Get message details

client.EmailSecurity.Investigate.Get(ctx, postfixID, query) (*InvestigateGetResponse, error)

GET/accounts/{account_id}/email-security/investigate/{postfix_id}

Retrieves detailed information about a specific email message, including headers, metadata, and security scan results.

Security

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Cloud Email Security: WriteCloud Email Security: Read

ParametersExpand Collapse

postfixID string

The identifier of the message.

query InvestigateGetParams

AccountID param.Field[string]

Account Identifier

maxLength32

minLength32

ReturnsExpand Collapse

type InvestigateGetResponse struct{…}

ID string

ActionLog unknown

ClientRecipients []string

DetectionReasons []string

IsPhishSubmission bool

IsQuarantined bool

PostfixID string

The identifier of the message.

Properties InvestigateGetResponseProperties

AllowlistedPattern stringoptional

AllowlistedPatternType InvestigateGetResponsePropertiesAllowlistedPatternTypeoptional

One of the following:

const InvestigateGetResponsePropertiesAllowlistedPatternTypeQuarantineRelease InvestigateGetResponsePropertiesAllowlistedPatternType = "quarantine_release"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeAcceptableSender InvestigateGetResponsePropertiesAllowlistedPatternType = "acceptable_sender"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeAllowedSender InvestigateGetResponsePropertiesAllowlistedPatternType = "allowed_sender"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeAllowedRecipient InvestigateGetResponsePropertiesAllowlistedPatternType = "allowed_recipient"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeDomainSimilarity InvestigateGetResponsePropertiesAllowlistedPatternType = "domain_similarity"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeDomainRecency InvestigateGetResponsePropertiesAllowlistedPatternType = "domain_recency"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeManagedAcceptableSender InvestigateGetResponsePropertiesAllowlistedPatternType = "managed_acceptable_sender"

const InvestigateGetResponsePropertiesAllowlistedPatternTypeOutboundNdr InvestigateGetResponsePropertiesAllowlistedPatternType = "outbound_ndr"

BlocklistedMessage booloptional

BlocklistedPattern stringoptional

WhitelistedPatternType InvestigateGetResponsePropertiesWhitelistedPatternTypeoptional

One of the following:

const InvestigateGetResponsePropertiesWhitelistedPatternTypeQuarantineRelease InvestigateGetResponsePropertiesWhitelistedPatternType = "quarantine_release"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeAcceptableSender InvestigateGetResponsePropertiesWhitelistedPatternType = "acceptable_sender"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeAllowedSender InvestigateGetResponsePropertiesWhitelistedPatternType = "allowed_sender"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeAllowedRecipient InvestigateGetResponsePropertiesWhitelistedPatternType = "allowed_recipient"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeDomainSimilarity InvestigateGetResponsePropertiesWhitelistedPatternType = "domain_similarity"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeDomainRecency InvestigateGetResponsePropertiesWhitelistedPatternType = "domain_recency"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeManagedAcceptableSender InvestigateGetResponsePropertiesWhitelistedPatternType = "managed_acceptable_sender"

const InvestigateGetResponsePropertiesWhitelistedPatternTypeOutboundNdr InvestigateGetResponsePropertiesWhitelistedPatternType = "outbound_ndr"

DeprecatedTs string

Deprecated, use scanned_at instead

AlertID stringoptional

DeliveryMode InvestigateGetResponseDeliveryModeoptional

One of the following:

const InvestigateGetResponseDeliveryModeDirect InvestigateGetResponseDeliveryMode = "DIRECT"

const InvestigateGetResponseDeliveryModeBcc InvestigateGetResponseDeliveryMode = "BCC"

const InvestigateGetResponseDeliveryModeJournal InvestigateGetResponseDeliveryMode = "JOURNAL"

const InvestigateGetResponseDeliveryModeReviewSubmission InvestigateGetResponseDeliveryMode = "REVIEW_SUBMISSION"

