API Reference

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Email Security

Email SecurityInvestigate

Search email messages

GET/accounts/{account_id}/email-security/investigate

Get message details

GET/accounts/{account_id}/email-security/investigate/{investigate_id}

ModelsExpand Collapse

InvestigateListResponse object { id, action_log, client_recipients, 29 more }

id: string

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: array of object { completed_at, operation, completed_timestamp, 2 more }

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: string

Timestamp when action completed

formatdate-time

operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more

Type of action performed

One of the following:

"MOVE"

"RELEASE"

"RECLASSIFY"

"SUBMISSION"

"QUARANTINE_RELEASE"

"PREVIEW"

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: optional object { folder, requested_by }

Additional properties for the action

folder: optional string

Target folder for move operations

requested_by: optional string

User who requested the action

status: optional string

Status of the action

client_recipients: array of string

detection_reasons: array of string

is_phish_submission: boolean

is_quarantined: boolean

postfix_id: string

The identifier of the message

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

Message processing properties

allowlisted_pattern: optional string

Pattern that allowlisted this message

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Type of allowlist pattern

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: optional boolean

Whether message was blocklisted

blocklisted_pattern: optional string

Pattern that blocklisted this message

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Legacy field for allowlist pattern type

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: optional string

delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: optional string

envelope_from: optional string

envelope_to: optional array of string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: optional array of object { attachment, detail, detection, 6 more }

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

from: optional string

from_name: optional string

htmltext_structure_hash: optional string

message_id: optional string

post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

Post-delivery operations performed on this message

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: optional string

replyto: optional string

scanned_at: optional string

When the message was scanned (UTC)

formatdate-time

sent_at: optional string

When the message was sent (UTC)

formatdate-time

sent_date: optional string

subject: optional string

threat_categories: optional array of string

to: optional array of string

to_name: optional array of string

validation: optional object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

InvestigateGetResponse object { id, action_log, client_recipients, 29 more }

id: string

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: array of object { completed_at, operation, completed_timestamp, 2 more }

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: string

Timestamp when action completed

formatdate-time

operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more

Type of action performed

One of the following:

"MOVE"

"RELEASE"

"RECLASSIFY"

"SUBMISSION"

"QUARANTINE_RELEASE"

"PREVIEW"

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: optional object { folder, requested_by }

Additional properties for the action

folder: optional string

Target folder for move operations

requested_by: optional string

User who requested the action

status: optional string

Status of the action

client_recipients: array of string

detection_reasons: array of string

is_phish_submission: boolean

is_quarantined: boolean

postfix_id: string

The identifier of the message

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

Message processing properties

allowlisted_pattern: optional string

Pattern that allowlisted this message

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Type of allowlist pattern

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: optional boolean

Whether message was blocklisted

blocklisted_pattern: optional string

Pattern that blocklisted this message

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Legacy field for allowlist pattern type

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: optional string

delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: optional string

envelope_from: optional string

envelope_to: optional array of string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: optional array of object { attachment, detail, detection, 6 more }

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

from: optional string

from_name: optional string

htmltext_structure_hash: optional string

message_id: optional string

post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

Post-delivery operations performed on this message

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: optional string

replyto: optional string

scanned_at: optional string

When the message was scanned (UTC)

formatdate-time

sent_at: optional string

When the message was sent (UTC)

formatdate-time

sent_date: optional string

subject: optional string

threat_categories: optional array of string

to: optional array of string

to_name: optional array of string

validation: optional object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

Email SecurityInvestigateDetections

Get message detection details

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/detections

ModelsExpand Collapse

DetectionGetResponse object { action, attachments, findings, 6 more }

action: string

attachments: array of object { size, content_type, detection, 6 more }

size: number

Size of the attachment in bytes

minimum0

content_type: optional string

MIME type of the attachment

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

Detection result for this attachment

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

encrypted: optional boolean

Whether the attachment is encrypted

filename: optional string

Name of the attached file

md5: optional string

MD5 hash of the attachment

name: optional string

Attachment name (alternative to filename)

sha1: optional string

SHA1 hash of the attachment

sha256: optional string

SHA256 hash of the attachment

findings: array of object { attachment, detail, detection, 6 more }

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

headers: array of object { name, value }

name: string

value: string

links: array of object { href, text }

href: string

text: optional string

sender_info: object { as_name, as_number, geo, 2 more }

as_name: optional string

The name of the autonomous system.

