← Back to MailParse

Webhook Integration for Document Extraction | MailParse

How to use Webhook Integration for Document Extraction. Practical guide with examples and best practices.

Webhook Integration for Document Extraction: Real-time delivery from inbox to pipeline

Webhook integration turns raw inbound email into structured events your backend can process in real time. For document extraction use cases - invoices, receipts, contracts, reports, shipping labels, compliance forms - webhooks remove polling delays and push attachments to your service as soon as they are delivered. Combined with MIME parsing and signed payloads, you get reliable, low-latency delivery that plugs directly into your data pipelines and storage layers. With MailParse, developers can stand up instant email addresses that receive inbound messages, parse MIME into normalized JSON, and deliver to a verified HTTPS endpoint in minutes.

Why webhook integration is critical for document extraction

Document-extraction workflows have unique demands: timely capture of documents from diverse senders, accurate parsing of multi-part MIME messages, and predictable delivery under production load. Webhook integration meets those needs with a push-based pattern that is resilient and easy to scale.

  • Real-time delivery: Attachments arrive at your endpoint seconds after the email hits the inbox. That minimizes lag between document submission and downstream processing.
  • Reduced complexity vs. polling: Instead of periodically pulling for new messages, your API only handles events that matter. This naturally reduces compute and infrastructure costs.
  • Reliable retries: Built-in retry logic with exponential backoff ensures transient errors do not drop documents. Your system can be temporarily unavailable without losing data.
  • Signed payloads: Payload signing lets you verify sender authenticity, integrity, and freshness. This safeguards your document-ingestion boundary.
  • MIME-aware normalization: You receive structured JSON that accurately maps to complex message structures - mixed and related parts, inline images, multiple attachments - so you can extract and route documents with confidence.
  • Observability: Every webhook delivery can be logged and correlated with message IDs. This creates a clear audit trail for compliance and debugging.

Architecture pattern for webhook-integration in document-extraction systems

The workflow below scales from a single endpoint to a distributed, multi-tenant pipeline:

  1. Inbound email address: A unique address per tenant, per supplier, or per workflow. This improves isolation and routing.
  2. Parsing layer: MIME parsing normalizes headers, body parts, and attachments. MailParse performs this step and emits a canonical JSON event.
  3. Webhook gateway: Events are delivered to your HTTPS endpoint with HMAC-signed headers, including timestamps and delivery IDs. Retries are handled automatically on non-2xx responses.
  4. Webhook receiver: Your service verifies signatures, validates schema, and writes the event to a durable queue or event bus. Acknowledge quickly to keep latency low.
  5. Extraction workers: Stateless workers pull from the queue, store raw attachments, run OCR or ML models, extract entities, and persist structured results.
  6. Storage and indexing: Original files go to object storage with content-addressed keys. Parsed metadata goes to a database or search index for traceability and retrieval.
  7. Post-processing: Trigger downstream actions - AP automation, ticket creation, CRM updates, ERP entries, or compliance archiving - via asynchronous tasks.

This pattern isolates network variability at the edge, keeps extraction compute out of the request path, and gives clear reprocessing capabilities.

Step-by-step implementation

1) Create inbound addresses and routing rules

  • Assign addresses strategically: one per vendor, department, or integration channel. Example: ap-invoices+acme@examplemail.com, receipts+store42@examplemail.com.
  • Use subaddressing and custom headers to encode routing keys. For example, the To or X-Workflow-Key header can map to tenant or pipeline IDs.
  • Configure spam and allowlists for known senders to improve deliverability and reduce noise. For guidance, see the Email Deliverability Checklist for SaaS Platforms.

2) Define parsing preferences and normalization

Make sure the parser preserves what your extraction logic needs:

  • Decode Content-Transfer-Encoding correctly for each MIME part.
  • Normalize filenames and content types for attachments. Map application/pdf, image/png, image/jpeg, text/csv, and common vendor-specific types.
  • Extract metadata from headers like Message-ID, Subject, From, To, Date, Reply-To, List-Id, and custom X- headers.
  • Preserve both text and HTML bodies. Inline images should be represented with cid: references when applicable.

3) Implement a verified webhook endpoint

Your receiver must be fast, secure, and idempotent. A typical request flow:

  1. Verify HTTPS and require TLS 1.2+.
  2. Parse the request body as JSON. Do not perform heavy work in the handler.
  3. Validate an HMAC signature header. Store the shared secret securely.
  4. Check a timestamp header to prevent replay attacks. Reject outdated payloads.
  5. Persist the event to a durable queue, then return HTTP 200 as quickly as possible.

