n8n-flow

Watch DMARC, spam-complaint rate, and blocklist status before a sending domain gets suppressed

Difficulty

intermediate

Setup time

2-3 hours

For

revops · sdr-leader · gtm-engineer

RevOps

Stack

An n8n flow that polls Google Postmaster Tools, parses DMARC aggregate reports from a shared mailbox, runs DNSBL lookups across the major blocklists, and pulls bounce and complaint rates from Smartlead and Instantly — then alerts the assigned RevOps owner in Slack the moment any domain crosses a documented threshold, with a Claude-drafted remediation step attached. The bundle at apps/web/public/artifacts/email-deliverability-monitor-n8n/ ships the complete n8n export plus a _README.md covering import, environment variables, credential setup, threshold tuning, and per-branch verification.

When to use this

Use it when outbound volume is high enough that finding out a sending domain has been suppressed after the fact is a multi-week revenue event — typically when at least one team is sending more than 10,000 messages per week across two or more dedicated domains. By the time Gmail flips the bit and starts routing to spam, Postmaster Tools is already showing the spam rate over 0.3% — the Gmail and Yahoo bulk-sender threshold in effect since February 2024 — and you have already lost a deliverability cycle on every account currently in sequence. The point of this flow is to fire the alert when the rate crosses 0.1% — days before suppression, not days after.

It is also the right pattern when you operate multiple sending platforms (Smartlead for cold, Outreach for warm follow-up, a separate ESP for marketing) and need a single view that compares complaint and bounce rates across all of them on the same scale. The flow normalizes each vendor’s reporting into one record per domain per day so the RevOps lead can see in one Slack message whether the problem is platform-wide or isolated to one sender.

The Claude-drafted remediation step is the part that turns the alert from a notification into a runnable response. Each alert carries the specific corrective action — pause the sequence on a named domain, drop volume by 30% on warmup, request reinstatement from a named blocklist — based on which threshold tripped, not a generic “investigate deliverability.”

When NOT to use this

Skip this if your outbound volume is under 1,000 messages per week from a single domain. At that volume, Postmaster Tools will not show a usable spam-rate signal — the dashboard requires roughly 100+ daily deliveries to a Gmail address before reporting at all — and DMARC aggregate reports arrive too sparsely to drive a daily check. Watching deliverability manually inside the sending platform’s UI is the right tier of monitoring at that scale.

Skip it if you do not control your own sending domains. The flow assumes you have configured SPF, DKIM with at least one selector per domain, and DMARC with rua=mailto: reports going to a mailbox you can read. If you send through a shared subdomain on a vendor’s infrastructure (the default on most ESPs’ free tiers), DMARC RUA reports are aggregated at the vendor, not at you, and most of the polling paths in this flow return nothing useful.

Do not use the alert as the only deliverability discipline. The flow watches for the symptom — spam rate climbing, bounce rate climbing, a blocklist listing appearing — but the upstream cause (list hygiene, copy that triggers filters, sending pattern that looks like a burst) is a behavior problem. The weekly review where the RevOps lead and SDR manager look at the breakdown by sender and topic still has to happen.

Setup

Import the bundle. Drop apps/web/public/artifacts/email-deliverability-monitor-n8n/email-deliverability-monitor-n8n.json into n8n via Workflows → Import from File. Three trigger paths: a Schedule Trigger that runs every hour (Postmaster + DNSBL + ESP metric polls), a separate Schedule Trigger that runs every 15 minutes (IMAP poll for DMARC reports), and a manual webhook for ad-hoc domain checks.
Configure your domain register. The list of domains to watch lives in the Domain Register (Static) Code node — an array of objects shaped { domain, sendingPlatform, owner, slackHandle, severity }. Edit the array once with your real domains; the rest of the flow keys off it. Severity (primary / warmup / secondary) drives the alert color and the on-call routing.
Set environment variables. Twelve variables in total — Postmaster API token, IMAP credentials for the DMARC mailbox, Smartlead and Instantly API keys, DNSBL zone list, Slack channel names per severity tier, and the threshold values themselves. Full table is in _README.md. The thresholds default to: spam-rate alert at 0.1%, suppression threshold at 0.3%, bounce-rate alert at 5%, complaint-rate alert at 0.08%.
Wire credentials. Five credentials are required:
- PLACEHOLDER_POSTMASTER_CRED_ID — Google OAuth2 with gmail.postmaster.readonly scope
- PLACEHOLDER_IMAP_CRED_ID — IMAP login for the mailbox receiving DMARC RUA reports
- PLACEHOLDER_SMARTLEAD_CRED_ID — HTTP Header Auth with the Smartlead API key
- PLACEHOLDER_INSTANTLY_CRED_ID — HTTP Header Auth with the Instantly API key
- PLACEHOLDER_SLACK_CRED_ID — Slack bot token with chat:write
Point DMARC RUA to a real mailbox. In your DNS, the DMARC record for each watched domain should include rua=mailto:dmarc-reports@yourcompany.com. Create the mailbox if it does not exist. Most major mailbox providers (Google Workspace, Microsoft 365, Fastmail) deliver DMARC XML attachments without issue; the IMAP parser in the flow unzips .zip and .gz attachments and reads the XML directly.
Walk the verification. _README.md lists a five-step verification that exercises each branch — a manual webhook hit, a forced threshold trip, a stale-report test, a DNSBL false-positive test, and a multi-domain burst test. Run all five before activating the schedule triggers.

What the flow does

Schedule — Hourly Sweep fires every hour at the top of the hour and runs three parallel branches in a SplitInBatches: Postmaster Tools API (https://gmailpostmastertools.googleapis.com/v1/domains/<domain>/trafficStats) for each domain in the register, Smartlead /api/v1/campaign-statistics and Instantly /api/v2/accounts/health for the ESP-side numbers, and a DNSBL probe that performs A-record lookups against each blocklist’s zone (<reversed-ip>.<zone>) for the resolved IP of each domain’s MX record. The branches converge at Merge — Per-Domain Snapshot, which collapses one record per (domain, sourceMetric, dateBucket) and rejects records older than 26 hours so a slow API does not poison the most recent comparison.

Threshold Check (Code) reads the merged snapshot against the threshold envs and emits one of three statuses per metric: ok, alert (rate above alert threshold but below suppression), or critical (rate above suppression threshold OR domain appears on a blocklist). The Code node holds the policy in one place — every threshold and its rationale are commented inline so the RevOps lead can read and tune them without opening a JIRA ticket. The status is computed against the trailing 7-day rolling mean as well as the latest point, so a single noisy day does not page anyone, but a sustained 4-day drift does.

Dedup Gate (Static Data) reads $getWorkflowStaticData('global') for an alerted_<domain>_<metric>_<bucket> key. If the same domain crossed the same threshold within the last 12 hours, the gate halts the branch silently — exactly the behavior needed for an alert flow that polls hourly but where the underlying signal does not change that fast. Static data persists only on production executions, never on manual Execute Workflow runs, which is why the verification in _README.md uses the live schedule trigger rather than the manual-run button.

Claude — Remediation Draft posts to the Anthropic API with claude-haiku-4-5, an 8-second timeout, and a system prompt that maps the tripped metric to a specific corrective action: spam rate over 0.1% on a primary domain returns “pause the highest-volume sequence on <domain> for 24 hours and audit the last 200 sent messages for complaint patterns”; a blocklist listing returns “open a delisting request at <blocklist URL> and record why this IP was sending volume above its warmed-in cap”; bounce rate over 5% returns “run a list-scrub pass with <provider> on the last 30 days of imports before re-enabling sequences.” The draft is labeled “edit before action” in the Slack message — the rep confirms the action fits the situation; the flow does not auto-execute.

Slack — Notify posts to the channel matched to the alert’s severity (#deliverability-primary, #deliverability-warmup, #deliverability-secondary) with a Block Kit message: header with severity color, the offending metric and value vs. threshold, the rolling-mean comparison, and the Claude remediation draft. Critical-severity alerts also @-mention the on-call handle from the domain register so the right person is paged without polling the channel.