as_number: optional number

The number of the autonomous system.

geo: optional string

ip: optional string

pld: optional string

threat_categories: array of object { id, description, name }

id: optional number

description: optional string

name: optional string

validation: object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Email SecurityInvestigatePreview

Get email preview

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/preview

Preview for non-detection messages

POST/accounts/{account_id}/email-security/investigate/preview

ModelsExpand Collapse

PreviewGetResponse object { screenshot }

screenshot: string

A base64 encoded PNG image of the email.

PreviewCreateResponse object { screenshot }

screenshot: string

A base64 encoded PNG image of the email.

Email SecurityInvestigateRaw

Get raw email content

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/raw

ModelsExpand Collapse

RawGetResponse object { raw }

raw: string

A UTF-8 encoded eml file of the email.

Email SecurityInvestigateTrace

Get email trace

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/trace

ModelsExpand Collapse

TraceGetResponse object { inbound, outbound }

inbound: object { lines, pending }

lines: optional array of object { lineno, logged_at, message, ts }

lineno: optional number

Line number in the trace log

logged_at: optional string

formatdate-time

message: optional string

Deprecatedts: optional string

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: optional boolean

outbound: object { lines, pending }

lines: optional array of object { lineno, logged_at, message, ts }

lineno: optional number

Line number in the trace log

logged_at: optional string

formatdate-time

message: optional string

Deprecatedts: optional string

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: optional boolean

Email SecurityInvestigateMove

Move a message

POST/accounts/{account_id}/email-security/investigate/{investigate_id}/move

Move multiple messages

POST/accounts/{account_id}/email-security/investigate/move

ModelsExpand Collapse

MoveCreateResponse object { success, completed_at, completed_timestamp, 6 more }

success: boolean

Whether the operation succeeded

completed_at: optional string

When the move operation completed (UTC)

formatdate-time

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time

destination: optional string

Destination folder for the message

Deprecateditem_count: optional number

Number of items moved. End of life: November 1, 2026.

message_id: optional string

Message identifier

operation: optional string

Type of operation performed

recipient: optional string

Recipient email address

status: optional string

Operation status

MoveBulkResponse object { success, completed_at, completed_timestamp, 6 more }

success: boolean

Whether the operation succeeded

completed_at: optional string

When the move operation completed (UTC)

formatdate-time

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time

destination: optional string

Destination folder for the message

Deprecateditem_count: optional number

Number of items moved. End of life: November 1, 2026.

message_id: optional string

Message identifier

operation: optional string

Type of operation performed

recipient: optional string

Recipient email address

status: optional string

Operation status

Email SecurityInvestigateReclassify

Change email classification

POST/accounts/{account_id}/email-security/investigate/{investigate_id}/reclassify

ModelsExpand Collapse

ReclassifyCreateResponse = unknown

Email SecurityInvestigateRelease

Release messages from quarantine

POST/accounts/{account_id}/email-security/investigate/release

ModelsExpand Collapse

ReleaseBulkResponse object { id, delivered, failed, 2 more }

id: string

Unique identifier for a message retrieved from investigation

delivered: optional array of string

failed: optional array of string

Deprecatedpostfix_id: optional string

Deprecated, use id instead. End of life: November 1, 2026.

