Investigate

Search email messages
GET /accounts/{account_id}/email-security/investigate
Get message details
GET /accounts/{account_id}/email-security/investigate/{investigate_id}
Models
InvestigateListResponse object { id, action_log, client_recipients, 29 more }
id: string

Unique identifier for a message retrieved from investigation

action_log (deprecated): array of object { completed_at, operation, completed_timestamp, 2 more }

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: string

Timestamp when action completed

format: date-time
operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more

Type of action performed

One of the following:
"MOVE"
"RELEASE"
"RECLASSIFY"
"SUBMISSION"
"QUARANTINE_RELEASE"
"PREVIEW"
completed_timestamp (deprecated): optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: optional object { folder, requested_by }

Additional properties for the action

folder: optional string

Target folder for move operations

requested_by: optional string

User who requested the action

status: optional string

Status of the action

client_recipients: array of string
detection_reasons: array of string
is_phish_submission: boolean
is_quarantined: boolean
postfix_id: string

The identifier of the message

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

Message processing properties

allowlisted_pattern: optional string

Pattern that allowlisted this message

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Type of allowlist pattern

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
blocklisted_message: optional boolean

Whether message was blocklisted

blocklisted_pattern: optional string

Pattern that blocklisted this message

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Legacy field for allowlist pattern type

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
ts (deprecated): string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: optional string
delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"REVIEW_SUBMISSION"
"DMARC_UNVERIFIED"
"DMARC_FAILURE_REPORT"
"DMARC_AGGREGATE_REPORT"
"THREAT_INTEL_SUBMISSION"
"SIMULATION_SUBMISSION"
"API"
"RETRO_SCAN"
delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more
One of the following:
"delivered"
"moved"
"quarantined"
"rejected"
"deferred"
"bounced"
"queued"
edf_hash: optional string
envelope_from: optional string
envelope_to: optional array of string
final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
findings (deprecated): optional array of object { attachment, detail, detection, 6 more }

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: optional string
detail: optional string
detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
field: optional string
name: optional string
portion: optional string
reason: optional string
score: optional number
format: double
value: optional string
from: optional string
from_name: optional string
htmltext_structure_hash: optional string
message_id: optional string
post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

Post-delivery operations performed on this message

One of the following:
"PREVIEW"
"QUARANTINE_RELEASE"
"SUBMISSION"
"MOVE"
postfix_id_outbound: optional string
replyto: optional string
scanned_at: optional string

When the message was scanned (UTC)

format: date-time
sent_at: optional string

When the message was sent (UTC)

format: date-time
sent_date: optional string
subject: optional string
threat_categories: optional array of string
to: optional array of string
to_name: optional array of string
validation: optional object { comment, dkim, dmarc, spf }
comment: optional string
dkim: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
dmarc: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
spf: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
InvestigateGetResponse object { id, action_log, client_recipients, 29 more }
id: string

Unique identifier for a message retrieved from investigation

action_log (deprecated): array of object { completed_at, operation, completed_timestamp, 2 more }

Deprecated, use GET /investigate/{investigate_id}/action_log instead. End of life: November 1, 2026.

completed_at: string

Timestamp when action completed

format: date-time
operation: "MOVE" or "RELEASE" or "RECLASSIFY" or 3 more

Type of action performed

One of the following:
"MOVE"
"RELEASE"
"RECLASSIFY"
"SUBMISSION"
"QUARANTINE_RELEASE"
"PREVIEW"
completed_timestamp (deprecated): optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

properties: optional object { folder, requested_by }

Additional properties for the action

folder: optional string

Target folder for move operations

requested_by: optional string

User who requested the action

status: optional string

Status of the action

client_recipients: array of string
detection_reasons: array of string
is_phish_submission: boolean
is_quarantined: boolean
postfix_id: string

The identifier of the message

properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }

Message processing properties

allowlisted_pattern: optional string

Pattern that allowlisted this message

allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Type of allowlist pattern

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
blocklisted_message: optional boolean

Whether message was blocklisted

blocklisted_pattern: optional string

Pattern that blocklisted this message

whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more

Legacy field for allowlist pattern type

One of the following:
"quarantine_release"
"acceptable_sender"
"allowed_sender"
"allowed_recipient"
"domain_similarity"
"domain_recency"
"managed_acceptable_sender"
"outbound_ndr"
ts (deprecated): string

Deprecated, use scanned_at instead. End of life: November 1, 2026.

alert_id: optional string
delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more
One of the following:
"DIRECT"
"BCC"
"JOURNAL"
"REVIEW_SUBMISSION"
"DMARC_UNVERIFIED"
"DMARC_FAILURE_REPORT"
"DMARC_AGGREGATE_REPORT"
"THREAT_INTEL_SUBMISSION"
"SIMULATION_SUBMISSION"
"API"
"RETRO_SCAN"
delivery_status: optional array of "delivered" or "moved" or "quarantined" or 4 more
One of the following:
"delivered"
"moved"
"quarantined"
"rejected"
"deferred"
"bounced"
"queued"
edf_hash: optional string
envelope_from: optional string
envelope_to: optional array of string
final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
findings (deprecated): optional array of object { attachment, detail, detection, 6 more }

Deprecated, use the findings field from GET /investigate/{investigate_id}/detections instead. End of life: November 1, 2026. Detection findings for this message.

attachment: optional string
detail: optional string
detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
field: optional string
name: optional string
portion: optional string
reason: optional string
score: optional number
format: double
value: optional string
from: optional string
from_name: optional string
htmltext_structure_hash: optional string
message_id: optional string
post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"