Schedule — DMARC Poll runs every 15 minutes and queries the IMAP mailbox for new messages with attachments matching *.xml, *.zip, or *.gz. Parse DMARC XML unzips and walks each report, extracts per-domain <source_ip> / <count> / <disposition> / <dkim> / <spf> triples, and pushes a structured record into the same threshold check path. The DMARC poll is the only branch that can catch a forged-sender problem from outside your sending platforms — it picks up spoofing attempts that show up nowhere else in the metric stack.

Cost reality

Per check, claude-haiku-4-5 runs only on threshold trips — the median day produces zero LLM calls. On a bad week, the flow might fire 5–10 alerts at roughly 500 input and 120 output tokens each, costing under $0.005 per alert at Haiku 4.5 pricing (~$0.80/M input, ~$4/M output). Monthly Claude cost stays under $1 for a typical 5-domain register.

Postmaster Tools API is free with a Google Workspace account; quota is well above hourly polling for a few dozen domains. Smartlead’s API is included with their $94/month base plan as of 2026-05; Instantly’s API is included with the Growth plan at $97/month. DNSBL queries to public lists (Spamhaus, Barracuda, SORBS, SpamCop) are free for non-commercial query volume; high-volume use requires a paid data feed at $1,500–$3,000/year per zone, which is out of scope at the volume this flow generates.

n8n self-hosted is free; n8n Cloud Starter at $20/month handles the 700–1,500 monthly executions a 5-domain register produces. The Slack bot, IMAP mailbox, and DNS lookups add no incremental cost. Total deliverability-monitoring spend over the baseline ESP cost: under $25/month.

Failure modes

Postmaster Tools data lag. Google’s Postmaster API publishes the previous day’s data in batches throughout the next day — the data point for 2026-05-25 may not appear until late on 2026-05-26 (UTC). A naive “latest point” comparison will alarm on a domain that simply has no recent data yet. Guard: Threshold Check (Code) requires at least two data points within the trailing 72 hours before flagging critical, and falls back to alert (not critical) when only one point is present. The threshold logic is commented inline and exposed as POSTMASTER_MIN_POINTS_FOR_CRITICAL so the on-call can tune it without a code change.
DMARC reports arrive in formats not every parser handles. Some mailbox providers (notably Microsoft 365 with certain anti-malware rules) strip .zip attachments or rewrite .gz to .gz_renamed. The IMAP poll will see the message but Parse DMARC XML will skip it and the failure will be silent. Guard: every IMAP message is logged with attachmentMatched: true/false, and the daily count is reported in a #deliverability-ops digest. If false exceeds 10% over a week, an escalation alert fires and the mailbox provider configuration is the suspect. _README.md documents the Microsoft 365 setting (Anti-Malware → Common Attachment Filter) that most often causes this.
DNSBL false positives during a delisting cycle. Some blocklists (notably Spamhaus DROP) cache aggressively at recursive resolvers. A domain that was delisted hours ago can still resolve as listed against a slow caching resolver. Guard: the DNSBL probe queries authoritative resolvers (8.8.8.8, 1.1.1.1) explicitly rather than the n8n host’s default resolver, and a critical alert requires the same listing to be confirmed against at least two of three resolvers in DNSBL_RESOLVERS. A single-resolver hit downgrades the severity to alert so the on-call investigates without paging.
Smartlead complaint-rate field changes. Smartlead’s /api/v1/campaign-statistics response shape has changed twice in the last 18 months — the complaint_rate field was renamed from spam_complaints in 2025-Q2. If Smartlead changes it again, the threshold check will read null and quietly pass every domain through ok. Guard: Merge — Per-Domain Snapshot rejects any record whose key metric field is null and routes the rejection to the #deliverability-ops log channel so a schema drift surfaces the same day, not the day after suppression.

vs alternatives

vs Google Postmaster Tools UI directly. Postmaster’s web UI is the source of truth for Gmail-side metrics, and for a single-domain operation it is enough — the UI shows spam rate, IP reputation, domain reputation, and delivery errors in one view. It does not, however, correlate with Microsoft, Yahoo, or your ESP’s complaint data, and it does not page anyone — a human has to remember to check it. This flow uses the same Postmaster API the UI uses and adds the multi-source correlation plus the alert channel. If your only sending platform is one Gmail-anchored domain, Postmaster UI plus a weekly calendar reminder is the lower-cost answer.

vs Mailgun, SendGrid, or Smartlead’s native deliverability dashboards. Each major sending platform ships its own deliverability view — Mailgun’s Deliverability Dashboard, SendGrid’s Reputation panel, Smartlead’s Master Inbox health metrics. Those are the most accurate source for that platform’s own send, but they are scoped to that platform. If you send across two or three platforms, the native dashboards force the RevOps lead to log into each one separately and compare apples-to-oranges scales. This flow’s load-bearing job is the cross-platform normalization. Use the native dashboards for the deep dive once the alert has named the affected platform.

vs paid third-party monitors like 250ok / Validity / GlockApps. These services run seed-list tests against the major mailbox providers and can detect placement drift earlier and at higher fidelity than Postmaster Tools alone, at $400–$2,500/month per domain depending on coverage. They are the right tier for a deliverability program at the $50M+ ARR scale where one Gmail folder switch is a measurable revenue hit. They are overkill for the under-$10M ARR teams this flow targets — the seed-list signal arrives at the same daily resolution as Postmaster Tools, and the threshold-and-alert layer this flow provides is what is actually missing at the smaller end. If your seed-list deliverability is already paid and monitored, keep that and skip this flow.

Pairs naturally with intent-spike-handler-n8n for the inbound side of the same RevOps n8n stack.

Edit this page on GitHub

Files in this artifact

Download all (.zip)

# Email deliverability monitor — n8n flow

This bundle contains a complete n8n workflow that polls Google Postmaster Tools, parses DMARC aggregate reports from a shared IMAP mailbox, runs DNSBL lookups across the major public blocklists, and pulls bounce / complaint metrics from Smartlead and Instantly — then alerts the assigned RevOps owner in Slack the moment any watched domain crosses a documented threshold, with a Claude-drafted remediation step attached.

Three entry points:

- **Hourly Sweep** — `Schedule — Hourly Sweep` fires at the top of every hour and runs the Postmaster, ESP, and DNSBL branches in parallel against every domain in the register.
- **DMARC Poll** — `Schedule — DMARC Poll` runs every 15 minutes and checks the IMAP mailbox for new DMARC aggregate reports.
- **Ad-hoc check** — `Webhook — Ad-hoc Domain Check` accepts `POST /webhook/deliverability-check` for one-off checks against a single domain.

## What this flow does

The hourly sweep loads the static domain register, fans out a Split In Batches (size 3 to stay under the per-second limits on Postmaster Tools and the public DNSBL zones), and runs four parallel polls per domain: Postmaster Tools `trafficStats` for the last 7 days, Smartlead `campaign-statistics` if the domain's `sendingPlatform` is `smartlead`, Instantly `accounts/health` if it's `instantly`, and a DNSBL probe that resolves the MX → IP → queries each configured blocklist zone via two of three resolvers.

The branches converge in `Merge — Per-Domain Snapshot`, which collapses each upstream's shape into one record per `(domain, sourceMetric, dateBucket)` and rejects records older than 26 hours. `Threshold Check (Code)` then applies per-metric alert and critical thresholds against the latest point AND a trailing 7-day rolling mean of the prior points. The thresholds default to the Gmail/Yahoo bulk-sender envelope (spam rate alert at 0.1%, critical at 0.3%) and are overridable via env vars.

`Dedup Gate (Static Data)` reads `$getWorkflowStaticData('global')` for a 12-hour-bucketed `alerted_<domain>_<metric>_<status>` key. If the same alert fired in the last 12 hours, the branch halts silently. Otherwise the gate stamps the key and continues. Static data persists only on production executions — never on manual Execute Workflow runs — which is why the verification below uses live triggers, not the manual-run button.

`Claude — Remediation Draft` posts to the Anthropic API with `claude-haiku-4-5`, an 8-second timeout, and a system prompt that asks for a structured JSON remediation with three fields: `action`, `why`, and `runbookUrl`. The system prompt names what the reader can actually do — pause a sequence, open a delisting request, run a list scrub — so the draft is runnable, not advisory. `Parse Remediation` falls back to a deterministic per-metric template when the LLM call times out or the response fails to parse, and tags `draftSource` so the rep sees whether they got `claude-haiku-4-5` or `template-fallback`.

