API Reference

Email Security

Investigate

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Search email messages

client.emailSecurity.investigate.list(InvestigateListParams { account_id, action_log, alert_id, 15 more } params, RequestOptionsoptions?): V4PagePaginationArray<InvestigateListResponse { id, action_log, client_recipients, 29 more } >

GET/accounts/{account_id}/email-security/investigate

Returns information for each email that matches the search parameter(s).

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Cloud Email Security: WriteCloud Email Security: Read

ParametersExpand Collapse

params: InvestigateListParams { account_id, action_log, alert_id, 15 more }

account_id: string

Path param: Identifier.

maxLength32

action_log?: boolean

Query param: Whether to include the message action log in the response.

alert_id?: string

Query param

cursor?: string

Query param

detections_only?: boolean

Query param: Whether to include only detections in search results.

domain?: string

Query param: Sender domains to filter by.

end?: string

Query param: The end of the search date range. Defaults to now.

formatdate-time

final_disposition?: "MALICIOUS" | "SUSPICIOUS" | "SPOOF" | 3 more

Query param: Dispositions to filter by.

One of the following:

"MALICIOUS"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"NONE"

message_action?: "PREVIEW" | "QUARANTINE_RELEASED" | "MOVED"

Query param: Message actions to filter by.

One of the following:

"PREVIEW"

"QUARANTINE_RELEASED"

"MOVED"

message_id?: string

Query param

metric?: string

Query param

page?: number | null

Query param: Deprecated: Use cursor pagination instead. End of life: November 1, 2026.

minimum1

per_page?: number

Query param: The number of results per page. Maximum value is 1000.

maximum1000

minimum1

query?: string

Query param: Space-delimited search term. Case-insensitive.

recipient?: string

Query param

sender?: string

Query param

start?: string

Query param: The beginning of the search date range. Defaults to now - 30 days.

formatdate-time

subject?: string

Query param

ReturnsExpand Collapse

InvestigateListResponse { id, action_log, client_recipients, 29 more }

id: string

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: Array<ActionLog>

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: string

Timestamp when action completed

formatdate-time

operation: "MOVE" | "RELEASE" | "RECLASSIFY" | 3 more

Type of action performed

One of the following:

"MOVE"

"RELEASE"

"RECLASSIFY"

"SUBMISSION"

"QUARANTINE_RELEASE"

"PREVIEW"

Deprecatedcompleted_timestamp?: string

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties?: Properties { folder, requested_by }

Additional properties for the action

folder?: string

Target folder for move operations

requested_by?: string

User who requested the action

status?: string | null

Status of the action

client_recipients: Array<string>

detection_reasons: Array<string>

is_phish_submission: boolean

is_quarantined: boolean

postfix_id: string

The identifier of the message

properties: Properties { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

Message processing properties

allowlisted_pattern?: string | null

Pattern that allowlisted this message

allowlisted_pattern_type?: "quarantine_release" | "acceptable_sender" | "allowed_sender" | 5 more | null

Type of allowlist pattern

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message?: boolean | null

Whether message was blocklisted

blocklisted_pattern?: string | null

Pattern that blocklisted this message

whitelisted_pattern_type?: "quarantine_release" | "acceptable_sender" | "allowed_sender" | 5 more | null

Legacy field for allowlist pattern type

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id?: string | null

delivery_mode?: "DIRECT" | "BCC" | "JOURNAL" | 8 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status?: Array<"delivered" | "moved" | "quarantined" | 4 more> | null

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash?: string | null

envelope_from?: string | null

envelope_to?: Array<string> | null

final_disposition?: "MALICIOUS" | "MALICIOUS-BEC" | "SUSPICIOUS" | 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings?: Array<Finding> | null

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment?: string | null

detail?: string | null

detection?: "MALICIOUS" | "MALICIOUS-BEC" | "SUSPICIOUS" | 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field?: string | null

name?: string | null

portion?: string | null

reason?: string | null

score?: number | null

formatdouble

value?: string | null

from?: string | null

from_name?: string | null

htmltext_structure_hash?: string | null

message_id?: string | null

post_delivery_operations?: Array<"PREVIEW" | "QUARANTINE_RELEASE" | "SUBMISSION" | "MOVE"> | null

Post-delivery operations performed on this message

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound?: string | null

replyto?: string | null

scanned_at?: string | null

When the message was scanned (UTC)

formatdate-time

sent_at?: string | null

When the message was sent (UTC)

formatdate-time

sent_date?: string | null

subject?: string | null

threat_categories?: Array<string> | null

to?: Array<string> | null

to_name?: Array<string> | null

validation?: Validation { comment, dkim, dmarc, spf }

comment?: string | null

dkim?: "pass" | "neutral" | "fail" | 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc?: "pass" | "neutral" | "fail" | 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf?: "pass" | "neutral" | "fail" | 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