Post-delivery operations performed on this message

One of the following:
"PREVIEW"
"QUARANTINE_RELEASE"
"SUBMISSION"
"MOVE"
postfix_id_outbound: optional string
replyto: optional string
scanned_at: optional string

When the message was scanned (UTC)

format: date-time
sent_at: optional string

When the message was sent (UTC)

format: date-time
sent_date: optional string
subject: optional string
threat_categories: optional array of string
to: optional array of string
to_name: optional array of string
validation: optional object { comment, dkim, dmarc, spf }
comment: optional string
dkim: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
dmarc: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
spf: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"

InvestigateDetections

Get message detection details
GET /accounts/{account_id}/email-security/investigate/{investigate_id}/detections
Models
DetectionGetResponse object { action, attachments, findings, 6 more }
action: string
attachments: array of object { size, content_type, detection, 6 more }
size: number

Size of the attachment in bytes

minimum: 0
content_type: optional string

MIME type of the attachment

detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more

Detection result for this attachment

One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
encrypted: optional boolean

Whether the attachment is encrypted

filename: optional string

Name of the attached file

md5: optional string

MD5 hash of the attachment

name: optional string

Attachment name (alternative to filename)

sha1: optional string

SHA1 hash of the attachment

sha256: optional string

SHA256 hash of the attachment

findings: array of object { attachment, detail, detection, 6 more }
attachment: optional string
detail: optional string
detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"
field: optional string
name: optional string
portion: optional string
reason: optional string
score: optional number
format: double
value: optional string
headers: array of object { name, value }
name: string
value: string
sender_info: object { as_name, as_number, geo, 2 more }
as_name: optional string

The name of the autonomous system.

as_number: optional number

The number of the autonomous system.

geo: optional string
ip: optional string
pld: optional string
threat_categories: array of object { id, description, name }
id: optional number
description: optional string
name: optional string
validation: object { comment, dkim, dmarc, spf }
comment: optional string
dkim: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
dmarc: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
spf: optional "pass" or "neutral" or "fail" or 2 more
One of the following:
"pass"
"neutral"
"fail"
"error"
"none"
final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more
One of the following:
"MALICIOUS"
"MALICIOUS-BEC"
"SUSPICIOUS"
"SPOOF"
"SPAM"
"BULK"
"ENCRYPTED"
"EXTERNAL"
"UNKNOWN"
"NONE"

InvestigatePreview

Get email preview
GET /accounts/{account_id}/email-security/investigate/{investigate_id}/preview
Preview for non-detection messages
POST /accounts/{account_id}/email-security/investigate/preview
Models
PreviewGetResponse object { screenshot }
screenshot: string

A base64 encoded PNG image of the email.

PreviewCreateResponse object { screenshot }
screenshot: string

A base64 encoded PNG image of the email.

InvestigateRaw

Get raw email content
GET /accounts/{account_id}/email-security/investigate/{investigate_id}/raw
Models
RawGetResponse object { raw }
raw: string

A UTF-8 encoded eml file of the email.

InvestigateTrace

Get email trace
GET /accounts/{account_id}/email-security/investigate/{investigate_id}/trace
Models
TraceGetResponse object { inbound, outbound }
inbound: object { lines, pending }
lines: optional array of object { lineno, logged_at, message, ts }
lineno: optional number

Line number in the trace log

logged_at: optional string
format: date-time
message: optional string
ts (deprecated): optional string

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: optional boolean
outbound: object { lines, pending }
lines: optional array of object { lineno, logged_at, message, ts }
lineno: optional number

Line number in the trace log

logged_at: optional string
format: date-time
message: optional string
ts (deprecated): optional string

Deprecated, use logged_at instead. End of life: November 1, 2026.

pending: optional boolean

InvestigateMove

Move a message
POST /accounts/{account_id}/email-security/investigate/{investigate_id}/move
Move multiple messages
POST /accounts/{account_id}/email-security/investigate/move
Models
MoveCreateResponse object { success, completed_at, completed_timestamp, 6 more }
success: boolean

Whether the operation succeeded

completed_at: optional string

When the move operation completed (UTC)

format: date-time
completed_timestamp (deprecated): optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

format: date-time
destination: optional string

Destination folder for the message

item_count (deprecated): optional number

Number of items moved. End of life: November 1, 2026.

message_id: optional string

Message identifier

operation: optional string

Type of operation performed

recipient: optional string

Recipient email address

status: optional string

Operation status

MoveBulkResponse object { success, completed_at, completed_timestamp, 6 more }
success: boolean

Whether the operation succeeded

completed_at: optional string

When the move operation completed (UTC)

format: date-time
completed_timestamp (deprecated): optional string

Deprecated, use completed_at instead. End of life: November 1, 2026.

format: date-time
destination: optional string

Destination folder for the message

item_count (deprecated): optional number

Number of items moved. End of life: November 1, 2026.

message_id: optional string

Message identifier

operation: optional string

Type of operation performed

recipient: optional string

Recipient email address

status: optional string

Operation status

InvestigateReclassify

Change email classification
POST /accounts/{account_id}/email-security/investigate/{investigate_id}/reclassify
Models
ReclassifyCreateResponse = unknown

InvestigateRelease

Release messages from quarantine
POST /accounts/{account_id}/email-security/investigate/release
Models
ReleaseBulkResponse object { id, delivered, failed, 2 more }
id: string

Unique identifier for a message retrieved from investigation

delivered: optional array of string
failed: optional array of string
postfix_id (deprecated): optional string

Deprecated, use id instead. End of life: November 1, 2026.

undelivered: optional array of string