`Slack — Notify` posts to one of three channels based on alert status and domain severity, using a Block Kit message with a header (severity color), a fields grid (metric, value, alert/critical thresholds, 7-day mean, severity), the remediation as a section block, and a context block @-mentioning the domain owner.

The DMARC branch is independent: `IMAP — DMARC Mailbox` reads new messages matching the `Report Domain` subject pattern, `Parse DMARC XML` unzips `.gz` / `.zip` attachments and walks the XML, and the resulting per-record rows feed into the same `Merge — Per-Domain Snapshot` node. DMARC records with both SPF and DKIM evaluating to `fail` are tagged `spoofingSuspect: true` — the only branch in the flow that can catch a forged-sender attack from outside your sending platforms.

## Import

1. In n8n, open **Workflows → Import from File** and select `email-deliverability-monitor-n8n.json`.
2. Open the workflow's **Settings** and confirm `Execution Order` is `v1` and `Timezone` matches your business hours (defaults to `America/New_York`). The cron expression interprets its schedule in this zone.
3. Edit the `Domain Register (Static)` Code node to your real domains. The default array contains three placeholder entries (`outbound.example.com`, `warm.example.io`, `news.example.com`); replace them.
4. Set the environment variables listed below.
5. Wire all five credentials listed in the Credentials section.
6. Run the five-step verification before activating either Schedule Trigger.

## Domain Register

The watched domains live in the `Domain Register (Static)` Code node — not in env vars, not in a database. The list is short, and putting it in the workflow keeps the version history in n8n's workflow versions alongside the threshold logic.

Each entry:

| Field | Values | Purpose |
|---|---|---|
| `domain` | the FQDN you send from (e.g. `outbound.example.com`) | Used as the API parameter for Postmaster, Smartlead, Instantly; used for MX lookup in DNSBL probe |
| `sendingPlatform` | `smartlead` / `instantly` / `outreach` / `gmail-direct` | Routes which ESP API gets polled (other branches no-op) |
| `owner` | email | Recorded in alert context |
| `slackHandle` | Slack handle without `@` | @-mentioned in the alert |
| `severity` | `primary` / `warmup` / `secondary` | Drives channel routing and on-call paging |

## Environment variables

Set these in your n8n instance's environment (n8n Cloud: **Settings → Environment Variables**; self-hosted: your `.env` file or container environment):

| Variable | Where to find it | Example |
|---|---|---|
| `DNSBL_ZONES` | Comma-separated list of blocklist zones to query. Defaults to Spamhaus, Barracuda, SpamCop. | `zen.spamhaus.org,b.barracudacentral.org,bl.spamcop.net` |
| `DNSBL_RESOLVERS` | Comma-separated resolver IPs. The probe queries 2-of-3 by default. | `8.8.8.8,1.1.1.1,9.9.9.9` |
| `SPAM_RATE_ALERT_THRESHOLD` | Decimal — value at which the alert fires. Default 0.001 (0.1%). | `0.001` |
| `SPAM_RATE_CRITICAL_THRESHOLD` | Decimal — value at which the critical fires. Default 0.003 (0.3%, the Gmail/Yahoo bulk-sender ceiling). | `0.003` |
| `BOUNCE_RATE_ALERT_THRESHOLD` | Decimal — alert. Default 0.05. | `0.05` |
| `BOUNCE_RATE_CRITICAL_THRESHOLD` | Decimal — critical. Default 0.10. | `0.10` |
| `COMPLAINT_RATE_ALERT_THRESHOLD` | Decimal — alert. Default 0.0008 (0.08%). | `0.0008` |
| `COMPLAINT_RATE_CRITICAL_THRESHOLD` | Decimal — critical. Default 0.003. | `0.003` |
| `POSTMASTER_MIN_POINTS_FOR_CRITICAL` | Integer — minimum trailing-72h points required before a Postmaster critical fires. Downgrades to alert when fewer points are available. | `2` |
| `SLACK_CHANNEL_CRITICAL` | Channel name (with `#`) for critical alerts. | `#deliverability-primary` |
| `SLACK_CHANNEL_WARMUP` | Channel for warmup-severity alerts. | `#deliverability-warmup` |
| `SLACK_CHANNEL_SECONDARY` | Channel for secondary-severity alerts. | `#deliverability-secondary` |

The DNSBL public lists allow non-commercial query volume free of charge. If your domain register grows past roughly 30 watched domains, switch to a paid data feed for the Spamhaus zone you query most often — public-resolver rate limits will start to drop queries silently.

## Credentials

### `PLACEHOLDER_POSTMASTER_CRED_ID` — Google Postmaster OAuth

Used by `HTTP — Postmaster Tools`. Postmaster Tools requires a Google Workspace account with the domain already verified in `https://postmaster.google.com`. Create an OAuth 2.0 client in Google Cloud Console with the `https://www.googleapis.com/auth/postmaster.readonly` scope, add it as a **Google OAuth2 API** credential in n8n, and authorize against the same account that owns the Postmaster Tools verification.

### `PLACEHOLDER_IMAP_CRED_ID` — DMARC RUA Mailbox

Used by `IMAP — DMARC Mailbox`. Create a dedicated mailbox (`dmarc-reports@yourcompany.com` is the convention) and point every DMARC RUA record at it. In n8n, add an **IMAP** credential with the mailbox host, port (993 for IMAPS), username, and an app password if your provider requires one. Google Workspace and Microsoft 365 both require app passwords or service-account delegation rather than the primary account password.

### `PLACEHOLDER_SMARTLEAD_CRED_ID` — Smartlead API key

Used by `HTTP — Smartlead Stats`. Generate an API key in Smartlead under **Settings → API Keys**. In n8n, add an **HTTP Header Auth** credential with header name `Authorization` and value `Bearer <your_key>`. Smartlead's API rate-limit is 1 request/second per key as of 2026-05; the Split In Batches batch size of 3 with the default Schedule Trigger interval of 1 hour stays well under this.

### `PLACEHOLDER_INSTANTLY_CRED_ID` — Instantly API key

Used by `HTTP — Instantly Health`. Generate an API key in Instantly under **Settings → Integrations → API Keys**. In n8n, add an **HTTP Header Auth** credential with header name `Authorization` and value `Bearer <your_key>`. Instantly's `/api/v2` endpoints require an account on the Growth plan or above.

### `PLACEHOLDER_SLACK_CRED_ID` — Slack bot token

Used by `Slack — Notify`. Create a Slack app at `https://api.slack.com/apps`, add the `chat:write` bot scope, install it to your workspace, and invite the bot user to each of the three deliverability channels. In n8n, add an **HTTP Header Auth** credential with header name `Authorization` and value `Bearer xoxb-…`. Create the channels (`#deliverability-primary`, `#deliverability-warmup`, `#deliverability-secondary`, `#deliverability-ops`) before activating; the channel names are env-overridable but must exist.

### `PLACEHOLDER_ANTHROPIC_CRED_ID` — Anthropic API key

Used by `Claude — Remediation Draft`. Generate an API key at `https://console.anthropic.com`. In n8n, add an **HTTP Header Auth** credential with header name `x-api-key` and value set to the key. The node uses `claude-haiku-4-5` to keep the call under 2 seconds at typical payload size. Cost is roughly $0.005 per alert on the median payload (~500 input + 120 output tokens).

## DMARC mailbox setup

For each watched domain, the DNS DMARC record should look like:

```
_dmarc.outbound.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourcompany.com; ruf=mailto:dmarc-reports@yourcompany.com; fo=1; adkim=r; aspf=r; pct=100"
```

Use `p=quarantine` or `p=reject` once you have established baseline reports show all legitimate sources passing. Starting on `p=none` will produce reports but no quarantining — the alert flow works either way; the policy choice is unrelated.

