Skip to content
Cloudflare API
Start here
API Reference
Email Security
Investigate

Get message details

email_security.investigate.get(strinvestigate_id, InvestigateGetParams**kwargs) -> InvestigateGetResponse
GET/accounts/{account_id}/email-security/investigate/{investigate_id}

Retrieves comprehensive details for a specific email message including headers, recipients, sender information, and current quarantine status. Use the investigate_id from search results to fetch detailed information.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Cloud Email Security: WriteCloud Email Security: Read
ParametersExpand Collapse
account_id: str

Identifier.

maxLength32
investigate_id: str

Unique identifier for a message retrieved from investigation

submission: Optional[bool]

When true, search the submissions datastore only. When false or omitted, search the regular datastore only.

ReturnsExpand Collapse
class InvestigateGetResponse:
id: str

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: List[ActionLog]

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: datetime

Timestamp when action completed

formatdate-time
operation: Literal["MOVE", "RELEASE", "RECLASSIFY", 3 more]

Type of action performed

One of the following:
"MOVE"
"RELEASE"
"RECLASSIFY"
"SUBMISSION"
"QUARANTINE_RELEASE"
"PREVIEW"
Deprecatedcompleted_timestamp: Optional[str]

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: Optional[ActionLogProperties]

Additional properties for the action

folder: Optional[str]

Target folder for move operations

requested_by: Optional[str]

User who requested the action

status: Optional[str]

Status of the action

client_recipients: List[str]
detection_reasons: List[str]
is_phish_submission: bool
is_quarantined: bool
postfix_id: str

The identifier of the message

properties: Properties

Message processing properties

allowlisted_pattern: Optional[str]

Pattern that allowlisted this message

allowlisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Type of allowlist pattern

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
blocklisted_message: Optional[bool]

Whether message was blocklisted

blocklisted_pattern: Optional[str]

Pattern that blocklisted this message

whitelisted_pattern_type: Optional[Literal["quarantine_release", "acceptable_sender", "allowed_sender", 5 more]]

Legacy field for allowlist pattern type

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
Deprecatedts: str

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: Optional[str]
delivery_mode: Optional[Literal["DIRECT", "BCC", "JOURNAL", 8 more]]
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"REVIEW_SUBMISSION"
"DMARC_UNVERIFIED"
"DMARC_FAILURE_REPORT"
"DMARC_AGGREGATE_REPORT"
"THREAT_INTEL_SUBMISSION"
"SIMULATION_SUBMISSION"
"API"
"RETRO_SCAN"
delivery_status: Optional[List[Literal["delivered", "moved", "quarantined", 4 more]]]
One of the following:
"delivered"
"moved"
"quarantined"
"rejected"
"deferred"
"bounced"
"queued"
edf_hash: Optional[str]
envelope_from: Optional[str]
envelope_to: Optional[List[str]]
final_disposition: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
Deprecatedfindings: Optional[List[Finding]]

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: Optional[str]
detail: Optional[str]
detection: Optional[Literal["MALICIOUS", "MALICIOUS-BEC", "SUSPICIOUS", 7 more]]
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
field: Optional[str]
name: Optional[str]
portion: Optional[str]
reason: Optional[str]
score: Optional[float]
formatdouble
value: Optional[str]
from_: Optional[str]
from_name: Optional[str]
htmltext_structure_hash: Optional[str]
message_id: Optional[str]
post_delivery_operations: Optional[List[Literal["PREVIEW", "QUARANTINE_RELEASE", "SUBMISSION", "MOVE"]]]

Post-delivery operations performed on this message

One of the following:
"PREVIEW"
"QUARANTINE_RELEASE"
"SUBMISSION"
"MOVE"
postfix_id_outbound: Optional[str]
replyto: Optional[str]
scanned_at: Optional[datetime]

When the message was scanned (UTC)

formatdate-time
sent_at: Optional[datetime]

When the message was sent (UTC)

formatdate-time
sent_date: Optional[str]
subject: Optional[str]
threat_categories: Optional[List[str]]
to: Optional[List[str]]
to_name: Optional[List[str]]
validation: Optional[Validation]
comment: Optional[str]
dkim: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
dmarc: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
spf: Optional[Literal["pass", "neutral", "fail", 2 more]]
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"

