API Reference

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Email Security

Email SecurityInvestigate

Search email messages

GET/accounts/{account_id}/email-security/investigate

Get message details

GET/accounts/{account_id}/email-security/investigate/{postfix_id}

ModelsExpand Collapse

InvestigateListResponse object { id, action_log, client_recipients, 29 more }

id: string

Deprecatedaction_log: unknown

Deprecated: use /investigate/{id}/action_log instead.

client_recipients: array of string

detection_reasons: array of string

is_phish_submission: boolean

is_quarantined: boolean

postfix_id: string

The identifier of the message.

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

allowlisted_pattern: optional string

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: optional boolean

blocklisted_pattern: optional string

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: string

Deprecated, use scanned_at instead

alert_id: optional string

delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: optional string

envelope_from: optional string

envelope_to: optional array of string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: optional array of object { attachment, detail, detection, 6 more }

Deprecated: use /investigate/{id}/detections instead.

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

from: optional string

from_name: optional string

htmltext_structure_hash: optional string

message_id: optional string

post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: optional string

replyto: optional string

scanned_at: optional string

formatdate-time

sent_at: optional string

formatdate-time

Deprecatedsent_date: optional string

Deprecated, use sent_at instead

subject: optional string

threat_categories: optional array of string

to: optional array of string

to_name: optional array of string

validation: optional object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

InvestigateGetResponse object { id, action_log, client_recipients, 29 more }

id: string

Deprecatedaction_log: unknown

Deprecated: use /investigate/{id}/action_log instead.

client_recipients: array of string

detection_reasons: array of string

is_phish_submission: boolean

is_quarantined: boolean

postfix_id: string

The identifier of the message.

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

allowlisted_pattern: optional string

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: optional boolean

blocklisted_pattern: optional string

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: string

Deprecated, use scanned_at instead

alert_id: optional string

delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: optional string

envelope_from: optional string

envelope_to: optional array of string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: optional array of object { attachment, detail, detection, 6 more }

Deprecated: use /investigate/{id}/detections instead.

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

from: optional string

from_name: optional string

htmltext_structure_hash: optional string

message_id: optional string

post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: optional string

replyto: optional string

scanned_at: optional string

formatdate-time

sent_at: optional string

formatdate-time

Deprecatedsent_date: optional string

Deprecated, use sent_at instead

subject: optional string

threat_categories: optional array of string

to: optional array of string

to_name: optional array of string

validation: optional object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

Email SecurityInvestigateDetections

Get message detection details

GET/accounts/{account_id}/email-security/investigate/{postfix_id}/detections

ModelsExpand Collapse

DetectionGetResponse object { action, attachments, findings, 6 more }

action: string

attachments: array of object { size, content_type, detection, 2 more }

size: number

minimum0

content_type: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

encrypted: optional boolean

name: optional string

findings: array of object { attachment, detail, detection, 6 more }

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

headers: array of object { name, value }

name: string

value: string

links: array of object { href, text }

href: string

text: optional string

sender_info: object { as_name, as_number, geo, 2 more }

as_name: optional string

The name of the autonomous system.

as_number: optional number

The number of the autonomous system.

formatint64

geo: optional string

ip: optional string

pld: optional string

threat_categories: array of object { id, description, name }

id: number

formatint64

description: optional string

name: optional string

validation: object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Email SecurityInvestigatePreview

Get email preview

GET/accounts/{account_id}/email-security/investigate/{postfix_id}/preview

Preview for non-detection messages

POST/accounts/{account_id}/email-security/investigate/preview

ModelsExpand Collapse

PreviewGetResponse object { screenshot }

screenshot: string

A base64 encoded PNG image of the email.

PreviewCreateResponse object { screenshot }

screenshot: string

A base64 encoded PNG image of the email.

Email SecurityInvestigateRaw

Get raw email content

GET/accounts/{account_id}/email-security/investigate/{postfix_id}/raw

ModelsExpand Collapse

RawGetResponse object { raw }

raw: string

A UTF-8 encoded eml file of the email.