Most major mailbox providers deliver DMARC XML attachments without rewriting. Three known sources of silent attachment loss:

1. **Microsoft 365 with the default Anti-Malware Policy** — the Common Attachment Filter strips `.zip` from inbound mail. Setting: **Microsoft 365 Defender → Email & collaboration → Policies & rules → Anti-malware → Default policy → Protection settings → Common Attachment Filter → File types**. Remove `zip` from the blocked list, or create a transport rule that exempts messages from `dmarc-reports@yourcompany.com`.
2. **Gmail with strict attachment scanning** — `.gz` files are sometimes flagged. Gmail does not strip them but may quarantine the message. If reports stop arriving from a specific reporter, check the Quarantine in Google Workspace admin.
3. **Provider-side rewriting** — a few providers rename `.gz` to `.gz_renamed`. The parser will skip these and log `attachmentMatched: false`. Add a filename rule at the mailbox level to revert the name.

## Verification

Run all five before activating either Schedule Trigger. The flow should NOT be Active during steps 1-4.

### 1. Manual webhook hit against a known domain

POST a single-domain check to the webhook endpoint:

```bash
curl -X POST "https://<your-n8n-host>/webhook/deliverability-check" \
-H "Content-Type: application/json" \
-d '{"domain": "outbound.example.com"}'
```

Expected: 202 response, and within ~30 seconds you see the Slack message in `#deliverability-primary` IF the domain has any threshold trip. If not, the execution log in n8n should show all four branches running with `status: ok` outputs from `Threshold Check (Code)`.

### 2. Forced threshold trip

Temporarily set `SPAM_RATE_ALERT_THRESHOLD=0` and `SPAM_RATE_CRITICAL_THRESHOLD=0`, then re-run the manual webhook. Every Postmaster point will trip. You should see one Slack alert per domain — NOT multiple, because the dedup gate within a 12-hour window collapses them. Reset the env vars afterward.

### 3. Stale-report test

Edit `Merge — Per-Domain Snapshot` temporarily to set the `MAX_AGE_MS` constant to `0`. Re-run. Every Postmaster record should be rejected (collected-at older than 0ms), and you should see the resulting `status: ok` (no data → no alert) rather than spurious alerts on missing data. Revert the constant.

### 4. DNSBL false-positive test

In `DNSBL Probe (Code)`, hardcode a known-clean IP (e.g. `8.8.8.8`) in place of the MX lookup result and re-run. The probe should return `dnsblStatus: ok` with an empty `listings` array. Then hardcode a known-listed test IP from `127.0.0.2` (the standard Spamhaus self-test address — listed on `zen.spamhaus.org` by design) and confirm `dnsblStatus: critical` with the listing recorded. Revert.

### 5. Multi-domain burst test

Add five extra domains to `Domain Register (Static)` temporarily and run the manual webhook. Confirm the Split In Batches handles them without rate-limit errors from Postmaster Tools. The execution log should show the second batch starting ~1 second after the first. Revert.

After verifying all five, set both Schedule Triggers to Active and confirm the next top-of-hour execution runs cleanly in production mode (the dedup gate's static data only persists on production runs).

## Known limits

1. **Single-file zip assumption.** `Parse DMARC XML` uses a minimal zip reader that assumes one file per archive (the DMARC norm). Multi-file zips will fail to parse. If you see `dmarc-parse-error` rows with `error: 'not a zip'` for `.zip` attachments, replace the unwrap function with a real zip library (`adm-zip` is available in most n8n environments).
2. **Postmaster Tools data lag.** Google publishes the previous day's data in batches throughout the next day. The `POSTMASTER_MIN_POINTS_FOR_CRITICAL` env var downgrades single-point days from critical to alert; do not lower it below 2 without accepting noisier paging.
3. **DNSBL public-resolver rate limits.** Spamhaus, Barracuda, and SpamCop all rate-limit queries from common public resolvers. At a register size of 5-10 domains with hourly polling this is well within limits; past ~30 domains, switch the high-volume zone to a paid data feed.
4. **No automatic delisting requests.** The flow surfaces the delisting URL in the Claude remediation draft. Filing the request still requires a human; most blocklists require account creation and a reason-for-listing explanation.
5. **Not runtime-tested in this repo.** The bundle is a complete export and has been hand-walked node by node, but it has not been imported into a live n8n instance against a production Google Workspace and Smartlead account. Treat the verification above as a real first run, not a smoke test.