undelivered: optional array of string

Email SecurityPhishguard

Email SecurityPhishguardReports

Get PhishGuard reports

GET/accounts/{account_id}/email-security/phishguard/reports

ModelsExpand Collapse

ReportListResponse object { id, content, disposition, 7 more }

id: number

content: string

disposition: "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

fields: object { to, from, occurred_at, 2 more }

to: array of string

from: optional string

occurred_at: optional string

formatdate-time

postfix_id: optional string

Deprecatedts: optional string

Deprecated, use occurred_at instead

formatdate-time

priority: string

title: string

created_at: optional string

formatdate-time

tags: optional array of object { category, value }

category: string

value: string

Deprecatedts: optional string

Deprecated, use created_at instead

formatdate-time

updated_at: optional string

formatdate-time

Email SecuritySettings

Email SecuritySettingsAllow Policies

List email allow policies

GET/accounts/{account_id}/email-security/settings/allow_policies

Get an email allow policy

GET/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}

Create email allow policy

POST/accounts/{account_id}/email-security/settings/allow_policies

Update an email allow policy

PATCH/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}

Delete an email allow policy

DELETE/accounts/{account_id}/email-security/settings/allow_policies/{policy_id}

ModelsExpand Collapse

AllowPolicyListResponse object { id, created_at, last_modified, 12 more }

An email allow policy

id: string

Allow policy identifier

formatuuid

created_at: string

formatdate-time

Deprecatedlast_modified: string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

comments: optional string

maxLength1024

is_acceptable_sender: optional boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: optional boolean

Messages to this recipient will bypass all detections

Deprecatedis_recipient: optional boolean

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: optional boolean

Deprecatedis_sender: optional boolean

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: optional boolean

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: optional boolean

Messages from this sender will bypass all detections and link following

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: optional boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

AllowPolicyGetResponse object { id, created_at, last_modified, 12 more }

An email allow policy

id: string

Allow policy identifier

formatuuid

created_at: string

formatdate-time

Deprecatedlast_modified: string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

comments: optional string

maxLength1024

is_acceptable_sender: optional boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: optional boolean

Messages to this recipient will bypass all detections

Deprecatedis_recipient: optional boolean

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: optional boolean

Deprecatedis_sender: optional boolean

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: optional boolean

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: optional boolean

Messages from this sender will bypass all detections and link following

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: optional boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

AllowPolicyCreateResponse object { id, created_at, last_modified, 12 more }

An email allow policy

id: string

Allow policy identifier

formatuuid

created_at: string

formatdate-time

Deprecatedlast_modified: string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

comments: optional string

maxLength1024

is_acceptable_sender: optional boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: optional boolean

Messages to this recipient will bypass all detections

Deprecatedis_recipient: optional boolean

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: optional boolean

Deprecatedis_sender: optional boolean

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: optional boolean

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: optional boolean

Messages from this sender will bypass all detections and link following

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: optional boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

AllowPolicyEditResponse object { id, created_at, last_modified, 12 more }

An email allow policy

id: string

Allow policy identifier

formatuuid

created_at: string

formatdate-time

Deprecatedlast_modified: string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

comments: optional string

maxLength1024

is_acceptable_sender: optional boolean

Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.

is_exempt_recipient: optional boolean

Messages to this recipient will bypass all detections

Deprecatedis_recipient: optional boolean

Deprecated as of July 1, 2025. Use is_exempt_recipient instead. End of life: July 1, 2026.

is_regex: optional boolean

Deprecatedis_sender: optional boolean

Deprecated as of July 1, 2025. Use is_trusted_sender instead. End of life: July 1, 2026.

Deprecatedis_spoof: optional boolean

Deprecated as of July 1, 2025. Use is_acceptable_sender instead. End of life: July 1, 2026.

is_trusted_sender: optional boolean

Messages from this sender will bypass all detections and link following

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

verify_sender: optional boolean

Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.

AllowPolicyDeleteResponse object { id }

id: string

Allow policy identifier

formatuuid

Email SecuritySettingsBlock Senders

List blocked email senders

GET/accounts/{account_id}/email-security/settings/block_senders

Get a blocked email sender

GET/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}

Create blocked email sender

POST/accounts/{account_id}/email-security/settings/block_senders

Update a blocked email sender

PATCH/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}

Delete a blocked email sender

DELETE/accounts/{account_id}/email-security/settings/block_senders/{pattern_id}

ModelsExpand Collapse

BlockSenderListResponse object { id, comments, created_at, 5 more }

A blocked sender pattern

id: optional string

Blocked sender pattern identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

BlockSenderGetResponse object { id, comments, created_at, 5 more }

A blocked sender pattern

id: optional string

Blocked sender pattern identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

BlockSenderCreateResponse object { id, comments, created_at, 5 more }

A blocked sender pattern

id: optional string

Blocked sender pattern identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

BlockSenderEditResponse object { id, comments, created_at, 5 more }

A blocked sender pattern

id: optional string

Blocked sender pattern identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

pattern_type: optional "EMAIL" or "DOMAIN" or "IP" or "UNKNOWN"

Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries.

