Skip to content
Cloudflare API
Start here
API Reference

Email Security

Email SecurityInvestigate

Search email messages
email_security.investigate.list(InvestigateListParams**kwargs) -> SyncV4PagePaginationArray[InvestigateListResponse]
GET/accounts/{account_id}/email-security/investigate
Get message details
email_security.investigate.get(strinvestigate_id, InvestigateGetParams**kwargs) -> InvestigateGetResponse
GET/accounts/{account_id}/email-security/investigate/{investigate_id}
ModelsExpand Collapse
class InvestigateListResponse:
id: str

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: List[ActionLog]

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: datetime

Timestamp when action completed

formatdate-time
operation: Literal["MOVE", "RELEASE", "RECLASSIFY", 3 more]

Type of action performed

One of the following:
"MOVE"
"RELEASE"
"RECLASSIFY"
"SUBMISSION"
"QUARANTINE_RELEASE"
"PREVIEW"
Deprecatedcompleted_timestamp: Optional[str]

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: Optional[ActionLogProperties]

Additional properties for the action

folder: Optional[str]

Target folder for move operations

requested_by: Optional[str]

User who requested the action

status: Optional[str]

Status of the action

client_recipients: List[str]
detection_reasons: List[str]
is_phish_submission: bool
is_quarantined: bool
postfix_id: str

The identifier of the message

properties: Properties

Message processing properties

allowlisted_pattern: Optional[str]

Pattern that allowlisted this message

allowlisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Type of allowlist pattern

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
blocklisted_message: Optional[bool]

Whether message was blocklisted

blocklisted_pattern: Optional[str]

Pattern that blocklisted this message

whitelisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Legacy field for allowlist pattern type

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
Deprecatedts: str

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: Optional[str]
delivery_mode: Optional[Literal["DIRECT", "BCC", "JOURNAL", 8 more]]
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"REVIEW_SUBMISSION"
"DMARC_UNVERIFIED"
"DMARC_FAILURE_REPORT"
"DMARC_AGGREGATE_REPORT"
"THREAT_INTEL_SUBMISSION"
"SIMULATION_SUBMISSION"
"API"
"RETRO_SCAN"
delivery_status: Optional[List[Literal["delivered", "moved", "quarantined", 4 more]]]
One of the following:
"delivered"
"moved"
"quarantined"
"rejected"
"deferred"
"bounced"
"queued"
edf_hash: Optional[str]
envelope_from: Optional[str]
envelope_to: Optional[List[str]]
final_disposition: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
Deprecatedfindings: Optional[List[Finding]]

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: Optional[str]
detail: Optional[str]
detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
field: Optional[str]
name: Optional[str]
portion: Optional[str]
reason: Optional[str]
score: Optional[float]
formatdouble
value: Optional[str]
from_: Optional[str]
from_name: Optional[str]
htmltext_structure_hash: Optional[str]
message_id: Optional[str]
post_delivery_operations: Optional[List[Literal["PREVIEW", "QUARANTINE_RELEASE", "SUBMISSION", "MOVE"]]]

Post-delivery operations performed on this message

One of the following:
"PREVIEW"
"QUARANTINE_RELEASE"
"SUBMISSION"
"MOVE"
postfix_id_outbound: Optional[str]
replyto: Optional[str]
scanned_at: Optional[datetime]

When the message was scanned (UTC)

formatdate-time
sent_at: Optional[datetime]

When the message was sent (UTC)

formatdate-time
sent_date: Optional[str]
subject: Optional[str]
threat_categories: Optional[List[str]]
to: Optional[List[str]]
to_name: Optional[List[str]]
validation: Optional[Validation]
comment: Optional[str]
dkim: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
dmarc: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
spf: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
class InvestigateGetResponse:
id: str

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: List[ActionLog]

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: datetime

Timestamp when action completed

formatdate-time
operation: Literal["MOVE", "RELEASE", "RECLASSIFY", 3 more]

Type of action performed

One of the following:
"MOVE"
"RELEASE"
"RECLASSIFY"
"SUBMISSION"
"QUARANTINE_RELEASE"
"PREVIEW"
Deprecatedcompleted_timestamp: Optional[str]

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: Optional[ActionLogProperties]

Additional properties for the action

folder: Optional[str]