{
  "name": "Email deliverability monitor — alert before suppression",
  "nodes": [
    {
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "cronExpression",
              "expression": "0 * * * *"
            }
          ]
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000001",
      "name": "Schedule — Hourly Sweep",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1.2,
      "position": [200, 200],
      "notesInFlow": true,
      "notes": "Fires at the top of every hour. Drives the Postmaster, ESP, and DNSBL branches. Cron expression interpreted in workflow timezone (set in Settings)."
    },
    {
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "minutes",
              "minutesInterval": 15
            }
          ]
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000002",
      "name": "Schedule — DMARC Poll",
      "type": "n8n-nodes-base.scheduleTrigger",
      "typeVersion": 1.2,
      "position": [200, 1400],
      "notesInFlow": true,
      "notes": "Polls the DMARC RUA mailbox every 15 minutes for new aggregate reports."
    },
    {
      "parameters": {
        "httpMethod": "POST",
        "path": "deliverability-check",
        "responseMode": "responseNode",
        "options": {
          "rawBody": false
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000003",
      "name": "Webhook — Ad-hoc Domain Check",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 2,
      "position": [200, 1700],
      "webhookId": "deliverability-check-webhook",
      "notesInFlow": true,
      "notes": "Manual check entrypoint. POST { \"domain\": \"example.com\" } to run the full sweep against a single domain on demand."
    },
    {
      "parameters": {
        "respondWith": "json",
        "responseBody": "={ \"received\": true, \"domain\": \"{{ $json.body.domain }}\" }",
        "options": {
          "responseCode": 202
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000004",
      "name": "Respond 202 Accepted",
      "type": "n8n-nodes-base.respondToWebhook",
      "typeVersion": 1.1,
      "position": [200, 1880],
      "notesInFlow": true,
      "notes": "Return immediately so the caller is not blocked on the downstream polls."
    },
    {
      "parameters": {
        "jsCode": "// Domain Register — the single source of truth for which domains this flow monitors.\n// Edit this array once to add or remove a watched domain. The rest of the flow\n// keys off the records emitted here.\n//\n// severity values:\n//   primary   — the main production sending domain; pages on-call on critical\n//   warmup    — a domain currently in warmup; lower thresholds applied\n//   secondary — a tertiary domain (newsletters, system mail); logs only\n//\n// sendingPlatform values are free-form strings; used to route ESP API polls.\n//   Supported out of the box: 'smartlead', 'instantly', 'outreach', 'gmail-direct'.\n\nconst register = [\n  {\n    domain: 'outbound.example.com',\n    sendingPlatform: 'smartlead',\n    owner: 'revops-lead@example.com',\n    slackHandle: 'revops-lead',\n    severity: 'primary',\n  },\n  {\n    domain: 'warm.example.io',\n    sendingPlatform: 'smartlead',\n    owner: 'sdr-leader@example.com',\n    slackHandle: 'sdr-leader',\n    severity: 'warmup',\n  },\n  {\n    domain: 'news.example.com',\n    sendingPlatform: 'instantly',\n    owner: 'marketing-ops@example.com',\n    slackHandle: 'marketing-ops',\n    severity: 'secondary',\n  },\n];\n\nreturn register.map((r) => ({ json: r }));"
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000005",
      "name": "Domain Register (Static)",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [420, 200],
      "notesInFlow": true,
      "notes": "Edit the array to your real domains. severity drives alert color and routing."
    },
    {
      "parameters": {
        "batchSize": 3,
        "options": {
          "reset": false
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000006",
      "name": "Split In Batches",
      "type": "n8n-nodes-base.splitInBatches",
      "typeVersion": 3,
      "position": [640, 200],
      "notesInFlow": true,
      "notes": "Batches of 3 to keep Postmaster API and DNSBL probes under their per-second limits."
    },
    {
      "parameters": {
        "method": "GET",
        "url": "=https://gmailpostmastertools.googleapis.com/v1/domains/{{ $json.domain }}/trafficStats",
        "authentication": "predefinedCredentialType",
        "nodeCredentialType": "googleApi",
        "sendQuery": true,
        "queryParameters": {
          "parameters": [
            {
              "name": "startDate.year",
              "value": "={{ new Date(Date.now() - 7*86400*1000).getUTCFullYear() }}"
            },
            {
              "name": "startDate.month",
              "value": "={{ new Date(Date.now() - 7*86400*1000).getUTCMonth() + 1 }}"
            },
            {
              "name": "startDate.day",
              "value": "={{ new Date(Date.now() - 7*86400*1000).getUTCDate() }}"
            }
          ]
        },
        "options": {
          "timeout": 10000,
          "response": {
            "response": {
              "neverError": true,
              "responseFormat": "json"
            }
          }
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000007",
      "name": "HTTP — Postmaster Tools",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [860, 100],
      "credentials": {
        "googleApi": {
          "id": "PLACEHOLDER_POSTMASTER_CRED_ID",
          "name": "Google Postmaster OAuth"
        }
      },
      "notesInFlow": true,
      "notes": "Pulls trafficStats for the last 7 days. neverError so a 401/404 does not halt the batch."
    },
    {
      "parameters": {
        "method": "GET",
        "url": "=https://server.smartlead.ai/api/v1/campaign-statistics?domain={{ $json.domain }}",
        "authentication": "predefinedCredentialType",
        "nodeCredentialType": "httpHeaderAuth",
        "options": {
          "timeout": 10000,
          "response": {
            "response": {
              "neverError": true,
              "responseFormat": "json"
            }
          }
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000008",
      "name": "HTTP — Smartlead Stats",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [860, 250],
      "credentials": {
        "httpHeaderAuth": {
          "id": "PLACEHOLDER_SMARTLEAD_CRED_ID",
          "name": "Smartlead API Key"
        }
      },
      "notesInFlow": true,
      "notes": "Reads Smartlead campaign-level complaint and bounce rates for the watched domain. Only runs when sendingPlatform === 'smartlead'."
    },
    {
      "parameters": {
        "method": "GET",
        "url": "=https://api.instantly.ai/api/v2/accounts/health?domain={{ $json.domain }}",
        "authentication": "predefinedCredentialType",
        "nodeCredentialType": "httpHeaderAuth",
        "options": {
          "timeout": 10000,
          "response": {
            "response": {
              "neverError": true,
              "responseFormat": "json"
            }
          }
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000009",
      "name": "HTTP — Instantly Health",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [860, 400],
      "credentials": {
        "httpHeaderAuth": {
          "id": "PLACEHOLDER_INSTANTLY_CRED_ID",
          "name": "Instantly API Key"
        }
      },
      "notesInFlow": true,
      "notes": "Reads Instantly account health for the domain. Only runs when sendingPlatform === 'instantly'."
    },
    {
      "parameters": {
