Investigate

Search email messages

email_security.investigate.list() -> SyncV4PagePaginationArray[InvestigateListResponse]

GET/accounts/{account_id}/email-security/investigate

Get message details

email_security.investigate.get(, ) -> InvestigateGetResponse

GET/accounts/{account_id}/email-security/investigate/{investigate_id}

ModelsExpand Collapse

class InvestigateListResponse: …

id: str

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: List[ActionLog]

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: datetime

Timestamp when action completed

formatdate-time

operation: Literal["MOVE", "RELEASE", "RECLASSIFY", 3 more]

Type of action performed

One of the following:

"MOVE"

"RELEASE"

"RECLASSIFY"

"SUBMISSION"

"QUARANTINE_RELEASE"

"PREVIEW"

Deprecatedcompleted_timestamp: Optional[str]

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: Optional[ActionLogProperties]

Additional properties for the action

folder: Optional[str]

Target folder for move operations

requested_by: Optional[str]

User who requested the action

status: Optional[str]

Status of the action

client_recipients: List[str]

detection_reasons: List[str]

is_phish_submission: bool

is_quarantined: bool

postfix_id: str

The identifier of the message

properties: Properties

Message processing properties

allowlisted_pattern: Optional[str]

Pattern that allowlisted this message

allowlisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Type of allowlist pattern

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: Optional[bool]

Whether message was blocklisted

blocklisted_pattern: Optional[str]

Pattern that blocklisted this message

whitelisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Legacy field for allowlist pattern type

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: str

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: Optional[str]

delivery_mode: Optional[Literal["DIRECT", "BCC", "JOURNAL", 8 more]]

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: Optional[List[Literal["delivered", "moved", "quarantined", 4 more]]]

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: Optional[str]

envelope_from: Optional[str]

envelope_to: Optional[List[str]]

final_disposition: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: Optional[List[Finding]]

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: Optional[str]

detail: Optional[str]

detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: Optional[str]

portion: Optional[str]

reason: Optional[str]

score: Optional[float]

formatdouble

value: Optional[str]

from_: Optional[str]

from_name: Optional[str]

htmltext_structure_hash: Optional[str]

message_id: Optional[str]

post_delivery_operations: Optional[List[Literal["PREVIEW", "QUARANTINE_RELEASE", "SUBMISSION", "MOVE"]]]

Post-delivery operations performed on this message

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: Optional[str]

replyto: Optional[str]

scanned_at: Optional[datetime]

When the message was scanned (UTC)

formatdate-time

sent_at: Optional[datetime]

When the message was sent (UTC)

formatdate-time

sent_date: Optional[str]

subject: Optional[str]

threat_categories: Optional[List[str]]

to: Optional[List[str]]

to_name: Optional[List[str]]

validation: Optional[Validation]

comment: Optional[str]

dkim: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

class InvestigateGetResponse: …

id: str

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: List[ActionLog]

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: datetime

Timestamp when action completed

formatdate-time

operation: Literal["MOVE", "RELEASE", "RECLASSIFY", 3 more]

Type of action performed

One of the following:

"MOVE"

"RELEASE"

"RECLASSIFY"

"SUBMISSION"

"QUARANTINE_RELEASE"

"PREVIEW"

Deprecatedcompleted_timestamp: Optional[str]

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: Optional[ActionLogProperties]

Additional properties for the action

folder: Optional[str]

Target folder for move operations

requested_by: Optional[str]

User who requested the action

status: Optional[str]

Status of the action

client_recipients: List[str]

detection_reasons: List[str]

is_phish_submission: bool

is_quarantined: bool

postfix_id: str

The identifier of the message

properties: Properties

Message processing properties

allowlisted_pattern: Optional[str]

Pattern that allowlisted this message

allowlisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Type of allowlist pattern

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: Optional[bool]

Whether message was blocklisted

blocklisted_pattern: Optional[str]

Pattern that blocklisted this message

whitelisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Legacy field for allowlist pattern type

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: str

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: Optional[str]

delivery_mode: Optional[Literal["DIRECT", "BCC", "JOURNAL", 8 more]]

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: Optional[List[Literal["delivered", "moved", "quarantined", 4 more]]]

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: Optional[str]

envelope_from: Optional[str]

envelope_to: Optional[List[str]]

final_disposition: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: Optional[List[Finding]]

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: Optional[str]

detail: Optional[str]

detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: Optional[str]

portion: Optional[str]

reason: Optional[str]

score: Optional[float]

formatdouble

value: Optional[str]

from_: Optional[str]

from_name: Optional[str]

htmltext_structure_hash: Optional[str]

message_id: Optional[str]

post_delivery_operations: Optional[List[Literal["PREVIEW", "QUARANTINE_RELEASE", "SUBMISSION", "MOVE"]]]

Post-delivery operations performed on this message

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: Optional[str]

replyto: Optional[str]

scanned_at: Optional[datetime]

When the message was scanned (UTC)

formatdate-time

sent_at: Optional[datetime]

