API Reference

Email Security

Investigate

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Get message details

client.EmailSecurity.Investigate.Get(ctx, investigateID, params) (*InvestigateGetResponse, error)

GET/accounts/{account_id}/email-security/investigate/{investigate_id}

Retrieves comprehensive details for a specific email message including headers, recipients, sender information, and current quarantine status. Use the investigate_id from search results to fetch detailed information.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Cloud Email Security: WriteCloud Email Security: Read

ParametersExpand Collapse

investigateID string

Unique identifier for a message retrieved from investigation

params InvestigateGetParams

AccountID param.Field[string]

Path param: Identifier.

maxLength32

Submission param.Field[bool]Optional

Query param: When true, search the submissions datastore only. When false or omitted, search the regular datastore only.

ReturnsExpand Collapse

type InvestigateGetResponse struct{…}

ID string

Unique identifier for a message retrieved from investigation

DeprecatedActionLog []InvestigateGetResponseActionLog

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

CompletedAt Time

Timestamp when action completed

formatdate-time

Operation InvestigateGetResponseActionLogOperation

Type of action performed

One of the following:

const InvestigateGetResponseActionLogOperationMove InvestigateGetResponseActionLogOperation = "MOVE"

const InvestigateGetResponseActionLogOperationRelease InvestigateGetResponseActionLogOperation = "RELEASE"

const InvestigateGetResponseActionLogOperationReclassify InvestigateGetResponseActionLogOperation = "RECLASSIFY"

const InvestigateGetResponseActionLogOperationSubmission InvestigateGetResponseActionLogOperation = "SUBMISSION"

const InvestigateGetResponseActionLogOperationQuarantineRelease InvestigateGetResponseActionLogOperation = "QUARANTINE_RELEASE"

const InvestigateGetResponseActionLogOperationPreview InvestigateGetResponseActionLogOperation = "PREVIEW"

DeprecatedCompletedTimestamp stringOptional

Deprecated, use completed_at instead. End of life: November 1, 2026.

Properties InvestigateGetResponseActionLogPropertiesOptional

Additional properties for the action

Folder stringOptional

Target folder for move operations

RequestedBy stringOptional

User who requested the action

Status stringOptional

Status of the action

ClientRecipients []string

DetectionReasons []string

IsPhishSubmission bool

IsQuarantined bool

PostfixID string

The identifier of the message

Properties InvestigateGetResponseProperties

Message processing properties

AllowlistedPattern stringOptional

Pattern that allowlisted this message

AllowlistedPatternType InvestigateGetResponsePropertiesAllowlistedPatternTypeOptional

Type of allowlist pattern

One of the following:

const InvestigateGetResponsePropertiesAllowlistedPatternTypeQuarantineRelease InvestigateGetResponsePropertiesAllowlistedPatternType = "quarantine_release"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeAcceptableSender InvestigateGetResponsePropertiesAllowlistedPatternType = "acceptable_sender"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeAllowedSender InvestigateGetResponsePropertiesAllowlistedPatternType = "allowed_sender"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeAllowedRecipient InvestigateGetResponsePropertiesAllowlistedPatternType = "allowed_recipient"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeDomainSimilarity InvestigateGetResponsePropertiesAllowlistedPatternType = "domain_similarity"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeDomainRecency InvestigateGetResponsePropertiesAllowlistedPatternType = "domain_recency"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeManagedAcceptableSender InvestigateGetResponsePropertiesAllowlistedPatternType = "managed_acceptable_sender"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeOutboundNdr InvestigateGetResponsePropertiesAllowlistedPatternType = "outbound_ndr"

BlocklistedMessage boolOptional

Whether message was blocklisted

BlocklistedPattern stringOptional

Pattern that blocklisted this message

WhitelistedPatternType InvestigateGetResponsePropertiesWhitelistedPatternTypeOptional

Legacy field for allowlist pattern type

One of the following:

const InvestigateGetResponsePropertiesWhitelistedPatternTypeQuarantineRelease InvestigateGetResponsePropertiesWhitelistedPatternType = "quarantine_release"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeAcceptableSender InvestigateGetResponsePropertiesWhitelistedPatternType = "acceptable_sender"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeAllowedSender InvestigateGetResponsePropertiesWhitelistedPatternType = "allowed_sender"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeAllowedRecipient InvestigateGetResponsePropertiesWhitelistedPatternType = "allowed_recipient"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeDomainSimilarity InvestigateGetResponsePropertiesWhitelistedPatternType = "domain_similarity"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeDomainRecency InvestigateGetResponsePropertiesWhitelistedPatternType = "domain_recency"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeManagedAcceptableSender InvestigateGetResponsePropertiesWhitelistedPatternType = "managed_acceptable_sender"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeOutboundNdr InvestigateGetResponsePropertiesWhitelistedPatternType = "outbound_ndr"

