Search email
With Email Security, you can use different screen criteria to search through your email, reclassify and move a certain volume of messages, find similar emails, and export messages.
Email Security allows you to use popular, regular, and advanced screening criteria to search through your inbox. Advanced screening will give you the most in-depth investigation of your inbox.
To screen through your email traffic:
- Log in to Zero Trust ↗.
- Select Email Security.
- Select Investigation, then Run new screen.
- Choose between Popular, Regular, and Advanced screen methods. Refer to the explanation below to learn what each method does.
The results will be displayed on a table. The table allows you to review and take action on the messages that match your chosen screening criteria.
A popular screen allows you to view messages based on common pre-defined criteria.
To use a popular screen criteria:
- Under Method, select Popular screens.
- Select one of the following criteria:
- Moved emails: View emails automatically or manually moved within the last seven days.
- Reclassified emails: Emails that had their disposition reclassified within the last seven days.
- Malicious emails: Emails assigned the malicious disposition within the last seven days.
- Spoof emails: Emails assigned the spoof disposition within the last seven days.
- Suspicious emails: Emails assigned the suspicious disposition within the last seven days.
- Spam emails: Emails assigned to the spam disposition within the last seven days.
 
- Select Run screen.
To modify your screening criteria, under Active screen criteria, select Modify.
A regular screen allows you to investigate your inbox by inserting a term to screen across all criteria.
To use a regular screen criteria:
- Under Method, select Regular screen.
- Select a Date range.
- Enter a keyword.
- Select Run screen.
To include all emails as part of the search, enable Include all mail.
To modify your screening criteria, under Active screen criteria, select Modify.
To reset your screening criteria, select Reset.
The advanced screen criteria gives you the option to narrow message results based on specific criteria. The advanced screen has several options (such as keywords, subject keywords, sender domain, and more) to scan your inbox.
To use advanced screen criteria:
- Under Method, select Advanced screen.
- (Required) Select a date range.
- (Optional) Fill in the other fields. All fields, except for Subject, must be filled with one value only.
- Select Run screen.
To include all emails as part of the search, enable Include all mail.
To modify your screening criteria, under Active screen criteria, select Modify.
To reset your screening criteria, select Reset.
Reclassifying messages allows you to choose the disposition of your messages if the disposition is incorrect.
To reclassify a message:
- In Zero Trust ↗, go to Email Security and select Investigation.
- On the Investigation page, under Your matching messages, select the message you want to reclassify.
- Select the three dots, then select Request reclassification.
- Under New disposition, select among the following:
- Malicious: Traffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns.
- Spoof: Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies (SPF, DKIM, DMARC) or has mismatching Envelope From and Header Fromvalues.
- Spam: Traffic associated with non-malicious, commercial campaigns.
- Bulk: Traffic associated with Graymail ↗, that falls in between the definitions of SPAMandSUSPICIOUS. For example, a marketing email that intentionally obscures its unsubscribe link.
- Clean: Traffic not associated with any phishing campaigns.
 
- Select Save.
To reclassify messages in bulk, select Select all messages > Action > Request reclassification.
To release messages in bulk, select Select all messages > Action > Release.
Email Security classifies certain emails as "Clean". If you disagree with the disposition, you can upload an EML file and reclassify the email.
On the Investigation page:
- Go to the email marked as Clean.
- Select the three dots > Request reclassification.
- Upload the EML file.
- Select a new disposition.
- Select Save.
Once you have reclassified your messages, you can access those on Reclassifications.
To view reclassifications:
- Log in to Zero Trust ↗.
- Select Email Security > Reclassifications.
- Choose Team submissions to view emails your security team submitted for reclassification, or User submissions to view emails your users submitted for reclassification.
Team submissions are the emails your security team submitted for reclassification. All team submissions receive a human review by Cloudflare.
Select among the following filters:
- Date Range: You can select a date range from the last 7, last 30, and last 90 days.
- Original disposition: Select among the available values.
- Submitted as: Select among the available values.
- Final disposition: Select among the available values.
- Escalation: Filter by team submissions that have been escalated or not. Select among Yes,No, orAll.
Once you have selected all the filters, select Apply filters.
The dashboard will populate the table with the list of emails your security team submitted for reclassification, including a Submission ID, and the Email subject.
To gain more details on a specific reclassification:
- Go to the reclassification you want to have more details for.
- Select the three dots > select among View more, View email message and View similar details.
User submissions are the emails your users submitted for reclassification. User submissions help enhance our detection model, but can be escalated for human review.
Any email that is reported as phish will be displayed under User submissions.
Select among the following filters:
- Date Range: Select a date range from the last 7, last 30, and last 90 days.
- Original disposition: Select among the available values.
- Submitted as: Select among the available values.
Once you have selected all the filters, select Apply filters.
The dashboard will populate the table with the list of emails your users submitted for reclassification, including a Submission ID, and the Email subject.
To gain more details on a specific reclassification:
- Go to the reclassification you want to have more details for.
- Select the three dots > select among View more, View email message, View similar details, and Escalate.
To escalate a reclassification:
- Go to the reclassification you want to escalate.
- Select the three dots > select Escalate.
- The dashboard will display a message to authorize escalation. Select Escalate.
A submission is invalid when:
- A submission has no EML file attached.
- A submission has been made with an incorrect file extension.
- A submission was made to the wrong team or user alias.
To ensure your submission is valid:
- Ensure your submission has a file attached with a .emlfile extension.
- Ensure you configure the domain you are submitting emails for.
- Ensure policies are configured correctly.
To view invalid submissions:
- Log in to Zero Trust ↗.
- Select Email Security > Reclassifications.
- Select Invalid submissions.
You can search by submission ID or submitted email.
You can filter based on Date Range and Submitted by (which will list emails that made the invalid submissions). Once you have configured your desired filters, select Apply filters.
Moving messages allows you to move messages to a specific folder. You can move up to 1,000 messages at a time.
To move messages:
- In Zero Trust ↗, go to Email Security, and select Investigation.
- On the Investigation page, select all the messages you want to move.
- Select the Action dropdown, then select Move.
- Select among one of the following folders:
- Inbox: Move messages to the primary email folder.
- Junk email: Move messages to the junk or spam folder.
- Trash: Move messages to the trash or deleted items email folder.
- Soft delete (user recoverable): Move messages to the user's Deleted Items folder. This option is for Microsoft 365 only.
- Hard delete (admin recoverable): Delete messages from a user's inbox.
 
