# Investigate ## Search email messages `client.EmailSecurity.Investigate.List(ctx, params) (*V4PagePaginationArray[InvestigateListResponse], error)` **get** `/accounts/{account_id}/email-security/investigate` Returns information for each email that matches the search parameter(s). ### Parameters - `params InvestigateListParams` - `AccountID param.Field[string]` Path param: Identifier. - `ActionLog param.Field[bool]` Query param: Whether to include the message action log in the response. - `AlertID param.Field[string]` Query param - `Cursor param.Field[string]` Query param - `DetectionsOnly param.Field[bool]` Query param: Whether to include only detections in search results. - `Domain param.Field[string]` Query param: Sender domains to filter by. - `End param.Field[Time]` Query param: The end of the search date range. Defaults to `now`. - `FinalDisposition param.Field[InvestigateListParamsFinalDisposition]` Query param: Dispositions to filter by. - `const InvestigateListParamsFinalDispositionMalicious InvestigateListParamsFinalDisposition = "MALICIOUS"` - `const InvestigateListParamsFinalDispositionSuspicious InvestigateListParamsFinalDisposition = "SUSPICIOUS"` - `const InvestigateListParamsFinalDispositionSpoof InvestigateListParamsFinalDisposition = "SPOOF"` - `const InvestigateListParamsFinalDispositionSpam InvestigateListParamsFinalDisposition = "SPAM"` - `const InvestigateListParamsFinalDispositionBulk InvestigateListParamsFinalDisposition = "BULK"` - `const InvestigateListParamsFinalDispositionNone InvestigateListParamsFinalDisposition = "NONE"` - `MessageAction param.Field[InvestigateListParamsMessageAction]` Query param: Message actions to filter by. - `const InvestigateListParamsMessageActionPreview InvestigateListParamsMessageAction = "PREVIEW"` - `const InvestigateListParamsMessageActionQuarantineReleased InvestigateListParamsMessageAction = "QUARANTINE_RELEASED"` - `const InvestigateListParamsMessageActionMoved InvestigateListParamsMessageAction = "MOVED"` - `MessageID param.Field[string]` Query param - `Metric param.Field[string]` Query param - `Page param.Field[int64]` Query param: Deprecated: Use cursor pagination instead. End of life: November 1, 2026. - `PerPage param.Field[int64]` Query param: The number of results per page. Maximum value is 1000. - `Query param.Field[string]` Query param: Space-delimited search term. Case-insensitive. - `Recipient param.Field[string]` Query param - `Sender param.Field[string]` Query param - `Start param.Field[Time]` Query param: The beginning of the search date range. Defaults to `now - 30 days`. - `Subject param.Field[string]` Query param ### Returns - `type InvestigateListResponse struct{…}` - `ID string` Unique identifier for a message retrieved from investigation - `ActionLog []InvestigateListResponseActionLog` Deprecated, use `GET /investigate/{investigate_id}/action_log` instead. End of life: November 1, 2026. - `CompletedAt Time` Timestamp when action completed - `Operation InvestigateListResponseActionLogOperation` Type of action performed - `const InvestigateListResponseActionLogOperationMove InvestigateListResponseActionLogOperation = "MOVE"` - `const InvestigateListResponseActionLogOperationRelease InvestigateListResponseActionLogOperation = "RELEASE"` - `const InvestigateListResponseActionLogOperationReclassify InvestigateListResponseActionLogOperation = "RECLASSIFY"` - `const InvestigateListResponseActionLogOperationSubmission InvestigateListResponseActionLogOperation = "SUBMISSION"` - `const InvestigateListResponseActionLogOperationQuarantineRelease InvestigateListResponseActionLogOperation = "QUARANTINE_RELEASE"` - `const InvestigateListResponseActionLogOperationPreview InvestigateListResponseActionLogOperation = "PREVIEW"` - `CompletedTimestamp string` Deprecated, use `completed_at` instead. End of life: November 1, 2026. - `Properties InvestigateListResponseActionLogProperties` Additional properties for the action - `Folder string` Target folder for move operations - `RequestedBy string` User who requested the action - `Status string` Status of the action - `ClientRecipients []string` - `DetectionReasons []string` - `IsPhishSubmission bool` - `IsQuarantined bool` - `PostfixID string` The identifier of the message - `Properties InvestigateListResponseProperties` Message processing properties - `AllowlistedPattern string` Pattern that allowlisted this message - `AllowlistedPatternType InvestigateListResponsePropertiesAllowlistedPatternType` Type of allowlist pattern - `const InvestigateListResponsePropertiesAllowlistedPatternTypeQuarantineRelease InvestigateListResponsePropertiesAllowlistedPatternType = "quarantine_release"` - `const InvestigateListResponsePropertiesAllowlistedPatternTypeAcceptableSender InvestigateListResponsePropertiesAllowlistedPatternType = "acceptable_sender"` - `const InvestigateListResponsePropertiesAllowlistedPatternTypeAllowedSender InvestigateListResponsePropertiesAllowlistedPatternType = "allowed_sender"` - `const InvestigateListResponsePropertiesAllowlistedPatternTypeAllowedRecipient InvestigateListResponsePropertiesAllowlistedPatternType = "allowed_recipient"` - `const InvestigateListResponsePropertiesAllowlistedPatternTypeDomainSimilarity InvestigateListResponsePropertiesAllowlistedPatternType = "domain_similarity"` - `const InvestigateListResponsePropertiesAllowlistedPatternTypeDomainRecency InvestigateListResponsePropertiesAllowlistedPatternType = "domain_recency"` - `const InvestigateListResponsePropertiesAllowlistedPatternTypeManagedAcceptableSender InvestigateListResponsePropertiesAllowlistedPatternType = "managed_acceptable_sender"` - `const InvestigateListResponsePropertiesAllowlistedPatternTypeOutboundNdr InvestigateListResponsePropertiesAllowlistedPatternType = "outbound_ndr"` - `BlocklistedMessage bool` Whether message was blocklisted - `BlocklistedPattern string` Pattern that blocklisted this message - `WhitelistedPatternType InvestigateListResponsePropertiesWhitelistedPatternType` Legacy field for allowlist pattern type - `const InvestigateListResponsePropertiesWhitelistedPatternTypeQuarantineRelease InvestigateListResponsePropertiesWhitelistedPatternType = "quarantine_release"` - `const InvestigateListResponsePropertiesWhitelistedPatternTypeAcceptableSender InvestigateListResponsePropertiesWhitelistedPatternType = "acceptable_sender"` - `const InvestigateListResponsePropertiesWhitelistedPatternTypeAllowedSender InvestigateListResponsePropertiesWhitelistedPatternType = "allowed_sender"` - `const InvestigateListResponsePropertiesWhitelistedPatternTypeAllowedRecipient InvestigateListResponsePropertiesWhitelistedPatternType = "allowed_recipient"` - `const InvestigateListResponsePropertiesWhitelistedPatternTypeDomainSimilarity InvestigateListResponsePropertiesWhitelistedPatternType = "domain_similarity"` - `const InvestigateListResponsePropertiesWhitelistedPatternTypeDomainRecency InvestigateListResponsePropertiesWhitelistedPatternType = "domain_recency"` - `const InvestigateListResponsePropertiesWhitelistedPatternTypeManagedAcceptableSender InvestigateListResponsePropertiesWhitelistedPatternType = "managed_acceptable_sender"` - `const InvestigateListResponsePropertiesWhitelistedPatternTypeOutboundNdr InvestigateListResponsePropertiesWhitelistedPatternType = "outbound_ndr"` - `Ts string` Deprecated, use `scanned_at` instead. End of life: November 1, 2026. - `AlertID string` - `DeliveryMode InvestigateListResponseDeliveryMode` - `const InvestigateListResponseDeliveryModeDirect InvestigateListResponseDeliveryMode = "DIRECT"` - `const InvestigateListResponseDeliveryModeBcc InvestigateListResponseDeliveryMode = "BCC"` - `const InvestigateListResponseDeliveryModeJournal InvestigateListResponseDeliveryMode = "JOURNAL"` - `const InvestigateListResponseDeliveryModeReviewSubmission InvestigateListResponseDeliveryMode = "REVIEW_SUBMISSION"` - `const InvestigateListResponseDeliveryModeDMARCUnverified InvestigateListResponseDeliveryMode = "DMARC_UNVERIFIED"` - `const InvestigateListResponseDeliveryModeDMARCFailureReport InvestigateListResponseDeliveryMode = "DMARC_FAILURE_REPORT"` - `const InvestigateListResponseDeliveryModeDMARCAggregateReport InvestigateListResponseDeliveryMode = "DMARC_AGGREGATE_REPORT"` - `const InvestigateListResponseDeliveryModeThreatIntelSubmission InvestigateListResponseDeliveryMode = "THREAT_INTEL_SUBMISSION"` - `const InvestigateListResponseDeliveryModeSimulationSubmission InvestigateListResponseDeliveryMode = "SIMULATION_SUBMISSION"` - `const InvestigateListResponseDeliveryModeAPI InvestigateListResponseDeliveryMode = "API"` - `const InvestigateListResponseDeliveryModeRetroScan InvestigateListResponseDeliveryMode = "RETRO_SCAN"` - `DeliveryStatus []InvestigateListResponseDeliveryStatus` - `const InvestigateListResponseDeliveryStatusDelivered InvestigateListResponseDeliveryStatus = "delivered"` - `const InvestigateListResponseDeliveryStatusMoved InvestigateListResponseDeliveryStatus = "moved"` - `const InvestigateListResponseDeliveryStatusQuarantined InvestigateListResponseDeliveryStatus = "quarantined"` - `const InvestigateListResponseDeliveryStatusRejected InvestigateListResponseDeliveryStatus = "rejected"` - `const InvestigateListResponseDeliveryStatusDeferred InvestigateListResponseDeliveryStatus = "deferred"` - `const InvestigateListResponseDeliveryStatusBounced InvestigateListResponseDeliveryStatus = "bounced"` - `const InvestigateListResponseDeliveryStatusQueued InvestigateListResponseDeliveryStatus = "queued"` - `EdfHash string` - `EnvelopeFrom string` - `EnvelopeTo []string` - `FinalDisposition InvestigateListResponseFinalDisposition` - `const InvestigateListResponseFinalDispositionMalicious InvestigateListResponseFinalDisposition = "MALICIOUS"` - `const InvestigateListResponseFinalDispositionMaliciousBec InvestigateListResponseFinalDisposition = "MALICIOUS-BEC"` - `const InvestigateListResponseFinalDispositionSuspicious InvestigateListResponseFinalDisposition = "SUSPICIOUS"` - `const InvestigateListResponseFinalDispositionSpoof InvestigateListResponseFinalDisposition = "SPOOF"` - `const InvestigateListResponseFinalDispositionSpam InvestigateListResponseFinalDisposition = "SPAM"` - `const InvestigateListResponseFinalDispositionBulk InvestigateListResponseFinalDisposition = "BULK"` - `const InvestigateListResponseFinalDispositionEncrypted InvestigateListResponseFinalDisposition = "ENCRYPTED"` - `const InvestigateListResponseFinalDispositionExternal InvestigateListResponseFinalDisposition = "EXTERNAL"` - `const InvestigateListResponseFinalDispositionUnknown InvestigateListResponseFinalDisposition = "UNKNOWN"` - `const InvestigateListResponseFinalDispositionNone InvestigateListResponseFinalDisposition = "NONE"` - `Findings []InvestigateListResponseFinding` Deprecated, use the `findings` field from `GET /investigate/{investigate_id}/detections` instead. End of life: November 1, 2026. Detection findings for this message. - `Attachment string` - `Detail string` - `Detection InvestigateListResponseFindingsDetection` - `const InvestigateListResponseFindingsDetectionMalicious InvestigateListResponseFindingsDetection = "MALICIOUS"` - `const InvestigateListResponseFindingsDetectionMaliciousBec InvestigateListResponseFindingsDetection = "MALICIOUS-BEC"` - `const InvestigateListResponseFindingsDetectionSuspicious InvestigateListResponseFindingsDetection = "SUSPICIOUS"` - `const InvestigateListResponseFindingsDetectionSpoof InvestigateListResponseFindingsDetection = "SPOOF"` - `const InvestigateListResponseFindingsDetectionSpam InvestigateListResponseFindingsDetection = "SPAM"` - `const InvestigateListResponseFindingsDetectionBulk InvestigateListResponseFindingsDetection = "BULK"` - `const InvestigateListResponseFindingsDetectionEncrypted InvestigateListResponseFindingsDetection = "ENCRYPTED"` - `const InvestigateListResponseFindingsDetectionExternal InvestigateListResponseFindingsDetection = "EXTERNAL"` - `const InvestigateListResponseFindingsDetectionUnknown InvestigateListResponseFindingsDetection = "UNKNOWN"` - `const InvestigateListResponseFindingsDetectionNone InvestigateListResponseFindingsDetection = "NONE"` - `Field string` - `Name string` - `Portion string` - `Reason string` - `Score float64` - `Value string` - `From string` - `FromName string` - `HtmltextStructureHash string` - `MessageID string` - `PostDeliveryOperations []InvestigateListResponsePostDeliveryOperation` Post-delivery operations performed on this message - `const InvestigateListResponsePostDeliveryOperationPreview InvestigateListResponsePostDeliveryOperation = "PREVIEW"` - `const InvestigateListResponsePostDeliveryOperationQuarantineRelease InvestigateListResponsePostDeliveryOperation = "QUARANTINE_RELEASE"` - `const InvestigateListResponsePostDeliveryOperationSubmission InvestigateListResponsePostDeliveryOperation = "SUBMISSION"` - `const InvestigateListResponsePostDeliveryOperationMove InvestigateListResponsePostDeliveryOperation = "MOVE"` - `PostfixIDOutbound string` - `Replyto string` - `ScannedAt Time` When the message was scanned (UTC) - `SentAt Time` When the message was sent (UTC) - `SentDate string` - `Subject string` - `ThreatCategories []string` - `To []string` - `ToName []string` - `Validation InvestigateListResponseValidation` - `Comment string` - `DKIM InvestigateListResponseValidationDKIM` - `const InvestigateListResponseValidationDKIMPass InvestigateListResponseValidationDKIM = "pass"` - `const InvestigateListResponseValidationDKIMNeutral InvestigateListResponseValidationDKIM = "neutral"` - `const InvestigateListResponseValidationDKIMFail InvestigateListResponseValidationDKIM = "fail"` - `const InvestigateListResponseValidationDKIMError InvestigateListResponseValidationDKIM = "error"` - `const InvestigateListResponseValidationDKIMNone InvestigateListResponseValidationDKIM = "none"` - `DMARC InvestigateListResponseValidationDMARC` - `const InvestigateListResponseValidationDMARCPass InvestigateListResponseValidationDMARC = "pass"` - `const InvestigateListResponseValidationDMARCNeutral InvestigateListResponseValidationDMARC = "neutral"` - `const InvestigateListResponseValidationDMARCFail InvestigateListResponseValidationDMARC = "fail"` - `const InvestigateListResponseValidationDMARCError InvestigateListResponseValidationDMARC = "error"` - `const InvestigateListResponseValidationDMARCNone InvestigateListResponseValidationDMARC = "none"` - `SPF InvestigateListResponseValidationSPF` - `const InvestigateListResponseValidationSPFPass InvestigateListResponseValidationSPF = "pass"` - `const InvestigateListResponseValidationSPFNeutral InvestigateListResponseValidationSPF = "neutral"` - `const InvestigateListResponseValidationSPFFail InvestigateListResponseValidationSPF = "fail"` - `const InvestigateListResponseValidationSPFError InvestigateListResponseValidationSPF = "error"` - `const InvestigateListResponseValidationSPFNone InvestigateListResponseValidationSPF = "none"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.EmailSecurity.Investigate.List(context.TODO(), email_security.InvestigateListParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", "action_log": [ { "completed_at": "2019-12-27T18:11:19.117Z", "operation": "MOVE", "completed_timestamp": "completed_timestamp", "properties": { "folder": "folder", "requested_by": "requested_by" }, "status": "status" } ], "client_recipients": [ "string" ], "detection_reasons": [ "string" ], "is_phish_submission": true, "is_quarantined": true, "postfix_id": "4Njp3P0STMz2c02Q", "properties": { "allowlisted_pattern": "allowlisted_pattern", "allowlisted_pattern_type": "quarantine_release", "blocklisted_message": true, "blocklisted_pattern": "blocklisted_pattern", "whitelisted_pattern_type": "quarantine_release" }, "ts": "ts", "alert_id": "alert_id", "delivery_mode": "DIRECT", "delivery_status": [ "delivered" ], "edf_hash": "edf_hash", "envelope_from": "envelope_from", "envelope_to": [ "string" ], "final_disposition": "MALICIOUS", "findings": [ { "attachment": "attachment", "detail": "detail", "detection": "MALICIOUS", "field": "field", "name": "name", "portion": "portion", "reason": "reason", "score": 0, "value": "value" } ], "from": "from", "from_name": "from_name", "htmltext_structure_hash": "htmltext_structure_hash", "message_id": "message_id", "post_delivery_operations": [ "PREVIEW" ], "postfix_id_outbound": "postfix_id_outbound", "replyto": "replyto", "scanned_at": "2019-12-27T18:11:19.117Z", "sent_at": "2019-12-27T18:11:19.117Z", "sent_date": "sent_date", "subject": "subject", "threat_categories": [ "string" ], "to": [ "string" ], "to_name": [ "string" ], "validation": { "comment": "comment", "dkim": "pass", "dmarc": "pass", "spf": "pass" } } ], "result_info": { "count": 0, "per_page": 0, "total_count": 0, "next": "next", "page": 0, "previous": "previous" }, "success": true } ``` ## Get message details `client.EmailSecurity.Investigate.Get(ctx, investigateID, params) (*InvestigateGetResponse, error)` **get** `/accounts/{account_id}/email-security/investigate/{investigate_id}` Retrieves comprehensive details for a specific email message including headers, recipients, sender information, and current quarantine status. Use the investigate_id from search results to fetch detailed information. ### Parameters - `investigateID string` Unique identifier for a message retrieved from investigation - `params InvestigateGetParams` - `AccountID param.Field[string]` Path param: Identifier. - `Submission param.Field[bool]` Query param: When true, search the submissions datastore only. When false or omitted, search the regular datastore only. ### Returns - `type InvestigateGetResponse struct{…}` - `ID string` Unique identifier for a message retrieved from investigation - `ActionLog []InvestigateGetResponseActionLog` Deprecated, use `GET /investigate/{investigate_id}/action_log` instead. End of life: November 1, 2026. - `CompletedAt Time` Timestamp when action completed - `Operation InvestigateGetResponseActionLogOperation` Type of action performed - `const InvestigateGetResponseActionLogOperationMove InvestigateGetResponseActionLogOperation = "MOVE"` - `const InvestigateGetResponseActionLogOperationRelease InvestigateGetResponseActionLogOperation = "RELEASE"` - `const InvestigateGetResponseActionLogOperationReclassify InvestigateGetResponseActionLogOperation = "RECLASSIFY"` - `const InvestigateGetResponseActionLogOperationSubmission InvestigateGetResponseActionLogOperation = "SUBMISSION"` - `const InvestigateGetResponseActionLogOperationQuarantineRelease InvestigateGetResponseActionLogOperation = "QUARANTINE_RELEASE"` - `const InvestigateGetResponseActionLogOperationPreview InvestigateGetResponseActionLogOperation = "PREVIEW"` - `CompletedTimestamp string` Deprecated, use `completed_at` instead. End of life: November 1, 2026. - `Properties InvestigateGetResponseActionLogProperties` Additional properties for the action - `Folder string` Target folder for move operations - `RequestedBy string` User who requested the action - `Status string` Status of the action - `ClientRecipients []string` - `DetectionReasons []string` - `IsPhishSubmission bool` - `IsQuarantined bool` - `PostfixID string` The identifier of the message - `Properties InvestigateGetResponseProperties` Message processing properties - `AllowlistedPattern string` Pattern that allowlisted this message - `AllowlistedPatternType InvestigateGetResponsePropertiesAllowlistedPatternType` Type of allowlist pattern - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeQuarantineRelease InvestigateGetResponsePropertiesAllowlistedPatternType = "quarantine_release"` - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeAcceptableSender InvestigateGetResponsePropertiesAllowlistedPatternType = "acceptable_sender"` - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeAllowedSender InvestigateGetResponsePropertiesAllowlistedPatternType = "allowed_sender"` - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeAllowedRecipient InvestigateGetResponsePropertiesAllowlistedPatternType = "allowed_recipient"` - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeDomainSimilarity InvestigateGetResponsePropertiesAllowlistedPatternType = "domain_similarity"` - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeDomainRecency InvestigateGetResponsePropertiesAllowlistedPatternType = "domain_recency"` - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeManagedAcceptableSender InvestigateGetResponsePropertiesAllowlistedPatternType = "managed_acceptable_sender"` - `const InvestigateGetResponsePropertiesAllowlistedPatternTypeOutboundNdr InvestigateGetResponsePropertiesAllowlistedPatternType = "outbound_ndr"` - `BlocklistedMessage bool` Whether message was blocklisted - `BlocklistedPattern string` Pattern that blocklisted this message - `WhitelistedPatternType InvestigateGetResponsePropertiesWhitelistedPatternType` Legacy field for allowlist pattern type - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeQuarantineRelease InvestigateGetResponsePropertiesWhitelistedPatternType = "quarantine_release"` - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeAcceptableSender InvestigateGetResponsePropertiesWhitelistedPatternType = "acceptable_sender"` - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeAllowedSender InvestigateGetResponsePropertiesWhitelistedPatternType = "allowed_sender"` - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeAllowedRecipient InvestigateGetResponsePropertiesWhitelistedPatternType = "allowed_recipient"` - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeDomainSimilarity InvestigateGetResponsePropertiesWhitelistedPatternType = "domain_similarity"` - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeDomainRecency InvestigateGetResponsePropertiesWhitelistedPatternType = "domain_recency"` - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeManagedAcceptableSender InvestigateGetResponsePropertiesWhitelistedPatternType = "managed_acceptable_sender"` - `const InvestigateGetResponsePropertiesWhitelistedPatternTypeOutboundNdr InvestigateGetResponsePropertiesWhitelistedPatternType = "outbound_ndr"` - `Ts string` Deprecated, use `scanned_at` instead. End of life: November 1, 2026. - `AlertID string` - `DeliveryMode InvestigateGetResponseDeliveryMode` - `const InvestigateGetResponseDeliveryModeDirect InvestigateGetResponseDeliveryMode = "DIRECT"` - `const InvestigateGetResponseDeliveryModeBcc InvestigateGetResponseDeliveryMode = "BCC"` - `const InvestigateGetResponseDeliveryModeJournal InvestigateGetResponseDeliveryMode = "JOURNAL"` - `const InvestigateGetResponseDeliveryModeReviewSubmission InvestigateGetResponseDeliveryMode = "REVIEW_SUBMISSION"` - `const InvestigateGetResponseDeliveryModeDMARCUnverified InvestigateGetResponseDeliveryMode = "DMARC_UNVERIFIED"` - `const InvestigateGetResponseDeliveryModeDMARCFailureReport InvestigateGetResponseDeliveryMode = "DMARC_FAILURE_REPORT"` - `const InvestigateGetResponseDeliveryModeDMARCAggregateReport InvestigateGetResponseDeliveryMode = "DMARC_AGGREGATE_REPORT"` - `const InvestigateGetResponseDeliveryModeThreatIntelSubmission InvestigateGetResponseDeliveryMode = "THREAT_INTEL_SUBMISSION"` - `const InvestigateGetResponseDeliveryModeSimulationSubmission InvestigateGetResponseDeliveryMode = "SIMULATION_SUBMISSION"` - `const InvestigateGetResponseDeliveryModeAPI InvestigateGetResponseDeliveryMode = "API"` - `const InvestigateGetResponseDeliveryModeRetroScan InvestigateGetResponseDeliveryMode = "RETRO_SCAN"` - `DeliveryStatus []InvestigateGetResponseDeliveryStatus` - `const InvestigateGetResponseDeliveryStatusDelivered InvestigateGetResponseDeliveryStatus = "delivered"` - `const InvestigateGetResponseDeliveryStatusMoved InvestigateGetResponseDeliveryStatus = "moved"` - `const InvestigateGetResponseDeliveryStatusQuarantined InvestigateGetResponseDeliveryStatus = "quarantined"` - `const InvestigateGetResponseDeliveryStatusRejected InvestigateGetResponseDeliveryStatus = "rejected"` - `const InvestigateGetResponseDeliveryStatusDeferred InvestigateGetResponseDeliveryStatus = "deferred"` - `const InvestigateGetResponseDeliveryStatusBounced InvestigateGetResponseDeliveryStatus = "bounced"` - `const InvestigateGetResponseDeliveryStatusQueued InvestigateGetResponseDeliveryStatus = "queued"` - `EdfHash string` - `EnvelopeFrom string` - `EnvelopeTo []string` - `FinalDisposition InvestigateGetResponseFinalDisposition` - `const InvestigateGetResponseFinalDispositionMalicious InvestigateGetResponseFinalDisposition = "MALICIOUS"` - `const InvestigateGetResponseFinalDispositionMaliciousBec InvestigateGetResponseFinalDisposition = "MALICIOUS-BEC"` - `const InvestigateGetResponseFinalDispositionSuspicious InvestigateGetResponseFinalDisposition = "SUSPICIOUS"` - `const InvestigateGetResponseFinalDispositionSpoof InvestigateGetResponseFinalDisposition = "SPOOF"` - `const InvestigateGetResponseFinalDispositionSpam InvestigateGetResponseFinalDisposition = "SPAM"` - `const InvestigateGetResponseFinalDispositionBulk InvestigateGetResponseFinalDisposition = "BULK"` - `const InvestigateGetResponseFinalDispositionEncrypted InvestigateGetResponseFinalDisposition = "ENCRYPTED"` - `const InvestigateGetResponseFinalDispositionExternal InvestigateGetResponseFinalDisposition = "EXTERNAL"` - `const InvestigateGetResponseFinalDispositionUnknown InvestigateGetResponseFinalDisposition = "UNKNOWN"` - `const InvestigateGetResponseFinalDispositionNone InvestigateGetResponseFinalDisposition = "NONE"` - `Findings []InvestigateGetResponseFinding` Deprecated, use the `findings` field from `GET /investigate/{investigate_id}/detections` instead. End of life: November 1, 2026. Detection findings for this message. - `Attachment string` - `Detail string` - `Detection InvestigateGetResponseFindingsDetection` - `const InvestigateGetResponseFindingsDetectionMalicious InvestigateGetResponseFindingsDetection = "MALICIOUS"` - `const InvestigateGetResponseFindingsDetectionMaliciousBec InvestigateGetResponseFindingsDetection = "MALICIOUS-BEC"` - `const InvestigateGetResponseFindingsDetectionSuspicious InvestigateGetResponseFindingsDetection = "SUSPICIOUS"` - `const InvestigateGetResponseFindingsDetectionSpoof InvestigateGetResponseFindingsDetection = "SPOOF"` - `const InvestigateGetResponseFindingsDetectionSpam InvestigateGetResponseFindingsDetection = "SPAM"` - `const InvestigateGetResponseFindingsDetectionBulk InvestigateGetResponseFindingsDetection = "BULK"` - `const InvestigateGetResponseFindingsDetectionEncrypted InvestigateGetResponseFindingsDetection = "ENCRYPTED"` - `const InvestigateGetResponseFindingsDetectionExternal InvestigateGetResponseFindingsDetection = "EXTERNAL"` - `const InvestigateGetResponseFindingsDetectionUnknown InvestigateGetResponseFindingsDetection = "UNKNOWN"` - `const InvestigateGetResponseFindingsDetectionNone InvestigateGetResponseFindingsDetection = "NONE"` - `Field string` - `Name string` - `Portion string` - `Reason string` - `Score float64` - `Value string` - `From string` - `FromName string` - `HtmltextStructureHash string` - `MessageID string` - `PostDeliveryOperations []InvestigateGetResponsePostDeliveryOperation` Post-delivery operations performed on this message - `const InvestigateGetResponsePostDeliveryOperationPreview