FREE TEMPLATE
Automate IMAP to Slack Email Security Alerts
Views: 0
Downloads: 0
Nodes: 20
Utility Rating: 7 / 10
Business Function: IT
Automation Orchestrator: n8n
Integrations: SMTP Email, Slack, MySQL, IMAP Email
Trigger Type: On app event
Approximate setup time: ≈ 55 min

How to Automate IMAP to Slack Email Security Alerts?

Leon Petrou

Description

Collect DMARC reports from an inbox, store the data in MySQL, and alert your team in Slack when DKIM or SPF fail. It helps IT and security teams track email authentication problems without manual downloads or copy and paste. Weekly review time drops while visibility goes up.

New emails with ZIP attachments arrive through IMAP. Files are unzipped, XML is read, and the content is converted to JSON. The flow splits multiple records inside one report, renames keys for consistency, maps fields, and formats start and end dates so the database accepts them. All records go into a MySQL table, and a check flags failed results and sends a Slack message and an email alert.

Use a postmaster mailbox that receives DMARC aggregate reports. Add MySQL and Slack credentials, and confirm the database has the needed columns for the mapped fields. Expect faster incident response, fewer manual steps, and a complete history of reports for trend analysis and audits.


Tools Required

  • SMTP Email: Starter plan, $10 / mo, 10,000 emails / mo
  • Slack: Free plan, $0 / mo; limited to 10 apps (third-party or custom) and usable via Slack API
  • n8n: $24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.
  • MySQL: MySQL Community Edition (GPL), free ($0)
  • IMAP Email

What does this workflow do?

  • IMAP email listener downloads incoming attachments from the DMARC inbox
  • Unzips compressed report files before reading content
  • Extracts XML and converts it to JSON for easy mapping
  • Splits multiple records inside one report into separate items
  • Renames keys and maps fields to match the database schema
  • Formats date range start and end into a MySQL-friendly format
  • Inserts each record into a MySQL table with detailed output
  • Checks for DKIM or SPF issues and routes alerts
  • Sends a Slack message to a channel when problems are found
  • Sends an email notification for error or failure conditions

What are the benefits?

  • Reduce manual review from hours per week to minutes by automatically processing DMARC reports
  • Automate up to 90% of repetitive parsing and data entry tasks
  • Improve data accuracy by removing copy and paste errors from report handling
  • Connect email, database, and Slack so teams see issues in real time
  • Handle multi-record reports at scale without extra manual sorting

How to set this up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need accounts with IMAP Email, MySQL, Slack and SMTP Email. See the Tools Required section above for links to create accounts with these services.
  3. Prepare a mailbox that receives DMARC aggregate reports. Verify that reports arrive with ZIP attachments from your email provider or DNS setup.
  4. Open the Email Trigger node. In the 'Credential to connect with' dropdown, click 'Create new credential' and follow the on-screen steps to connect your IMAP account. Ensure attachment download is enabled.
  5. Check the Unzip File node. Confirm the binary property name matches the email attachment field, such as attachment_0. If your mailbox sends multiple attachments, test with a known DMARC ZIP.
  6. Open the Extract XML data and Parse XML nodes. Ensure the binary property names line up, for example file_0. Run a single test email to confirm JSON output is produced.
  7. Review the Split Out and Rename Keys steps. Confirm that feedback.record is mapped to a simple key like fbr so the next mapping step reads it correctly.
  8. Open the Set and DateTime nodes. Verify field names for date_range_begin and date_range_end and confirm the date format matches your MySQL DATETIME setting.
  9. Open the MySQL node. In the credentials dropdown, click 'Create new credential' and add your MySQL host, database, user, and password. Point to the target table and align the columns with the mapped fields.
  10. Open the Slack node. Click 'Create new credential' and finish Slack OAuth. Choose the channel for alerts and set a clear message template.
  11. Open the Email Send node. Create a new SMTP credential or select an existing one. Add a recipient for error or failure notifications.
  12. Test end-to-end by sending a sample DMARC ZIP to the inbox. Check the execution log: you should see parsed items, database inserts, and alerts when DKIM or SPF fail.
  13. If you see empty output, confirm binary property names and that the ZIP actually contains an XML report. If dates fail to insert, adjust the date format to match your database settings.
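
The same unzip, parse, split, date-format and DKIM/SPF check sequence can be reproduced outside n8n to validate what the workflow should emit for a given report. The following is an added example, not part of the template: the sample report is constructed, and the output keys other than date_range_begin and date_range_end, the size cap, and the DOCTYPE rejection are assumptions. It expects reports without an XML namespace.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap: mailbox attachments are untrusted input

# Constructed sample aggregate report (documentation IP ranges, made-up reporter).
SAMPLE_XML = b"""<feedback>
 <report_metadata><org_name>example-receiver</org_name>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <record><row><source_ip>192.0.2.10</source_ip><count>5</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>2</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.xml", SAMPLE_XML)
    return buf.getvalue()

def mysql_dt(epoch):
    # date_range values are Unix epoch seconds; MySQL DATETIME takes this text form
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_report_zip(zip_bytes):
    """Return one dict per <record>; alert is True when DKIM or SPF did not pass."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue  # ignore anything in the archive that is not a report
            if info.file_size > MAX_XML_BYTES:  # declared uncompressed size
                raise ValueError("report exceeds size cap: " + info.filename)
            data = zf.read(info)
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                raise ValueError("DTD content is not expected in a DMARC report")
            root = ET.fromstring(data)
            begin = mysql_dt(root.findtext("report_metadata/date_range/begin"))
            end = mysql_dt(root.findtext("report_metadata/date_range/end"))
            for rec in root.iter("record"):  # the split step: one item per record
                dkim = rec.findtext("row/policy_evaluated/dkim")
                spf = rec.findtext("row/policy_evaluated/spf")
                rows.append({"org_name": root.findtext("report_metadata/org_name"),
                             "date_range_begin": begin, "date_range_end": end,
                             "source_ip": rec.findtext("row/source_ip"),
                             "count": int(rec.findtext("row/count")),
                             "dkim": dkim, "spf": spf,
                             "alert": dkim != "pass" or spf != "pass"})
    return rows
```

Calling `parse_report_zip(sample_zip())` yields two rows, with only the second flagged for alerting. Comparing this output against the n8n execution log for the same ZIP helps when diagnosing the empty-output and date-format problems described in step 13.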


Similar Templates

n8n
IT
Automate IMAP Slack Incident Response
Collect user reported phishing emails from a dedicated inbox, scan the .eml file with a threat engine, and post clear results to Slack. Security teams get faster triage and a simple view of matched rules so they can act quickly. The flow starts with an IMAP email trigger that reads new messages and checks if an .eml attachment exists. If the file is present and the type is correct, the file is converted to a base64 string. That string is sent to Sublime Security for analysis using an HTTP request. A code step splits the returned rules into matched and unmatched lists. A message is then built with counts and rule names and sent to a Slack channel. If no attachment is found, a different Slack message alerts the team to review the report. You will need access to an IMAP mailbox that receives reported phishing emails, a Sublime Security API token, and Slack access to post to a channel. After setup, most emails move from inbox to Slack in minutes with very little manual work. This is useful for SecOps teams that want fast, consistent phishing triage with minimal handling.

These templates were sourced from publicly available materials across the web, including n8n’s official website, YouTube and public GitHub repositories. We have consolidated and categorized them for easy search and filtering, and supplemented them with links to integrations, step-by-step setup instructions, and personalized support in the Futurise community. Content in this library is provided for education, evaluation and internal use. Users are responsible for checking and complying with the license terms with the author of the templates before commercial use or redistribution. Where an original author was identified, attribution has been provided. Some templates did not include author information. If you know who created this template, please let us know so we can add the appropriate credit and reference link. If you are the author and would like this template removed from the library, email us at info@futurise.com and we will remove it promptly.