4) Understand the payload format

A webhook for document-extraction typically looks like:

{
  "event_id": "deliv_01HV7C7ABCDQ2M5D2H4",
  "message_id": "<CADF12.34567@example.net>",
  "timestamp": "2026-04-21T14:03:22.114Z",
  "from": {"name": "Acme AP", "address": "invoices@acme.com"},
  "to": [{"name": "AP Intake", "address": "ap-invoices+acme@examplemail.com"}],
  "subject": "Invoice 98341 - March 2026",
  "headers": {
    "dkim-signature": "...",
    "received-spf": "pass",
    "x-workflow-key": "tenant_acme_ap"
  },
  "body": {
    "text": "Please see attached invoice 98341.",
    "html": "<p>Please see attached <strong>invoice 98341</strong>.</p>"
  },
  "attachments": [
    {
      "filename": "INV-98341.pdf",
      "content_type": "application/pdf",
      "size": 284553,
      "content_id": null,
      "disposition": "attachment",
      "sha256": "1b2b1d...c9f",
      "download_url": "https://signed-cdn.example/att/01HV7C7A/INV-98341.pdf?sig=..."
    },
    {
      "filename": "line-items.csv",
      "content_type": "text/csv",
      "size": 5120,
      "disposition": "attachment",
      "sha256": "d7f9a0...41b",
      "download_url": "https://signed-cdn.example/att/01HV7C7A/line-items.csv?sig=..."
    }
  ]
}

Attachments are referenced by secure short-lived URLs or embedded as base64 for small payloads. Persist the original files to object storage with their SHA256 checksums for deduplication and auditing.

5) Verify payload signatures

Use an HMAC SHA-256 signature with a shared secret. Verify a canonical string that includes the timestamp and raw body:

# Pseudocode
signature = hex(HMAC_SHA256(secret, timestamp + "." + raw_body))
assert header["X-Signature"] == "v1=" + signature
assert abs(now - header["X-Timestamp"]) <= 5 minutes

Reject mismatches and stale timestamps. Log the delivery ID for investigation.

6) Make webhook handling idempotent

  • Use event_id and message_id as natural idempotency keys.
  • On duplicate deliveries, short-circuit after confirming previous success.
  • Persist a compact event ledger, keyed by event_id, with status and checksum.

7) Store before you compute

Write the payload to durable storage or a queue first. Only then trigger extraction jobs. This decouples network timing and gives you replay capabilities if downstream steps fail.

8) Extract, validate, and enrich

  • For PDFs and images: run OCR engines like Tesseract, Google Cloud Vision, or AWS Textract. Extract vendor names, totals, dates, PO numbers, and line items.
  • For CSV or XLSX: load to a staging table, validate schema, and run transformations.
  • For HTML body invoices: detect tables and sanitize content to prevent XSS when previewing.
  • Enrich with sender reputation or allowlist data to reduce fraud risk.

9) Acknowledge quickly and rely on retries

Return HTTP 200 only after persisting the event to your queue. If storage fails, return a 500 to trigger a retry. Automatic retries with exponential backoff and a max delivery window protect against transient issues.

Example MIME considerations for document-extraction

Real emails vary widely. Your pipeline should expect:

  • multipart/mixed with one or more attachments.
  • multipart/related where inline images reference Content-ID values. Do not mistake these for documents.
  • multipart/alternative with both text and HTML bodies. Pick the preferred part for text extraction or previews.
  • Filenames without extensions, duplicate filenames, and non-ASCII names using RFC 2231 encoding.
  • Content types that lie, such as a PDF sent as application/octet-stream.

Here is a trimmed sample:

Content-Type: multipart/mixed; boundary="b1"
Message-ID: <CADF12.34567@example.net>
From: invoices@acme.com
To: ap-invoices+acme@examplemail.com
Subject: Invoice 98341 - March 2026

--b1
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset=UTF-8

Please see attached invoice 98341.

--b2
Content-Type: text/html; charset=UTF-8

<p>Please see attached <strong>invoice 98341</strong>.</p>

--b2--
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="INV-98341.pdf"

%PDF-1.7 ...
--b1--

Testing your document-extraction pipeline

Reliable webhook-integration depends on thorough testing with real-world edge cases.

  • Unit tests for the receiver: Verify HMAC signatures, timestamp drift, and idempotency keys. Simulate invalid headers and corrupted body content.
  • Replay tests: Store canonical payloads and run them through staging. Confirm deterministic outcomes across version updates.
  • MIME variability: Use generators like swaks or smtp-sink to craft different multipart structures, large attachments, and unusual encodings.
  • Attachment permutations: Test PDFs with and without text layers, multi-page TIFFs, high DPI images, empty CSVs, and password-protected archives.
  • Failure-path tests: Force your endpoint to return HTTP 500 to observe retry behavior. Validate backoff intervals and max-attempt handling.
  • Throughput tests: Load test with bursts that reflect end-of-month invoice spikes. Measure queue depth, extraction latency, and storage performance.
  • Deliverability checks: Validate SPF, DKIM, and DMARC on sender domains. For a deeper review, see the Email Infrastructure Checklist for SaaS Platforms.

Also test the handling of signed download_url expirations. Your workers should fetch and persist attachments immediately, or your system should refresh the URL via a short authenticated call if supported.

Production checklist: monitoring, error handling, and scaling

Before going live with document-extraction via webhooks, confirm the following:

Security and validation

  • Enforce TLS and modern cipher suites on your endpoint.
  • Verify HMAC signatures and timestamps for every request.
  • Limit payload size by policy. Reject messages that exceed attachment quotas or total size budgets.
  • Scan attachments for malware using a gateway or a sandbox before OCR or parsing.
  • Implement allowlists for high-risk workflows. Block or flag unexpected senders.

