## Search email messages `client.emailSecurity.investigate.list(InvestigateListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/accounts/{account_id}/email-security/investigate` Returns information for each email that matches the search parameter(s). ### Parameters - `params: InvestigateListParams` - `account_id: string` Path param: Identifier. - `action_log?: boolean` Query param: Whether to include the message action log in the response. - `alert_id?: string` Query param - `cursor?: string` Query param - `detections_only?: boolean` Query param: Whether to include only detections in search results. - `domain?: string` Query param: Sender domains to filter by. - `end?: string` Query param: The end of the search date range. Defaults to `now`. - `final_disposition?: "MALICIOUS" | "SUSPICIOUS" | "SPOOF" | 3 more` Query param: Dispositions to filter by. - `"MALICIOUS"` - `"SUSPICIOUS"` - `"SPOOF"` - `"SPAM"` - `"BULK"` - `"NONE"` - `message_action?: "PREVIEW" | "QUARANTINE_RELEASED" | "MOVED"` Query param: Message actions to filter by. - `"PREVIEW"` - `"QUARANTINE_RELEASED"` - `"MOVED"` - `message_id?: string` Query param - `metric?: string` Query param - `page?: number | null` Query param: Deprecated: Use cursor pagination instead. End of life: November 1, 2026. - `per_page?: number` Query param: The number of results per page. Maximum value is 1000. - `query?: string` Query param: Space-delimited search term. Case-insensitive. - `recipient?: string` Query param - `sender?: string` Query param - `start?: string` Query param: The beginning of the search date range. Defaults to `now - 30 days`. - `subject?: string` Query param ### Returns - `InvestigateListResponse` - `id: string` Unique identifier for a message retrieved from investigation - `action_log: Array` Deprecated, use `GET /investigate/{investigate_id}/action_log` instead. End of life: November 1, 2026. - `completed_at: string` Timestamp when action completed - `operation: "MOVE" | "RELEASE" | "RECLASSIFY" | 3 more` Type of action performed - `"MOVE"` - `"RELEASE"` - `"RECLASSIFY"` - `"SUBMISSION"` - `"QUARANTINE_RELEASE"` - `"PREVIEW"` - `completed_timestamp?: string` Deprecated, use `completed_at` instead. End of life: November 1, 2026. - `properties?: Properties` Additional properties for the action - `folder?: string` Target folder for move operations - `requested_by?: string` User who requested the action - `status?: string | null` Status of the action - `client_recipients: Array` - `detection_reasons: Array` - `is_phish_submission: boolean` - `is_quarantined: boolean` - `postfix_id: string` The identifier of the message - `properties: Properties` Message processing properties - `allowlisted_pattern?: string | null` Pattern that allowlisted this message - `allowlisted_pattern_type?: "quarantine_release" | "acceptable_sender" | "allowed_sender" | 5 more | null` Type of allowlist pattern - `"quarantine_release"` - `"acceptable_sender"` - `"allowed_sender"` - `"allowed_recipient"` - `"domain_similarity"` - `"domain_recency"` - `"managed_acceptable_sender"` - `"outbound_ndr"` - `blocklisted_message?: boolean | null` Whether message was blocklisted - `blocklisted_pattern?: string | null` Pattern that blocklisted this message - `whitelisted_pattern_type?: "quarantine_release" | "acceptable_sender" | "allowed_sender" | 5 more | null` Legacy field for allowlist pattern type - `"quarantine_release"` - `"acceptable_sender"` - `"allowed_sender"` - `"allowed_recipient"` - `"domain_similarity"` - `"domain_recency"` - `"managed_acceptable_sender"` - `"outbound_ndr"` - `ts: string` Deprecated, use `scanned_at` instead. End of life: November 1, 2026. - `alert_id?: string | null` - `delivery_mode?: "DIRECT" | "BCC" | "JOURNAL" | 8 more` - `"DIRECT"` - `"BCC"` - `"JOURNAL"` - `"REVIEW_SUBMISSION"` - `"DMARC_UNVERIFIED"` - `"DMARC_FAILURE_REPORT"` - `"DMARC_AGGREGATE_REPORT"` - `"THREAT_INTEL_SUBMISSION"` - `"SIMULATION_SUBMISSION"` - `"API"` - `"RETRO_SCAN"` - `delivery_status?: Array<"delivered" | "moved" | "quarantined" | 4 