Email SecurityInvestigateTrace

Get email trace

GET/accounts/{account_id}/email-security/investigate/{postfix_id}/trace

ModelsExpand Collapse

TraceGetResponse object { inbound, outbound }

inbound: object { lines, pending }

lines: optional array of object { lineno, message, ts }

lineno: number

formatint64

message: string

ts: string

formatdate-time

pending: optional boolean

outbound: object { lines, pending }

lines: optional array of object { lineno, message, ts }

lineno: number

formatint64

message: string

ts: string

formatdate-time

pending: optional boolean

Email SecurityInvestigateMove

Move a message

POST/accounts/{account_id}/email-security/investigate/{postfix_id}/move

Move multiple messages

POST/accounts/{account_id}/email-security/investigate/move

ModelsExpand Collapse

MoveCreateResponse = array of object { completed_timestamp, item_count, success, 6 more }

Deprecatedcompleted_timestamp: string

Deprecated, use completed_at instead

formatdate-time

Deprecateditem_count: number

formatint32

success: boolean

completed_at: optional string

formatdate-time

destination: optional string

message_id: optional string

operation: optional string

recipient: optional string

status: optional string

MoveBulkResponse object { completed_timestamp, item_count, success, 6 more }

Deprecatedcompleted_timestamp: string

Deprecated, use completed_at instead

formatdate-time

Deprecateditem_count: number

formatint32

success: boolean

completed_at: optional string

formatdate-time

destination: optional string

message_id: optional string

operation: optional string

recipient: optional string

status: optional string

Email SecurityInvestigateReclassify

Change email classification

POST/accounts/{account_id}/email-security/investigate/{postfix_id}/reclassify

ModelsExpand Collapse

ReclassifyCreateResponse = unknown

Email SecurityInvestigateRelease

Release messages from quarantine

POST/accounts/{account_id}/email-security/investigate/release

ModelsExpand Collapse

ReleaseBulkResponse object { id, postfix_id, delivered, 2 more }

id: string

postfix_id: string

The identifier of the message.

delivered: optional array of string

failed: optional array of string

undelivered: optional array of string

Email SecurityPhishguard

Email SecurityPhishguardReports

Get `PhishGuard` reports

GET/accounts/{account_id}/email-security/phishguard/reports

ModelsExpand Collapse

ReportListResponse object { id, content, created_at, 7 more }

id: number

formatint32

content: string

created_at: string

formatdate-time

disposition: "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

fields: object { to, ts, from, postfix_id }

to: array of string

ts: string

formatdate-time

from: optional string

postfix_id: optional string

priority: string

title: string

ts: string

formatdate-time

updated_at: string

formatdate-time

tags: optional array of object { category, value }

category: string

value: string

Email SecuritySettings

Email SecuritySettingsAllow Policies

List email allow policies

GET/accounts/{account_id}/email-security/settings/allow_policies

Get an email allow policy

GET/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}

Create an email allow policy

POST/accounts/{account_id}/email-security/settings/allow_policies

Update an email allow policy

PATCH/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}

Delete an email allow policy

DELETE/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}

ModelsExpand Collapse

AllowPolicyListResponse object { id, created_at, is_acceptable_sender, 11 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_acceptable_sender: boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note: This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: boolean

Messages to this recipient will bypass all detections.

is_regex: boolean

is_trusted_sender: boolean

Messages from this sender will bypass all detections and link following.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

comments: optional string

maxLength1024

Deprecatedis_recipient: optional boolean

Deprecatedis_sender: optional boolean

Deprecatedis_spoof: optional boolean

AllowPolicyGetResponse object { id, created_at, is_acceptable_sender, 11 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_acceptable_sender: boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note: This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: boolean

Messages to this recipient will bypass all detections.

is_regex: boolean

is_trusted_sender: boolean

Messages from this sender will bypass all detections and link following.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

comments: optional string

maxLength1024

Deprecatedis_recipient: optional boolean

Deprecatedis_sender: optional boolean

Deprecatedis_spoof: optional boolean

AllowPolicyCreateResponse object { id, created_at, is_acceptable_sender, 11 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_acceptable_sender: boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note: This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: boolean

Messages to this recipient will bypass all detections.