DeprecatedTs string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

AlertID stringOptional

DeliveryMode InvestigateGetResponseDeliveryModeOptional

One of the following:

const InvestigateGetResponseDeliveryModeDirect InvestigateGetResponseDeliveryMode = "DIRECT"

const InvestigateGetResponseDeliveryModeBcc InvestigateGetResponseDeliveryMode = "BCC"

const InvestigateGetResponseDeliveryModeJournal InvestigateGetResponseDeliveryMode = "JOURNAL"

const InvestigateGetResponseDeliveryModeReviewSubmission InvestigateGetResponseDeliveryMode = "REVIEW_SUBMISSION"

const InvestigateGetResponseDeliveryModeDMARCUnverified InvestigateGetResponseDeliveryMode = "DMARC_UNVERIFIED"

const InvestigateGetResponseDeliveryModeDMARCFailureReport InvestigateGetResponseDeliveryMode = "DMARC_FAILURE_REPORT"

const InvestigateGetResponseDeliveryModeDMARCAggregateReport InvestigateGetResponseDeliveryMode = "DMARC_AGGREGATE_REPORT"

const InvestigateGetResponseDeliveryModeThreatIntelSubmission InvestigateGetResponseDeliveryMode = "THREAT_INTEL_SUBMISSION"

const InvestigateGetResponseDeliveryModeSimulationSubmission InvestigateGetResponseDeliveryMode = "SIMULATION_SUBMISSION"

const InvestigateGetResponseDeliveryModeAPI InvestigateGetResponseDeliveryMode = "API"

const InvestigateGetResponseDeliveryModeRetroScan InvestigateGetResponseDeliveryMode = "RETRO_SCAN"

DeliveryStatus []InvestigateGetResponseDeliveryStatusOptional

One of the following:

const InvestigateGetResponseDeliveryStatusDelivered InvestigateGetResponseDeliveryStatus = "delivered"

const InvestigateGetResponseDeliveryStatusMoved InvestigateGetResponseDeliveryStatus = "moved"

const InvestigateGetResponseDeliveryStatusQuarantined InvestigateGetResponseDeliveryStatus = "quarantined"

const InvestigateGetResponseDeliveryStatusRejected InvestigateGetResponseDeliveryStatus = "rejected"

const InvestigateGetResponseDeliveryStatusDeferred InvestigateGetResponseDeliveryStatus = "deferred"

const InvestigateGetResponseDeliveryStatusBounced InvestigateGetResponseDeliveryStatus = "bounced"

const InvestigateGetResponseDeliveryStatusQueued InvestigateGetResponseDeliveryStatus = "queued"

EdfHash stringOptional

EnvelopeFrom stringOptional

EnvelopeTo []stringOptional

FinalDisposition InvestigateGetResponseFinalDispositionOptional

One of the following:

const InvestigateGetResponseFinalDispositionMalicious InvestigateGetResponseFinalDisposition = "MALICIOUS"

const InvestigateGetResponseFinalDispositionMaliciousBec InvestigateGetResponseFinalDisposition = "MALICIOUS-BEC"

const InvestigateGetResponseFinalDispositionSuspicious InvestigateGetResponseFinalDisposition = "SUSPICIOUS"

const InvestigateGetResponseFinalDispositionSpoof InvestigateGetResponseFinalDisposition = "SPOOF"

const InvestigateGetResponseFinalDispositionSpam InvestigateGetResponseFinalDisposition = "SPAM"

const InvestigateGetResponseFinalDispositionBulk InvestigateGetResponseFinalDisposition = "BULK"

const InvestigateGetResponseFinalDispositionEncrypted InvestigateGetResponseFinalDisposition = "ENCRYPTED"

const InvestigateGetResponseFinalDispositionExternal InvestigateGetResponseFinalDisposition = "EXTERNAL"

const InvestigateGetResponseFinalDispositionUnknown InvestigateGetResponseFinalDisposition = "UNKNOWN"

const InvestigateGetResponseFinalDispositionNone InvestigateGetResponseFinalDisposition = "NONE"