Target folder for move operations

requested_by: Optional[str]

User who requested the action

status: Optional[str]

Status of the action

client_recipients: List[str]
detection_reasons: List[str]
is_phish_submission: bool
is_quarantined: bool
postfix_id: str

The identifier of the message

properties: Properties

Message processing properties

allowlisted_pattern: Optional[str]

Pattern that allowlisted this message

allowlisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Type of allowlist pattern

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
blocklisted_message: Optional[bool]

Whether message was blocklisted

blocklisted_pattern: Optional[str]

Pattern that blocklisted this message

whitelisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Legacy field for allowlist pattern type

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
Deprecatedts: str

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: Optional[str]
delivery_mode: Optional[Literal["DIRECT", "BCC", "JOURNAL", 8 more]]
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"REVIEW_SUBMISSION"
"DMARC_UNVERIFIED"
"DMARC_FAILURE_REPORT"
"DMARC_AGGREGATE_REPORT"
"THREAT_INTEL_SUBMISSION"
"SIMULATION_SUBMISSION"
"API"
"RETRO_SCAN"
delivery_status: Optional[List[Literal["delivered", "moved", "quarantined", 4 more]]]
One of the following:
"delivered"
"moved"
"quarantined"
"rejected"
"deferred"
"bounced"
"queued"
edf_hash: Optional[str]
envelope_from: Optional[str]
envelope_to: Optional[List[str]]
final_disposition: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
Deprecatedfindings: Optional[List[Finding]]

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: Optional[str]
detail: Optional[str]
detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
field: Optional[str]
name: Optional[str]
portion: Optional[str]
reason: Optional[str]
score: Optional[float]
formatdouble
value: Optional[str]
from_: Optional[str]
from_name: Optional[str]
htmltext_structure_hash: Optional[str]
message_id: Optional[str]
post_delivery_operations: Optional[List[Literal["PREVIEW", "QUARANTINE_RELEASE", "SUBMISSION", "MOVE"]]]

Post-delivery operations performed on this message

One of the following:
"PREVIEW"
"QUARANTINE_RELEASE"
"SUBMISSION"
"MOVE"
postfix_id_outbound: Optional[str]
replyto: Optional[str]
scanned_at: Optional[datetime]

When the message was scanned (UTC)

formatdate-time
sent_at: Optional[datetime]

When the message was sent (UTC)

formatdate-time
sent_date: Optional[str]
subject: Optional[str]
threat_categories: Optional[List[str]]
to: Optional[List[str]]
to_name: Optional[List[str]]
validation: Optional[Validation]
comment: Optional[str]
dkim: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
dmarc: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
spf: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"

Email SecurityInvestigateDetections

Get message detection details
email_security.investigate.detections.get(strinvestigate_id, DetectionGetParams**kwargs) -> DetectionGetResponse
GET/accounts/{account_id}/email-security/investigate/{investigate_id}/detections
ModelsExpand Collapse
class DetectionGetResponse:
action: str
attachments: List[Attachment]
size: int

Size of the attachment in bytes

minimum0
content_type: Optional[str]

MIME type of the attachment

detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

Detection result for this attachment

One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
encrypted: Optional[bool]

Whether the attachment is encrypted

filename: Optional[str]

Name of the attached file

md5: Optional[str]

MD5 hash of the attachment

name: Optional[str]

Attachment name (alternative to filename)

sha1: Optional[str]

SHA1 hash of the attachment

sha256: Optional[str]

SHA256 hash of the attachment

findings: Optional[List[Finding]]
attachment: Optional[str]
detail: Optional[str]
detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
field: Optional[str]
name: Optional[str]
portion: Optional[str]
reason: Optional[str]
score: Optional[float]
formatdouble
value: Optional[str]
headers: List[Header]
name: str
value: str
text: Optional[str]
sender_info: SenderInfo
as_name: Optional[str]

The name of the autonomous system.

as_number: Optional[int]

The number of the autonomous system.

geo: Optional[str]
ip: Optional[str]
pld: Optional[str]
threat_categories: List[ThreatCategory]
id: Optional[int]
description: Optional[str]
name: Optional[str]
validation: Validation
comment: Optional[str]
dkim: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
dmarc: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
spf: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
final_disposition: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"