InvestigateGetResponsePostDeliveryOperation = "PREVIEW"` - `const InvestigateGetResponsePostDeliveryOperationQuarantineRelease InvestigateGetResponsePostDeliveryOperation = "QUARANTINE_RELEASE"` - `const InvestigateGetResponsePostDeliveryOperationSubmission InvestigateGetResponsePostDeliveryOperation = "SUBMISSION"` - `const InvestigateGetResponsePostDeliveryOperationMove InvestigateGetResponsePostDeliveryOperation = "MOVE"` - `PostfixIDOutbound string` - `Replyto string` - `ScannedAt Time` When the message was scanned (UTC) - `SentAt Time` When the message was sent (UTC) - `SentDate string` - `Subject string` - `ThreatCategories []string` - `To []string` - `ToName []string` - `Validation InvestigateGetResponseValidation` - `Comment string` - `DKIM InvestigateGetResponseValidationDKIM` - `const InvestigateGetResponseValidationDKIMPass InvestigateGetResponseValidationDKIM = "pass"` - `const InvestigateGetResponseValidationDKIMNeutral InvestigateGetResponseValidationDKIM = "neutral"` - `const InvestigateGetResponseValidationDKIMFail InvestigateGetResponseValidationDKIM = "fail"` - `const InvestigateGetResponseValidationDKIMError InvestigateGetResponseValidationDKIM = "error"` - `const InvestigateGetResponseValidationDKIMNone InvestigateGetResponseValidationDKIM = "none"` - `DMARC InvestigateGetResponseValidationDMARC` - `const InvestigateGetResponseValidationDMARCPass InvestigateGetResponseValidationDMARC = "pass"` - `const InvestigateGetResponseValidationDMARCNeutral InvestigateGetResponseValidationDMARC = "neutral"` - `const InvestigateGetResponseValidationDMARCFail InvestigateGetResponseValidationDMARC = "fail"` - `const InvestigateGetResponseValidationDMARCError InvestigateGetResponseValidationDMARC = "error"` - `const InvestigateGetResponseValidationDMARCNone InvestigateGetResponseValidationDMARC = "none"` - `SPF InvestigateGetResponseValidationSPF` - `const InvestigateGetResponseValidationSPFPass InvestigateGetResponseValidationSPF = "pass"` - `const InvestigateGetResponseValidationSPFNeutral InvestigateGetResponseValidationSPF = "neutral"` - `const InvestigateGetResponseValidationSPFFail InvestigateGetResponseValidationSPF = "fail"` - `const InvestigateGetResponseValidationSPFError InvestigateGetResponseValidationSPF = "error"` - `const InvestigateGetResponseValidationSPFNone InvestigateGetResponseValidationSPF = "none"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) investigate, err := client.EmailSecurity.Investigate.Get( context.TODO(), "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", email_security.InvestigateGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", investigate.ID) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", "action_log": [ { "completed_at": "2019-12-27T18:11:19.117Z", "operation": "MOVE", "completed_timestamp": "completed_timestamp", "properties": { "folder": "folder", "requested_by": "requested_by" }, "status": "status" } ], "client_recipients": [ "string" ], "detection_reasons": [ "string" ], "is_phish_submission": true, "is_quarantined": true, "postfix_id": "4Njp3P0STMz2c02Q", "properties": { "allowlisted_pattern": "allowlisted_pattern", "allowlisted_pattern_type": "quarantine_release", "blocklisted_message": true, "blocklisted_pattern": "blocklisted_pattern", "whitelisted_pattern_type": "quarantine_release" }, "ts": "ts", "alert_id": "alert_id", "delivery_mode": "DIRECT", "delivery_status": [ "delivered" ], "edf_hash": "edf_hash", "envelope_from": "envelope_from", "envelope_to": [ "string" ], "final_disposition": "MALICIOUS", "findings": [ { "attachment": "attachment", "detail": "detail", "detection": "MALICIOUS", "field": "field", "name": "name", "portion": "portion", "reason": "reason", "score": 0, "value": "value" } ], "from": "from", "from_name": "from_name", "htmltext_structure_hash": "htmltext_structure_hash", "message_id": "message_id", "post_delivery_operations": [ "PREVIEW" ], "postfix_id_outbound": "postfix_id_outbound", "replyto": "replyto", "scanned_at": "2019-12-27T18:11:19.117Z", "sent_at": "2019-12-27T18:11:19.117Z", "sent_date": "sent_date", "subject": "subject", "threat_categories": [ "string" ], "to": [ "string" ], "to_name": [ "string" ], "validation": { "comment": "comment", "dkim": "pass", "dmarc": "pass", "spf": "pass" } }, "success": true } ``` # Detections ## Get message detection details `client.EmailSecurity.Investigate.Detections.Get(ctx, investigateID, query) (*InvestigateDetectionGetResponse, error)` **get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/detections` Returns detection details such as threat categories and sender information for non-benign messages. ### Parameters - `investigateID string` Unique identifier for a message retrieved from investigation - `query InvestigateDetectionGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type InvestigateDetectionGetResponse struct{…}` - `Action string` - `Attachments []InvestigateDetectionGetResponseAttachment` - `Size int64` Size of the attachment in bytes - `ContentType string` MIME type of the attachment - `Detection InvestigateDetectionGetResponseAttachmentsDetection` Detection result for this attachment - `const InvestigateDetectionGetResponseAttachmentsDetectionMalicious InvestigateDetectionGetResponseAttachmentsDetection = "MALICIOUS"` - `const InvestigateDetectionGetResponseAttachmentsDetectionMaliciousBec InvestigateDetectionGetResponseAttachmentsDetection = "MALICIOUS-BEC"` - `const InvestigateDetectionGetResponseAttachmentsDetectionSuspicious InvestigateDetectionGetResponseAttachmentsDetection = "SUSPICIOUS"` - `const InvestigateDetectionGetResponseAttachmentsDetectionSpoof InvestigateDetectionGetResponseAttachmentsDetection = "SPOOF"` - `const InvestigateDetectionGetResponseAttachmentsDetectionSpam InvestigateDetectionGetResponseAttachmentsDetection = "SPAM"` - `const InvestigateDetectionGetResponseAttachmentsDetectionBulk InvestigateDetectionGetResponseAttachmentsDetection = "BULK"` - `const InvestigateDetectionGetResponseAttachmentsDetectionEncrypted InvestigateDetectionGetResponseAttachmentsDetection = "ENCRYPTED"` - `const InvestigateDetectionGetResponseAttachmentsDetectionExternal InvestigateDetectionGetResponseAttachmentsDetection = "EXTERNAL"` - `const InvestigateDetectionGetResponseAttachmentsDetectionUnknown InvestigateDetectionGetResponseAttachmentsDetection = "UNKNOWN"` - `const InvestigateDetectionGetResponseAttachmentsDetectionNone InvestigateDetectionGetResponseAttachmentsDetection = "NONE"` - `Encrypted bool` Whether the attachment is encrypted - `Filename string` Name of the attached file - `Md5 string` MD5 hash of the attachment - `Name string` Attachment name (alternative to filename) - `Sha1 string` SHA1 hash of the attachment - `Sha256 string` SHA256 hash of the attachment - `Findings []InvestigateDetectionGetResponseFinding` - `Attachment string` - `Detail string` - `Detection InvestigateDetectionGetResponseFindingsDetection` - `const InvestigateDetectionGetResponseFindingsDetectionMalicious InvestigateDetectionGetResponseFindingsDetection = "MALICIOUS"` - `const InvestigateDetectionGetResponseFindingsDetectionMaliciousBec InvestigateDetectionGetResponseFindingsDetection = "MALICIOUS-BEC"` - `const InvestigateDetectionGetResponseFindingsDetectionSuspicious InvestigateDetectionGetResponseFindingsDetection = "SUSPICIOUS"` - `const InvestigateDetectionGetResponseFindingsDetectionSpoof InvestigateDetectionGetResponseFindingsDetection = "SPOOF"` - `const InvestigateDetectionGetResponseFindingsDetectionSpam InvestigateDetectionGetResponseFindingsDetection = "SPAM"` - `const InvestigateDetectionGetResponseFindingsDetectionBulk InvestigateDetectionGetResponseFindingsDetection = "BULK"` - `const InvestigateDetectionGetResponseFindingsDetectionEncrypted InvestigateDetectionGetResponseFindingsDetection = "ENCRYPTED"` - `const InvestigateDetectionGetResponseFindingsDetectionExternal InvestigateDetectionGetResponseFindingsDetection = "EXTERNAL"` - `const InvestigateDetectionGetResponseFindingsDetectionUnknown InvestigateDetectionGetResponseFindingsDetection = "UNKNOWN"` - `const InvestigateDetectionGetResponseFindingsDetectionNone InvestigateDetectionGetResponseFindingsDetection = "NONE"` - `Field string` - `Name string` - `Portion string` - `Reason string` - `Score float64` - `Value string` - `Headers []InvestigateDetectionGetResponseHeader` - `Name string` - `Value string` - `Links []InvestigateDetectionGetResponseLink` - `Href string` - `Text string` - `SenderInfo InvestigateDetectionGetResponseSenderInfo` - `AsName string` The name of the autonomous system. - `AsNumber int64` The number of the autonomous system. - `Geo string` - `IP string` - `Pld string` - `ThreatCategories []InvestigateDetectionGetResponseThreatCategory` - `ID int64` - `Description string` - `Name string` - `Validation InvestigateDetectionGetResponseValidation` - `Comment string` - `DKIM InvestigateDetectionGetResponseValidationDKIM` - `const InvestigateDetectionGetResponseValidationDKIMPass InvestigateDetectionGetResponseValidationDKIM = "pass"` - `const InvestigateDetectionGetResponseValidationDKIMNeutral InvestigateDetectionGetResponseValidationDKIM = "neutral"` - `const InvestigateDetectionGetResponseValidationDKIMFail InvestigateDetectionGetResponseValidationDKIM = "fail"` - `const InvestigateDetectionGetResponseValidationDKIMError InvestigateDetectionGetResponseValidationDKIM = "error"` - `const InvestigateDetectionGetResponseValidationDKIMNone InvestigateDetectionGetResponseValidationDKIM = "none"` - `DMARC InvestigateDetectionGetResponseValidationDMARC` - `const InvestigateDetectionGetResponseValidationDMARCPass InvestigateDetectionGetResponseValidationDMARC = "pass"` - `const InvestigateDetectionGetResponseValidationDMARCNeutral InvestigateDetectionGetResponseValidationDMARC = "neutral"` - `const InvestigateDetectionGetResponseValidationDMARCFail InvestigateDetectionGetResponseValidationDMARC = "fail"` - `const InvestigateDetectionGetResponseValidationDMARCError InvestigateDetectionGetResponseValidationDMARC = "error"` - `const InvestigateDetectionGetResponseValidationDMARCNone InvestigateDetectionGetResponseValidationDMARC = "none"` - `SPF InvestigateDetectionGetResponseValidationSPF` - `const InvestigateDetectionGetResponseValidationSPFPass InvestigateDetectionGetResponseValidationSPF = "pass"` - `const InvestigateDetectionGetResponseValidationSPFNeutral InvestigateDetectionGetResponseValidationSPF = "neutral"` - `const InvestigateDetectionGetResponseValidationSPFFail InvestigateDetectionGetResponseValidationSPF = "fail"` - `const InvestigateDetectionGetResponseValidationSPFError InvestigateDetectionGetResponseValidationSPF = "error"` - `const InvestigateDetectionGetResponseValidationSPFNone InvestigateDetectionGetResponseValidationSPF = "none"` - `FinalDisposition InvestigateDetectionGetResponseFinalDisposition` - `const InvestigateDetectionGetResponseFinalDispositionMalicious InvestigateDetectionGetResponseFinalDisposition = "MALICIOUS"` - `const InvestigateDetectionGetResponseFinalDispositionMaliciousBec InvestigateDetectionGetResponseFinalDisposition = "MALICIOUS-BEC"` - `const InvestigateDetectionGetResponseFinalDispositionSuspicious InvestigateDetectionGetResponseFinalDisposition = "SUSPICIOUS"` - `const InvestigateDetectionGetResponseFinalDispositionSpoof InvestigateDetectionGetResponseFinalDisposition = "SPOOF"` - `const InvestigateDetectionGetResponseFinalDispositionSpam InvestigateDetectionGetResponseFinalDisposition = "SPAM"` - `const InvestigateDetectionGetResponseFinalDispositionBulk InvestigateDetectionGetResponseFinalDisposition = "BULK"` - `const InvestigateDetectionGetResponseFinalDispositionEncrypted InvestigateDetectionGetResponseFinalDisposition = "ENCRYPTED"` - `const InvestigateDetectionGetResponseFinalDispositionExternal InvestigateDetectionGetResponseFinalDisposition = "EXTERNAL"` - `const InvestigateDetectionGetResponseFinalDispositionUnknown InvestigateDetectionGetResponseFinalDisposition = "UNKNOWN"` - `const InvestigateDetectionGetResponseFinalDispositionNone InvestigateDetectionGetResponseFinalDisposition = "NONE"` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) detection, err := client.EmailSecurity.Investigate.Detections.Get( context.TODO(), "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", email_security.InvestigateDetectionGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", detection.Validation) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "action": "action", "attachments": [ { "size": 0, "content_type": "content_type", "detection": "MALICIOUS", "encrypted": true, "filename": "filename", "md5": "md5", "name": "name", "sha1": "sha1", "sha256": "sha256" } ], "findings": [ { "attachment": "attachment", "detail": "detail", "detection": "MALICIOUS", "field": "field", "name": "name", "portion": "portion", "reason": "reason", "score": 0, "value": "value" } ], "headers": [ { "name": "name", "value": "value" } ], "links": [ { "href": "href", "text": "text" } ], "sender_info": { "as_name": "as_name", "as_number": 0, "geo": "geo", "ip": "ip", "pld": "pld" }, "threat_categories": [ { "id": 0, "description": "description", "name": "name" } ], "validation": { "comment": "comment", "dkim": "pass", "dmarc": "pass", "spf": "pass" }, "final_disposition": "MALICIOUS" }, "success": true } ``` # Preview ## Get email preview `client.EmailSecurity.Investigate.Preview.Get(ctx, investigateID, query) (*InvestigatePreviewGetResponse, error)` **get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/preview` Returns a preview of the message body as a base64 encoded PNG image for non-benign messages. ### Parameters - `investigateID string` Unique identifier for a message retrieved from investigation - `query InvestigatePreviewGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type InvestigatePreviewGetResponse struct{…}` - `Screenshot string` A base64 encoded PNG image of the email. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) preview, err := client.EmailSecurity.Investigate.Preview.Get( context.TODO(), "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", email_security.InvestigatePreviewGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", preview.Screenshot) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "screenshot": "screenshot" }, "success": true } ``` ## Preview for non-detection messages `client.EmailSecurity.Investigate.Preview.New(ctx, params) (*InvestigatePreviewNewResponse, error)` **post** `/accounts/{account_id}/email-security/investigate/preview` Generates a preview image for a message that was not flagged as a detection. Useful for investigating benign messages. Returns a base64-encoded PNG screenshot of the email body. ### Parameters - `params InvestigatePreviewNewParams` - `AccountID param.Field[string]` Path param: Identifier. - `PostfixID param.Field[string]` Body param: The identifier of the message ### Returns - `type InvestigatePreviewNewResponse struct{…}` - `Screenshot string` A base64 encoded PNG image of the email. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) preview, err := client.EmailSecurity.Investigate.Preview.New(context.TODO(), email_security.InvestigatePreviewNewParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), PostfixID: cloudflare.F("4Njp3P0STMz2c02Q"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", preview.Screenshot) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "screenshot": "screenshot" }, "success": true } ``` # Raw ## Get raw email content `client.EmailSecurity.Investigate.Raw.Get(ctx, investigateID, query) (*InvestigateRawGetResponse, error)` **get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/raw` Returns the raw eml of any non-benign message. ### Parameters - `investigateID string` Unique identifier for a message retrieved from investigation - `query InvestigateRawGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type InvestigateRawGetResponse struct{…}` - `Raw string` A UTF-8 encoded eml file of the email. ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) raw, err := client.EmailSecurity.Investigate.Raw.Get( context.TODO(), "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", email_security.InvestigateRawGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", raw.Raw) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "raw": "raw" }, "success": true } ``` # Trace ## Get email trace `client.EmailSecurity.Investigate.Trace.Get(ctx, investigateID, query) (*InvestigateTraceGetResponse, error)` **get** `/accounts/{account_id}/email-security/investigate/{investigate_id}/trace` Retrieves delivery and processing trace information for an email message. Shows the delivery path, retraction history, and move operations performed on the message. Useful for debugging delivery issues. ### Parameters - `investigateID string` Unique identifier for a message retrieved from investigation - `query InvestigateTraceGetParams` - `AccountID param.Field[string]` Identifier. ### Returns - `type InvestigateTraceGetResponse struct{…}` - `Inbound InvestigateTraceGetResponseInbound` - `Lines []InvestigateTraceGetResponseInboundLine` - `Lineno int64` Line number in the trace log - `LoggedAt Time` - `Message string` - `Ts string` Deprecated, use `logged_at` instead. End of life: November 1, 2026. - `Pending bool` - `Outbound InvestigateTraceGetResponseOutbound` - `Lines []InvestigateTraceGetResponseOutboundLine` - `Lineno int64` Line number in the trace log - `LoggedAt Time` - `Message string` - `Ts string` Deprecated, use `logged_at` instead. End of life: November 1, 2026. - `Pending bool` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) trace, err := client.EmailSecurity.Investigate.Trace.Get( context.TODO(), "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", email_security.InvestigateTraceGetParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", trace.Inbound) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "inbound": { "lines": [ { "lineno": 0, "logged_at": "2019-12-27T18:11:19.117Z", "message": "message", "ts": "ts" } ], "pending": true }, "outbound": { "lines": [ { "lineno": 0, "logged_at": "2019-12-27T18:11:19.117Z", "message": "message", "ts": "ts" } ], "pending": true } }, "success": true } ``` # Move ## Move a message `client.EmailSecurity.Investigate.Move.New(ctx, investigateID, params) (*SinglePage[InvestigateMoveNewResponse], error)` **post** `/accounts/{account_id}/email-security/investigate/{investigate_id}/move` Moves a single message to a specified mailbox folder (Inbox, JunkEmail, DeletedItems, RecoverableItemsDeletions, or RecoverableItemsPurges). Requires active integration. ### Parameters - `investigateID string` Unique identifier for a message retrieved from investigation - `params InvestigateMoveNewParams` - `AccountID param.Field[string]` Path param: Identifier. - `Destination param.Field[InvestigateMoveNewParamsDestination]` Body param - `const InvestigateMoveNewParamsDestinationInbox InvestigateMoveNewParamsDestination = "Inbox"` - `const InvestigateMoveNewParamsDestinationJunkEmail InvestigateMoveNewParamsDestination = "JunkEmail"` - `const InvestigateMoveNewParamsDestinationDeletedItems InvestigateMoveNewParamsDestination = "DeletedItems"` - `const InvestigateMoveNewParamsDestinationRecoverableItemsDeletions InvestigateMoveNewParamsDestination = "RecoverableItemsDeletions"` - `const InvestigateMoveNewParamsDestinationRecoverableItemsPurges InvestigateMoveNewParamsDestination = "RecoverableItemsPurges"` ### Returns - `type InvestigateMoveNewResponse struct{…}` - `Success bool` Whether the operation succeeded - `CompletedAt Time` When the move operation completed (UTC) - `CompletedTimestamp Time` Deprecated, use `completed_at` instead. End of life: November 1, 2026. - `Destination string` Destination folder for the message - `ItemCount int64` Number of items moved. End of life: November 1, 2026. - `MessageID string` Message identifier - `Operation string` Type of operation performed - `Recipient string` Recipient email address - `Status string` Operation status ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.EmailSecurity.Investigate.Move.New( context.TODO(), "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", email_security.InvestigateMoveNewParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), Destination: cloudflare.F(email_security.InvestigateMoveNewParamsDestinationInbox), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "success": true, "completed_at": "2019-12-27T18:11:19.117Z", "completed_timestamp": "2019-12-27T18:11:19.117Z", "destination": "destination", "item_count": 0, "message_id": "message_id", "operation": "operation", "recipient": "recipient", "status": "status" } ], "success": true } ``` ## Move multiple messages `client.EmailSecurity.Investigate.Move.Bulk(ctx, params) (*SinglePage[InvestigateMoveBulkResponse], error)` **post** `/accounts/{account_id}/email-security/investigate/move` Moves multiple messages to a specified mailbox folder (Inbox, JunkEmail, DeletedItems, RecoverableItemsDeletions, or RecoverableItemsPurges). Requires active integration. ### Parameters - `params InvestigateMoveBulkParams` - `AccountID param.Field[string]` Path param: Identifier. - `Destination param.Field[InvestigateMoveBulkParamsDestination]` Body param - `const InvestigateMoveBulkParamsDestinationInbox InvestigateMoveBulkParamsDestination = "Inbox"` - `const InvestigateMoveBulkParamsDestinationJunkEmail InvestigateMoveBulkParamsDestination = "JunkEmail"` - `const InvestigateMoveBulkParamsDestinationDeletedItems InvestigateMoveBulkParamsDestination = "DeletedItems"` - `const InvestigateMoveBulkParamsDestinationRecoverableItemsDeletions InvestigateMoveBulkParamsDestination = "RecoverableItemsDeletions"` - `const InvestigateMoveBulkParamsDestinationRecoverableItemsPurges InvestigateMoveBulkParamsDestination = "RecoverableItemsPurges"` - `IDs param.Field[[]string]` Body param: List of message IDs to move - `PostfixIDs param.Field[[]string]` Body param: Deprecated, use `ids` instead. End of life: November 1, 2026. List of message IDs to move. ### Returns - `type InvestigateMoveBulkResponse struct{…}` - `Success bool` Whether the operation succeeded - `CompletedAt Time` When the move operation completed (UTC) - `CompletedTimestamp Time` Deprecated, use `completed_at` instead. End of life: November 1, 2026. - `Destination string` Destination folder for the message - `ItemCount int64` Number of items moved. End of life: November 1, 2026. - `MessageID string` Message identifier - `Operation string` Type of operation performed - `Recipient string` Recipient email address - `Status string` Operation status ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.EmailSecurity.Investigate.Move.Bulk(context.TODO(), email_security.InvestigateMoveBulkParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), Destination: cloudflare.F(email_security.InvestigateMoveBulkParamsDestinationInbox), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "success": true, "completed_at": "2019-12-27T18:11:19.117Z", "completed_timestamp": "2019-12-27T18:11:19.117Z", "destination": "destination", "item_count": 0, "message_id": "message_id", "operation": "operation", "recipient": "recipient", "status": "status" } ], "success": true } ``` # Reclassify ## Change email classification `client.EmailSecurity.Investigate.Reclassify.New(ctx, investigateID, params) (*InvestigateReclassifyNewResponse, error)` **post** `/accounts/{account_id}/email-security/investigate/{investigate_id}/reclassify` Submits a request to reclassify an email's disposition. Use for reporting false positives or false negatives. Optionally provide the raw EML content for reanalysis. The reclassification is processed asynchronously. ### Parameters - `investigateID string` Unique identifier for a message retrieved from investigation - `params InvestigateReclassifyNewParams` - `AccountID param.Field[string]` Path param: Identifier. - `ExpectedDisposition param.Field[InvestigateReclassifyNewParamsExpectedDisposition]` Body param - `const InvestigateReclassifyNewParamsExpectedDispositionNone InvestigateReclassifyNewParamsExpectedDisposition = "NONE"` - `const InvestigateReclassifyNewParamsExpectedDispositionBulk InvestigateReclassifyNewParamsExpectedDisposition = "BULK"` - `const InvestigateReclassifyNewParamsExpectedDispositionMalicious InvestigateReclassifyNewParamsExpectedDisposition = "MALICIOUS"` - `const InvestigateReclassifyNewParamsExpectedDispositionSpam InvestigateReclassifyNewParamsExpectedDisposition = "SPAM"` - `const InvestigateReclassifyNewParamsExpectedDispositionSpoof InvestigateReclassifyNewParamsExpectedDisposition = "SPOOF"` - `const InvestigateReclassifyNewParamsExpectedDispositionSuspicious InvestigateReclassifyNewParamsExpectedDisposition = "SUSPICIOUS"` - `EmlContent param.Field[string]` Body param: Base64 encoded content of the EML file. - `EscalatedSubmissionID param.Field[string]` Body param ### Returns - `type InvestigateReclassifyNewResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) reclassify, err := client.EmailSecurity.Investigate.Reclassify.New( context.TODO(), "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", email_security.InvestigateReclassifyNewParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), ExpectedDisposition: cloudflare.F(email_security.InvestigateReclassifyNewParamsExpectedDispositionNone), }, ) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", reclassify) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": {}, "success": true } ``` # Release ## Release messages from quarantine `client.EmailSecurity.Investigate.Release.Bulk(ctx, params) (*SinglePage[InvestigateReleaseBulkResponse], error)` **post** `/accounts/{account_id}/email-security/investigate/release` Releases one or more quarantined messages, delivering them to the intended recipients. Use when a message was incorrectly quarantined. Returns delivery status for each recipient. ### Parameters - `params InvestigateReleaseBulkParams` - `AccountID param.Field[string]` Path param: Identifier. - `Body param.Field[[]string]` Body param ### Returns - `type InvestigateReleaseBulkResponse struct{…}` - `ID string` Unique identifier for a message retrieved from investigation - `Delivered []string` - `Failed []string` - `PostfixID string` Deprecated, use `id` instead. End of life: November 1, 2026. - `Undelivered []string` ### Example ```go package main import ( "context" "fmt" "github.com/cloudflare/cloudflare-go" "github.com/cloudflare/cloudflare-go/email_security" "github.com/cloudflare/cloudflare-go/option" ) func main() { client := cloudflare.NewClient( option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"), ) page, err := client.EmailSecurity.Investigate.Release.Bulk(context.TODO(), email_security.InvestigateReleaseBulkParams{ AccountID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"), Body: []string{"4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678"}, }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", page) } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", "delivered": [ "string" ], "failed": [ "string" ], "postfix_id": "4Njp3P0STMz2c02Q", "undelivered": [ "string" ] } ], "success": true } ```