Search email messages

TypeScript

HTTP

TypeScript

Python

Go

Terraform

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const investigateListResponse of client.emailSecurity.investigate.list({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
  console.log(investigateListResponse.id);
}

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
      "action_log": [
        {
          "completed_at": "2019-12-27T18:11:19.117Z",
          "operation": "MOVE",
          "completed_timestamp": "completed_timestamp",
          "properties": {
            "folder": "folder",
            "requested_by": "requested_by"
          },
          "status": "status"
        }
      ],
      "client_recipients": [
        "string"
      ],
      "detection_reasons": [
        "string"
      ],
      "is_phish_submission": true,
      "is_quarantined": true,
      "postfix_id": "4Njp3P0STMz2c02Q",
      "properties": {
        "allowlisted_pattern": "allowlisted_pattern",
        "allowlisted_pattern_type": "quarantine_release",
        "blocklisted_message": true,
        "blocklisted_pattern": "blocklisted_pattern",
        "whitelisted_pattern_type": "quarantine_release"
      },
      "ts": "ts",
      "alert_id": "alert_id",
      "delivery_mode": "DIRECT",
      "delivery_status": [
        "delivered"
      ],
      "edf_hash": "edf_hash",
      "envelope_from": "envelope_from",
      "envelope_to": [
        "string"
      ],
      "final_disposition": "MALICIOUS",
      "findings": [
        {
          "attachment": "attachment",
          "detail": "detail",
          "detection": "MALICIOUS",
          "field": "field",
          "name": "name",
          "portion": "portion",
          "reason": "reason",
          "score": 0,
          "value": "value"
        }
      ],
      "from": "from",
      "from_name": "from_name",
      "htmltext_structure_hash": "htmltext_structure_hash",
      "message_id": "message_id",
      "post_delivery_operations": [
        "PREVIEW"
      ],
      "postfix_id_outbound": "postfix_id_outbound",
      "replyto": "replyto",
      "scanned_at": "2019-12-27T18:11:19.117Z",
      "sent_at": "2019-12-27T18:11:19.117Z",
      "sent_date": "sent_date",
      "subject": "subject",
      "threat_categories": [
        "string"
      ],
      "to": [
        "string"
      ],
      "to_name": [
        "string"
      ],
      "validation": {
        "comment": "comment",
        "dkim": "pass",
        "dmarc": "pass",
        "spf": "pass"
      }
    }
  ],
  "result_info": {
    "count": 0,
    "per_page": 0,
    "total_count": 0,
    "next": "next",
    "page": 0,
    "previous": "previous"
  },
  "success": true
}

Returns Examples

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
      "action_log": [
        {
          "completed_at": "2019-12-27T18:11:19.117Z",
          "operation": "MOVE",
          "completed_timestamp": "completed_timestamp",
          "properties": {
            "folder": "folder",
            "requested_by": "requested_by"
          },
          "status": "status"
        }
      ],
      "client_recipients": [
        "string"
      ],
      "detection_reasons": [
        "string"
      ],
      "is_phish_submission": true,
      "is_quarantined": true,
      "postfix_id": "4Njp3P0STMz2c02Q",
      "properties": {
        "allowlisted_pattern": "allowlisted_pattern",
        "allowlisted_pattern_type": "quarantine_release",
        "blocklisted_message": true,
        "blocklisted_pattern": "blocklisted_pattern",
        "whitelisted_pattern_type": "quarantine_release"
      },
      "ts": "ts",
      "alert_id": "alert_id",
      "delivery_mode": "DIRECT",
      "delivery_status": [
        "delivered"
      ],
      "edf_hash": "edf_hash",
      "envelope_from": "envelope_from",
      "envelope_to": [
        "string"
      ],
      "final_disposition": "MALICIOUS",
      "findings": [
        {
          "attachment": "attachment",
          "detail": "detail",
          "detection": "MALICIOUS",
          "field": "field",
          "name": "name",
          "portion": "portion",
          "reason": "reason",
          "score": 0,
          "value": "value"
        }
      ],
      "from": "from",
      "from_name": "from_name",
      "htmltext_structure_hash": "htmltext_structure_hash",
      "message_id": "message_id",
      "post_delivery_operations": [
        "PREVIEW"
      ],
      "postfix_id_outbound": "postfix_id_outbound",
      "replyto": "replyto",
      "scanned_at": "2019-12-27T18:11:19.117Z",
      "sent_at": "2019-12-27T18:11:19.117Z",
      "sent_date": "sent_date",
      "subject": "subject",
      "threat_categories": [
        "string"
      ],
      "to": [
        "string"
      ],
      "to_name": [
        "string"
      ],
      "validation": {
        "comment": "comment",
        "dkim": "pass",
        "dmarc": "pass",
        "spf": "pass"
      }
    }
  ],
  "result_info": {
    "count": 0,
    "per_page": 0,
    "total_count": 0,
    "next": "next",
    "page": 0,
    "previous": "previous"
  },
  "success": true
}