const InvestigateGetResponseDeliveryModeDMARCUnverified InvestigateGetResponseDeliveryMode = "DMARC_UNVERIFIED"

const InvestigateGetResponseDeliveryModeDMARCFailureReport InvestigateGetResponseDeliveryMode = "DMARC_FAILURE_REPORT"

const InvestigateGetResponseDeliveryModeDMARCAggregateReport InvestigateGetResponseDeliveryMode = "DMARC_AGGREGATE_REPORT"

const InvestigateGetResponseDeliveryModeThreatIntelSubmission InvestigateGetResponseDeliveryMode = "THREAT_INTEL_SUBMISSION"

const InvestigateGetResponseDeliveryModeSimulationSubmission InvestigateGetResponseDeliveryMode = "SIMULATION_SUBMISSION"

const InvestigateGetResponseDeliveryModeAPI InvestigateGetResponseDeliveryMode = "API"

const InvestigateGetResponseDeliveryModeRetroScan InvestigateGetResponseDeliveryMode = "RETRO_SCAN"

EdfHash stringoptional

EnvelopeFrom stringoptional

EnvelopeTo []stringoptional

FinalDisposition InvestigateGetResponseFinalDispositionoptional

One of the following:

const InvestigateGetResponseFinalDispositionMalicious InvestigateGetResponseFinalDisposition = "MALICIOUS"

const InvestigateGetResponseFinalDispositionMaliciousBec InvestigateGetResponseFinalDisposition = "MALICIOUS-BEC"

const InvestigateGetResponseFinalDispositionSuspicious InvestigateGetResponseFinalDisposition = "SUSPICIOUS"

const InvestigateGetResponseFinalDispositionSpoof InvestigateGetResponseFinalDisposition = "SPOOF"

const InvestigateGetResponseFinalDispositionSpam InvestigateGetResponseFinalDisposition = "SPAM"

const InvestigateGetResponseFinalDispositionBulk InvestigateGetResponseFinalDisposition = "BULK"

const InvestigateGetResponseFinalDispositionEncrypted InvestigateGetResponseFinalDisposition = "ENCRYPTED"

const InvestigateGetResponseFinalDispositionExternal InvestigateGetResponseFinalDisposition = "EXTERNAL"

const InvestigateGetResponseFinalDispositionUnknown InvestigateGetResponseFinalDisposition = "UNKNOWN"

const InvestigateGetResponseFinalDispositionNone InvestigateGetResponseFinalDisposition = "NONE"

Findings []InvestigateGetResponseFindingoptional

Attachment stringoptional

Detail stringoptional

Detection InvestigateGetResponseFindingsDetectionoptional

One of the following:

const InvestigateGetResponseFindingsDetectionMalicious InvestigateGetResponseFindingsDetection = "MALICIOUS"

const InvestigateGetResponseFindingsDetectionMaliciousBec InvestigateGetResponseFindingsDetection = "MALICIOUS-BEC"

const InvestigateGetResponseFindingsDetectionSuspicious InvestigateGetResponseFindingsDetection = "SUSPICIOUS"

const InvestigateGetResponseFindingsDetectionSpoof InvestigateGetResponseFindingsDetection = "SPOOF"

const InvestigateGetResponseFindingsDetectionSpam InvestigateGetResponseFindingsDetection = "SPAM"

const InvestigateGetResponseFindingsDetectionBulk InvestigateGetResponseFindingsDetection = "BULK"

const InvestigateGetResponseFindingsDetectionEncrypted InvestigateGetResponseFindingsDetection = "ENCRYPTED"

const InvestigateGetResponseFindingsDetectionExternal InvestigateGetResponseFindingsDetection = "EXTERNAL"

const InvestigateGetResponseFindingsDetectionUnknown InvestigateGetResponseFindingsDetection = "UNKNOWN"

const InvestigateGetResponseFindingsDetectionNone InvestigateGetResponseFindingsDetection = "NONE"

