API Reference

Email Security

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Investigate

Search email messages

GET/accounts/{account_id}/email-security/investigate

Get message details

GET/accounts/{account_id}/email-security/investigate/{investigate_id}

ModelsExpand Collapse

InvestigateListResponse object { id, action_log, client_recipients, 32 more }

id: string

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: array of object { completed_at, operation, completed_timestamp, 2 more }

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: string

Timestamp when action completed

formatdate-time

operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more

Type of action performed

One of the following:

"MOVE"

"RELEASE"

"RECLASSIFY"

"SUBMISSION"

"QUARANTINE_RELEASE"

"PREVIEW"

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: optional object { folder, requested_by }

Additional properties for the action

folder: optional string

Target folder for move operations

requested_by: optional string

User who requested the action

status: optional string

Status of the action

client_recipients: array of string

detection_reasons: array of string

is_phish_submission: boolean

is_quarantined: boolean

postfix_id: string

The identifier of the message

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

Message processing properties

allowlisted_pattern: optional string

Pattern that allowlisted this message

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Type of allowlist pattern

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: optional boolean

Whether message was blocklisted

blocklisted_pattern: optional string

Pattern that blocklisted this message

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Legacy field for allowlist pattern type

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: optional string

delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: optional string

envelope_from: optional string

envelope_to: optional array of string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: optional array of object { attachment, detail, detection, 6 more }

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

from: optional string

from_name: optional string

htmltext_structure_hash: optional string

message_id: optional string

post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

Post-delivery operations performed on this message

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: optional string

replyto: optional string

scanned_at: optional string

When the message was scanned (UTC)

formatdate-time

sent_at: optional string

When the message was sent (UTC)

formatdate-time

sent_date: optional string

smtp_helo_server_ip: optional string

smtp_previous_hop_ip: optional string

subject: optional string

threat_categories: optional array of string

to: optional array of string

to_name: optional array of string

validation: optional object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

x_originating_ip: optional string

InvestigateGetResponse object { id, action_log, client_recipients, 32 more }

id: string

Unique identifier for a message retrieved from investigation

Deprecatedaction_log: array of object { completed_at, operation, completed_timestamp, 2 more }

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: string

Timestamp when action completed

formatdate-time

operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more

Type of action performed

One of the following:

"MOVE"

"RELEASE"

"RECLASSIFY"

"SUBMISSION"

"QUARANTINE_RELEASE"

"PREVIEW"

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: optional object { folder, requested_by }

Additional properties for the action

folder: optional string

Target folder for move operations

requested_by: optional string

User who requested the action

status: optional string

Status of the action

client_recipients: array of string

detection_reasons: array of string

is_phish_submission: boolean

is_quarantined: boolean

postfix_id: string

The identifier of the message

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

Message processing properties

allowlisted_pattern: optional string

Pattern that allowlisted this message

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Type of allowlist pattern

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

blocklisted_message: optional boolean

Whether message was blocklisted

blocklisted_pattern: optional string

Pattern that blocklisted this message

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Legacy field for allowlist pattern type

One of the following:

"quarantine_release"

"acceptable_sender"

"allowed_sender"

"allowed_recipient"

"domain_similarity"

"domain_recency"

"managed_acceptable_sender"

"outbound_ndr"

Deprecatedts: string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: optional string

delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more

One of the following:

"DIRECT"

"BCC"

"JOURNAL"

"REVIEW_SUBMISSION"

"DMARC_UNVERIFIED"

"DMARC_FAILURE_REPORT"

"DMARC_AGGREGATE_REPORT"

"THREAT_INTEL_SUBMISSION"

"SIMULATION_SUBMISSION"

"API"

"RETRO_SCAN"

delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

edf_hash: optional string

envelope_from: optional string

envelope_to: optional array of string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Deprecatedfindings: optional array of object { attachment, detail, detection, 6 more }

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

from: optional string

from_name: optional string

htmltext_structure_hash: optional string

message_id: optional string

post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

Post-delivery operations performed on this message

One of the following:

"PREVIEW"

"QUARANTINE_RELEASE"

"SUBMISSION"