Email SecurityInvestigatePreview

Get email preview
email_security.investigate.preview.get(strinvestigate_id, PreviewGetParams**kwargs) -> PreviewGetResponse
GET/accounts/{account_id}/email-security/investigate/{investigate_id}/preview
Preview for non-detection messages
email_security.investigate.preview.create(PreviewCreateParams**kwargs) -> PreviewCreateResponse
POST/accounts/{account_id}/email-security/investigate/preview
ModelsExpand Collapse
class PreviewGetResponse:
screenshot: str

A base64 encoded PNG image of the email.

class PreviewCreateResponse:
screenshot: str

A base64 encoded PNG image of the email.

Email SecurityInvestigateRaw

Get raw email content
email_security.investigate.raw.get(strinvestigate_id, RawGetParams**kwargs) -> RawGetResponse
GET/accounts/{account_id}/email-security/investigate/{investigate_id}/raw
ModelsExpand Collapse
class RawGetResponse:
raw: str

A UTF-8 encoded eml file of the email.

Email SecurityInvestigateTrace

Get email trace
email_security.investigate.trace.get(strinvestigate_id, TraceGetParams**kwargs) -> TraceGetResponse
GET/accounts/{account_id}/email-security/investigate/{investigate_id}/trace
ModelsExpand Collapse
class TraceGetResponse:
inbound: Inbound
lines: Optional[List[InboundLine]]
lineno: Optional[int]

Line number in the trace log

logged_at: Optional[datetime]
formatdate-time
message: Optional[str]
Deprecatedts: Optional[str]

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: Optional[bool]
outbound: Outbound
lines: Optional[List[OutboundLine]]
lineno: Optional[int]

Line number in the trace log

logged_at: Optional[datetime]
formatdate-time
message: Optional[str]
Deprecatedts: Optional[str]

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: Optional[bool]

Email SecurityInvestigateMove

Move a message
email_security.investigate.move.create(strinvestigate_id, MoveCreateParams**kwargs) -> SyncSinglePage[MoveCreateResponse]
POST/accounts/{account_id}/email-security/investigate/{investigate_id}/move
Move multiple messages
email_security.investigate.move.bulk(MoveBulkParams**kwargs) -> SyncSinglePage[MoveBulkResponse]
POST/accounts/{account_id}/email-security/investigate/move
ModelsExpand Collapse
class MoveCreateResponse:
success: bool

Whether the operation succeeded

completed_at: Optional[datetime]

When the move operation completed (UTC)

formatdate-time
Deprecatedcompleted_timestamp: Optional[datetime]

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time
destination: Optional[str]

Destination folder for the message

Deprecateditem_count: Optional[int]

Number of items moved. End of life: November 1, 2026.

message_id: Optional[str]

Message identifier

operation: Optional[str]

Type of operation performed

recipient: Optional[str]

Recipient email address

status: Optional[str]

Operation status

class MoveBulkResponse:
success: bool

Whether the operation succeeded

completed_at: Optional[datetime]

When the move operation completed (UTC)

formatdate-time
Deprecatedcompleted_timestamp: Optional[datetime]

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time
destination: Optional[str]

Destination folder for the message

Deprecateditem_count: Optional[int]

Number of items moved. End of life: November 1, 2026.

message_id: Optional[str]

Message identifier

operation: Optional[str]

Type of operation performed

recipient: Optional[str]

Recipient email address

status: Optional[str]

Operation status

Email SecurityInvestigateReclassify

Change email classification
email_security.investigate.reclassify.create(strinvestigate_id, ReclassifyCreateParams**kwargs) -> object
POST/accounts/{account_id}/email-security/investigate/{investigate_id}/reclassify

Email SecurityInvestigateRelease

Release messages from quarantine
email_security.investigate.release.bulk(ReleaseBulkParams**kwargs) -> SyncSinglePage[ReleaseBulkResponse]
POST/accounts/{account_id}/email-security/investigate/release
ModelsExpand Collapse
class ReleaseBulkResponse:
id: str

Unique identifier for a message retrieved from investigation

delivered: Optional[List[str]]
failed: Optional[List[str]]
Deprecatedpostfix_id: Optional[str]

Deprecated, use id instead. End of life: November 1, 2026.

undelivered: Optional[List[str]]