        "jsCode": "// DNSBL Probe — A-record lookups against each blocklist zone.\n// Resolves the MX IP for the domain, then queries each configured zone with\n// the reversed-octet form: <reversed-ip>.<zone>. Any A-record reply means listed.\n//\n// To avoid resolver-caching false positives, every query goes to two of the\n// three resolvers configured in DNSBL_RESOLVERS, and a 'critical' status\n// requires confirmation from at least two of three.\n\nimport dns from 'dns/promises';\n\nconst zones = ($env.DNSBL_ZONES || 'zen.spamhaus.org,b.barracudacentral.org,bl.spamcop.net').split(',').map(z => z.trim());\nconst resolvers = ($env.DNSBL_RESOLVERS || '8.8.8.8,1.1.1.1,9.9.9.9').split(',').map(r => r.trim());\nconst domain = $json.domain;\nconst severity = $json.severity;\n\nasync function reverseIp(ip) {\n  return ip.split('.').reverse().join('.');\n}\n\nasync function resolveWith(resolverIp, hostname) {\n  const resolver = new dns.Resolver();\n  resolver.setServers([resolverIp]);\n  try {\n    const records = await resolver.resolve4(hostname);\n    return records.length > 0;\n  } catch (_) {\n    return false; // NXDOMAIN or timeout = not listed against this resolver\n  }\n}\n\nasync function getMxIp(d) {\n  try {\n    const mxs = await dns.resolveMx(d);\n    if (!mxs.length) return null;\n    mxs.sort((a, b) => a.priority - b.priority);\n    const a = await dns.resolve4(mxs[0].exchange);\n    return a[0];\n  } catch (_) {\n    return null;\n  }\n}\n\nconst ip = await getMxIp(domain);\nif (!ip) {\n  return [{ json: { domain, severity, sourceMetric: 'dnsbl', dnsblStatus: 'no-mx', listings: [], probedAt: new Date().toISOString() } }];\n}\n\nconst reversed = await reverseIp(ip);\nconst listings = [];\n\nfor (const zone of zones) {\n  const fqdn = `${reversed}.${zone}`;\n  const hits = [];\n  for (const r of resolvers) {\n    if (await resolveWith(r, fqdn)) hits.push(r);\n  }\n  if (hits.length > 0) {\n    listings.push({ zone, resolversAgreeing: hits.length, confirmedAt: new Date().toISOString() });\n  }\n}\n\nconst status = listings.some(l => l.resolversAgreeing >= 2) ? 'critical' : (listings.length > 0 ? 'alert' : 'ok');\n\nreturn [{ json: { domain, severity, sourceMetric: 'dnsbl', dnsblStatus: status, listings, mxIp: ip, probedAt: new Date().toISOString() } }];"
      },
      "id": "4b4b4b4b-0001-0000-0000-00000000000a",
      "name": "DNSBL Probe (Code)",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [860, 550],
      "notesInFlow": true,
      "notes": "Resolves MX → IP → queries each zone with reversed-octet form against 3 resolvers. status='critical' requires 2-of-3 resolver agreement."
    },
    {
      "parameters": {
        "jsCode": "// Merge — Per-Domain Snapshot\n// Collects the outputs from the three upstream HTTP/Code nodes (Postmaster,\n// ESP, DNSBL) and emits one record per (domain, sourceMetric, dateBucket).\n//\n// Reject records older than 26 hours so a slow upstream API does not poison\n// the most recent comparison. Also reject any record whose key metric is null\n// — that indicates schema drift at the source and routes to #deliverability-ops\n// via the Threshold Check fallthrough.\n\nconst items = $input.all();\nconst now = Date.now();\nconst MAX_AGE_MS = 26 * 3600 * 1000;\nconst out = [];\n\nfor (const item of items) {\n  const j = item.json;\n  const domain = j.domain;\n  const severity = j.severity;\n\n  // Postmaster shape: { trafficStats: [ { date, spammyFeedbackLoops, userReportedSpamRatio, ... } ] }\n  if (Array.isArray(j.trafficStats)) {\n    for (const point of j.trafficStats) {\n      const dateBucket = `${point.date?.year}-${String(point.date?.month).padStart(2, '0')}-${String(point.date?.day).padStart(2, '0')}`;\n      const ageMs = now - Date.parse(dateBucket + 'T00:00:00Z');\n      if (ageMs > 7 * 24 * 3600 * 1000) continue;\n      out.push({\n        json: {\n          domain, severity, sourceMetric: 'postmaster-spam-rate', dateBucket,\n          value: point.userReportedSpamRatio ?? null,\n          rawDomainReputation: point.domainReputation ?? null,\n          rawIpReputations: point.ipReputations ?? null,\n          collectedAt: new Date().toISOString(),\n        }\n      });\n    }\n    continue;\n  }\n\n  // Smartlead shape: { domain, complaint_rate, bounce_rate, last_updated }\n  if (j.complaint_rate !== undefined || j.bounce_rate !== undefined) {\n    const lastUpdated = j.last_updated ? Date.parse(j.last_updated) : now;\n    if (now - lastUpdated > MAX_AGE_MS) continue;\n    if (j.complaint_rate === null || j.complaint_rate === undefined) {\n      out.push({ json: { domain, severity, sourceMetric: 'smartlead-schema-drift', value: null, collectedAt: new Date().toISOString() } });\n    } else {\n      out.push({ json: { domain, severity, sourceMetric: 'smartlead-complaint-rate', dateBucket: new Date(lastUpdated).toISOString().slice(0,10), value: j.complaint_rate, collectedAt: new Date().toISOString() } });\n      out.push({ json: { domain, severity, sourceMetric: 'smartlead-bounce-rate', dateBucket: new Date(lastUpdated).toISOString().slice(0,10), value: j.bounce_rate, collectedAt: new Date().toISOString() } });\n    }\n    continue;\n  }\n\n  // Instantly shape: { domain, health_score, bounce_rate, spam_rate, last_synced_at }\n  if (j.health_score !== undefined || j.spam_rate !== undefined) {\n    const lastUpdated = j.last_synced_at ? Date.parse(j.last_synced_at) : now;\n    if (now - lastUpdated > MAX_AGE_MS) continue;\n    out.push({ json: { domain, severity, sourceMetric: 'instantly-spam-rate', dateBucket: new Date(lastUpdated).toISOString().slice(0,10), value: j.spam_rate ?? null, collectedAt: new Date().toISOString() } });\n    out.push({ json: { domain, severity, sourceMetric: 'instantly-bounce-rate', dateBucket: new Date(lastUpdated).toISOString().slice(0,10), value: j.bounce_rate ?? null, collectedAt: new Date().toISOString() } });\n    continue;\n  }\n\n  // DNSBL shape already has sourceMetric set\n  if (j.sourceMetric === 'dnsbl') {\n    out.push({ json: { ...j, dateBucket: new Date().toISOString().slice(0,10), collectedAt: new Date().toISOString() } });\n    continue;\n  }\n}\n\nreturn out;"
      },
      "id": "4b4b4b4b-0001-0000-0000-00000000000b",
      "name": "Merge — Per-Domain Snapshot",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [1100, 300],
      "notesInFlow": true,
      "notes": "Normalizes Postmaster, Smartlead, Instantly, and DNSBL outputs into one record-per-(domain,metric,dateBucket). Rejects stale (>26h) and null-metric records."
    },
    {
      "parameters": {
        "jsCode": "// Threshold Check — apply alert/critical thresholds per metric.\n//\n// Policy lives here, in one place. Every threshold below is overridable via\n// an env var so an on-call can tune without a code change.\n//\n// Status semantics:\n//   ok       — no action needed\n//   alert    — early warning; metric crossed alert threshold, still below suppression\n//   critical — suppression imminent (or in progress for blocklist listings)\n//\n// Critical-on-Postmaster requires at least 2 data points in the last 72h to\n// avoid alarming on a missing data day. POSTMASTER_MIN_POINTS_FOR_CRITICAL\n// is configurable.\n\nconst items = $input.all();\nconst thresholds = {\n  spamRateAlert: parseFloat($env.SPAM_RATE_ALERT_THRESHOLD || '0.001'),       // 0.1%\n  spamRateCritical: parseFloat($env.SPAM_RATE_CRITICAL_THRESHOLD || '0.003'), // 0.3% — Gmail/Yahoo bulk-sender ceiling\n  bounceRateAlert: parseFloat($env.BOUNCE_RATE_ALERT_THRESHOLD || '0.05'),    // 5%\n  bounceRateCritical: parseFloat($env.BOUNCE_RATE_CRITICAL_THRESHOLD || '0.10'), // 10%\n  complaintRateAlert: parseFloat($env.COMPLAINT_RATE_ALERT_THRESHOLD || '0.0008'), // 0.08%\n  complaintRateCritical: parseFloat($env.COMPLAINT_RATE_CRITICAL_THRESHOLD || '0.003'),\n  postmasterMinPointsForCritical: parseInt($env.POSTMASTER_MIN_POINTS_FOR_CRITICAL || '2', 10),\n};\n\n// Group by (domain, sourceMetric) for rolling-mean computation\nconst groups = new Map();\nfor (const it of items) {\n  const key = `${it.json.domain}::${it.json.sourceMetric}`;\n  if (!groups.has(key)) groups.set(key, []);\n  groups.get(key).push(it.json);\n}\n\nconst out = [];\nfor (const [key, points] of groups) {\n  points.sort((a, b) => (a.dateBucket || '').localeCompare(b.dateBucket || ''));\n  const latest = points[points.length - 1];\n  if (!latest) continue;\n\n  // Schema drift sentinel — surface to ops, do not page\n  if (latest.sourceMetric.endsWith('-schema-drift')) {\n    out.push({ json: { ...latest, status: 'ops', reason: 'schema-drift detected, value is null' } });\n    continue;\n  }\n\n  // DNSBL has its own pre-computed status\n  if (latest.sourceMetric === 'dnsbl') {\n    out.push({ json: { ...latest, status: latest.dnsblStatus } });\n    continue;\n  }\n\n  const value = latest.value;\n  if (value === null || value === undefined) {\n    out.push({ json: { ...latest, status: 'ops', reason: 'value-null' } });\n    continue;\n  }\n\n  // Rolling 7-day mean (excluding the latest point so the comparison is to history)\n  const history = points.slice(0, -1).map(p => p.value).filter(v => v !== null && v !== undefined);\n  const mean = history.length > 0 ? history.reduce((a, b) => a + b, 0) / history.length : null;\n\n  let alertThr, criticalThr;\n  if (latest.sourceMetric.endsWith('spam-rate')) { alertThr = thresholds.spamRateAlert; criticalThr = thresholds.spamRateCritical; }\n  else if (latest.sourceMetric.endsWith('bounce-rate')) { alertThr = thresholds.bounceRateAlert; criticalThr = thresholds.bounceRateCritical; }\n  else if (latest.sourceMetric.endsWith('complaint-rate')) { alertThr = thresholds.complaintRateAlert; criticalThr = thresholds.complaintRateCritical; }\n  else { out.push({ json: { ...latest, status: 'ok' } }); continue; }\n\n  let status = 'ok';\n  if (latest.sourceMetric.startsWith('postmaster-') && points.length < thresholds.postmasterMinPointsForCritical && value >= criticalThr) {\n    status = 'alert'; // Downgrade — not enough points to call this critical\n  } else if (value >= criticalThr) {\n    status = 'critical';\n  } else if (value >= alertThr) {\n    status = 'alert';\n  }\n\n  out.push({ json: { ...latest, status, rollingMean: mean, alertThreshold: alertThr, criticalThreshold: criticalThr } });\n}\n\nreturn out;"