- Select Save.
To move messages in bulk, select Select all messages > Action > Move.
Each detection has an Email Detection Fingerprint (EDF) hash that Email Security sends to the Search API to retrieve similar detections.
To find similar detection results:
- In Zero Trust ↗, go to Email Security, and select Investigation.
- On the Investigation page, under Your matching messages, search for the Similar emails column.
- Select the number of similar emails. Selecting the number will show you a list of similar emails.
With Email Security, you can export messages to a CSV file.
To export messages:
- In Zero Trust ↗, go to Email Security, and select Investigation.
- On the Investigation page, under Your matching messages, select Export to CSV.
- Select Export messages on the pop-up message. You can export up to 500 messages from the dashboard. To export up to 1,000 matching messages, use the API.
To export messages in bulk, select Select all messages > Export to CSV.
Email Security allows you to review the status and actions of each email.
To view status and actions for each email:
- In Zero Trust ↗, go to Email Security, and select Investigation.
- On the Investigation page, select the three dots.
- Selecting the three dots will show you the following options:
- If the email is quarantined:
- View details: Refer to Email details to learn more.
- View similar emails: Find similar emails based on the value_edf_hash(Electronic Detection Fingerprint hash).
- Release: Email Security will no longer quarantine your chosen messages.
- Request reclassification: Choose the dispositions of your messages if they are incorrect. Refer to Reclassify messages to learn more.
 
 
- If the email is quarantined:
- If the email is not quarantined:
- View details.
- View similar emails.
- View submission detail.
- Move (only available if you authorized moves).
- Request reclassification.
 
Email Security shows you the following email detail information:
- Details
- Action log
- Raw message
- Mail trace
Email Security displays the following details:
- Threat type: Threat type of the email, for example, credential harvester, and IP-based spam.
- Validation: Email validation methods SPF ↗, DKIM ↗, DMARC ↗. The dashboard will display Pass if SPF, DKIM and DMARC checks have passed.
- Sender details: Information include:
- IP address
- Registered domain
- Autonomous sys number: This number identifies your autonomous system (AS) ↗.
- Autonomous sys name: This name identifies your autonomous system (AS).
- Country
 
- Links identified: A list of malicious links identified by Email Security. Refer to Open links to open links in Security Center, Browser Isolation or an external tool of your choice.
- Attachments: If an email has an attachment, the Cloudflare dashboard will display the filename, and the disposition assigned. You can open attachments in Browser Isolation. Only PDF files are currently supported.
- Reasons for disposition: Description of why the email was deemed as malicious, suspicious, or spam.
You can open links in Security Center or Browser Isolation, or copy and paste the link so you can investigate content in external tools.
To open links in Security Center:
- In Zero Trust ↗, go to Email Security > Investigation.
- Locate the message you want to open links for, select the three dots, then select View details.
- Under Details, go to Links identified.
- Locate the link you want to open, and select Open in Security Center.
- You will be redirected to Investigate in the Cloudflare dashboard.
- Select Scan now.
- The dashboard will generate a report for your link.
To open links in Browser Isolation:
- In Zero Trust ↗, go to Email Security > Investigation.
- Locate the message you want to open links for, select the three dots, then select View details.
- Under Details, go to Links identified.
- Locate the link you want to open, and select Open in Browser Isolation.
- The link will open in a separate window where you will be able to browse the content securely.
Alternatively, you can directly open links in Browser Isolation.
To open and investigate a link in an external tool:
- In Zero Trust ↗, go to Email Security > Investigation.
- Locate the message you want to open links for, select the three dots, then select View details.
- Under Details, go to Links identified.
- Locate the link you want to open, and select Copy URL.
- Paste the link in your external tool.
Action log allows you to review post-delivery actions performed on your selected message. The action log displays:
- Date: Date when the post-delivery action was performed.
- Activity: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.
Raw message allows you to view the raw details of the message. You can also choose to download the email message. To download the message, select Download .EML.
Mail trace allows you to track the path your selected message took from the sender to the recipient. Mail trace displays:
- Date: The date and time when the mail was tracked.
- Type: An email can be inbound (email sent to you from another email), or outbound (emails sent from your email address).
- Activity: The activity taken on an email. For example, moving the email to the trash folder, releasing a quarantined email, and more.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-