Reliability and retries

  • Return 2xx only after durable write. Otherwise return 5xx to trigger retries.
  • Use exponential backoff with jitter. Cap max attempts and move failures to a dead-letter queue.
  • Maintain a replay tool to re-deliver events by event_id or message_id.

Observability

  • Emit structured logs containing event_id, message_id, sender, attachment count, and status.
  • Metrics to track: inbound emails per minute, median and P95 webhook latency, retry rate, extraction success rate, average attachment size, OCR duration, and queue lag.
  • Alerting thresholds: sustained retry rates over 5 percent, queue lag over 5 minutes, OCR failures over 2 percent, and storage error spikes.

Scalability

  • Scale your webhook receivers horizontally behind a load balancer. Use sticky sessions only if needed for rate-limiting.
  • Keep the receiver stateless. Rely on a queue and object storage for state.
  • Batch downstream work when possible. For example, route N attachments to a single OCR job when latency is not critical.
  • Use content-addressed storage keys and lifecycle policies to manage costs. Archive old source documents to cold storage after processing.

Data governance and compliance

  • Encrypt at rest and in transit. Rotate keys and secrets regularly.
  • Keep original emails and parsed artifacts for audit windows. Maintain tamper-evident logs that bind document hashes to processing steps.
  • Support data deletion and retention policies per tenant or workflow.

Operational playbooks

  • Runbooks for endpoint outages, parsing regressions, and upstream provider incidents.
  • Feature flags for rolling back parser versions or disabling risky attachment types.
  • Canary deployments for new extraction models or classification rules.
  • Capacity tests before monthly and quarterly spikes. Document back-pressure strategies if OCR or ML throughput saturates.

Connecting webhook-integration to outcomes

Document-extraction is about more than moving files. It is about turning unstructured email into structured, verifiable data that drives business flows. Webhook integration closes the gap from inbox to system-of-record. From a single invoice email, you can automatically extract totals, match POs, code GL accounts, and submit approvals. With a contract email, you can route to legal, index clauses, sync to a repository, and notify owners. The net effect is faster cycle times, lower manual effort, and higher data quality.

Conclusion

When your goal is real-time document-extraction from email, webhook integration is the most direct path from delivery to processing. Normalize MIME, verify signed payloads, store before compute, and let retries absorb transient faults. Build for idempotency and observability from day one. With MailParse delivering structured JSON and attachments to your verified endpoint, you can focus on extraction logic, data quality, and business outcomes rather than email plumbing. For more ideation on inbound workflows, explore Top Inbound Email Processing Ideas for SaaS Platforms.

FAQ

How do I choose between webhooks and REST polling for document-extraction?

Use webhooks for real-time delivery and reduced infrastructure overhead. Polling fits air-gapped networks or long-running maintenance windows. Many teams run a hybrid: webhooks for the fast path and periodic polling as a safety net to detect rare missed events.

What happens if my endpoint is down during delivery?

The sender will retry with exponential backoff until a max window is reached. Your endpoint should return non-2xx codes on failure so retries occur. Implement a dead-letter queue for cases that exceed max attempts. Store events durably as soon as you receive them so you can reprocess safely.

How do I prevent inline images from being mistaken for documents?

Check Content-Disposition and Content-ID. Inline parts often have disposition=inline with cid: references in the HTML body. Filter by file type and minimum size thresholds. Only treat parts flagged as attachments or matched by your rules as document candidates.

How big can attachments be, and how should I handle large files?

Set policy limits that reflect your processing capabilities. For large files, stream to object storage rather than holding in memory. Chunked uploads and signed URLs help keep memory and CPU usage predictable. Return 5xx if you cannot persist, so a retry occurs later.

Where should I verify message authenticity?

Perform SPF, DKIM, and DMARC checks at intake, and include their results in the webhook payload. Your receiver can enforce policy based on those flags and on allowlists. To refine your inbound posture, review the Email Infrastructure Checklist for Customer Support Teams.

Getting started is straightforward: create inbound addresses, expose a verified HTTPS endpoint, and wire your extraction workers to your queue. Once the plumbing is handled, MailParse takes care of parsing and reliable delivery so your team can focus on pulling the right documents and data from every inbound email.

Related Articles

Email Deliverability Checklist for SaaS Platforms

This checklist helps SaaS teams ensure reliable email receipt by aligning domain strategy, DNS, SMTP security, MIME parsing, and webhook delivery with produc...

Email Infrastructure Checklist for SaaS Platforms

Use this checklist to design and operate a scalable email infrastructure for SaaS platforms that rely on inbound messages to drive product workflows. It cove...

Email Infrastructure Checklist for Customer Support Teams

This checklist helps customer support leaders build reliable email infrastructure that scales with ticket volume while protecting SLAs. It focuses on MX reco...

Ready to get started?

Start parsing inbound emails with MailParse today.

Get Started Free