is_regex: boolean

is_trusted_sender: boolean

Messages from this sender will bypass all detections and link following.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

comments: optional string

maxLength1024

Deprecatedis_recipient: optional boolean

Deprecatedis_sender: optional boolean

Deprecatedis_spoof: optional boolean

AllowPolicyEditResponse object { id, created_at, is_acceptable_sender, 11 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_acceptable_sender: boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note: This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: boolean

Messages to this recipient will bypass all detections.

is_regex: boolean

is_trusted_sender: boolean

Messages from this sender will bypass all detections and link following.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

comments: optional string

maxLength1024

Deprecatedis_recipient: optional boolean

Deprecatedis_sender: optional boolean

Deprecatedis_spoof: optional boolean

AllowPolicyDeleteResponse object { id }

id: number

The unique identifier for the allow policy.

formatint32

Email SecuritySettingsBlock Senders

List blocked email senders

GET/accounts/{account_id}/email-security/settings/block_senders

Get a blocked email sender

GET/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}

Create a blocked email sender

POST/accounts/{account_id}/email-security/settings/block_senders

Update a blocked email sender

PATCH/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}

Delete a blocked email sender

DELETE/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}

ModelsExpand Collapse

BlockSenderListResponse object { id, created_at, is_regex, 4 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_regex: boolean

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

comments: optional string

maxLength1024

BlockSenderGetResponse object { id, created_at, is_regex, 4 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_regex: boolean

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

comments: optional string

maxLength1024

BlockSenderCreateResponse object { id, created_at, is_regex, 4 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_regex: boolean

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

comments: optional string

maxLength1024

BlockSenderEditResponse object { id, created_at, is_regex, 4 more }

id: number

The unique identifier for the allow policy.

formatint32

created_at: string

formatdate-time

is_regex: boolean

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

pattern_type: "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

comments: optional string

maxLength1024

BlockSenderDeleteResponse object { id }

id: number

The unique identifier for the allow policy.

formatint32

Email SecuritySettingsDomains

List protected email domains

GET/accounts/{account_id}/email-security/settings/domains

Get an email domain

GET/accounts/{account_id}/email-security/settings/domains/{domain_id}

Update an email domain

PATCH/accounts/{account_id}/email-security/settings/domains/{domain_id}

Unprotect an email domain

DELETE/accounts/{account_id}/email-security/settings/domains/{domain_id}

Unprotect multiple email domains

DELETE/accounts/{account_id}/email-security/settings/domains

ModelsExpand Collapse

DomainListResponse object { id, allowed_delivery_modes, created_at, 17 more }

id: number

The unique identifier for the domain.

formatint32

allowed_delivery_modes: array of "DIRECT" or "BCC" or "JOURNAL" or 2 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"API"

"RETRO_SCAN"

created_at: string

formatdate-time

domain: string

drop_dispositions: array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

ip_restrictions: array of string

last_modified: string

formatdate-time

lookback_hops: number

formatint32

regions: array of "GLOBAL" or "AU" or "DE" or 2 more

One of the following:

"GLOBAL"

"AU"

"DE"

"IN"

"US"

transport: string

authorization: optional object { authorized, timestamp, status_message }

authorized: boolean

timestamp: string

formatdate-time

status_message: optional string

dmarc_status: optional "none" or "good" or "invalid"

One of the following:

"none"

"good"

"invalid"

emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }

timestamp: string

formatdate-time

total_emails_processed: number

formatint32

minimum0

total_emails_processed_previous: number

formatint32

minimum0

folder: optional "AllItems" or "Inbox"

One of the following:

"AllItems"

"Inbox"

inbox_provider: optional "Microsoft" or "Google"

One of the following:

"Microsoft"

"Google"

integration_id: optional string

formatuuid

o365_tenant_id: optional string

require_tls_inbound: optional boolean

require_tls_outbound: optional boolean

spf_status: optional "none" or "good" or "neutral" or 2 more

One of the following:

"none"

"good"

"neutral"

"open"

"invalid"

DomainGetResponse object { id, allowed_delivery_modes, created_at, 17 more }

id: number

The unique identifier for the domain.