      },
      "id": "4b4b4b4b-0001-0000-0000-00000000000c",
      "name": "Threshold Check (Code)",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [1340, 300],
      "notesInFlow": true,
      "notes": "All policy is in this node. Thresholds overridable via env. Postmaster downgrades critical→alert when fewer than POSTMASTER_MIN_POINTS_FOR_CRITICAL points exist."
    },
    {
      "parameters": {
        "jsCode": "// Dedup Gate (Static Data)\n// Per (domain, metric, 12h-bucket) key. If we already alerted this key,\n// halt the branch silently. Else stamp and continue.\n//\n// Important: workflow static data only persists for production executions\n// (webhook, schedule trigger) — not manual Execute Workflow runs. The\n// verification in _README.md covers this.\n\nconst data = $getWorkflowStaticData('global');\nif (!data.alerted) data.alerted = {};\n\nconst now = Date.now();\nconst TWELVE_HOURS = 12 * 3600 * 1000;\n\n// Prune older than 48h\nfor (const k of Object.keys(data.alerted)) {\n  if (now - data.alerted[k] > 48 * 3600 * 1000) delete data.alerted[k];\n}\n\nconst items = $input.all();\nconst out = [];\nfor (const it of items) {\n  const j = it.json;\n  if (j.status === 'ok' || j.status === 'ops') {\n    out.push({ json: { ...j, dedupResult: 'pass-through-non-alerting' } });\n    continue;\n  }\n  const bucket = Math.floor(now / TWELVE_HOURS);\n  const key = `alerted_${j.domain}_${j.sourceMetric}_${j.status}_${bucket}`;\n  if (data.alerted[key]) {\n    // Silently halt — same alert was already sent within the 12h window\n    continue;\n  }\n  data.alerted[key] = now;\n  out.push({ json: { ...j, dedupKey: key, firstAlerted: new Date(now).toISOString() } });\n}\n\nreturn out;"
      },
      "id": "4b4b4b4b-0001-0000-0000-00000000000d",
      "name": "Dedup Gate (Static Data)",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [1580, 300],
      "notesInFlow": true,
      "notes": "12-hour dedup window per (domain, metric, status). Static data only persists on production runs."
    },
    {
      "parameters": {
        "method": "POST",
        "url": "https://api.anthropic.com/v1/messages",
        "authentication": "predefinedCredentialType",
        "nodeCredentialType": "httpHeaderAuth",
        "sendHeaders": true,
        "headerParameters": {
          "parameters": [
            { "name": "anthropic-version", "value": "2023-06-01" },
            { "name": "content-type", "value": "application/json" }
          ]
        },
        "sendBody": true,
        "specifyBody": "json",
        "jsonBody": "={\n  \"model\": \"claude-haiku-4-5\",\n  \"max_tokens\": 300,\n  \"system\": \"You write a single corrective action for an email deliverability alert. Output JSON: { \\\"action\\\": <imperative sentence naming the platform, domain, and step>, \\\"why\\\": <one short sentence>, \\\"runbookUrl\\\": <string or empty> }. Do not hedge. Do not add unrelated advice. The reader is a RevOps lead who can pause a sequence, scrub a list, or open a delisting request directly.\",\n  \"messages\": [{\n    \"role\": \"user\",\n    \"content\": \"Alert payload:\\ndomain: {{ $json.domain }}\\nseverity: {{ $json.severity }}\\nstatus: {{ $json.status }}\\nmetric: {{ $json.sourceMetric }}\\nvalue: {{ $json.value }}\\nrolling 7d mean: {{ $json.rollingMean }}\\nalert threshold: {{ $json.alertThreshold }}\\ncritical threshold: {{ $json.criticalThreshold }}\\nDNSBL listings: {{ JSON.stringify($json.listings || []) }}\\n\\nReturn ONLY the JSON.\"\n  }]\n}",
        "options": {
          "timeout": 8000,
          "response": {
            "response": {
              "neverError": true,
              "responseFormat": "json"
            }
          }
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-00000000000e",
      "name": "Claude — Remediation Draft",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [1820, 300],
      "credentials": {
        "httpHeaderAuth": {
          "id": "PLACEHOLDER_ANTHROPIC_CRED_ID",
          "name": "Anthropic API Key"
        }
      },
      "notesInFlow": true,
      "notes": "Haiku 4.5, 8s timeout, neverError. Returns a structured JSON remediation. Template fallback applied downstream."
    },
    {
      "parameters": {
        "jsCode": "// Parse Remediation (with template fallback)\n// On a Claude timeout or malformed JSON, fall back to a deterministic\n// template per metric. The Slack message tags draftSource so the rep\n// knows whether they got the LLM draft or the fallback.\n\nconst items = $input.all();\nconst out = [];\n\nfunction templateFor(json) {\n  const m = json.sourceMetric || '';\n  const d = json.domain;\n  if (m === 'dnsbl') {\n    const zones = (json.listings || []).map(l => l.zone).join(', ');\n    return {\n      action: `Open a delisting request at ${zones || '<blocklist URL>'} for ${d}. Record why the IP was sending volume above its warmed-in cap.`,\n      why: 'Domain or MX IP is listed on a major blocklist; inbound deliverability is degraded until delisted.',\n      runbookUrl: '',\n    };\n  }\n  if (m.endsWith('spam-rate')) {\n    return {\n      action: `Pause the highest-volume sequence on ${d} for 24 hours and audit the last 200 sent messages for complaint patterns.`,\n      why: `Spam rate ${json.value} is over the ${json.alertThreshold} alert threshold; suppression follows ${json.criticalThreshold}.`,\n      runbookUrl: '',\n    };\n  }\n  if (m.endsWith('bounce-rate')) {\n    return {\n      action: `Run a list-scrub pass on the last 30 days of imports for ${d} before re-enabling sequences.`,\n      why: `Bounce rate ${json.value} is over the ${json.alertThreshold} alert threshold; further sending raises spam-trap risk.`,\n      runbookUrl: '',\n    };\n  }\n  return {\n    action: `Investigate ${m} on ${d}; current value ${json.value} exceeds ${json.alertThreshold}.`,\n    why: 'Threshold tripped without a templated remediation.',\n    runbookUrl: '',\n  };\n}\n\nfor (const it of items) {\n  const j = it.json;\n  let remediation = null;\n  let draftSource = 'template-fallback';\n  const claude = j.content?.[0]?.text || j.completion || null;\n  if (claude) {\n    try {\n      remediation = JSON.parse(claude);\n      if (remediation && remediation.action) draftSource = 'claude-haiku-4-5';\n    } catch (_) {\n      remediation = null;\n    }\n  }\n  if (!remediation) remediation = templateFor(j);\n  out.push({ json: { ...j, remediation, draftSource } });\n}\n\nreturn out;"
      },
      "id": "4b4b4b4b-0001-0000-0000-00000000000f",
      "name": "Parse Remediation",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [2060, 300],
      "notesInFlow": true,
      "notes": "Claude-or-template fallback. draftSource tag exposed in Slack so reps know which they received."
    },
    {
      "parameters": {
        "method": "POST",
        "url": "https://slack.com/api/chat.postMessage",
        "authentication": "predefinedCredentialType",
        "nodeCredentialType": "httpHeaderAuth",
        "sendBody": true,
        "specifyBody": "json",
        "jsonBody": "={\n  \"channel\": \"{{ $json.status === 'critical' ? ($env.SLACK_CHANNEL_CRITICAL || '#deliverability-primary') : ($json.severity === 'warmup' ? ($env.SLACK_CHANNEL_WARMUP || '#deliverability-warmup') : ($env.SLACK_CHANNEL_SECONDARY || '#deliverability-secondary')) }}\",\n  \"text\": \"Deliverability {{ $json.status }} on {{ $json.domain }} ({{ $json.sourceMetric }})\",\n  \"blocks\": [\n    { \"type\": \"header\", \"text\": { \"type\": \"plain_text\", \"text\": \"{{ $json.status === 'critical' ? '🚨' : '⚠️' }} {{ $json.status.toUpperCase() }} — {{ $json.domain }}\" } },\n    { \"type\": \"section\", \"fields\": [\n      { \"type\": \"mrkdwn\", \"text\": \"*Metric*\\n{{ $json.sourceMetric }}\" },\n      { \"type\": \"mrkdwn\", \"text\": \"*Value*\\n{{ $json.value }}\" },\n      { \"type\": \"mrkdwn\", \"text\": \"*Alert at*\\n{{ $json.alertThreshold }}\" },\n      { \"type\": \"mrkdwn\", \"text\": \"*Critical at*\\n{{ $json.criticalThreshold }}\" },\n      { \"type\": \"mrkdwn\", \"text\": \"*7d mean*\\n{{ $json.rollingMean }}\" },\n      { \"type\": \"mrkdwn\", \"text\": \"*Severity*\\n{{ $json.severity }}\" }\n    ] },\n    { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"*Recommended action (edit before action — `{{ $json.draftSource }}`)*\\n{{ $json.remediation.action }}\\n\\n_Why:_ {{ $json.remediation.why }}\" } },\n    { \"type\": \"context\", \"elements\": [ { \"type\": \"mrkdwn\", \"text\": \"<@{{ $json.slackHandle }}> · dedup key `{{ $json.dedupKey }}` · {{ $json.firstAlerted }}\" } ] }\n  ]\n}",
