[{"data":1,"prerenderedAt":12},["ShallowReactive",2],{"$fjHWwtlWvbModB7ie9ZsVgbgI7nIMd4M3hYxKXR8ilYY":3},{"title":4,"slug":5,"excerpt":6,"category":7,"order":8,"screens":9,"html":11},"What's in your webhook payload","webhook-payload-reference","Complete reference of every field in your EmailConnect webhook payload, including enrichment features by plan","configuration",4,[10],"webhooks","\u003Cp>Every email that arrives at your alias is transformed into structured JSON and delivered to your webhook endpoint. This reference covers every field you can expect, including the enrichment features available on each plan.\u003C\u002Fp>\n\u003Ch2>Full payload example\u003C\u002Fh2>\n\u003Cp>Below is a complete payload with all fields present. Your actual payload will vary depending on the email content and your plan. The payload has five top-level sections: \u003Ccode>spam\u003C\u002Fcode>, \u003Ccode>message\u003C\u002Fcode>, \u003Ccode>integrity\u003C\u002Fcode>, \u003Ccode>classification\u003C\u002Fcode>, and \u003Ccode>security\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-json\">{\n  "domainId": "cm1a2b3c4d5e6f7g8h9i0j1k2",\n  "aliasId": "cm9z8y7x6w5v4u3t2s1r0q9p8",\n  "spam": {\n    "score": -0.99,\n    "action": "default",\n    "engine": "rspamd",\n    "isSpam": false,\n    "report": "default: False [-0.99 \u002F 0.00]; DMARC_POLICY_ALLOW(-0.50)[example.com,none]; R_DKIM_ALLOW(-0.20)[example.com:s=selector1]; R_SPF_ALLOW(-0.20)[+ip4:198.51.100.0\u002F24]; ...",\n    "symbols": [\n      {\n        "name": "DMARC_POLICY_ALLOW",\n        "weight": -0.5,\n        "description": "example.com,none"\n      },\n      {\n        "name": "R_DKIM_ALLOW",\n        "weight": -0.2,\n        "description": "example.com:s=selector1"\n      },\n      {\n        "name": "R_SPF_ALLOW",\n        "weight": -0.2,\n        "description": "+ip4:198.51.100.0\u002F24"\n      }\n    ],\n    "threshold": 0,\n    "authentication": {\n      "spf": { "result": "pass" },\n      "dkim": { "result": "pass" },\n      "dmarc": { "result": "pass" }\n    }\n  },\n  "message": {\n    "date": "2026-02-12T10:30:00.000Z",\n    "sender": {\n      "name": "Alice Martin",\n      "email": "alice@example.com"\n    },\n    "content": {\n      "text": "Hi team,\\n\\nPlease find invoice #2026-0042 attached.\\n\\nBest,\\nAlice",\n      "html": "<p>Hi team,<\u002Fp><p>Please find invoice #2026-0042 attached.<\u002Fp><p>Best,<br>Alice<\u002Fp>",\n      "links": [\n        {\n          "url": "https:\u002F\u002Fbilling.example.com\u002Finv\u002F2026-0042",\n          "text": "View it online"\n        }\n      ],\n      "markdown": "Hi team,\\n\\nPlease find invoice #2026-0042 attached.\\n\\n[View it online](https:\u002F\u002Fbilling.example.com\u002Finv\u002F2026-0042)\\n\\nBest,\\nAlice"\n    },\n    "subject": "Invoice #2026-0042 attached",\n    "recipient": {\n      "name": null,\n      "email": "invoices@yourdomain.com"\n    },\n    "attachments": [\n      {\n        "filename": "invoice-2026-0042.pdf",\n        "contentType": "application\u002Fpdf",\n        "size": 245680,\n        "content": "JVBERi0xLjQK...",\n        "virusScan": {\n          "status": "clean"\n        }\n      }\n    ]\n  },\n  "integrity": {\n    "contentHash": "a3f2b8c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1",\n    "rawEmailHash": "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e"\n  },\n  "classification": {\n    "type": "normal",\n    "signals": ["has_attachment", "single_recipient"],\n    "confidence": "definite"\n  },\n  "security": {\n    "virusScan": {\n      "scanned": true,\n      "engine": "clamav",\n      "engineVersion": "1.5.1",\n      "definitionsUpdated": "2026-02-12T06:00:00.000Z",\n      "attachmentsScanned": 1,\n      "attachmentsSkipped": 0,\n      "threatsFound": 0\n    }\n  }\n}\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch2>Routing metadata\u003C\u002Fh2>\n\u003Cp>Every payload includes two top-level identifiers so you can correlate deliveries back to specific resources in your account:\u003C\u002Fp>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>domainId\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>The ID of the domain that received the email\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>aliasId\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>The ID of the alias that matched the recipient\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Cp>These are useful when you have multiple aliases pointing to the same webhook endpoint and need to distinguish which one triggered the delivery.