Email SecurityPhishguard

Email SecurityPhishguardReports

Get PhishGuard reports
email_security.phishguard.reports.list(ReportListParams**kwargs) -> SyncSinglePage[ReportListResponse]
GET/accounts/{account_id}/email-security/phishguard/reports
ModelsExpand Collapse
class ReportListResponse:
id: int
content: str
disposition: Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
fields: Fields
to: List[str]
from_: Optional[str]
occurred_at: Optional[datetime]
formatdate-time
postfix_id: Optional[str]
Deprecatedts: Optional[datetime]

Deprecated, use occurred_at instead

formatdate-time
priority: str
title: str
created_at: Optional[datetime]
formatdate-time
tags: Optional[List[Tag]]
category: str
value: str
Deprecatedts: Optional[datetime]

Deprecated, use created_at instead

formatdate-time
updated_at: Optional[datetime]
formatdate-time

Email SecuritySettings

Email SecuritySettingsAllow Policies

List email allow policies
email_security.settings.allow_policies.list(AllowPolicyListParams**kwargs) -> SyncV4PagePaginationArray[AllowPolicyListResponse]
GET/accounts/{account_id}/email-security/settings/allow_policies
Get an email allow policy
email_security.settings.allow_policies.get(strpolicy_id, AllowPolicyGetParams**kwargs) -> AllowPolicyGetResponse
GET/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}
Create email allow policy
email_security.settings.allow_policies.create(AllowPolicyCreateParams**kwargs) -> AllowPolicyCreateResponse
POST/accounts/{account_id}/email-security/settings/allow_policies
Update an email allow policy
email_security.settings.allow_policies.edit(strpolicy_id, AllowPolicyEditParams**kwargs) -> AllowPolicyEditResponse
PATCH/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}
Delete an email allow policy
email_security.settings.allow_policies.delete(strpolicy_id, AllowPolicyDeleteParams**kwargs) -> AllowPolicyDeleteResponse
DELETE/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}
ModelsExpand Collapse
class AllowPolicyListResponse:

An email allow policy

id: str

Allow policy identifier

formatuuid
created_at: datetime
formatdate-time
Deprecatedlast_modified: datetime

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
comments: Optional[str]
maxLength1024
is_acceptable_sender: Optional[bool]

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: Optional[bool]

Messages to this recipient will bypass all detections

Deprecatedis_recipient: Optional[bool]

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: Optional[bool]
Deprecatedis_sender: Optional[bool]

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: Optional[bool]

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: Optional[bool]

Messages from this sender will bypass all detections and link following

modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
verify_sender: Optional[bool]

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

class AllowPolicyGetResponse:

An email allow policy

id: str

Allow policy identifier

formatuuid
created_at: datetime
formatdate-time
Deprecatedlast_modified: datetime

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
comments: Optional[str]
maxLength1024
is_acceptable_sender: Optional[bool]

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: Optional[bool]

Messages to this recipient will bypass all detections

Deprecatedis_recipient: Optional[bool]

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: Optional[bool]
Deprecatedis_sender: Optional[bool]

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: Optional[bool]

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: Optional[bool]

Messages from this sender will bypass all detections and link following

modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
verify_sender: Optional[bool]

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

class AllowPolicyCreateResponse:

An email allow policy

id: str

Allow policy identifier

formatuuid
created_at: datetime
formatdate-time
Deprecatedlast_modified: datetime

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
comments: Optional[str]
maxLength1024
is_acceptable_sender: Optional[bool]

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: Optional[bool]

Messages to this recipient will bypass all detections

Deprecatedis_recipient: Optional[bool]

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: Optional[bool]
Deprecatedis_sender: Optional[bool]

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: Optional[bool]

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: Optional[bool]

Messages from this sender will bypass all detections and link following

modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
verify_sender: Optional[bool]

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

class AllowPolicyEditResponse:

An email allow policy

id: str

Allow policy identifier

formatuuid
created_at: datetime
formatdate-time
Deprecatedlast_modified: datetime

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
comments: Optional[str]
maxLength1024
is_acceptable_sender: Optional[bool]

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: Optional[bool]

Messages to this recipient will bypass all detections

Deprecatedis_recipient: Optional[bool]

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: Optional[bool]
Deprecatedis_sender: Optional[bool]