        "options": {
          "timeout": 10000,
          "response": {
            "response": {
              "neverError": true,
              "responseFormat": "json"
            }
          }
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000010",
      "name": "Slack — Notify",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [2300, 300],
      "credentials": {
        "httpHeaderAuth": {
          "id": "PLACEHOLDER_SLACK_CRED_ID",
          "name": "Slack Bot Token"
        }
      },
      "notesInFlow": true,
      "notes": "Routes to one of three channels by severity/status. Block Kit message with header, fields, remediation, and @-mention of the owner."
    },
    {
      "parameters": {
        "protocol": "imap",
        "operation": "getAll",
        "format": "resolved",
        "filters": {
          "filters": {
            "unseen": true,
            "subject": "Report Domain"
          }
        },
        "options": {
          "limit": 50
        }
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000011",
      "name": "IMAP — DMARC Mailbox",
      "type": "n8n-nodes-base.emailReadImap",
      "typeVersion": 2,
      "position": [420, 1400],
      "credentials": {
        "imap": {
          "id": "PLACEHOLDER_IMAP_CRED_ID",
          "name": "DMARC RUA Mailbox"
        }
      },
      "notesInFlow": true,
      "notes": "Reads unseen messages matching 'Report Domain' (the standard DMARC RUA subject pattern). Marks as seen after fetch."
    },
    {
      "parameters": {
        "jsCode": "// Parse DMARC XML\n// Walks each attachment, unzips if .zip/.gz, parses the XML, and extracts\n// per-source-IP / disposition / dkim / spf triples. Records that fail SPF\n// AND DKIM are emitted as spoofing-suspect rows.\n//\n// Uses Node's built-in zlib + a small XML-to-JSON walk (no extra deps).\n\nimport zlib from 'zlib';\nimport { promisify } from 'util';\nconst gunzip = promisify(zlib.gunzip);\n\nfunction extractTag(xml, tag) {\n  const re = new RegExp(`<${tag}>([\\\\s\\\\S]*?)<\\\\/${tag}>`, 'g');\n  const out = [];\n  let m;\n  while ((m = re.exec(xml)) !== null) out.push(m[1]);\n  return out;\n}\n\nasync function unwrap(buf, name) {\n  if (name.endsWith('.gz')) return (await gunzip(buf)).toString('utf8');\n  if (name.endsWith('.zip')) {\n    // Minimal local-file-header read; assumes single-file zip (the DMARC norm)\n    // For multi-file zips, the n8n environment should have a zip package available\n    // — flagged in _README.md as a known limit.\n    const sig = buf.readUInt32LE(0);\n    if (sig !== 0x04034b50) throw new Error('not a zip');\n    const nameLen = buf.readUInt16LE(26);\n    const extraLen = buf.readUInt16LE(28);\n    const dataStart = 30 + nameLen + extraLen;\n    const compressed = buf.subarray(dataStart);\n    return zlib.inflateRawSync(compressed).toString('utf8');\n  }\n  return buf.toString('utf8');\n}\n\nconst items = $input.all();\nconst out = [];\n\nfor (const it of items) {\n  const attachments = it.binary || {};\n  let attachmentMatched = false;\n  for (const key of Object.keys(attachments)) {\n    const att = attachments[key];\n    const name = (att.fileName || '').toLowerCase();\n    if (!name.endsWith('.xml') && !name.endsWith('.zip') && !name.endsWith('.gz')) continue;\n    attachmentMatched = true;\n    let xml;\n    try {\n      const buf = Buffer.from(att.data, 'base64');\n      xml = await unwrap(buf, name);\n    } catch (e) {\n      out.push({ json: { sourceMetric: 'dmarc-parse-error', attachmentName: name, error: String(e), attachmentMatched: true, collectedAt: new Date().toISOString() } });\n      continue;\n    }\n    const reportedDomain = (extractTag(xml, 'domain')[0] || '').trim();\n    const records = extractTag(xml, 'record');\n    for (const rec of records) {\n      const sourceIp = (extractTag(rec, 'source_ip')[0] || '').trim();\n      const count = parseInt((extractTag(rec, 'count')[0] || '0').trim(), 10);\n      const disposition = (extractTag(rec, 'disposition')[0] || '').trim();\n      const dkim = (extractTag(rec, 'dkim')[1] || extractTag(rec, 'dkim')[0] || '').trim(); // policy_evaluated.dkim\n      const spf = (extractTag(rec, 'spf')[1] || extractTag(rec, 'spf')[0] || '').trim();\n      const spoofingSuspect = (dkim === 'fail' && spf === 'fail');\n      out.push({\n        json: {\n          domain: reportedDomain,\n          sourceMetric: 'dmarc-record',\n          sourceIp, count, disposition, dkim, spf, spoofingSuspect,\n          attachmentMatched: true,\n          collectedAt: new Date().toISOString(),\n        }\n      });\n    }\n  }\n  if (!attachmentMatched) {\n    out.push({ json: { sourceMetric: 'dmarc-no-attachment', attachmentMatched: false, messageSubject: it.json.subject, collectedAt: new Date().toISOString() } });\n  }\n}\n\nreturn out;"
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000012",
      "name": "Parse DMARC XML",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [640, 1400],
      "notesInFlow": true,
      "notes": "Unzips .gz/.zip attachments, parses DMARC XML, emits per-record rows. Flags spoofingSuspect when both SPF and DKIM evaluate to fail."
    },
    {
      "parameters": {
        "operation": "merge",
        "mode": "append"
      },
      "id": "4b4b4b4b-0001-0000-0000-000000000013",
      "name": "Merge — Inbound Branches",
      "type": "n8n-nodes-base.merge",
      "typeVersion": 3,
      "position": [1100, 1100],
      "notesInFlow": true,
      "notes": "Joins the hourly and DMARC branches into the shared threshold check."
    }
  ],
  "connections": {
    "Schedule — Hourly Sweep": {
      "main": [[{ "node": "Domain Register (Static)", "type": "main", "index": 0 }]]
    },
    "Domain Register (Static)": {
      "main": [[{ "node": "Split In Batches", "type": "main", "index": 0 }]]
    },
    "Split In Batches": {
      "main": [[
        { "node": "HTTP — Postmaster Tools", "type": "main", "index": 0 },
        { "node": "HTTP — Smartlead Stats", "type": "main", "index": 0 },
        { "node": "HTTP — Instantly Health", "type": "main", "index": 0 },
        { "node": "DNSBL Probe (Code)", "type": "main", "index": 0 }
      ]]
    },
    "HTTP — Postmaster Tools": {
      "main": [[{ "node": "Merge — Per-Domain Snapshot", "type": "main", "index": 0 }]]
    },
    "HTTP — Smartlead Stats": {
      "main": [[{ "node": "Merge — Per-Domain Snapshot", "type": "main", "index": 0 }]]
    },
    "HTTP — Instantly Health": {
      "main": [[{ "node": "Merge — Per-Domain Snapshot", "type": "main", "index": 0 }]]
    },
    "DNSBL Probe (Code)": {
      "main": [[{ "node": "Merge — Per-Domain Snapshot", "type": "main", "index": 0 }]]
    },
    "Merge — Per-Domain Snapshot": {
      "main": [[{ "node": "Threshold Check (Code)", "type": "main", "index": 0 }]]
    },
    "Threshold Check (Code)": {
      "main": [[{ "node": "Dedup Gate (Static Data)", "type": "main", "index": 0 }]]
    },
    "Dedup Gate (Static Data)": {
      "main": [[{ "node": "Claude — Remediation Draft", "type": "main", "index": 0 }]]
    },
    "Claude — Remediation Draft": {
      "main": [[{ "node": "Parse Remediation", "type": "main", "index": 0 }]]
    },
    "Parse Remediation": {
      "main": [[{ "node": "Slack — Notify", "type": "main", "index": 0 }]]
    },
    "Schedule — DMARC Poll": {
      "main": [[{ "node": "IMAP — DMARC Mailbox", "type": "main", "index": 0 }]]
    },
    "IMAP — DMARC Mailbox": {
      "main": [[{ "node": "Parse DMARC XML", "type": "main", "index": 0 }]]
    },
    "Parse DMARC XML": {
      "main": [[{ "node": "Merge — Per-Domain Snapshot", "type": "main", "index": 0 }]]
    },
    "Webhook — Ad-hoc Domain Check": {
      "main": [[
        { "node": "Respond 202 Accepted", "type": "main", "index": 0 },
        { "node": "Domain Register (Static)", "type": "main", "index": 0 }
      ]]
    }
  },
  "settings": {
    "executionOrder": "v1",
    "timezone": "America/New_York",
    "saveExecutionProgress": true,
    "saveManualExecutions": true,
    "saveDataErrorExecution": "all",
    "saveDataSuccessExecution": "all"
  },
  "active": false,
  "version": "1.0.0",
  "id": "email-deliverability-monitor-n8n",
  "meta": {
    "templateCredsSetupCompleted": false
  }
}