"MOVE"

postfix_id_outbound: optional string

replyto: optional string

scanned_at: optional string

When the message was scanned (UTC)

formatdate-time

sent_at: optional string

When the message was sent (UTC)

formatdate-time

sent_date: optional string

smtp_helo_server_ip: optional string

smtp_previous_hop_ip: optional string

subject: optional string

threat_categories: optional array of string

to: optional array of string

to_name: optional array of string

validation: optional object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

x_originating_ip: optional string

InvestigateDetections

Get message detection details

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/detections

ModelsExpand Collapse

DetectionGetResponse object { action, attachments, findings, 6 more }

action: string

attachments: array of object { size, content_type, detection, 6 more }

size: number

Size of the attachment in bytes

minimum0

content_type: optional string

MIME type of the attachment

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

Detection result for this attachment

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

encrypted: optional boolean

Whether the attachment is encrypted

filename: optional string

Name of the attached file

md5: optional string

MD5 hash of the attachment

name: optional string

Attachment name (alternative to filename)

sha1: optional string

SHA1 hash of the attachment

sha256: optional string

SHA256 hash of the attachment

findings: array of object { attachment, detail, detection, 6 more }

attachment: optional string

detail: optional string

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

field: optional string

name: optional string

portion: optional string

reason: optional string

score: optional number

formatdouble

value: optional string

headers: array of object { name, value }

name: string

value: string

links: array of object { href, text }

href: string

text: optional string

sender_info: object { as_name, as_number, geo, 2 more }

as_name: optional string

The name of the autonomous system.

as_number: optional number

The number of the autonomous system.

geo: optional string

ip: optional string

pld: optional string

threat_categories: array of object { id, description, name }

id: optional number

description: optional string

name: optional string

validation: object { comment, dkim, dmarc, spf }

comment: optional string

dkim: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

dmarc: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

spf: optional "pass" or "neutral" or "fail" or 2 more

One of the following:

"pass"

"neutral"

"fail"

"error"

"none"

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

InvestigatePreview

Get email preview

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/preview

Preview for non-detection messages

POST/accounts/{account_id}/email-security/investigate/preview

ModelsExpand Collapse

PreviewGetResponse object { screenshot }

screenshot: string

A base64 encoded PNG image of the email.

PreviewCreateResponse object { screenshot }

screenshot: string

A base64 encoded PNG image of the email.

InvestigateRaw

Get raw email content

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/raw

ModelsExpand Collapse

RawGetResponse object { raw }

raw: string

A UTF-8 encoded eml file of the email.

InvestigateTrace

Get email trace

GET/accounts/{account_id}/email-security/investigate/{investigate_id}/trace

ModelsExpand Collapse

TraceGetResponse object { inbound, outbound }

inbound: object { lines, pending }

lines: optional array of object { lineno, logged_at, message, ts }

lineno: optional number

Line number in the trace log

logged_at: optional string

formatdate-time

message: optional string

Deprecatedts: optional string

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: optional boolean

outbound: object { lines, pending }

lines: optional array of object { lineno, logged_at, message, ts }

lineno: optional number

Line number in the trace log

logged_at: optional string

formatdate-time

message: optional string

Deprecatedts: optional string

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: optional boolean

InvestigateMove

Move a message

POST/accounts/{account_id}/email-security/investigate/{investigate_id}/move

Move multiple messages

POST/accounts/{account_id}/email-security/investigate/move

ModelsExpand Collapse

MoveCreateResponse object { success, completed_at, completed_timestamp, 6 more }

success: boolean

Whether the operation succeeded

completed_at: optional string

When the move operation completed (UTC)

formatdate-time

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time

destination: optional string

Destination folder for the message

Deprecateditem_count: optional number

Number of items moved. End of life: November 1, 2026.

message_id: optional string

Message identifier

operation: optional string

Type of operation performed

recipient: optional string

Recipient email address

status: optional string

Operation status

MoveBulkResponse object { success, completed_at, completed_timestamp, 6 more }

success: boolean

Whether the operation succeeded

completed_at: optional string

When the move operation completed (UTC)

formatdate-time

Deprecatedcompleted_timestamp: optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

formatdate-time

destination: optional string

Destination folder for the message

Deprecateditem_count: optional number

Number of items moved. End of life: November 1, 2026.

message_id: optional string

Message identifier

operation: optional string

Type of operation performed

recipient: optional string

Recipient email address

status: optional string

Operation status

InvestigateReclassify

Change email classification

POST/accounts/{account_id}/email-security/investigate/{investigate_id}/reclassify

ModelsExpand Collapse

ReclassifyCreateResponse = unknown

InvestigateRelease

Release messages from quarantine

POST/accounts/{account_id}/email-security/investigate/release

ModelsExpand Collapse

ReleaseBulkResponse object { id, delivered, failed, 2 more }

id: string

Unique identifier for a message retrieved from investigation

delivered: optional array of string

failed: optional array of string

Deprecatedpostfix_id: optional string

Deprecated, use id instead. End of life: November 1, 2026.

undelivered: optional array of string

InvestigateBulk

List bulk action jobs

GET/accounts/{account_id}/email-security/investigate/bulk

Create a bulk action job

POST/accounts/{account_id}/email-security/investigate/bulk

Get bulk action job details

GET/accounts/{account_id}/email-security/investigate/bulk/{job_id}

Delete a bulk action job

DELETE/accounts/{account_id}/email-security/investigate/bulk/{job_id}

ModelsExpand Collapse

BulkListResponse object { action_params, action_type, created_at, 11 more }

action_params: object { destination, type, expected_disposition } or object { type }