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: Optional[bool]

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: Optional[bool]

Messages from this sender will bypass all detections and link following

modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
verify_sender: Optional[bool]

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

class AllowPolicyDeleteResponse:
id: str

Allow policy identifier

formatuuid

Email SecuritySettingsBlock Senders

List blocked email senders
email_security.settings.block_senders.list(BlockSenderListParams**kwargs) -> SyncV4PagePaginationArray[BlockSenderListResponse]
GET/accounts/{account_id}/email-security/settings/block_senders
Get a blocked email sender
email_security.settings.block_senders.get(strpattern_id, BlockSenderGetParams**kwargs) -> BlockSenderGetResponse
GET/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}
Create blocked email sender
email_security.settings.block_senders.create(BlockSenderCreateParams**kwargs) -> BlockSenderCreateResponse
POST/accounts/{account_id}/email-security/settings/block_senders
Update a blocked email sender
email_security.settings.block_senders.edit(strpattern_id, BlockSenderEditParams**kwargs) -> BlockSenderEditResponse
PATCH/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}
Delete a blocked email sender
email_security.settings.block_senders.delete(strpattern_id, BlockSenderDeleteParams**kwargs) -> BlockSenderDeleteResponse
DELETE/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}
ModelsExpand Collapse
class BlockSenderListResponse:

A blocked sender pattern

id: Optional[str]

Blocked sender pattern identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
class BlockSenderGetResponse:

A blocked sender pattern

id: Optional[str]

Blocked sender pattern identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
class BlockSenderCreateResponse:

A blocked sender pattern

id: Optional[str]

Blocked sender pattern identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
class BlockSenderEditResponse:

A blocked sender pattern

id: Optional[str]

Blocked sender pattern identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
pattern_type: Optional[Literal["EMAIL", "DOMAIN", "IP", "UNKNOWN"]]

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:
"EMAIL"
"DOMAIN"
"IP"
"UNKNOWN"
class BlockSenderDeleteResponse:
id: str

Blocked sender pattern identifier

formatuuid

Email SecuritySettingsDomains

List protected email domains
email_security.settings.domains.list(DomainListParams**kwargs) -> SyncV4PagePaginationArray[DomainListResponse]
GET/accounts/{account_id}/email-security/settings/domains
Get an email domain
email_security.settings.domains.get(strdomain_id, DomainGetParams**kwargs) -> DomainGetResponse
GET/accounts/{account_id}/email-security/settings/domains/{domain_id}
Update an email domain
email_security.settings.domains.edit(strdomain_id, DomainEditParams**kwargs) -> DomainEditResponse
PATCH/accounts/{account_id}/email-security/settings/domains/{domain_id}
Unprotect an email domain
email_security.settings.domains.delete(strdomain_id, DomainDeleteParams**kwargs) -> DomainDeleteResponse
DELETE/accounts/{account_id}/email-security/settings/domains/{domain_id}
ModelsExpand Collapse
class DomainListResponse:
id: Optional[str]

Domain identifier

formatuuid
allowed_delivery_modes: Optional[List[Literal["DIRECT", "BCC", "JOURNAL", 2 more]]]
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"API"
"RETRO_SCAN"
authorization: Optional[Authorization]
authorized: bool
timestamp: datetime
formatdate-time
status_message: Optional[str]
created_at: Optional[datetime]
formatdate-time
dmarc_status: Optional[Literal["none", "good", "invalid"]]
One of the following:
"none"
"good"
"invalid"
domain: Optional[str]
drop_dispositions: Optional[List[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
emails_processed: Optional[EmailsProcessed]
timestamp: datetime
formatdate-time
total_emails_processed: int
minimum0
total_emails_processed_previous: int
minimum0
folder: Optional[Literal["AllItems", "Inbox"]]
One of the following:
"AllItems"
"Inbox"
inbox_provider: Optional[Literal["Microsoft", "Google"]]
One of the following:
"Microsoft"
"Google"
integration_id: Optional[str]
formatuuid
ip_restrictions: Optional[List[str]]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
lookback_hops: Optional[int]
modified_at: Optional[datetime]
formatdate-time
o365_tenant_id: Optional[str]
regions: Optional[List[Literal["GLOBAL", "AU", "DE", 2 more]]]
One of the following:
"GLOBAL"
"AU"
"DE"
"IN"
"US"
require_tls_inbound: Optional[bool]
require_tls_outbound: Optional[bool]
spf_status: Optional[Literal["none", "good", "neutral", 2 more]]
One of the following:
"none"
"good"
"neutral"
"open"
"invalid"
status: Optional[Literal["pending", "active", "failed", "timeout"]]
One of the following:
"pending"
"active"
"failed"
"timeout"
transport: Optional[str]
class DomainGetResponse:
id: Optional[str]

