{ "name": "Analyze email headers for IPs and spoofing", "nodes": [ { "id": "a2dca82d-f2b4-41f7-942a-2713a5ae012e", "name": "Receive Headers", "type": "n8n-nodes-base.webhook", "position": [ -320, 740 ] }, { "id": "8cb2e9f4-6954-4812-a443-47cc83e7db0a", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ 2900, 420 ], "parameters": { "width": 528.410729274179, "height": 545.969373616973, "content": "## Output\nReturns output like:\n```\n[\n {\n \"ipAnalysis\": [\n {\n \"IP\": \"104.245.209.248\",\n \"fraud_score\": 87,\n \"recent_abuse\": true,\n " } }, { "id": "2464403b-5cb9-4090-b923-912bb8af673a", "name": "Fraud Score", "type": "n8n-nodes-base.code", "position": [ 1340, 560 ] }, { "id": "70e3e88a-001a-40fc-a771-ace7696f54eb", "name": "Respond to Webhook", "type": "n8n-nodes-base.respondToWebhook", "position": [ 2680, 760 ] }, { "id": "4e16523d-a7e1-44d1-840a-3df3a44bd034", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [ 460, -39.5 ], "parameters": { "width": 628.6931617686989, "height": 834.0576186324413, "content": "![ipqualityscore](https://i.imgur.com/CQRV2uV.png)\n## IP Reputation and Email Security Analysis\nThis critical part of the workflow specializes in fortifying email security by extracting IP addresses f" } }, { "id": "2e8ead40-a97a-4c7e-953c-33546b83eaf6", "name": "Explode Email Header", "type": "n8n-nodes-base.code", "position": [ 80, 740 ] }, { "id": "1118176d-a315-439d-a3b6-fe4d40c900c6", "name": "Split Out IPs", "type": "n8n-nodes-base.itemLists", "position": [ 740, 560 ] }, { "id": "ef118900-11a6-418a-b1b3-159933d62cbf", "name": "Extract IPs from \"received\"", "type": "n8n-nodes-base.code", "position": [ 540, 560 ] }, { "id": "ffefc1e2-214c-47d7-a7a3-104fefdccda1", "name": "IP Quality Score", "type": "n8n-nodes-base.httpRequest", "position": [ 920, 560 ] }, { "id": "2f1c5b30-950c-4e0d-81a6-bf4c2c64f968", "name": "IP-API", "type": "n8n-nodes-base.httpRequest", "position": [ 1140, 560 ] }, { "id": "c9cae845-63e8-475a-bc08-ba0552712394", "name": "Collect interesting data", "type": "n8n-nodes-base.set", "position": [ 1520, 560 ] }, { "id": "01b33cc9-b7b3-44e6-b683-b753e6daa2dc", "name": "SPF/DKIM/DMARC from \"authentication-results\"", "type": "n8n-nodes-base.code", "position": [ 520, 1160 ] }, { "id": "33923ec2-10db-4799-9b5e-a369cdd74640", "name": "SPF from \"received-spf\"", "type": "n8n-nodes-base.code", "position": [ 500, 1858 ] }, { "id": "9cec1f09-3887-46ec-aa25-b03a0ab34190", "name": "DKIM from \"dkim-signature\"", "type": "n8n-nodes-base.code", "position": [ 760, 1858 ] }, { "id": "0f856808-c044-4547-bc81-5e6d1208d9ad", "name": "DMARC from \"received-dmarc\"", "type": "n8n-nodes-base.code", "position": [ 1020, 1858 ] }, { "id": "0780dc59-8a4c-4355-9cdc-35b2505043a6", "name": "DKIM", "type": "n8n-nodes-base.switch", "position": [ 1260, 2718 ] }, { "id": "b0be02f9-ae6c-460e-9e1c-0be8f878f81b", "name": "Sticky Note4", "type": "n8n-nodes-base.stickyNote", "position": [ -359.7001600000003, -46.60400000000038 ], "parameters": { "width": 811.1951544353835, "height": 1042.0833160085729, "content": "![webhook](https://i.imgur.com/D6SP9P0.png)\n## Workflow Overview\nThis n8n workflow is adept at dissecting email headers to assess security risks. It employs a webhook to receive data, then diverges in" } }, { "id": "3c8fe0f3-0b65-4366-9c1e-a2a7bcc35ed5", "name": "Extract Email Header from webhook", "type": "n8n-nodes-base.set", "position": [ -99, 740 ] }, { "id": "4eef6457-27cf-442f-bccf-75663170401b", "name": "Sticky Note5", "type": "n8n-nodes-base.stickyNote", "position": [ 