Email Header Validation

This IBM QRadar SOAR Function package can be used to analyze DKIM and ARC headers on a RFC822 formatted email. This email can be provide via a SOAR Attachment, SOAR Artifact, or string. Once the analysis is complete, the user is informed if the headers authenticate or not through a SOAR Note.

Table of Contents

• Release Notes

• Installation

  • Install

  • Uninstall

  • Distribution

  • Functions

Release Notes

Version	Date	Notes
1.0.2	05/2025	Converted example workflows to python3
1.0.1	04/2020	AppHost Support Added
1.0.0	02/2019	Initial Release

Installation

To install in development mode:

pip install -e ./fn_email_header_validation/

To uninstall:

pip uninstall fn_email_header_validation

To package for distribution:

python ./fn_email_header_validation/setup.py sdist

The resulting .tar.gz file can be installed using

pip install <filename>.tar.gz

How to use the function

1. Import the necessary customization data into the SOAR platform:

    resilient-circuits customize
   

   This creates the following customization components:

   • Function inputs:

     • email_header_validation_target_email

     • artifact_id

     • attachment_id

     • optional_incident_id

   • Message Destination: fn_email_header_validation

   • Function: email_header_validation_using_dkimarc

   • Workflows:

     • example_of_email_header_validation_using_dkimarc_artifact

     • example_of_email_header_validation_using_dkimarc_attachment

   • Rule: Email Header Avalidation Using DKIM/ARC

2. Start Resilient Circuits:

   resilient-circuits run
   

3. Trigger the rule.