DeprecatedFindings []InvestigateGetResponseFindingOptional

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

Attachment stringOptional

Detail stringOptional

Detection InvestigateGetResponseFindingsDetectionOptional

One of the following:

const InvestigateGetResponseFindingsDetectionMalicious InvestigateGetResponseFindingsDetection = "MALICIOUS"

const InvestigateGetResponseFindingsDetectionMaliciousBec InvestigateGetResponseFindingsDetection = "MALICIOUS-BEC"

const InvestigateGetResponseFindingsDetectionSuspicious InvestigateGetResponseFindingsDetection = "SUSPICIOUS"

const InvestigateGetResponseFindingsDetectionSpoof InvestigateGetResponseFindingsDetection = "SPOOF"

const InvestigateGetResponseFindingsDetectionSpam InvestigateGetResponseFindingsDetection = "SPAM"

const InvestigateGetResponseFindingsDetectionBulk InvestigateGetResponseFindingsDetection = "BULK"

const InvestigateGetResponseFindingsDetectionEncrypted InvestigateGetResponseFindingsDetection = "ENCRYPTED"

const InvestigateGetResponseFindingsDetectionExternal InvestigateGetResponseFindingsDetection = "EXTERNAL"

const InvestigateGetResponseFindingsDetectionUnknown InvestigateGetResponseFindingsDetection = "UNKNOWN"

const InvestigateGetResponseFindingsDetectionNone InvestigateGetResponseFindingsDetection = "NONE"

Field stringOptional

Name stringOptional

Portion stringOptional

Reason stringOptional

Score float64Optional

formatdouble

Value stringOptional

From stringOptional

FromName stringOptional

HtmltextStructureHash stringOptional

MessageID stringOptional

PostDeliveryOperations []InvestigateGetResponsePostDeliveryOperationOptional

Post-delivery operations performed on this message

One of the following:

const InvestigateGetResponsePostDeliveryOperationPreview InvestigateGetResponsePostDeliveryOperation = "PREVIEW"

const InvestigateGetResponsePostDeliveryOperationQuarantineRelease InvestigateGetResponsePostDeliveryOperation = "QUARANTINE_RELEASE"

const InvestigateGetResponsePostDeliveryOperationSubmission InvestigateGetResponsePostDeliveryOperation = "SUBMISSION"

const InvestigateGetResponsePostDeliveryOperationMove InvestigateGetResponsePostDeliveryOperation = "MOVE"

PostfixIDOutbound stringOptional

Replyto stringOptional

ScannedAt TimeOptional

When the message was scanned (UTC)

formatdate-time

SentAt TimeOptional

When the message was sent (UTC)

formatdate-time

SentDate stringOptional

Subject stringOptional

ThreatCategories []stringOptional

To []stringOptional

ToName []stringOptional

Validation InvestigateGetResponseValidationOptional

Comment stringOptional

DKIM InvestigateGetResponseValidationDKIMOptional

One of the following:

const InvestigateGetResponseValidationDKIMPass InvestigateGetResponseValidationDKIM = "pass"

const InvestigateGetResponseValidationDKIMNeutral InvestigateGetResponseValidationDKIM = "neutral"

const InvestigateGetResponseValidationDKIMFail InvestigateGetResponseValidationDKIM = "fail"

const InvestigateGetResponseValidationDKIMError InvestigateGetResponseValidationDKIM = "error"

const InvestigateGetResponseValidationDKIMNone InvestigateGetResponseValidationDKIM = "none"

DMARC InvestigateGetResponseValidationDMARCOptional

One of the following:

const InvestigateGetResponseValidationDMARCPass InvestigateGetResponseValidationDMARC = "pass"

const InvestigateGetResponseValidationDMARCNeutral InvestigateGetResponseValidationDMARC = "neutral"

const InvestigateGetResponseValidationDMARCFail InvestigateGetResponseValidationDMARC = "fail"

const InvestigateGetResponseValidationDMARCError InvestigateGetResponseValidationDMARC = "error"

const InvestigateGetResponseValidationDMARCNone InvestigateGetResponseValidationDMARC = "none"