1100, 20 ], "parameters": { "width": 610.1426815377504, "height": 772.7590323462559, "content": "![ipapi](https://i.imgur.com/OMhn14b.png)\n## IP Reputation and Fraud Analysis\nThis workflow section performs an in-depth reputation assessment of each IP address. The `IP-API` node retrieves geolocati" } }, { "id": "764de66e-8e40-44d1-8c09-fb099753d800", "name": "Sticky Note6", "type": "n8n-nodes-base.stickyNote", "position": [ 1720, 141.75 ], "parameters": { "width": 1153.9919748350057, "height": 818.3738794326835, "content": "![n8n](https://i.imgur.com/lKnBNnH.png)\n## Analyze and Respond to Email Header Analysis\nThe concluding segment of the `Analyze Email Headers For IPs and Spoofing` workflow integrates sophisticated dat" } }, { "id": "2fa3c912-f478-48a1-9b2e-5e3f51c6a363", "name": "Sticky Note8", "type": "n8n-nodes-base.stickyNote", "position": [ 460, 800 ], "parameters": { "width": 630.5819800503231, "height": 535.80387776221, "content": "![nodejs](https://i.imgur.com/OqjRFGZ.png)\n## Authentication Analysis\n\nThis section assesses the presence and validity of SPF, DKIM, and DMARC records within email headers to confirm authentication. `" } }, { "id": "5297e5a0-f2d1-4ee3-b931-9b1abe75b2cc", "name": "Sticky Note10", "type": "n8n-nodes-base.stickyNote", "position": [ 460, 2038 ], "parameters": { "width": 983.9576126829675, "height": 1039.0141642262715, "content": "![n8n](https://i.imgur.com/yz109RJ.png)\n## SPF and DKIM Authentication Routing\nThis group of nodes orchestrates the authentication status routing for SPF and DKIM records found in email headers.\n\nSPF " } }, { "id": "f6c06bc5-048c-433e-9bfa-f155ca6735e4", "name": "Received Headers Present?", "type": "n8n-nodes-base.if", "position": [ 300, 660 ] }, { "id": "a92ef09c-0cc6-469c-98ff-8c6172615a4b", "name": "Authentication Results Present?", "type": "n8n-nodes-base.if", "position": [ 300, 820 ] }, { "id": "aef7f739-dfef-40b1-b01f-29adad4a9bda", "name": "Aggregate Authentication Data", "type": "n8n-nodes-base.set", "position": [ 1280, 1858 ] }, { "id": "5d7ce661-3bdf-45e5-a1e2-335602e62b5d", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [ 460, 1349.3807407407407 ], "parameters": { "width": 984.4210239195738, "height": 672.6925241611406, "content": "![nodejs](https://i.imgur.com/OqjRFGZ.png)\n## Email Authentication Assessment\nThis set of nodes is dedicated to evaluating the authentication of email headers, specifically focusing on SPF, DKIM, and " } }, { "id": "88888a82-815b-423a-85d3-8c86756d10cd", "name": "IP Data Merge", "type": "n8n-nodes-base.merge", "position": [ 1800, 660 ] }, { "id": "b7add244-9759-450f-8b01-6ec4555a5971", "name": "Merge Security Data", "type": "n8n-nodes-base.merge", "position": [ 2171, 760 ] }, { "id": "ef679cda-9420-44fd-90cc-23be1b166e2c", "name": "Join IP Analysis into one JSON object", "type": "n8n-nodes-base.itemLists", "position": [ 1960, 660 ] }, { "id": "1e5ae57b-948c-40c8-8248-fcbda80264e2", "name": "Join results into one JSON object", "type": "n8n-nodes-base.itemLists", "position": [ 2391, 760 ] }, { "id": "7fef7675-1350-4886-b184-f907dacf08b1", "name": "SPF Authentication Checker", "type": "n8n-nodes-base.switch", "position": [ 500, 2718 ] }, { "id": "410ccb8c-a551-45a3-a487-b0ce15a56882", "name": "Set SPF Pass Status", "type": "n8n-nodes-base.set", "position": [ 920, 2518 ] }, { "id": "127c0c91-162c-4cbb-b692-eb0675a55c42", "name": "Set SPF Fail Status", "type": "n8n-nodes-base.set", "position": [ 920, 2658 ] }, { "id": "7a15ae91-012f-4fc8-9075-7f855b15d979", "name": "Set