One of the following:

"EMAIL"

"DOMAIN"

"IP"

"UNKNOWN"

BlockSenderDeleteResponse object { id }

id: string

Blocked sender pattern identifier

formatuuid

Email SecuritySettingsDomains

List protected email domains

GET/accounts/{account_id}/email-security/settings/domains

Get an email domain

GET/accounts/{account_id}/email-security/settings/domains/{domain_id}

Update an email domain

PATCH/accounts/{account_id}/email-security/settings/domains/{domain_id}

Unprotect an email domain

DELETE/accounts/{account_id}/email-security/settings/domains/{domain_id}

ModelsExpand Collapse

DomainListResponse object { id, allowed_delivery_modes, authorization, 19 more }

id: optional string

Domain identifier

formatuuid

allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"API"

"RETRO_SCAN"

authorization: optional object { authorized, timestamp, status_message }

authorized: boolean

timestamp: string

formatdate-time

status_message: optional string

created_at: optional string

formatdate-time

dmarc_status: optional "none" or "good" or "invalid"

One of the following:

"none"

"good"

"invalid"

domain: optional string

drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }

timestamp: string

formatdate-time

total_emails_processed: number

minimum0

total_emails_processed_previous: number

minimum0

folder: optional "AllItems" or "Inbox"

One of the following:

"AllItems"

"Inbox"

inbox_provider: optional "Microsoft" or "Google"

One of the following:

"Microsoft"

"Google"

integration_id: optional string

formatuuid

ip_restrictions: optional array of string

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

lookback_hops: optional number

modified_at: optional string

formatdate-time

o365_tenant_id: optional string

regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more

One of the following:

"GLOBAL"

"AU"

"DE"

"IN"

"US"

require_tls_inbound: optional boolean

require_tls_outbound: optional boolean

spf_status: optional "none" or "good" or "neutral" or 2 more

One of the following:

"none"

"good"

"neutral"

"open"

"invalid"

status: optional "pending" or "active" or "failed" or "timeout"

One of the following:

"pending"

"active"

"failed"

"timeout"

transport: optional string

DomainGetResponse object { id, allowed_delivery_modes, authorization, 19 more }

id: optional string

Domain identifier

formatuuid

allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"API"

"RETRO_SCAN"

authorization: optional object { authorized, timestamp, status_message }

authorized: boolean

timestamp: string

formatdate-time

status_message: optional string

created_at: optional string

formatdate-time

dmarc_status: optional "none" or "good" or "invalid"

One of the following:

"none"

"good"

"invalid"

domain: optional string

drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }

timestamp: string

formatdate-time

total_emails_processed: number

minimum0

total_emails_processed_previous: number

minimum0

folder: optional "AllItems" or "Inbox"

One of the following:

"AllItems"

"Inbox"

inbox_provider: optional "Microsoft" or "Google"

One of the following:

"Microsoft"

"Google"

integration_id: optional string

formatuuid

ip_restrictions: optional array of string

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

lookback_hops: optional number

modified_at: optional string

formatdate-time

o365_tenant_id: optional string

regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more

One of the following:

"GLOBAL"

"AU"

"DE"

"IN"

"US"

require_tls_inbound: optional boolean

require_tls_outbound: optional boolean

spf_status: optional "none" or "good" or "neutral" or 2 more

One of the following:

"none"

"good"

"neutral"

"open"

"invalid"

status: optional "pending" or "active" or "failed" or "timeout"

One of the following:

"pending"

"active"

"failed"