\u003C\u002Fp>\n\u003Ch2>Field reference by section\u003C\u002Fh2>\n\u003Ch3>Message\u003C\u002Fh3>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>message.date\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string (ISO 8601)\u003C\u002Ftd>\n\u003Ctd>When the email was sent\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.sender.name\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Sender display name\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.sender.email\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Sender email address\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.recipient.name\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string | null\u003C\u002Ftd>\n\u003Ctd>Recipient display name (the alias that received the email)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.recipient.email\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Recipient email address (the alias address)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.subject\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Email subject line\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Ch3>Content\u003C\u002Fh3>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Plan\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>message.content.text\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>All\u003C\u002Ftd>\n\u003Ctd>Plain text body\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.content.html\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>All\u003C\u002Ftd>\n\u003Ctd>HTML body\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.content.markdown\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Maker+\u003C\u002Ftd>\n\u003Ctd>HTML body converted to clean Markdown\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.content.links\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>array\u003C\u002Ftd>\n\u003Ctd>All\u003C\u002Ftd>\n\u003Ctd>URLs extracted from the email body, each with \u003Ccode>url\u003C\u002Fcode> and \u003Ccode>text\u003C\u002Fcode>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Cp>\u003Cstrong>Markdown\u003C\u002Fstrong> is generated server-side from the HTML body. It's useful for LLM pipelines, content extraction, and readable logging without needing an HTML parser.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Links\u003C\u002Fstrong> are extracted from both HTML and plain text bodies. Each entry includes the \u003Ccode>url\u003C\u002Fcode> and the link \u003Ccode>text\u003C\u002Fcode> (anchor text from HTML, or the URL itself for plain text links).\u003C\u002Fp>\n\u003Ch3>Attachments\u003C\u002Fh3>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].filename\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Original filename\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].contentType\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>MIME type\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].size\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>number\u003C\u002Ftd>\n\u003Ctd>Size in bytes\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].content\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Base64-encoded content (inline delivery)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].url\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>S3 download URL (offloaded delivery, Maker+)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].status\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Upload status: \u003Ccode>pending\u003C\u002Fcode>, \u003Ccode>uploading\u003C\u002Fcode>, \u003Ccode>completed\u003C\u002Fcode>, \u003Ccode>failed\u003C\u002Fcode>, or \u003Ccode>expired\u003C\u002Fcode>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].uploadType\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>\u003Ccode>sync\u003C\u002Fcode> (immediate) or \u003Ccode>async\u003C\u002Fcode> (queued for large files)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].virusScan.status\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Scan result: \u003Ccode>clean\u003C\u002Fcode> or \u003Ccode>infected\u003C\u002Fcode> (Business+)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].virusScan.threat\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Threat name if infected (e.g. \u003Ccode>Eicar-Test-Signature\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].virusScan.duration\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>number\u003C\u002Ftd>\n\u003Ctd>Scan duration in milliseconds\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].excluded\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>boolean\u003C\u002Ftd>\n\u003Ctd>\u003Ccode>true\u003C\u002Fcode> if attachment was excluded from delivery\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>message.attachments[].excludeReason\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Reason