One approach I like is using procmail. A fairly simple procmail recipe can write each message into its own file in a given directory. From there, configure Splunk to read files from said directory as a "sinkhole" style input - meaning Splunk deletes the file after indexing it.
A .procmailrc that does this looks something like this:
    LOGFILE=$HOME/.procmail.log
    VERBOSE=yes

    :0
    * Subject: security system alert.*
    /home/foo/securityalerts
Each message then gets written -- headers and all -- into its own file in
/home/foo/securityalerts. From there, it's pretty easy to let Splunk ingest that.
Then to configure Splunk:
    # inputs.conf
    [batch:///home/foo/securityalerts]
    move_policy = sinkhole
    whitelist = /msg\..*$
    crcSalt = <SOURCE>
    sourcetype = securityalerts

    # props.conf
    [securityalerts]
    SHOULD_LINEMERGE = FALSE
    LINE_BREAKER = 12345678900987654321qwertyuiopasdfghjkllkjhgfdsapoiuytrewq
    TIME_PREFIX = ^Date:
The easiest thing would probably be to set up some kind of scripted input that checks if any new mails have arrived, checks the mailbox/maildir structure and extracts the relevant parts of any new email before finally outputting it back to Splunk.
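An added example (not code from either answer) of what such a scripted input could look like in Python: it walks a standard Maildir, records which message keys it has already handled in a hypothetical seen-keys file, keeps only the headers and plain-text body worth indexing, applies the same Subject filter as the procmail recipe, and emits one JSON line per new alert for Splunk to read. The sample message and paths are constructed for the demo.

```python
import email
import email.policy
import json
import mailbox
import os
import tempfile

ALERT_PREFIX = "security system alert"   # same Subject filter as the procmail recipe
# Constructed sample message, standing in for one delivered into the Maildir.
SAMPLE_MSG = b"""From: alarm@example.test
Subject: security system alert: door sensor 3 opened
Date: Tue, 05 Mar 2024 14:02:11 +0000
Message-ID: <constructed-0001@example.test>

Zone 3 (rear door) opened at 14:02:05 while armed.
"""

def extract_event(raw: bytes) -> dict:
    """Keep only the header fields and plain-text body worth indexing."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "date": str(msg["Date"]),
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "message_id": str(msg["Message-ID"]),
        "body": body.get_content().strip() if body else "",
    }

def new_events(maildir_path: str, seen_path: str):
    """Yield one JSON line per not-yet-seen alert; seen_path (assumed) records handled keys."""
    seen = set(open(seen_path).read().split()) if os.path.exists(seen_path) else set()
    md = mailbox.Maildir(maildir_path, create=False)
    with open(seen_path, "a") as fh:
        for key in sorted(md.keys()):          # covers both new/ and cur/
            if key in seen:
                continue
            event = extract_event(md.get_bytes(key))
            fh.write(key + "\n")               # mark handled even if filtered out
            if event["subject"].startswith(ALERT_PREFIX):
                yield json.dumps(event)

def run_demo():
    """Build a throwaway Maildir holding the sample, then poll it twice."""
    root = tempfile.mkdtemp()
    md_path, seen = os.path.join(root, "Maildir"), os.path.join(root, "seen.txt")
    mailbox.Maildir(md_path, create=True).add(SAMPLE_MSG)
    first = [json.loads(line) for line in new_events(md_path, seen)]
    second = [json.loads(line) for line in new_events(md_path, seen)]   # nothing new
    return first, second
```

In a real deployment the script would print each line from `new_events` to stdout and Splunk would index it under a sourcetype set to parse JSON; the second poll in `run_demo` shows that already-handled messages are not re-emitted.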