"timeout"

transport: optional string

DomainEditResponse object { id, allowed_delivery_modes, authorization, 19 more }

id: optional string

Domain identifier

formatuuid

allowed_delivery_modes: optional array of "DIRECT" or "BCC" or "JOURNAL" or 2 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"API"

"RETRO_SCAN"

authorization: optional object { authorized, timestamp, status_message }

authorized: boolean

timestamp: string

formatdate-time

status_message: optional string

created_at: optional string

formatdate-time

dmarc_status: optional "none" or "good" or "invalid"

One of the following:

"none"

"good"

"invalid"

domain: optional string

drop_dispositions: optional array of "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

emails_processed: optional object { timestamp, total_emails_processed, total_emails_processed_previous }

timestamp: string

formatdate-time

total_emails_processed: number

minimum0

total_emails_processed_previous: number

minimum0

folder: optional "AllItems" or "Inbox"

One of the following:

"AllItems"

"Inbox"

inbox_provider: optional "Microsoft" or "Google"

One of the following:

"Microsoft"

"Google"

integration_id: optional string

formatuuid

ip_restrictions: optional array of string

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

lookback_hops: optional number

modified_at: optional string

formatdate-time

o365_tenant_id: optional string

regions: optional array of "GLOBAL" or "AU" or "DE" or 2 more

One of the following:

"GLOBAL"

"AU"

"DE"

"IN"

"US"

require_tls_inbound: optional boolean

require_tls_outbound: optional boolean

spf_status: optional "none" or "good" or "neutral" or 2 more

One of the following:

"none"

"good"

"neutral"

"open"

"invalid"

status: optional "pending" or "active" or "failed" or "timeout"

One of the following:

"pending"

"active"

"failed"

"timeout"

transport: optional string

DomainDeleteResponse object { id }

id: string

Domain identifier

formatuuid

Email SecuritySettingsImpersonation Registry

List entries in impersonation registry

GET/accounts/{account_id}/email-security/settings/impersonation_registry

Get an impersonation registry entry

GET/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}

Create impersonation registry entry

POST/accounts/{account_id}/email-security/settings/impersonation_registry

Update an impersonation registry entry

PATCH/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}

Delete an impersonation registry entry

DELETE/accounts/{account_id}/email-security/settings/impersonation_registry/{impersonation_registry_id}

ModelsExpand Collapse

ImpersonationRegistryListResponse object { id, comments, created_at, 9 more }

An impersonation registry entry

id: optional string

Impersonation registry entry identifier

formatuuid

comments: optional string

created_at: optional string

formatdate-time

directory_id: optional number

directory_node_id: optional number

email: optional string

Deprecatedexternal_directory_node_id: optional string

is_email_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

name: optional string

maxLength1024

provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"

One of the following:

"A1S_INTERNAL"

"SNOOPY-CASB_OFFICE_365"

"SNOOPY-OFFICE_365"

"SNOOPY-GOOGLE_DIRECTORY"

ImpersonationRegistryGetResponse object { id, comments, created_at, 9 more }

An impersonation registry entry

id: optional string

Impersonation registry entry identifier

formatuuid

comments: optional string

created_at: optional string

formatdate-time

directory_id: optional number

directory_node_id: optional number

email: optional string

Deprecatedexternal_directory_node_id: optional string

is_email_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

name: optional string

maxLength1024

provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"

One of the following:

"A1S_INTERNAL"

"SNOOPY-CASB_OFFICE_365"

"SNOOPY-OFFICE_365"

"SNOOPY-GOOGLE_DIRECTORY"

ImpersonationRegistryCreateResponse object { id, comments, created_at, 9 more }

An impersonation registry entry

id: optional string

Impersonation registry entry identifier

formatuuid

comments: optional string

created_at: optional string

formatdate-time

directory_id: optional number

directory_node_id: optional number

email: optional string

Deprecatedexternal_directory_node_id: optional string

is_email_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

name: optional string

maxLength1024

provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"

One of the following:

"A1S_INTERNAL"

"SNOOPY-CASB_OFFICE_365"

"SNOOPY-OFFICE_365"