for exclusion (e.g. \u003Ccode>virus-detected\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Cp>Small files are uploaded synchronously (≤ 2MB for text\u002Fimages\u002Fdocs, ≤ 1MB for archives\u002Fmedia) — the download URL is immediately usable with \u003Ccode>status: "completed"\u003C\u002Fcode>. Larger files are uploaded asynchronously via a queue with \u003Ccode>status: "pending"\u003C\u002Fcode>. Poll \u003Ccode>GET \u002Fattachments\u002F:fileId\u002Fdownload\u003C\u002Fcode> (returns 202 with \u003Ccode>retryAfter: 5\u003C\u002Fcode> until ready, then 200 with presigned URL) or the lighter \u003Ccode>GET \u002Fattachments\u002F:fileId\u002Fstatus\u003C\u002Fcode> for metadata only. See \u003Ca href=\"\u002Fhelp\u002Fattachment-processing\u002F\">Attachment processing\u003C\u002Fa> for details.\u003C\u002Fp>\n\u003Ch3>Spam analysis\u003C\u002Fh3>\n\u003Cp>Available on \u003Cstrong>Maker+\u003C\u002Fstrong> plans. Powered by rspamd.\u003C\u002Fp>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>spam.score\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>number\u003C\u002Ftd>\n\u003Ctd>rspamd composite score (negative = cleaner, higher = more suspicious)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.isSpam\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>boolean\u003C\u002Ftd>\n\u003Ctd>Verdict based on the configured threshold\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.action\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Recommended action (\u003Ccode>default\u003C\u002Fcode>, \u003Ccode>greylist\u003C\u002Fcode>, \u003Ccode>add header\u003C\u002Fcode>, \u003Ccode>reject\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.engine\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Spam engine used (currently \u003Ccode>rspamd\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.symbols\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>array\u003C\u002Ftd>\n\u003Ctd>rspamd rules that matched, each with \u003Ccode>name\u003C\u002Fcode> (string), \u003Ccode>weight\u003C\u002Fcode> (number), and \u003Ccode>description\u003C\u002Fcode> (string)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.threshold\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>number\u003C\u002Ftd>\n\u003Ctd>Score threshold used for the spam verdict\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.report\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Full rspamd text report for debugging\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.authentication.spf\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>object\u003C\u002Ftd>\n\u003Ctd>SPF result (\u003Ccode>pass\u003C\u002Fcode>, \u003Ccode>fail\u003C\u002Fcode>, \u003Ccode>softfail\u003C\u002Fcode>, \u003Ccode>none\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.authentication.dkim\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>object\u003C\u002Ftd>\n\u003Ctd>DKIM result (\u003Ccode>pass\u003C\u002Fcode>, \u003Ccode>fail\u003C\u002Fcode>, \u003Ccode>none\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>spam.authentication.dmarc\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>object\u003C\u002Ftd>\n\u003Ctd>DMARC result (\u003Ccode>pass\u003C\u002Fcode>, \u003Ccode>fail\u003C\u002Fcode>, \u003Ccode>none\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Ch3>Classification\u003C\u002Fh3>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Plan\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>classification.type\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>All\u003C\u002Ftd>\n\u003Ctd>Email type: \u003Ccode>normal\u003C\u002Fcode>, \u003Ccode>transactional\u003C\u002Fcode>, \u003Ccode>marketing\u003C\u002Fcode>, \u003Ccode>notification\u003C\u002Fcode>, \u003Ccode>automated\u003C\u002Fcode>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>classification.confidence\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Maker+\u003C\u002Ftd>\n\u003Ctd>Confidence level (e.g. \u003Ccode>definite\u003C\u002Fcode>, \u003Ccode>likely\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>classification.signals\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>array\u003C\u002Ftd>\n\u003Ctd>Maker+\u003C\u002Ftd>\n\u003Ctd>Signals that influenced classification (e.g. \u003Ccode>has_attachment\u003C\u002Fcode>, \u003Ccode>has_unsubscribe_link\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Cp>Classification helps you route emails by type, filter out marketing, or prioritize transactional messages — all without writing your own heuristics.\u003C\u002Fp>\n\u003Ch3>Integrity\u003C\u002Fh3>\n\u003Cp>Available on \u003Cstrong>Maker+\u003C\u002Fstrong> plans.