## Search email messages **get** `/accounts/{account_id}/email-security/investigate` Returns information for each email that matches the search parameter(s). If the search takes too long, the endpoint returns 202 with a Location header pointing to a polling endpoint where results can be retrieved once ready. ### Path Parameters - `account_id: string` Account Identifier ### Query Parameters - `action_log: optional boolean` Determines if the message action log is included in the response. - `alert_id: optional string` - `cursor: optional string` - `detections_only: optional boolean` Determines if the search results will include detections or not. - `domain: optional string` Filter by a domain found in the email: sender domain, recipient domain, or a domain in a link. - `end: optional string` The end of the search date range. Defaults to `now` if not provided. - `exact_subject: optional string` Search for messages with an exact subject match. - `final_disposition: optional "MALICIOUS" or "SUSPICIOUS" or "SPOOF" or 3 more` The dispositions the search filters by. - `"MALICIOUS"` - `"SUSPICIOUS"` - `"SPOOF"` - `"SPAM"` - `"BULK"` - `"NONE"` - `message_action: optional "PREVIEW" or "QUARANTINE_RELEASED" or "MOVED" or "SUBMITTED"` The message actions the search filters by. - `"PREVIEW"` - `"QUARANTINE_RELEASED"` - `"MOVED"` - `"SUBMITTED"` - `message_id: optional string` - `metric: optional string` - `page: optional number` Deprecated: Use cursor pagination instead. - `per_page: optional number` The number of results per page. - `query: optional string` The space-delimited term used in the query. The search is case-insensitive. The content of the following email metadata fields are searched: * alert_id * CC * From (envelope_from) * From Name * final_disposition * md5 hash (of any attachment) * sha1 hash (of any attachment) * sha256 hash (of any attachment) * name (of any attachment) * Reason * Received DateTime (yyyy-mm-ddThh:mm:ss) * Sent DateTime (yyyy-mm-ddThh:mm:ss) * ReplyTo * To (envelope_to) * To Name * Message-ID * smtp_helo_server_ip * smtp_previous_hop_ip * x_originating_ip * Subject - `recipient: optional string` Filter by recipient. Matches either an email address or a domain. - `sender: optional string` Filter by sender. Matches either an email address or a domain. - `start: optional string` The beginning of the search date range. Defaults to `now - 30 days` if not provided. - `subject: optional string` Search for messages containing individual keywords in any order within the subject. - `submissions: optional boolean` Search for submissions instead of original messages ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `result: array of object { id, action_log, client_recipients, 28 more }` - `id: string` - `action_log: unknown` - `client_recipients: array of string` - `detection_reasons: array of string` - `is_phish_submission: boolean` - `is_quarantined: boolean` - `postfix_id: string` The identifier of the message. - `properties: object { allowlisted_pattern, allowlisted_pattern_type, blocklisted_message, 2 more }` - `allowlisted_pattern: optional string` - `allowlisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more` - `"quarantine_release"` - `"acceptable_sender"` - `"allowed_sender"` - `"allowed_recipient"` - `"domain_similarity"` - `"domain_recency"` - `"managed_acceptable_sender"` - `"outbound_ndr"` - `blocklisted_message: optional boolean` - `blocklisted_pattern: optional string` - `whitelisted_pattern_type: optional "quarantine_release" or "acceptable_sender" or "allowed_sender" or 5 more` - `"quarantine_release"` - `"acceptable_sender"` - `"allowed_sender"` - `"allowed_recipient"` - `"domain_similarity"` - `"domain_recency"` - `"managed_acceptable_sender"` - `"outbound_ndr"` - `ts: string` Deprecated, use `scanned_at` instead - `alert_id: optional string` - `delivery_mode: optional "DIRECT" or "BCC" or "JOURNAL" or 8 more` - `"DIRECT"` - `"BCC"` - `"JOURNAL"` - `"REVIEW_SUBMISSION"` - `"DMARC_UNVERIFIED"` - `"DMARC_FAILURE_REPORT"` - `"DMARC_AGGREGATE_REPORT"` - `"THREAT_INTEL_SUBMISSION"` - `"SIMULATION_SUBMISSION"` - `"API"` - `"RETRO_SCAN"` - `edf_hash: optional string` - `envelope_from: optional string` - `envelope_to: optional array of string` - `final_disposition: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more` - `"MALICIOUS"` - `"MALICIOUS-BEC"` - `"SUSPICIOUS"` - `"SPOOF"` - `"SPAM"` - `"BULK"` - `"ENCRYPTED"` - `"EXTERNAL"` - `"UNKNOWN"` - `"NONE"` - `findings: optional array of object { attachment, detail, detection, 6 more }` - `attachment: optional string` - `detail: optional string` - `detection: optional "MALICIOUS" or "MALICIOUS-BEC" or "SUSPICIOUS" or 7 more` - `"MALICIOUS"` - `"MALICIOUS-BEC"` - `"SUSPICIOUS"` - `"SPOOF"` - `"SPAM"` - `"BULK"` - `"ENCRYPTED"` - `"EXTERNAL"` - `"UNKNOWN"` - `"NONE"` - `field: optional string` - `name: optional string` - `portion: optional string` - `reason: optional string` - `score: optional number` - `value: optional string` - `from: optional string` - `from_name: optional string` - `htmltext_structure_hash: optional string` - `message_id: optional string` - `post_delivery_operations: optional array of "PREVIEW" or "QUARANTINE_RELEASE" or "SUBMISSION" or "MOVE"` - `"PREVIEW"` - `"QUARANTINE_RELEASE"` - `"SUBMISSION"` - `"MOVE"` - `postfix_id_outbound: optional string` - `replyto: optional string` - `scanned_at: optional string` - `sent_at: optional string` - `sent_date: optional string` Deprecated, use `sent_at` instead - `subject: optional string` - `threat_categories: optional array of string` - `to: optional array of string` - `to_name: optional array of string` - `validation: optional object { comment, dkim, dmarc, spf }` - `comment: optional string` - `dkim: optional "pass" or "neutral" or "fail" or 2 more` - `"pass"` - `"neutral"` - `"fail"` - `"error"` - `"none"` - `dmarc: optional "pass" or "neutral" or "fail" or 2 more` - `"pass"` - `"neutral"` - `"fail"` - `"error"` - `"none"` - `spf: optional "pass" or "neutral" or "fail" or 2 more` - `"pass"` - `"neutral"` - `"fail"` - `"error"` - `"none"` - `result_info: object { count, page, per_page, 3 more }` - `count: number` - `page: number` Deprecated: Returns always 0 - `per_page: number` number of items per page - `total_count: number` Deprecated: Returns always 0 - `next: optional string` - `previous: optional string` - `success: boolean` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/email-security/investigate \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "4Njp3P0STMz2c02Q-2022-12-30T02:44:49-2a539d65", "action_log": [], "client_recipients": [ "email@example.com" ], "detection_reasons": [ "Selector is a source of spam/uce : Smtp-Helo-Server-Ip=127.0.0[dot]186" ], "is_phish_submission": false, "is_quarantined": false, "postfix_id": "47JJcT1w6GztQV7", "properties": { "allowlisted_pattern": "allowlisted_pattern", "allowlisted_pattern_type": "quarantine_release", "blocklisted_message": true, "blocklisted_pattern": "blocklisted_pattern", "whitelisted_pattern_type": "quarantine_release" }, "ts": "2019-11-20T23:22:01", "alert_id": "4Njp3P0STMz2c02Q-2022-12-30T02:44:49", "delivery_mode": "DIRECT", "edf_hash": null, "envelope_from": "d1994@example.com", "envelope_to": [ "email@example.com" ], "final_disposition": "MALICIOUS", "findings": [ { "attachment": "attachment", "detail": "detail", "detection": "MALICIOUS", "field": "field", "name": "name", "portion": "portion", "reason": "reason", "score": 0, "value": "value" } ], "from": "d1994@example.com", "from_name": "Sender Name", "htmltext_structure_hash": null, "message_id": "<4VAZPrAdg7IGNxdt1DWRNu0gvOeL_iZiwP4BQfo4DaE.Yw-woXuugQbeFhBpzwFQtqq_v2v1HOKznoMBqbciQpE@example.com>", "post_delivery_operations": [ "PREVIEW" ], "postfix_id_outbound": null, "replyto": "email@example.com", "scanned_at": "2019-11-20T23:22:01Z", "sent_at": "2019-11-21T00:22:01Z", "sent_date": "2019-11-21T00:22:01", "subject": "listen, I highly recommend u to read that email, just to ensure not a thing will take place", "threat_categories": [ "IPReputation", "ASNReputation" ], "to": [ "email@example.com" ], "to_name": [ "Recipient Name" ], "validation": { "comment": null, "dkim": "pass", "dmarc": "none", "spf": "fail" } } ], "result_info": { "count": 0, "page": 0, "per_page": 0, "total_count": 0, "next": "next", "previous": "previous" }, "success": true } ```