Get message details

import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
investigate = client.email_security.investigate.get(
    investigate_id="4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(investigate.id)
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    "action_log": [
      {
        "completed_at": "2019-12-27T18:11:19.117Z",
        "operation": "MOVE",
        "completed_timestamp": "completed_timestamp",
        "properties": {
          "folder": "folder",
          "requested_by": "requested_by"
        },
        "status": "status"
      }
    ],
    "client_recipients": [
      "string"
    ],
    "detection_reasons": [
      "string"
    ],
    "is_phish_submission": true,
    "is_quarantined": true,
    "postfix_id": "4Njp3P0STMz2c02Q",
    "properties": {
      "allowlisted_pattern": "allowlisted_pattern",
      "allowlisted_pattern_type": "quarantine_release",
      "blocklisted_message": true,
      "blocklisted_pattern": "blocklisted_pattern",
      "whitelisted_pattern_type": "quarantine_release"
    },
    "ts": "ts",
    "alert_id": "alert_id",
    "delivery_mode": "DIRECT",
    "delivery_status": [
      "delivered"
    ],
    "edf_hash": "edf_hash",
    "envelope_from": "envelope_from",
    "envelope_to": [
      "string"
    ],
    "final_disposition": "MALICIOUS",
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "from": "from",
    "from_name": "from_name",
    "htmltext_structure_hash": "htmltext_structure_hash",
    "message_id": "message_id",
    "post_delivery_operations": [
      "PREVIEW"
    ],
    "postfix_id_outbound": "postfix_id_outbound",
    "replyto": "replyto",
    "scanned_at": "2019-12-27T18:11:19.117Z",
    "sent_at": "2019-12-27T18:11:19.117Z",
    "sent_date": "sent_date",
    "subject": "subject",
    "threat_categories": [
      "string"
    ],
    "to": [
      "string"
    ],
    "to_name": [
      "string"
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    }
  },
  "success": true
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678",
    "action_log": [
      {
        "completed_at": "2019-12-27T18:11:19.117Z",
        "operation": "MOVE",
        "completed_timestamp": "completed_timestamp",
        "properties": {
          "folder": "folder",
          "requested_by": "requested_by"
        },
        "status": "status"
      }
    ],
    "client_recipients": [
      "string"
    ],
    "detection_reasons": [
      "string"
    ],
    "is_phish_submission": true,
    "is_quarantined": true,
    "postfix_id": "4Njp3P0STMz2c02Q",
    "properties": {
      "allowlisted_pattern": "allowlisted_pattern",
      "allowlisted_pattern_type": "quarantine_release",
      "blocklisted_message": true,
      "blocklisted_pattern": "blocklisted_pattern",
      "whitelisted_pattern_type": "quarantine_release"
    },
    "ts": "ts",
    "alert_id": "alert_id",
    "delivery_mode": "DIRECT",
    "delivery_status": [
      "delivered"
    ],
    "edf_hash": "edf_hash",
    "envelope_from": "envelope_from",
    "envelope_to": [
      "string"
    ],
    "final_disposition": "MALICIOUS",
    "findings": [
      {
        "attachment": "attachment",
        "detail": "detail",
        "detection": "MALICIOUS",
        "field": "field",
        "name": "name",
        "portion": "portion",
        "reason": "reason",
        "score": 0,
        "value": "value"
      }
    ],
    "from": "from",
    "from_name": "from_name",
    "htmltext_structure_hash": "htmltext_structure_hash",
    "message_id": "message_id",
    "post_delivery_operations": [
      "PREVIEW"
    ],
    "postfix_id_outbound": "postfix_id_outbound",
    "replyto": "replyto",
    "scanned_at": "2019-12-27T18:11:19.117Z",
    "sent_at": "2019-12-27T18:11:19.117Z",
    "sent_date": "sent_date",
    "subject": "subject",
    "threat_categories": [
      "string"
    ],
    "to": [
      "string"
    ],
    "to_name": [
      "string"
    ],
    "validation": {
      "comment": "comment",
      "dkim": "pass",
      "dmarc": "pass",
      "spf": "pass"
    }
  },
  "success": true
}