Skip to main content

Email Headers Check - Generic

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook executes one sub-playbook and one automation to check the email headers:

  • Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant incident fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score).
  • CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Process Microsoft's Anti-Spam Headers


This playbook does not use any integrations.


  • CheckEmailAuthenticity


  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
AuthenticateEmailWhether the authenticity of the email should be verified using SPF, DKIM and DMARC.FalseOptional
CheckMicrosoftHeadersWhether to Check Microsoft headers for BCL/PCL/SCL scores and set the "Severity" and "Email Classification" accordingly.FalseOptional

Playbook Outputs#

Email.AuthenticityCheckPossible values are: Fail / Suspicious / Undetermined / PassUnknown
Email.MicrosoftHeadersSeverityCheckPossible Values:

Medium: PCL or BCL scores are equal to or greater than 4.

High: BCL score is equal to or greater than 8.

Playbook Image#

Email Headers Check - Generic