One of the following:

Move object { destination, type, expected_disposition }

destination: "Inbox" or "JunkEmail" or "DeletedItems" or 2 more

One of the following:

"Inbox"

"JunkEmail"

"DeletedItems"

"RecoverableItemsDeletions"

"RecoverableItemsPurges"

type: "MOVE"

expected_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Release object { type }

type: "RELEASE"

action_type: "MOVE" or "RELEASE"

One of the following:

"MOVE"

"RELEASE"

created_at: string

formatdate-time

job_id: string

formatuuid

messages_failed: number

messages_pending: number

messages_successful: number

search_params: object { action_log, alert_id, delivery_status, 14 more }

Deprecatedaction_log: optional boolean

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

alert_id: optional string

delivery_status: optional "delivered" or "moved" or "quarantined" or 4 more

Delivery status of the message.

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

detections_only: optional boolean

domain: optional string

end: optional string

End of search date range

formatdate-time

exact_subject: optional string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

message_action: optional "PREVIEW" or "QUARANTINE_RELEASED" or "MOVED"

One of the following:

"PREVIEW"

"QUARANTINE_RELEASED"

"MOVED"

message_id: optional string

metric: optional string

query: optional string

recipient: optional string

sender: optional string

start: optional string

Beginning of search date range

formatdate-time

subject: optional string

submissions: optional boolean

status: "PENDING" or "DISCOVERING" or "PROCESSING" or 4 more

One of the following:

"PENDING"

"DISCOVERING"

"PROCESSING"

"COMPLETED"

"FAILED"

"CANCELLED"

"SKIPPED"

total_messages_discovered: number

comment: optional string

completed_at: optional string

formatdate-time

started_at: optional string

formatdate-time

status_message: optional string

BulkCreateResponse object { action_params, action_type, created_at, 11 more }

action_params: object { destination, type, expected_disposition } or object { type }

One of the following:

Move object { destination, type, expected_disposition }

destination: "Inbox" or "JunkEmail" or "DeletedItems" or 2 more

One of the following:

"Inbox"

"JunkEmail"

"DeletedItems"

"RecoverableItemsDeletions"

"RecoverableItemsPurges"

type: "MOVE"

expected_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Release object { type }

type: "RELEASE"

action_type: "MOVE" or "RELEASE"

One of the following:

"MOVE"

"RELEASE"

created_at: string

formatdate-time

job_id: string

formatuuid

messages_failed: number

messages_pending: number

messages_successful: number

search_params: object { action_log, alert_id, delivery_status, 14 more }

Deprecatedaction_log: optional boolean

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

alert_id: optional string

delivery_status: optional "delivered" or "moved" or "quarantined" or 4 more

Delivery status of the message.

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

detections_only: optional boolean

domain: optional string

end: optional string

End of search date range

formatdate-time

exact_subject: optional string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

message_action: optional "PREVIEW" or "QUARANTINE_RELEASED" or "MOVED"

One of the following:

"PREVIEW"

"QUARANTINE_RELEASED"

"MOVED"

message_id: optional string

metric: optional string

query: optional string

recipient: optional string

sender: optional string

start: optional string

Beginning of search date range

formatdate-time

subject: optional string

submissions: optional boolean

status: "PENDING" or "DISCOVERING" or "PROCESSING" or 4 more

One of the following:

"PENDING"

"DISCOVERING"

"PROCESSING"

"COMPLETED"

"FAILED"

"CANCELLED"

"SKIPPED"

total_messages_discovered: number

comment: optional string

completed_at: optional string

formatdate-time

started_at: optional string

formatdate-time

status_message: optional string

BulkGetResponse object { action_params, action_type, created_at, 11 more }

action_params: object { destination, type, expected_disposition } or object { type }

One of the following:

Move object { destination, type, expected_disposition }

destination: "Inbox" or "JunkEmail" or "DeletedItems" or 2 more

One of the following:

"Inbox"

"JunkEmail"

"DeletedItems"

"RecoverableItemsDeletions"

"RecoverableItemsPurges"

type: "MOVE"

expected_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Release object { type }

type: "RELEASE"

action_type: "MOVE" or "RELEASE"

One of the following:

"MOVE"

"RELEASE"

created_at: string

formatdate-time

job_id: string

formatuuid

messages_failed: number

messages_pending: number

messages_successful: number

search_params: object { action_log, alert_id, delivery_status, 14 more }

Deprecatedaction_log: optional boolean

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

alert_id: optional string

delivery_status: optional "delivered" or "moved" or "quarantined" or 4 more

Delivery status of the message.