Field stringoptional

Name stringoptional

Portion stringoptional

Reason stringoptional

Score float64optional

formatdouble

Value stringoptional

From stringoptional

FromName stringoptional

HtmltextStructureHash stringoptional

MessageID stringoptional

PostDeliveryOperations []InvestigateGetResponsePostDeliveryOperationoptional

One of the following:

const InvestigateGetResponsePostDeliveryOperationPreview InvestigateGetResponsePostDeliveryOperation = "PREVIEW"

const InvestigateGetResponsePostDeliveryOperationQuarantineRelease InvestigateGetResponsePostDeliveryOperation = "QUARANTINE_RELEASE"

const InvestigateGetResponsePostDeliveryOperationSubmission InvestigateGetResponsePostDeliveryOperation = "SUBMISSION"

const InvestigateGetResponsePostDeliveryOperationMove InvestigateGetResponsePostDeliveryOperation = "MOVE"

PostfixIDOutbound stringoptional

Replyto stringoptional

ScannedAt Timeoptional

formatdate-time

SentAt Timeoptional

formatdate-time

DeprecatedSentDate stringoptional

Deprecated, use sent_at instead

Subject stringoptional

ThreatCategories []stringoptional

To []stringoptional

ToName []stringoptional

Validation InvestigateGetResponseValidationoptional

Comment stringoptional

DKIM InvestigateGetResponseValidationDKIMoptional

One of the following:

const InvestigateGetResponseValidationDKIMPass InvestigateGetResponseValidationDKIM = "pass"

const InvestigateGetResponseValidationDKIMNeutral InvestigateGetResponseValidationDKIM = "neutral"

const InvestigateGetResponseValidationDKIMFail InvestigateGetResponseValidationDKIM = "fail"

const InvestigateGetResponseValidationDKIMError InvestigateGetResponseValidationDKIM = "error"

const InvestigateGetResponseValidationDKIMNone InvestigateGetResponseValidationDKIM = "none"

DMARC InvestigateGetResponseValidationDMARCoptional

One of the following:

const InvestigateGetResponseValidationDMARCPass InvestigateGetResponseValidationDMARC = "pass"

const InvestigateGetResponseValidationDMARCNeutral InvestigateGetResponseValidationDMARC = "neutral"

const InvestigateGetResponseValidationDMARCFail InvestigateGetResponseValidationDMARC = "fail"

const InvestigateGetResponseValidationDMARCError InvestigateGetResponseValidationDMARC = "error"

const InvestigateGetResponseValidationDMARCNone InvestigateGetResponseValidationDMARC = "none"

SPF InvestigateGetResponseValidationSPFoptional

One of the following:

const InvestigateGetResponseValidationSPFPass InvestigateGetResponseValidationSPF = "pass"

const InvestigateGetResponseValidationSPFNeutral InvestigateGetResponseValidationSPF = "neutral"

const InvestigateGetResponseValidationSPFFail InvestigateGetResponseValidationSPF = "fail"

const InvestigateGetResponseValidationSPFError InvestigateGetResponseValidationSPF = "error"

const InvestigateGetResponseValidationSPFNone InvestigateGetResponseValidationSPF = "none"

Get message details

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/email_security"
  "github.com/cloudflare/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIKey("144c9defac04969c7bfad8efaa8ea194"),
    option.WithAPIEmail("user@example.com"),
  )
  investigate, err := client.EmailSecurity.Investigate.Get(
    context.TODO(),
    "4Njp3P0STMz2c02Q",
    email_security.InvestigateGetParams{
      AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", investigate.ID)
}

