Can I download the email routing activity log using the API?

bpesner · April 6, 2025, 4:18pm

What is the name of the domain?

What is the error number?

No error

What is the error message?

No error

What is the issue you’re encountering

I’d like to see all the routed emails that weren’t delivered. At present the online activity log only shows a small percentage of them.

What steps have you taken to resolve the issue?

I’ve examined the online emaiil routing activity log but it doesn’t have complete information.

What are the steps to reproduce the issue?

Log into a Cloudflare accoutn with email routing activated. Go to the email routing dashboard. Compare the failed email counts in the Summary section with the emails shown in the Acitivity Log section.

DarkDeviL · April 6, 2025, 5:58pm

Can you elaborate on “small percentage”?

In my experience, it is showing you all of the entries, from within the past 24 hours.

What is “all” to you?

Should it also include an entry from five (5) years ago, or what exactly is it, that “all” is supposed to represent?

And what exactly do you mean, with “complete information”?

Definitions are often very “relative”, and will vary, from person to person, business to business, in regards to what they are expecting in given scenarios, and that is why I am asking, - so we’re hopefully on the exact same track!

→

I don’t know how long GraphQL would expose the data of the “Activity Log”, however, my understanding is that you can fetch (at least, some of all this) data from the “Activity Log”, through GraphQL.

I don’t have any information on whether there is a time limit on GraphQL at all, or if the data is only available for 24 hours, or if you maybe can go 5 years back in time with it.

But I’ve seen some discussions, that I interpreted as that GraphQL would also be able to expose the “Subject” field of a message, which isn’t even shown in the “Activity Log”.

bpesner · April 6, 2025, 7:05pm

Thanks for your reply. The UI seems to indicate that activity log records are kept for 7 days. I’d like to be able to see all of those. In particular, if the summary shows a count of errors in several categories, I’d like to see all of those errors.

You suggest that GraphQL might be able to access the Activity Log. I’m not familiar with GraphQL but would be happy to learn it. I assume there is a url I’d use to send GraphQL requests for the Activity Log. Do you know what that would be? Can you point me to any doc?

DarkDeviL · April 8, 2025, 10:43pm

The GraphQL endpoint will be “https://api.cloudflare.com/client/v4/graphql”.

It seems pretty sparse, - and I believe the best “example”, that I am able to find myself, is the one from 2022-05-13T20:14:05Z, by @Cyb3r-Jak3, over here:

An Activity Log of Email Routing using an API

Officially, there is no API for email routing yet. However, you can do it with the GraphQL. The endpoint is https://api.cloudflare.com/client/v4/graphql and a request with curl looks like

curl --location --request POST 'https://api.cloudflare.com/client/v4/graphql' \
--header 'X-AUTH-KEY: X-AUTH-KEY' \
--header 'X-AUTH-EMAIL: X-AUTH-EMAIL' \
--header 'Content-Type: application/json' \
--data-raw '{"query":"{\n    viewer {\n        zones(filter: {zoneTag: $zoneTag}) \n        {\n            emailRoutingAdaptive(limit: 1000, filter: $filter, orderBy: [datetime_DESC, from_ASC, to_ASC, status_ASC]){        datetime        id: sessionId        from        to       status        spf        dkim        dmarc        errorDetail        __typename      }      __typename    }    __typename  }\r\n}","variables":{"zoneTag":"<Zone ID>","filter":{"datetime_geq":<Start Date>"","datetime_leq":"<End Date>"}}}'

Example Start Date: 2022-05-12T19:45:00.000Z
Example End Date: 2022-05-13T19:45:00.000Z

Within the query there, where it is selecting both “``”. , the closest I can find to a list of possible key-value fields that you can obtain, will be the list posted over here:

→ Schema docs for the Cloudflare GraphQL Analytics API

# Beta. Raw email routing logs with adaptive sampling
type ZoneEmailRoutingAdaptive {
  # Action routing rule apply into source email
  action: string!
  # ARC check status of the source email
  arc: string!
  # The date and time the source email was received
  datetime: Time!
  # DKIM check status of the source email
  dkim: string!
  # DMARC check status of the source email
  dmarc: string!
  # Detailed error message (if any)
  errorDetail: string!
  # Origin of email (incoming|forward|reply|newEmail)
  eventType: string!
  # The sender email address of the source email
  from: string!
  # Is this event related to a NDR (bounce) email?
  isNDR: uint8!
  # Source email is spam
  isSpam: uint8!
  # The Message-ID header of the source email (if present)
  messageId: string!
  # The UUID of the routing rule matched by the source email
  ruleMatched: string!
  # ABR sample interval
  sampleInterval: uint32!
  # Unique identifier for the email log entry (note: retries for the same email may result in multiple log entries)
  sessionId: string!
  # Spam score value
  spamScore: uint32!
  # Spam threshold value
  spamThreshold: uint32!
  # SPF check status of the source email
  spf: string!
  # The resulting outcome (action) for the email
  status: string!
  # The subject of the source email
  subject: string!
  # The recipient email address of the source email
  to: string!
}

I don’t believe that (at least: the Free plan) has ever been supposed to show more than the ~ 24 hours, that seems to be what works flawlessly, when playing around with the options you see.

Previously, you could also change the Security Level of your website, and even though you have only been able to select lower “Essentially Off”, if your plan wasn’t Enterprise, it would still show you the “Off (Enterprise)” option anyway.

So my guess would be, that it might eventually have been something similar, with ideas of creating longer retention times for paid plans.

I am unable to find any concrete facts, regarding the retention time (via GraphQL).

bpesner · April 9, 2025, 1:08am

Thanks for the VERY useful information!

DarkDeviL · April 9, 2025, 8:05pm

Just to clarify, -

Not sure what went wrong here, -

But I actually meant to be referring to the list of fields, that you should be able to adapt exactly to your needs.

E.g. where the code from above appears to be requesting the fields “datetime”, “sessionId”, “from”, “to”, “status”, “spf”, “dkim”, “dmarc” and “errorDetail”.

There are a couple of unused ones, in the list, such as e.g. “action”, “arc”, “messageId”, “subject”, to mention a few, that you can also ask for, if needed.

You’re welcome, happy to hear it is considered very useful!

system · April 21, 2025, 4:18pm

This topic was automatically closed after 15 days. New replies are no longer allowed.

Topic		Replies	Views
An Activity Log of Email Routing using an API API	2	1794	May 13, 2022
Full Email Routing Activity Log Email Routing	2	1475	November 25, 2022
Summary graph shows failures not shown in Activity Log Email Routing	1	307	April 11, 2024
Email Routing Activity Log filter/query bug Email Routing	2	262	April 21, 2024
Error when accessing email routing activity logs Email Routing	0	14	March 25, 2025