more> | null` - `"delivered"` - `"moved"` - `"quarantined"` - `"rejected"` - `"deferred"` - `"bounced"` - `"queued"` - `edf_hash?: string | null` - `envelope_from?: string | null` - `envelope_to?: Array | null` - `final_disposition?: "MALICIOUS" | "MALICIOUS-BEC" | "SUSPICIOUS" | 7 more` - `"MALICIOUS"` - `"MALICIOUS-BEC"` - `"SUSPICIOUS"` - `"SPOOF"` - `"SPAM"` - `"BULK"` - `"ENCRYPTED"` - `"EXTERNAL"` - `"UNKNOWN"` - `"NONE"` - `findings?: Array | null` Deprecated, use the `findings` field from `GET /investigate/{investigate_id}/detections` instead. End of life: November 1, 2026. Detection findings for this message. - `attachment?: string | null` - `detail?: string | null` - `detection?: "MALICIOUS" | "MALICIOUS-BEC" | "SUSPICIOUS" | 7 more` - `"MALICIOUS"` - `"MALICIOUS-BEC"` - `"SUSPICIOUS"` - `"SPOOF"` - `"SPAM"` - `"BULK"` - `"ENCRYPTED"` - `"EXTERNAL"` - `"UNKNOWN"` - `"NONE"` - `field?: string | null` - `name?: string | null` - `portion?: string | null` - `reason?: string | null` - `score?: number | null` - `value?: string | null` - `from?: string | null` - `from_name?: string | null` - `htmltext_structure_hash?: string | null` - `message_id?: string | null` - `post_delivery_operations?: Array<"PREVIEW" | "QUARANTINE_RELEASE" | "SUBMISSION" | "MOVE"> | null` Post-delivery operations performed on this message - `"PREVIEW"` - `"QUARANTINE_RELEASE"` - `"SUBMISSION"` - `"MOVE"` - `postfix_id_outbound?: string | null` - `replyto?: string | null` - `scanned_at?: string | null` When the message was scanned (UTC) - `sent_at?: string | null` When the message was sent (UTC) - `sent_date?: string | null` - `subject?: string | null` - `threat_categories?: Array | null` - `to?: Array | null` - `to_name?: Array | null` - `validation?: Validation` - `comment?: string | null` - `dkim?: "pass" | "neutral" | "fail" | 2 more` - `"pass"` - `"neutral"` - `"fail"` - `"error"` - `"none"` - `dmarc?: "pass" | "neutral" | "fail" | 2 more` - `"pass"` - `"neutral"` - `"fail"` - `"error"` - `"none"` - `spf?: "pass" | "neutral" | "fail" | 2 more` - `"pass"` - `"neutral"` - `"fail"` - `"error"` - `"none"` ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const investigateListResponse of client.emailSecurity.investigate.list({ account_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(investigateListResponse.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "4Njp3P0STMz2c02Q-2024-01-05T10:00:00-12345678", "action_log": [ { "completed_at": "2019-12-27T18:11:19.117Z", "operation": "MOVE", "completed_timestamp": "completed_timestamp", "properties": { "folder": "folder", "requested_by": "requested_by" }, "status": "status" } ], "client_recipients": [ "string" ], "detection_reasons": [ "string" ], "is_phish_submission": true, "is_quarantined": true, "postfix_id": "4Njp3P0STMz2c02Q", "properties": { "allowlisted_pattern": "allowlisted_pattern", "allowlisted_pattern_type": "quarantine_release", "blocklisted_message": true, "blocklisted_pattern": "blocklisted_pattern", "whitelisted_pattern_type": "quarantine_release" }, "ts": "ts", "alert_id": "alert_id", "delivery_mode": "DIRECT", "delivery_status": [ "delivered" ], "edf_hash": "edf_hash", "envelope_from": "envelope_from", "envelope_to": [ "string" ], "final_disposition": "MALICIOUS", "findings": [ { "attachment": "attachment", "detail": "detail", "detection": "MALICIOUS", "field": "field", "name": "name", "portion": "portion", "reason": "reason", "score": 0, "value": "value" } ], "from": "from", "from_name": "from_name", "htmltext_structure_hash": "htmltext_structure_hash", "message_id": "message_id", "post_delivery_operations": [ "PREVIEW" ], "postfix_id_outbound": "postfix_id_outbound", "replyto": "replyto", "scanned_at": "2019-12-27T18:11:19.117Z", "sent_at": "2019-12-27T18:11:19.117Z", "sent_date": "sent_date", "subject": "subject", "threat_categories": [ "string" ], "to": [ "string" ], "to_name": [ "string" ], "validation": { "comment": "comment", "dkim": "pass", "dmarc": "pass", "spf": "pass" } } ], "result_info": { "count": 0, "per_page": 0, "total_count": 0, "next": "next", "page": 0, "previous": "previous" }, "success": true } ```