When the message was sent (UTC)

formatdate-time

sent_date: Optional[str]

subject: Optional[str]

threat_categories: Optional[List[str]]

to: Optional[List[str]]

to_name: Optional[List[str]]

validation: Optional[Validation]

comment: Optional[str]

dkim: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

InvestigateDetections

Get message detection details

email_security.investigate.detections.get(, ) -> DetectionGetResponse

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/detections

ModelsExpand Collapse

class DetectionGetResponse: …

action: str

attachments: List[Attachment]

size: int

Size of the attachment in bytes

minimum0

content_type: Optional[str]

MIME type of the attachment

detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

Detection result for this attachment

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

encrypted: Optional[bool]

Whether the attachment is encrypted

filename: Optional[str]

Name of the attached file

md5: Optional[str]

MD5 hash of the attachment

Attachment name (alternative to filename)

sha1: Optional[str]

SHA1 hash of the attachment

sha256: Optional[str]

SHA256 hash of the attachment

findings: Optional[List[Finding]]

attachment: Optional[str]

detail: Optional[str]

detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: Optional[str]

portion: Optional[str]

reason: Optional[str]

score: Optional[float]

formatdouble

value: Optional[str]

headers: List[Header]

value: str

links: List[Link]

href: str

text: Optional[str]

sender_info: SenderInfo

as_name: Optional[str]

The name of the autonomous system.

as_number: Optional[int]

The number of the autonomous system.

geo: Optional[str]

ip: Optional[str]

pld: Optional[str]

threat_categories: List[ThreatCategory]

id: Optional[int]

description: Optional[str]

validation: Validation

comment: Optional[str]

dkim: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: Optional[Literal["pass", "neutral", "fail", 2 more]]

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

final_disposition: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

InvestigatePreview

Get email preview

email_security.investigate.preview.get(, ) -> PreviewGetResponse

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/preview

Preview for non-detection messages

email_security.investigate.preview.create() -> PreviewCreateResponse

POST/accounts/{account_id}/email-security/investigate/preview

ModelsExpand Collapse

class PreviewGetResponse: …

screenshot: str

A base64 encoded PNG image of the email.

class PreviewCreateResponse: …

screenshot: str

A base64 encoded PNG image of the email.

InvestigateRaw

Get raw email content

email_security.investigate.raw.get(, ) -> RawGetResponse

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/raw

ModelsExpand Collapse

class RawGetResponse: …

raw: str

A UTF-8 encoded eml file of the email.

InvestigateTrace

Get email trace

email_security.investigate.trace.get(, ) -> TraceGetResponse

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/trace

ModelsExpand Collapse

class TraceGetResponse: …

inbound: Inbound

lines: Optional[List[InboundLine]]

lineno: Optional[int]

Line number in the trace log

logged_at: Optional[datetime]

formatdate-time

message: Optional[str]

Deprecatedts: Optional[str]

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: Optional[bool]

outbound: Outbound

lines: Optional[List[OutboundLine]]

lineno: Optional[int]

Line number in the trace log

logged_at: Optional[datetime]

formatdate-time

message: Optional[str]

Deprecatedts: Optional[str]

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: Optional[bool]

InvestigateMove

Move a message

email_security.investigate.move.create(, ) -> SyncSinglePage[MoveCreateResponse]

POST/accounts/{account_id}/email-security/investigate/{investigate_id}/move

Move multiple messages

email_security.investigate.move.bulk() -> SyncSinglePage[MoveBulkResponse]

POST/accounts/{account_id}/email-security/investigate/move

ModelsExpand Collapse

class MoveCreateResponse: …

success: bool

Whether the operation succeeded

completed_at: Optional[datetime]

When the move operation completed (UTC)

formatdate-time

Deprecatedcompleted_timestamp: Optional[datetime]

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time

destination: Optional[str]

Destination folder for the message

Deprecateditem_count: Optional[int]

Number of items moved. End of life: November 1, 2026.

message_id: Optional[str]

Message identifier

operation: Optional[str]

Type of operation performed

recipient: Optional[str]

Recipient email address

status: Optional[str]

Operation status

class MoveBulkResponse: …

success: bool

Whether the operation succeeded

completed_at: Optional[datetime]

When the move operation completed (UTC)

formatdate-time

Deprecatedcompleted_timestamp: Optional[datetime]

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time

destination: Optional[str]

Destination folder for the message

Deprecateditem_count: Optional[int]

Number of items moved. End of life: November 1, 2026.

message_id: Optional[str]

Message identifier

operation: Optional[str]

Type of operation performed

recipient: Optional[str]

Recipient email address

status: Optional[str]

Operation status

InvestigateReclassify

Change email classification

email_security.investigate.reclassify.create(, ) -> object

POST/accounts/{account_id}/email-security/investigate/{investigate_id}/reclassify

InvestigateRelease

Release messages from quarantine

email_security.investigate.release.bulk() -> SyncSinglePage[ReleaseBulkResponse]

POST/accounts/{account_id}/email-security/investigate/release

ModelsExpand Collapse

class ReleaseBulkResponse: …

id: str

Unique identifier for a message retrieved from investigation

delivered: Optional[List[str]]

failed: Optional[List[str]]

Deprecatedpostfix_id: Optional[str]

Deprecated, use id instead. End of life: November 1, 2026.

undelivered: Optional[List[str]]