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "4Njp3P0STMz2c02Q-2022-12-30T02:44:49-2a539d65",
    "action_log": [],
    "client_recipients": [
      "email@example.com"
    ],
    "detection_reasons": [
      "Selector is a source of spam/uce : Smtp-Helo-Server-Ip=<b>127.0.0[dot]186</b>"
    ],
    "is_phish_submission": false,
    "is_quarantined": false,
    "postfix_id": "47JJcT1w6GztQV7",
    "properties": {
      "allowlisted_pattern": "allowlisted_pattern",
      "allowlisted_pattern_type": "quarantine_release",
      "blocklisted_message": true,
      "blocklisted_pattern": "blocklisted_pattern",
      "whitelisted_pattern_type": "quarantine_release"
    },
    "ts": "2019-11-20T23:22:01",
    "alert_id": "4Njp3P0STMz2c02Q-2022-12-30T02:44:49",
    "delivery_mode": "DIRECT",
    "edf_hash": null,
    "envelope_from": "d1994@example.com",
    "envelope_to": [
      "email@example.com"
    ],
    "final_disposition": "MALICIOUS",
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "from": "d1994@example.com",
    "from_name": "Sender Name",
    "htmltext_structure_hash": null,
    "message_id": "<4VAZPrAdg7IGNxdt1DWRNu0gvOeL_iZiwP4BQfo4DaE.Yw-woXuugQbeFhBpzwFQtqq_v2v1HOKznoMBqbciQpE@example.com>",
    "post_delivery_operations": [
      "PREVIEW"
    ],
    "postfix_id_outbound": null,
    "replyto": "email@example.com",
    "scanned_at": "2019-11-20T23:22:01Z",
    "sent_at": "2019-11-21T00:22:01Z",
    "sent_date": "2019-11-21T00:22:01",
    "subject": "listen, I highly recommend u to read that email, just to ensure not a thing will take place",
    "threat_categories": [
      "IPReputation",
      "ASNReputation"
    ],
    "to": [
      "email@example.com"
    ],
    "to_name": [
      "Recipient Name"
    ],
    "validation": {
      "comment": null,
      "dkim": "pass",
      "dmarc": "none",
      "spf": "fail"
    }
  },
  "success": true
}

Returns Examples

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "4Njp3P0STMz2c02Q-2022-12-30T02:44:49-2a539d65",
    "action_log": [],
    "client_recipients": [
      "email@example.com"
    ],
    "detection_reasons": [
      "Selector is a source of spam/uce : Smtp-Helo-Server-Ip=<b>127.0.0[dot]186</b>"
    ],
    "is_phish_submission": false,
    "is_quarantined": false,
    "postfix_id": "47JJcT1w6GztQV7",
    "properties": {
      "allowlisted_pattern": "allowlisted_pattern",
      "allowlisted_pattern_type": "quarantine_release",
      "blocklisted_message": true,
      "blocklisted_pattern": "blocklisted_pattern",
      "whitelisted_pattern_type": "quarantine_release"
    },
    "ts": "2019-11-20T23:22:01",
    "alert_id": "4Njp3P0STMz2c02Q-2022-12-30T02:44:49",
    "delivery_mode": "DIRECT",
    "edf_hash": null,
    "envelope_from": "d1994@example.com",
    "envelope_to": [
      "email@example.com"
    ],
    "final_disposition": "MALICIOUS",
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "from": "d1994@example.com",
    "from_name": "Sender Name",
    "htmltext_structure_hash": null,
    "message_id": "<4VAZPrAdg7IGNxdt1DWRNu0gvOeL_iZiwP4BQfo4DaE.Yw-woXuugQbeFhBpzwFQtqq_v2v1HOKznoMBqbciQpE@example.com>",
    "post_delivery_operations": [
      "PREVIEW"
    ],
    "postfix_id_outbound": null,
    "replyto": "email@example.com",
    "scanned_at": "2019-11-20T23:22:01Z",
    "sent_at": "2019-11-21T00:22:01Z",
    "sent_date": "2019-11-21T00:22:01",
    "subject": "listen, I highly recommend u to read that email, just to ensure not a thing will take place",
    "threat_categories": [
      "IPReputation",
      "ASNReputation"
    ],
    "to": [
      "email@example.com"
    ],
    "to_name": [
      "Recipient Name"
    ],
    "validation": {
      "comment": null,
      "dkim": "pass",
      "dmarc": "none",
      "spf": "fail"
    }
  },
  "success": true
}