]
},
"d651412c-9e58-4ef6-a6eb-6556647a7223": {
"main": [
[
{
"node": "391615b6-4996-4687-a07c-3f9af1246840",
"type": "main",
"index": 0
}
]
]
},
"f1ca55fb-07d8-4825-8850-f5a3c58e358a": {
"main": [
[
{
"node": "47697f60-99e7-4c91-ab7c-7f966b1b5307",
"type": "main",
"index": 0
}
],
[
{
"node": "75818bdc-3ffb-42a7-a0a3-93fc413b757f",
"type": "main",
"index": 0
}
]
]
},
"75818bdc-3ffb-42a7-a0a3-93fc413b757f": {
"main": [
[
{
"node": "a658b7d1-ec0e-40c9-a6c6-1f81e776fcfb",
"type": "main",
"index": 1
}
]
]
},
"9942704e-e0ac-42e9-b714-b2bdb3117c02": {
"main": [
[
{
"node": "48a5b283-7aa4-4e10-b784-fcce25465fc0",
"type": "main",
"index": 0
}
]
]
},
"2f28e47d-f010-4f0b-bbe4-074bbdf39a45": {
"main": [
[
{
"node": "530fd9c3-94c2-4d5e-a686-57738cc10ae6",
"type": "main",
"index": 0
}
]
]
},
"e393c3b1-b756-44a8-ac3c-b2d9e15f4f47": {
"main": [
[
{
"node": "f628e421-4cb5-4612-83c2-bde0f4f57367",
"type": "main",
"index": 0
}
]
]
},
"6aa1040e-1c57-4ef3-9a06-9e25ca66247f": {
"main": [
[
{
"node": "80d4ce98-c26b-4f14-9058-6dda098f4f14",
"type": "main",
"index": 0
}
]
]
},
"0da8b1ab-6dbe-41b7-92f1-6e8637d082cb": {
"main": [
[
{
"node": "175f81f1-f5ff-4170-9496-7adae5351ff4",
"type": "main",
"index": 0
}
]
]
},
"6093bcd2-1101-4685-8d2c-751dd451afc4": {
"main": [
[
{
"node": "feb4203c-4f9b-456c-9640-82ce8f6f550f",
"type": "main",
"index": 0
}
]
]
},
"1613d276-3ec4-44b2-91ca-f76985e1b4c2": {
"main": [
[
{
"node": "fddadcd8-ecaf-4fb3-bd38-12d6e48124be",
"type": "main",
"index": 0
}
]
]
},
"762153b7-0364-498f-9dba-547d676b9d74": {
"main": [
[
{
"node": "d651412c-9e58-4ef6-a6eb-6556647a7223",
"type": "main",
"index": 0
}
]
]
},
"530fd9c3-94c2-4d5e-a686-57738cc10ae6": {
"main": [
[
{
"node": "9942704e-e0ac-42e9-b714-b2bdb3117c02",
"type": "main",
"index": 0
}
]
]
},
"fddadcd8-ecaf-4fb3-bd38-12d6e48124be": {
"main": [
[
{
"node": "df19f38c-b263-4b97-bd22-adc8ff44f631",
"type": "main",
"index": 0
}
]
]
},
"f628e421-4cb5-4612-83c2-bde0f4f57367": {
"main": [
[
{
"node": "8616ecd3-1c71-49ff-a32c-4b09f3214edb",
"type": "main",
"index": 0
}
],
[
{
"node": "7d3a37dc-6bbe-4c3b-9c2c-c9d2c1c24213",
"type": "main",
"index": 0
},
{
"node": "f1ca55fb-07d8-4825-8850-f5a3c58e358a",
"type": "main",
"index": 0
},
{
"node": "2383e7b4-fe13-4c36-80a3-67ba3f02ce1d",
"type": "main",
"index": 0
}
]
]
},
"03c70339-8e92-4d62-b346-7e669c83d338": {
"main": [
[
{
"node": "d651412c-9e58-4ef6-a6eb-6556647a7223",
"type": "main",
"index": 0
}
]
]
},
"8616ecd3-1c71-49ff-a32c-4b09f3214edb": {
"main": [
[
{
"node": "17bc160b-618f-4893-80c8-4e4c2638adc3",
"type": "main",
"index": 0
}
]
]
}
}
}Foire aux questions
Comment utiliser ce workflow ?
Copiez le code de configuration JSON ci-dessus, créez un nouveau workflow dans votre instance n8n et sélectionnez "Importer depuis le JSON", collez la configuration et modifiez les paramètres d'authentification selon vos besoins.
Dans quelles scénarios ce workflow est-il adapté ?
Avancé - Opérations de sécurité
Est-ce payant ?
Ce workflow est entièrement gratuit et peut être utilisé directement. Veuillez noter que les services tiers utilisés dans le workflow (comme l'API OpenAI) peuvent nécessiter un paiement de votre part.
Workflows recommandés
Analyser les en-têtes d'e-mail Gmail pour détecter la réputation IP et l'hameçonnage
Analyser les en-têtes Gmail pour détecter la réputation IP et l'hameçonnage
If
Set
Code
+
If
Set
Code
40 NœudsAngel Menendez
Opérations de sécurité
Explorer les nœuds n8n dans la bibliothèque de références visuelles
Explorer les nœuds n8n dans la base de références visuelles
If
Ftp
Set
+
If
Ftp
Set
113 NœudsI versus AI
Autres
Routage et réponse de messages automatisés LinkedIn (avec détection de demande)
Routage et répondeur automatique de messages LinkedIn avec détection de requêtes
If
Set
Slack
+
If
Set
Slack
52 NœudsAngel Menendez
Support
Analyser et classer le contenu suspect des e-mails avec ChatGPT
Analyser et classer le contenu d'e-mails suspects avec ChatGPT
If
Set
Code
+
If
Set
Code
25 NœudsAngel Menendez
Intelligence Artificielle
PDF vers commande
Utiliser l'IA pour automatiser la conversion des commandes d'achat PDF en commandes de vente Adobe Commerce
If
Set
Code
+
If
Set
Code
96 NœudsJKingma
Extraction de documents
Génération automatisée de prospects LinkedIn et envoi de messages privés avec Airtable, OpenAI et Unipile
Génération automatique de prospects LinkedIn et contact par message direct avec Airtable, OpenAI et Unipile
If
Set
Code
+
If
Set
Code
143 NœudsRuben AI
Nurturing de leads
Informations sur le workflow
Niveau de difficulté
Avancé
Nombre de nœuds41
Catégorie1
Types de nœuds12
Description de la difficulté
Auteur
Angel Menendez
@djangelicAngel Menendez is a Staff Developer Advocate at n8n.io, specializing in low-code tools for cybersecurity workflows. From Puerto Rico, Angel's tech journey began by helping his father translate technical books. He later started a web development business and transitioned from a career as a flight attendant to cybersecurity engineering. His workflows have saved companies significant time. Outside work, Angel enjoys time with his two sons, riding electric bikes, reading, and exploring new places.
Liens externes
Voir sur n8n.io →
Partager ce workflow