Domain identifier

formatuuid
allowed_delivery_modes: Optional[List[Literal["DIRECT", "BCC", "JOURNAL", 2 more]]]
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"API"
"RETRO_SCAN"
authorization: Optional[Authorization]
authorized: bool
timestamp: datetime
formatdate-time
status_message: Optional[str]
created_at: Optional[datetime]
formatdate-time
dmarc_status: Optional[Literal["none", "good", "invalid"]]
One of the following:
"none"
"good"
"invalid"
domain: Optional[str]
drop_dispositions: Optional[List[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
emails_processed: Optional[EmailsProcessed]
timestamp: datetime
formatdate-time
total_emails_processed: int
minimum0
total_emails_processed_previous: int
minimum0
folder: Optional[Literal["AllItems", "Inbox"]]
One of the following:
"AllItems"
"Inbox"
inbox_provider: Optional[Literal["Microsoft", "Google"]]
One of the following:
"Microsoft"
"Google"
integration_id: Optional[str]
formatuuid
ip_restrictions: Optional[List[str]]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
lookback_hops: Optional[int]
modified_at: Optional[datetime]
formatdate-time
o365_tenant_id: Optional[str]
regions: Optional[List[Literal["GLOBAL", "AU", "DE", 2 more]]]
One of the following:
"GLOBAL"
"AU"
"DE"
"IN"
"US"
require_tls_inbound: Optional[bool]
require_tls_outbound: Optional[bool]
spf_status: Optional[Literal["none", "good", "neutral", 2 more]]
One of the following:
"none"
"good"
"neutral"
"open"
"invalid"
status: Optional[Literal["pending", "active", "failed", "timeout"]]
One of the following:
"pending"
"active"
"failed"
"timeout"
transport: Optional[str]
class DomainEditResponse:
id: Optional[str]

Domain identifier

formatuuid
allowed_delivery_modes: Optional[List[Literal["DIRECT", "BCC", "JOURNAL", 2 more]]]
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"API"
"RETRO_SCAN"
authorization: Optional[Authorization]
authorized: bool
timestamp: datetime
formatdate-time
status_message: Optional[str]
created_at: Optional[datetime]
formatdate-time
dmarc_status: Optional[Literal["none", "good", "invalid"]]
One of the following:
"none"
"good"
"invalid"
domain: Optional[str]
drop_dispositions: Optional[List[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
emails_processed: Optional[EmailsProcessed]
timestamp: datetime
formatdate-time
total_emails_processed: int
minimum0
total_emails_processed_previous: int
minimum0
folder: Optional[Literal["AllItems", "Inbox"]]
One of the following:
"AllItems"
"Inbox"
inbox_provider: Optional[Literal["Microsoft", "Google"]]
One of the following:
"Microsoft"
"Google"
integration_id: Optional[str]
formatuuid
ip_restrictions: Optional[List[str]]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
lookback_hops: Optional[int]
modified_at: Optional[datetime]
formatdate-time
o365_tenant_id: Optional[str]
regions: Optional[List[Literal["GLOBAL", "AU", "DE", 2 more]]]
One of the following:
"GLOBAL"
"AU"
"DE"
"IN"
"US"
require_tls_inbound: Optional[bool]
require_tls_outbound: Optional[bool]
spf_status: Optional[Literal["none", "good", "neutral", 2 more]]
One of the following:
"none"
"good"
"neutral"
"open"
"invalid"
status: Optional[Literal["pending", "active", "failed", "timeout"]]
One of the following:
"pending"
"active"
"failed"
"timeout"
transport: Optional[str]
class DomainDeleteResponse:
id: str