SPF Neutral Status", "type": "n8n-nodes-base.set", "position": [ 920, 2798 ] }, { "id": "2ac1e5ce-83a4-4205-9774-76506f06108e", "name": "Set SPF UnknownStatus", "type": "n8n-nodes-base.set", "position": [ 920, 2938 ] } ], "connections": { "IP-API": { "main": [ [ { "node": "Fraud Score", "type": "main", "index": 0 } ] ] }, "Fraud Score": { "main": [ [ { "node": "Collect interesting data", "type": "main", "index": 0 } ] ] }, "IP Data Merge": { "main": [ [ { "node": "Join IP Analysis into one JSON object", "type": "main", "index": 0 } ] ] }, "Split Out IPs": { "main": [ [ { "node": "IP Quality Score", "type": "main", "index": 0 } ] ] }, "Receive Headers": { "main": [ [ { "node": "Extract Email Header from webhook", "type": "main", "index": 0 } ] ] }, "IP Quality Score": { "main": [ [ { "node": "IP-API", "type": "main", "index": 0 } ] ] }, "Merge Security Data": { "main": [ [ { "node": "Join results into one JSON object", "type": "main", "index": 0 } ] ] }, "Set SPF Fail Status": { "main": [ [ { "node": "DKIM", "type": "main", "index": 0 } ] ] }, "Set SPF Pass Status": { "main": [ [ { "node": "DKIM", "type": "main", "index": 0 } ] ] }, "Explode Email Header": { "main": [ [ { "node": "Received Headers Present?", "type": "main", "index": 0 }, { "node": "Authentication Results Present?", "type": "main", "index": 0 } ] ] }, "Set SPF UnknownStatus": { "main": [ [ { "node": "DKIM", "type": "main", "index": 0 } ] ] }, "Set SPF Neutral Status": { "main": [ [ { "node": "DKIM", "type": "main", "index": 0 } ] ] }, "SPF from \"received-spf\"": { "main": [ [ { "node": "DKIM from \"dkim-signature\"", "type": "main", "index": 0 } ] ] }, "Collect interesting data": { "main": [ [ { "node": "IP Data Merge", "type": "main", "index": 0 } ] ] }, "Received Headers Present?": { "main": [ [ { "node": "Extract IPs from \"received\"", "type": "main", "index": 0 } ], [ { "node": "IP Data Merge", "type": "main", "index": 1 } ] ] }, "DKIM from \"dkim-signature\"": { "main": [ [ { "node": "DMARC from \"received-dmarc\"", "type": "main", "index": 0 } ] ] }, "SPF Authentication Checker": { "main": [ [ { "node": "Set SPF Pass Status", "type": "main", "index": 0 } ], [ { "node": "Set SPF Fail Status", "type": "main", "index": 0 } ], [ { "node": "Set SPF Neutral Status", "type": "main", "index": 0 } ], [ { "node": "Set SPF UnknownStatus", "type": "main", "index": 0 } ] ] }, "DMARC from \"received-dmarc\"": { "main": [ [ { "node": "Aggregate Authentication Data", "type": "main", "index": 0 } ] ] }, "Extract IPs from \"received\"": { "main": [ [ { "node": "Split Out IPs", "type": "main", "index": 0 } ] ] }, "Aggregate Authentication Data": { "main": [ [ { "node": "Merge Security Data", "type": "main", "index": 1 } ] ] }, "Authentication Results Present?": { "main": [ [ { "node": "SPF/DKIM/DMARC from \"authentication-results\"", "type": "main", "index": 0 }, { "node": "SPF Authentication Checker", "type": "main", "index": 0 } ], [ { "node": "SPF from \"received-spf\"", "type": "main", "index": 0 } ] ] }, "Extract Email Header from webhook": { "main": [ [ { "node": "Explode Email Header", "type": "main", "index": 0 } ] ] }, "Join results into one JSON object": { "main": [ [ { "node": "Respond to Webhook", "type": "main", "index": 0 } ] ] }, "Join IP Analysis into one JSON object": { "main": [ [ { "node": "Merge Security Data", "type": "main", "index": 0 } ] ] }, "SPF/DKIM/DMARC from \"authentication-results\"": { "main": [ [ { "node": "Merge Security Data", "type": "main", "index": 1 } ] ] } } }