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

detections_only: optional boolean

domain: optional string

end: optional string

End of search date range

formatdate-time

exact_subject: optional string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

message_action: optional "PREVIEW" or "QUARANTINE_RELEASED" or "MOVED"

One of the following:

"PREVIEW"

"QUARANTINE_RELEASED"

"MOVED"

message_id: optional string

metric: optional string

query: optional string

recipient: optional string

sender: optional string

start: optional string

Beginning of search date range

formatdate-time

subject: optional string

submissions: optional boolean

status: "PENDING" or "DISCOVERING" or "PROCESSING" or 4 more

One of the following:

"PENDING"

"DISCOVERING"

"PROCESSING"

"COMPLETED"

"FAILED"

"CANCELLED"

"SKIPPED"

total_messages_discovered: number

comment: optional string

completed_at: optional string

formatdate-time

started_at: optional string

formatdate-time

status_message: optional string

BulkDeleteResponse object { id }

id: string

formatuuid

InvestigateBulkCancel

Cancel a bulk action job

POST/accounts/{account_id}/email-security/investigate/bulk/{job_id}/cancel

ModelsExpand Collapse

CancelCreateResponse object { action_params, action_type, created_at, 11 more }

action_params: object { destination, type, expected_disposition } or object { type }

One of the following:

Move object { destination, type, expected_disposition }

destination: "Inbox" or "JunkEmail" or "DeletedItems" or 2 more

One of the following:

"Inbox"

"JunkEmail"

"DeletedItems"

"RecoverableItemsDeletions"

"RecoverableItemsPurges"

type: "MOVE"

expected_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Release object { type }

type: "RELEASE"

action_type: "MOVE" or "RELEASE"

One of the following:

"MOVE"

"RELEASE"

created_at: string

formatdate-time

job_id: string

formatuuid

messages_failed: number

messages_pending: number

messages_successful: number

search_params: object { action_log, alert_id, delivery_status, 14 more }

Deprecatedaction_log: optional boolean

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

alert_id: optional string

delivery_status: optional "delivered" or "moved" or "quarantined" or 4 more

Delivery status of the message.

One of the following:

"delivered"

"moved"

"quarantined"

"rejected"

"deferred"

"bounced"

"queued"

detections_only: optional boolean

domain: optional string

end: optional string

End of search date range

formatdate-time

exact_subject: optional string

final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

message_action: optional "PREVIEW" or "QUARANTINE_RELEASED" or "MOVED"

One of the following:

"PREVIEW"

"QUARANTINE_RELEASED"

"MOVED"

message_id: optional string

metric: optional string

query: optional string

recipient: optional string

sender: optional string

start: optional string

Beginning of search date range

formatdate-time

subject: optional string

submissions: optional boolean

status: "PENDING" or "DISCOVERING" or "PROCESSING" or 4 more

One of the following:

"PENDING"

"DISCOVERING"

"PROCESSING"

"COMPLETED"

"FAILED"

"CANCELLED"

"SKIPPED"

total_messages_discovered: number

comment: optional string

completed_at: optional string

formatdate-time

started_at: optional string

formatdate-time

status_message: optional string

InvestigateBulkMessages

List messages for a bulk action job

GET/accounts/{account_id}/email-security/investigate/bulk/{job_id}/messages

ModelsExpand Collapse

MessageListResponse object { action_params, action_type, created_at, 9 more }

action_params: object { client_recipient, destination, type, expected_disposition } or object { client_recipient, type }

One of the following:

Move object { client_recipient, destination, type, expected_disposition }

client_recipient: string

destination: "Inbox" or "JunkEmail" or "DeletedItems" or 2 more

One of the following:

"Inbox"

"JunkEmail"

"DeletedItems"

"RecoverableItemsDeletions"

"RecoverableItemsPurges"

type: "MOVE"

expected_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

One of the following:

"MALICIOUS"

"MALICIOUS-BEC"

"SUSPICIOUS"

"SPOOF"

"SPAM"

"BULK"

"ENCRYPTED"

"EXTERNAL"

"UNKNOWN"

"NONE"

Release object { client_recipient, type }

client_recipient: string

type: "RELEASE"

action_type: "MOVE" or "RELEASE"

One of the following:

"MOVE"

"RELEASE"

created_at: string

formatdate-time

message_id: string

formatuuid

postfix_id: string

retry_count: number

status: "PENDING" or "DISCOVERING" or "PROCESSING" or 4 more

One of the following:

"PENDING"

"DISCOVERING"

"PROCESSING"

"COMPLETED"

"FAILED"

"CANCELLED"

"SKIPPED"

alert_id: optional string

email_message_id: optional string

processed_at: optional string

formatdate-time

retry_after: optional string

When to retry the action if it failed

formatdate-time

status_message: optional string