Domain identifier

formatuuid

Email SecuritySettingsImpersonation Registry

List entries in impersonation registry
email_security.settings.impersonation_registry.list(ImpersonationRegistryListParams**kwargs) -> SyncV4PagePaginationArray[ImpersonationRegistryListResponse]
GET/accounts/{account_id}/email-security/settings/impersonation_registry
Get an impersonation registry entry
email_security.settings.impersonation_registry.get(strimpersonation_registry_id, ImpersonationRegistryGetParams**kwargs) -> ImpersonationRegistryGetResponse
GET/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}
Create impersonation registry entry
email_security.settings.impersonation_registry.create(ImpersonationRegistryCreateParams**kwargs) -> ImpersonationRegistryCreateResponse
POST/accounts/{account_id}/email-security/settings/impersonation_registry
Update an impersonation registry entry
email_security.settings.impersonation_registry.edit(strimpersonation_registry_id, ImpersonationRegistryEditParams**kwargs) -> ImpersonationRegistryEditResponse
PATCH/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}
Delete an impersonation registry entry
email_security.settings.impersonation_registry.delete(strimpersonation_registry_id, ImpersonationRegistryDeleteParams**kwargs) -> ImpersonationRegistryDeleteResponse
DELETE/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}
ModelsExpand Collapse
class ImpersonationRegistryListResponse:

An impersonation registry entry

id: Optional[str]

Impersonation registry entry identifier

formatuuid
comments: Optional[str]
created_at: Optional[datetime]
formatdate-time
directory_id: Optional[int]
directory_node_id: Optional[int]
email: Optional[str]
Deprecatedexternal_directory_node_id: Optional[str]
is_email_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
name: Optional[str]
maxLength1024
provenance: Optional[Literal["A1S_INTERNAL", "SNOOPY-CASB_OFFICE_365", "SNOOPY-OFFICE_365", "SNOOPY-GOOGLE_DIRECTORY"]]
One of the following:
"A1S_INTERNAL"
"SNOOPY-CASB_OFFICE_365"
"SNOOPY-OFFICE_365"
"SNOOPY-GOOGLE_DIRECTORY"
class ImpersonationRegistryGetResponse:

An impersonation registry entry

id: Optional[str]

Impersonation registry entry identifier

formatuuid
comments: Optional[str]
created_at: Optional[datetime]
formatdate-time
directory_id: Optional[int]
directory_node_id: Optional[int]
email: Optional[str]
Deprecatedexternal_directory_node_id: Optional[str]
is_email_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
name: Optional[str]
maxLength1024
provenance: Optional[Literal["A1S_INTERNAL", "SNOOPY-CASB_OFFICE_365", "SNOOPY-OFFICE_365", "SNOOPY-GOOGLE_DIRECTORY"]]
One of the following:
"A1S_INTERNAL"
"SNOOPY-CASB_OFFICE_365"
"SNOOPY-OFFICE_365"
"SNOOPY-GOOGLE_DIRECTORY"
class ImpersonationRegistryCreateResponse:

An impersonation registry entry

id: Optional[str]

Impersonation registry entry identifier

formatuuid
comments: Optional[str]
created_at: Optional[datetime]
formatdate-time
directory_id: Optional[int]
directory_node_id: Optional[int]
email: Optional[str]
Deprecatedexternal_directory_node_id: Optional[str]
is_email_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
name: Optional[str]
maxLength1024
provenance: Optional[Literal["A1S_INTERNAL", "SNOOPY-CASB_OFFICE_365", "SNOOPY-OFFICE_365", "SNOOPY-GOOGLE_DIRECTORY"]]
One of the following:
"A1S_INTERNAL"
"SNOOPY-CASB_OFFICE_365"
"SNOOPY-OFFICE_365"
"SNOOPY-GOOGLE_DIRECTORY"
class ImpersonationRegistryEditResponse:

An impersonation registry entry

id: Optional[str]

Impersonation registry entry identifier

formatuuid
comments: Optional[str]
created_at: Optional[datetime]
formatdate-time
directory_id: Optional[int]
directory_node_id: Optional[int]
email: Optional[str]
Deprecatedexternal_directory_node_id: Optional[str]
is_email_regex: Optional[bool]
Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
name: Optional[str]
maxLength1024
provenance: Optional[Literal["A1S_INTERNAL", "SNOOPY-CASB_OFFICE_365", "SNOOPY-OFFICE_365", "SNOOPY-GOOGLE_DIRECTORY"]]
One of the following:
"A1S_INTERNAL"
"SNOOPY-CASB_OFFICE_365"
"SNOOPY-OFFICE_365"
"SNOOPY-GOOGLE_DIRECTORY"
class ImpersonationRegistryDeleteResponse:
id: str