SPF InvestigateGetResponseValidationSPFOptional

One of the following:

const InvestigateGetResponseValidationSPFPass InvestigateGetResponseValidationSPF = "pass"

const InvestigateGetResponseValidationSPFNeutral InvestigateGetResponseValidationSPF = "neutral"

const InvestigateGetResponseValidationSPFFail InvestigateGetResponseValidationSPF = "fail"

const InvestigateGetResponseValidationSPFError InvestigateGetResponseValidationSPF = "error"

const InvestigateGetResponseValidationSPFNone InvestigateGetResponseValidationSPF = "none"

Get message details

Go

HTTP

TypeScript

Python

Go

Terraform

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/email_security"
  "github.com/cloudflare/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  investigate, err := client.EmailSecurity.Investigate.Get(
    context.TODO(),
    "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    email_security.InvestigateGetParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", investigate.ID)
}

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    "action_log": [
      {
        "completed_at": "2019-12-27T18:11:19.117Z",
        "operation": "MOVE",
        "completed_timestamp": "completed_timestamp",
        "properties": {
          "folder": "folder",
          "requested_by": "requested_by"
        },
        "status": "status"
      }
    ],
    "client_recipients": [
      "string"
    ],
    "detection_reasons": [
      "string"
    ],
    "is_phish_submission": true,
    "is_quarantined": true,
    "postfix_id": "4Njp3P0STMz2c02Q",
    "properties": {
      "allowlisted_pattern": "allowlisted_pattern",
      "allowlisted_pattern_type": "quarantine_release",
      "blocklisted_message": true,
      "blocklisted_pattern": "blocklisted_pattern",
      "whitelisted_pattern_type": "quarantine_release"
    },
    "ts": "ts",
    "alert_id": "alert_id",
    "delivery_mode": "DIRECT",
    "delivery_status": [
      "delivered"
    ],
    "edf_hash": "edf_hash",
    "envelope_from": "envelope_from",
    "envelope_to": [
      "string"
    ],
    "final_disposition": "MALICIOUS",
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "from": "from",
    "from_name": "from_name",
    "htmltext_structure_hash": "htmltext_structure_hash",
    "message_id": "message_id",
    "post_delivery_operations": [
      "PREVIEW"
    ],
    "postfix_id_outbound": "postfix_id_outbound",
    "replyto": "replyto",
    "scanned_at": "2019-12-27T18:11:19.117Z",
    "sent_at": "2019-12-27T18:11:19.117Z",
    "sent_date": "sent_date",
    "subject": "subject",
    "threat_categories": [
      "string"
    ],
    "to": [
      "string"
    ],
    "to_name": [
      "string"
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    }
  },
  "success": true
}

Returns Examples

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    "action_log": [
      {
        "completed_at": "2019-12-27T18:11:19.117Z",
        "operation": "MOVE",
        "completed_timestamp": "completed_timestamp",
        "properties": {
          "folder": "folder",
          "requested_by": "requested_by"
        },
        "status": "status"
      }
    ],
    "client_recipients": [
      "string"
    ],
    "detection_reasons": [
      "string"
    ],
    "is_phish_submission": true,
    "is_quarantined": true,
    "postfix_id": "4Njp3P0STMz2c02Q",
    "properties": {
      "allowlisted_pattern": "allowlisted_pattern",
      "allowlisted_pattern_type": "quarantine_release",
      "blocklisted_message": true,
      "blocklisted_pattern": "blocklisted_pattern",
      "whitelisted_pattern_type": "quarantine_release"
    },
    "ts": "ts",
    "alert_id": "alert_id",
    "delivery_mode": "DIRECT",
    "delivery_status": [
      "delivered"
    ],
    "edf_hash": "edf_hash",
    "envelope_from": "envelope_from",
    "envelope_to": [
      "string"
    ],
    "final_disposition": "MALICIOUS",
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "from": "from",
    "from_name": "from_name",
    "htmltext_structure_hash": "htmltext_structure_hash",
    "message_id": "message_id",
    "post_delivery_operations": [
      "PREVIEW"
    ],
    "postfix_id_outbound": "postfix_id_outbound",
    "replyto": "replyto",
    "scanned_at": "2019-12-27T18:11:19.117Z",
    "sent_at": "2019-12-27T18:11:19.117Z",
    "sent_date": "sent_date",
    "subject": "subject",
    "threat_categories": [
      "string"
    ],
    "to": [
      "string"
    ],
    "to_name": [
      "string"
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    }
  },
  "success": true
}