formatint32

allowed_delivery_modes: array of "DIRECT" or "BCC" or "JOURNAL" or 2 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"API"

"RETRO_SCAN"

created_at: string

formatdate-time

domain: string

drop_dispositions: array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

ip_restrictions: array of string

last_modified: string

formatdate-time

lookback_hops: number

formatint32

regions: array of "GLOBAL" or "AU" or "DE" or 2 more

One of the following:

"GLOBAL"

"AU"

"DE"

"IN"

"US"

transport: string

authorization: optional object { authorized, timestamp, status_message }

authorized: boolean

timestamp: string

formatdate-time

status_message: optional string

dmarc_status: optional "none" or "good" or "invalid"

One of the following:

"none"

"good"

"invalid"

emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }

timestamp: string

formatdate-time

total_emails_processed: number

formatint32

minimum0

total_emails_processed_previous: number

formatint32

minimum0

folder: optional "AllItems" or "Inbox"

One of the following:

"AllItems"

"Inbox"

inbox_provider: optional "Microsoft" or "Google"

One of the following:

"Microsoft"

"Google"

integration_id: optional string

formatuuid

o365_tenant_id: optional string

require_tls_inbound: optional boolean

require_tls_outbound: optional boolean

spf_status: optional "none" or "good" or "neutral" or 2 more

One of the following:

"none"

"good"

"neutral"

"open"

"invalid"

DomainEditResponse object { id, allowed_delivery_modes, created_at, 17 more }

id: number

The unique identifier for the domain.

formatint32

allowed_delivery_modes: array of "DIRECT" or "BCC" or "JOURNAL" or 2 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"API"

"RETRO_SCAN"

created_at: string

formatdate-time

domain: string

drop_dispositions: array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

ip_restrictions: array of string

last_modified: string

formatdate-time

lookback_hops: number

formatint32

regions: array of "GLOBAL" or "AU" or "DE" or 2 more

One of the following:

"GLOBAL"

"AU"

"DE"

"IN"

"US"

transport: string

authorization: optional object { authorized, timestamp, status_message }

authorized: boolean

timestamp: string

formatdate-time

status_message: optional string

dmarc_status: optional "none" or "good" or "invalid"

One of the following:

"none"

"good"

"invalid"

emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }

timestamp: string

formatdate-time

total_emails_processed: number

formatint32

minimum0

total_emails_processed_previous: number

formatint32

minimum0

folder: optional "AllItems" or "Inbox"

One of the following:

"AllItems"

"Inbox"

inbox_provider: optional "Microsoft" or "Google"

One of the following:

"Microsoft"

"Google"

integration_id: optional string

formatuuid

o365_tenant_id: optional string

require_tls_inbound: optional boolean

require_tls_outbound: optional boolean

spf_status: optional "none" or "good" or "neutral" or 2 more

One of the following:

"none"

"good"

"neutral"

"open"

"invalid"

DomainDeleteResponse object { id }

id: number

The unique identifier for the domain.

formatint32

DomainBulkDeleteResponse object { id }

id: number

The unique identifier for the domain.

formatint32

Email SecuritySettingsImpersonation Registry

List entries in impersonation registry

GET/accounts/{account_id}/email-security/settings/impersonation_registry

Get an entry in impersonation registry

GET/accounts/{account_id}/email-security/settings/impersonation_registry/{display_name_id}

Create an entry in impersonation registry

POST/accounts/{account_id}/email-security/settings/impersonation_registry

Update an entry in impersonation registry

PATCH/accounts/{account_id}/email-security/settings/impersonation_registry/{display_name_id}

Delete an entry from impersonation registry

DELETE/accounts/{account_id}/email-security/settings/impersonation_registry/{display_name_id}