Impersonation registry entry identifier

formatuuid

Email SecuritySettingsTrusted Domains

List trusted email domains
email_security.settings.trusted_domains.list(TrustedDomainListParams**kwargs) -> SyncV4PagePaginationArray[TrustedDomainListResponse]
GET/accounts/{account_id}/email-security/settings/trusted_domains
Get a trusted email domain
email_security.settings.trusted_domains.get(strtrusted_domain_id, TrustedDomainGetParams**kwargs) -> TrustedDomainGetResponse
GET/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}
Create trusted email domain
email_security.settings.trusted_domains.create(TrustedDomainCreateParams**kwargs) -> TrustedDomainCreateResponse
POST/accounts/{account_id}/email-security/settings/trusted_domains
Update a trusted email domain
email_security.settings.trusted_domains.edit(strtrusted_domain_id, TrustedDomainEditParams**kwargs) -> TrustedDomainEditResponse
PATCH/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}
Delete a trusted email domain
email_security.settings.trusted_domains.delete(strtrusted_domain_id, TrustedDomainDeleteParams**kwargs) -> TrustedDomainDeleteResponse
DELETE/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}
ModelsExpand Collapse
class TrustedDomainListResponse:

A trusted email domain

id: Optional[str]

Trusted domain identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_recent: Optional[bool]

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: Optional[bool]
is_similarity: Optional[bool]

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
class TrustedDomainGetResponse:

A trusted email domain

id: Optional[str]

Trusted domain identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_recent: Optional[bool]

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: Optional[bool]
is_similarity: Optional[bool]

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
class TrustedDomainCreateResponse:

A trusted email domain

id: Optional[str]

Trusted domain identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_recent: Optional[bool]

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: Optional[bool]
is_similarity: Optional[bool]

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
class TrustedDomainEditResponse:

A trusted email domain

id: Optional[str]

Trusted domain identifier

formatuuid
comments: Optional[str]
maxLength1024
created_at: Optional[datetime]
formatdate-time
is_recent: Optional[bool]

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: Optional[bool]
is_similarity: Optional[bool]

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: Optional[datetime]

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time
modified_at: Optional[datetime]
formatdate-time
pattern: Optional[str]
maxLength1024
minLength1
class TrustedDomainDeleteResponse:
id: str

Trusted domain identifier

formatuuid

Email SecuritySubmissions

Get reclassify submissions
email_security.submissions.list(SubmissionListParams**kwargs) -> SyncV4PagePaginationArray[SubmissionListResponse]
GET/accounts/{account_id}/email-security/submissions
ModelsExpand Collapse
class SubmissionListResponse:
requested_at: datetime

When the submission was requested (UTC).

formatdate-time
submission_id: str
customer_status: Optional[Literal["escalated", "reviewed", "unreviewed"]]
One of the following:
"escalated"
"reviewed"
"unreviewed"
escalated_as: Optional[Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", 3 more]]
One of the following:
"MALICIOUS"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"NONE"
escalated_at: Optional[datetime]
formatdate-time
escalated_by: Optional[str]
escalated_submission_id: Optional[str]
original_disposition: Optional[Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", 3 more]]
One of the following:
"MALICIOUS"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"NONE"
original_edf_hash: Optional[str]
original_postfix_id: Optional[str]

The postfix ID of the original message that was submitted

outcome: Optional[str]
outcome_disposition: Optional[Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", 3 more]]
One of the following:
"MALICIOUS"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"NONE"
requested_by: Optional[str]
requested_disposition: Optional[Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", 3 more]]
One of the following:
"MALICIOUS"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"NONE"
Deprecatedrequested_ts: Optional[str]

Deprecated, use requested_at instead

status: Optional[str]
subject: Optional[str]
type: Optional[Literal["Team", "User"]]

Whether the submission was created by a team member or an end user.

One of the following:
"Team"
"User"