"SNOOPY-GOOGLE_DIRECTORY"

ImpersonationRegistryEditResponse object { id, comments, created_at, 9 more }

An impersonation registry entry

id: optional string

Impersonation registry entry identifier

formatuuid

comments: optional string

created_at: optional string

formatdate-time

directory_id: optional number

directory_node_id: optional number

email: optional string

Deprecatedexternal_directory_node_id: optional string

is_email_regex: optional boolean

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

name: optional string

maxLength1024

provenance: optional "A1S_INTERNAL" or "SNOOPY-CASB_OFFICE_365" or "SNOOPY-OFFICE_365" or "SNOOPY-GOOGLE_DIRECTORY"

One of the following:

"A1S_INTERNAL"

"SNOOPY-CASB_OFFICE_365"

"SNOOPY-OFFICE_365"

"SNOOPY-GOOGLE_DIRECTORY"

ImpersonationRegistryDeleteResponse object { id }

id: string

Impersonation registry entry identifier

formatuuid

Email SecuritySettingsTrusted Domains

List trusted email domains

GET/accounts/{account_id}/email-security/settings/trusted_domains

Get a trusted email domain

GET/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}

Create trusted email domain

POST/accounts/{account_id}/email-security/settings/trusted_domains

Update a trusted email domain

PATCH/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}

Delete a trusted email domain

DELETE/accounts/{account_id}/email-security/settings/trusted_domains/{trusted_domain_id}

ModelsExpand Collapse

TrustedDomainListResponse object { id, comments, created_at, 6 more }

A trusted email domain

id: optional string

Trusted domain identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_recent: optional boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: optional boolean

is_similarity: optional boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

TrustedDomainGetResponse object { id, comments, created_at, 6 more }

A trusted email domain

id: optional string

Trusted domain identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_recent: optional boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: optional boolean

is_similarity: optional boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

TrustedDomainCreateResponse object { id, comments, created_at, 6 more }

A trusted email domain

id: optional string

Trusted domain identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_recent: optional boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: optional boolean

is_similarity: optional boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

TrustedDomainEditResponse object { id, comments, created_at, 6 more }

A trusted email domain

id: optional string

Trusted domain identifier

formatuuid

comments: optional string

maxLength1024

created_at: optional string

formatdate-time

is_recent: optional boolean

Select to prevent recently registered domains from triggering a Suspicious or Malicious disposition.

is_regex: optional boolean

is_similarity: optional boolean

Select for partner or other approved domains that have similar spelling to your connected domains. Prevents listed domains from triggering a Spoof disposition.

Deprecatedlast_modified: optional string

Deprecated, use modified_at instead. End of life: November 1, 2026.

formatdate-time

modified_at: optional string

formatdate-time

pattern: optional string

maxLength1024

minLength1

TrustedDomainDeleteResponse object { id }

id: string

Trusted domain identifier

formatuuid

Email SecuritySubmissions

Get reclassify submissions

GET/accounts/{account_id}/email-security/submissions

ModelsExpand Collapse

SubmissionListResponse object { requested_at, submission_id, customer_status, 15 more }

requested_at: string

When the submission was requested (UTC).

formatdate-time

submission_id: string

customer_status: optional "escalated" or "reviewed" or "unreviewed"

One of the following:

"escalated"

"reviewed"

"unreviewed"

escalated_as: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more

One of the following:

"MALICIOUS"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"NONE"

escalated_at: optional string

formatdate-time

escalated_by: optional string

escalated_submission_id: optional string

original_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more

One of the following:

"MALICIOUS"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"NONE"

original_edf_hash: optional string

original_postfix_id: optional string

The postfix ID of the original message that was submitted

outcome: optional string

outcome_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more

One of the following:

"MALICIOUS"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"NONE"

requested_by: optional string

requested_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more

One of the following:

"MALICIOUS"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"NONE"

Deprecatedrequested_ts: optional string

Deprecated, use requested_at instead

status: optional string

subject: optional string

type: optional "Team" or "User"

Whether the submission was created by a team member or an end user.

One of the following:

"Team"

"User"