ModelsExpand Collapse

ImpersonationRegistryListResponse object { id, created_at, email, 8 more }

id: number

formatint32

created_at: string

formatdate-time

email: string

is_email_regex: boolean

last_modified: string

formatdate-time

name: string

maxLength1024

comments: optional string

directory_id: optional number

formatint64

directory_node_id: optional number

formatint64

Deprecatedexternal_directory_node_id: optional string

provenance: optional string

ImpersonationRegistryGetResponse object { id, created_at, email, 8 more }

id: number

formatint32

created_at: string

formatdate-time

email: string

is_email_regex: boolean

last_modified: string

formatdate-time

name: string

maxLength1024

comments: optional string

directory_id: optional number

formatint64

directory_node_id: optional number

formatint64

Deprecatedexternal_directory_node_id: optional string

provenance: optional string

ImpersonationRegistryCreateResponse object { id, created_at, email, 8 more }

id: number

formatint32

created_at: string

formatdate-time

email: string

is_email_regex: boolean

last_modified: string

formatdate-time

name: string

maxLength1024

comments: optional string

directory_id: optional number

formatint64

directory_node_id: optional number

formatint64

Deprecatedexternal_directory_node_id: optional string

provenance: optional string

ImpersonationRegistryEditResponse object { id, created_at, email, 8 more }

id: number

formatint32

created_at: string

formatdate-time

email: string

is_email_regex: boolean

last_modified: string

formatdate-time

name: string

maxLength1024

comments: optional string

directory_id: optional number

formatint64

directory_node_id: optional number

formatint64

Deprecatedexternal_directory_node_id: optional string

provenance: optional string

ImpersonationRegistryDeleteResponse object { id }

id: number

formatint32

Email SecuritySettingsTrusted Domains

List trusted email domains

GET/accounts/{account_id}/email-security/settings/trusted_domains

Get a trusted email domain

GET/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}

Create a trusted email domain

POST/accounts/{account_id}/email-security/settings/trusted_domains

Update a trusted email domain

PATCH/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}

Delete a trusted email domain

DELETE/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}

ModelsExpand Collapse

TrustedDomainListResponse object { id, created_at, is_recent, 5 more }

id: number

The unique identifier for the trusted domain.

formatint32

created_at: string

formatdate-time

is_recent: boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: boolean

is_similarity: boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

comments: optional string

maxLength1024

TrustedDomainGetResponse object { id, created_at, is_recent, 5 more }

id: number

The unique identifier for the trusted domain.

formatint32

created_at: string

formatdate-time

is_recent: boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: boolean

is_similarity: boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

comments: optional string

maxLength1024

TrustedDomainCreateResponse = object { id, created_at, is_recent, 5 more } or array of object { id, created_at, is_recent, 5 more }

One of the following:

EmailSecurityTrustedDomain object { id, created_at, is_recent, 5 more }

id: number

The unique identifier for the trusted domain.

formatint32

created_at: string

formatdate-time

is_recent: boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: boolean

is_similarity: boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

comments: optional string

maxLength1024

array of object { id, created_at, is_recent, 5 more }

id: number

The unique identifier for the trusted domain.

formatint32

created_at: string

formatdate-time

is_recent: boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: boolean

is_similarity: boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

comments: optional string

maxLength1024

TrustedDomainEditResponse object { id, created_at, is_recent, 5 more }

id: number

The unique identifier for the trusted domain.

formatint32

created_at: string

formatdate-time

is_recent: boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: boolean

is_similarity: boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

last_modified: string

formatdate-time

pattern: string

maxLength1024

minLength1

comments: optional string

maxLength1024

TrustedDomainDeleteResponse object { id }

id: number

The unique identifier for the trusted domain.

formatint32

Email SecuritySubmissions

Get reclassify submissions

GET/accounts/{account_id}/email-security/submissions

ModelsExpand Collapse

SubmissionListResponse object { requested_ts, submission_id, customer_status, 15 more }

Deprecatedrequested_ts: string

deprecated as of 2026-04-01, use requested_at instead.

formatdate-time

submission_id: string

customer_status: optional "escalated" or "reviewed" or "unreviewed"

One of the following:

"escalated"

"reviewed"

"unreviewed"

escalated_as: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

escalated_at: optional string

formatdate-time

escalated_by: optional string

escalated_submission_id: optional string

original_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

original_edf_hash: optional string

original_postfix_id: optional string

outcome: optional string

outcome_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

requested_at: optional string

formatdate-time

requested_by: optional string

requested_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

status: optional string

subject: optional string

type: optional string