\u003C\u002Fp>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>integrity.contentHash\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>SHA-256 hex hash of the processed payload content\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>integrity.rawEmailHash\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>SHA-256 hex hash of the raw email before processing\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Cp>Use integrity hashes to verify that the payload wasn't tampered with in transit, detect duplicate deliveries, or build audit trails.\u003C\u002Fp>\n\u003Ch3>Security\u003C\u002Fh3>\n\u003Cp>Available on \u003Cstrong>Business+\u003C\u002Fstrong> plans. Powered by ClamAV.\u003C\u002Fp>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Field\u003C\u002Fth>\n\u003Cth>Type\u003C\u002Fth>\n\u003Cth>Description\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>\u003Ccode>security.virusScan.scanned\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>boolean\u003C\u002Ftd>\n\u003Ctd>Whether virus scanning was performed\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>security.virusScan.engine\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Scanning engine (currently \u003Ccode>clamav\u003C\u002Fcode>)\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>security.virusScan.engineVersion\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Engine version\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>security.virusScan.definitionsUpdated\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>string\u003C\u002Ftd>\n\u003Ctd>Virus definitions version\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>security.virusScan.attachmentsScanned\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>number\u003C\u002Ftd>\n\u003Ctd>Number of attachments scanned\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>security.virusScan.attachmentsSkipped\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>number\u003C\u002Ftd>\n\u003Ctd>Number of attachments skipped\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Ccode>security.virusScan.threatsFound\u003C\u002Fcode>\u003C\u002Ftd>\n\u003Ctd>number\u003C\u002Ftd>\n\u003Ctd>Number of threats detected\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Cp>Infected attachments are excluded from the webhook payload. The attachment entry remains with \u003Ccode>excluded: true\u003C\u002Fcode>, \u003Ccode>excludeReason: "virus-detected"\u003C\u002Fcode>, and the \u003Ccode>virusScan\u003C\u002Fcode> object containing the threat name. No download URL is provided for infected files.\u003C\u002Fp>\n\u003Ch2>Features by plan\u003C\u002Fh2>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Feature\u003C\u002Fth>\n\u003Cth>Free\u003C\u002Fth>\n\u003Cth>Maker\u003C\u002Fth>\n\u003Cth>Business\u003C\u002Fth>\n\u003Cth>Platform\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\u003Ctr>\n\u003Ctd>Message basics (sender, recipient, subject, date)\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>Text + HTML body\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>Link extraction\u003C\u002Fstrong>\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>Email classification\u003C\u002Fstrong> (type only)\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>Attachments (inline base64)\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>Markdown conversion\u003C\u002Fstrong>\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>Classification confidence + signals\u003C\u002Fstrong>\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>Integrity hashes\u003C\u002Fstrong>\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>Spam analysis (rspamd)\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>S3 attachment offloading\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>Virus scanning\u003C\u002Fstrong> (ClamAV)\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cstrong>Custom payload builder\u003C\u002Fstrong>\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>-\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003Ctd>+\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\u003C\u002Ftable>\n\u003Ch2>Related topics\u003C\u002Fh2>\n\u003Cul>\n\u003Cli>\u003Ca href=\"\u002Fhelp\u002Femail-processing\u002F\">Email processing\u003C\u002Fa> — Full processing pipeline overview\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"\u002Fhelp\u002Fattachment-processing\u002F\">Attachment processing\u003C\u002Fa> — Inline vs S3 delivery, file type support\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"\u002Fhelp\u002Fwebhook-configuration\u002F\">Webhook configuration\u003C\u002Fa> — Set up and manage webhook endpoints\u003C\u002Fli>\n\u003C\u002Ful>\n",1781207679217]