POST /accounts/{account_id}/email-security/settings/allow_policies/batch

Execute multiple operations atomically. All four operation arrays (deletes, patches, puts, posts) are required and executed in order. Send empty arrays for unused operations.

Servers

https://api.cloudflare.com/client/v4

Path parameters

Name	Type	Required	Description
`account_id`	String	Yes	Account identifier tag.

Request headers

Name	Type	Required	Description
`Content-Type`	String	Yes	The media type of the request body. Default value: "application/json"

Request body fields

Name	Type	Required	Description
`posts[]`	Array	Yes
`posts[].is_recipient`	Boolean	No	Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.
`posts[].is_exempt_recipient`	Boolean	Yes	Messages to this recipient will bypass all detections
`posts[].is_spoof`	Boolean	No	Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.
`posts[].verify_sender`	Boolean	Yes	Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.
`posts[].last_modified`	String	Yes	Deprecated, use `modified_at` instead. End of life: November 1, 2026.
`posts[].modified_at`	String	No
`posts[].id`	String	Yes	Allow policy identifier
`posts[].pattern_type`	String	Yes	Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries. Valid values: `"EMAIL"` `"DOMAIN"` `"UNKNOWN"` `"IP"`
`posts[].is_sender`	Boolean	No	Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.
`posts[].is_trusted_sender`	Boolean	Yes	Messages from this sender will bypass all detections and link following
`posts[].is_acceptable_sender`	Boolean	Yes	Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.
`posts[].created_at`	String	Yes
`posts[].is_regex`	Boolean	Yes
`posts[].pattern`	String	Yes
`posts[].comments`	String	No
`deletes[]`	Array	Yes
`deletes[].id`	String	Yes	Allow policy identifier
`patches[]`	Array	Yes
`patches[].is_recipient`	Boolean	No	Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.
`patches[].is_exempt_recipient`	Boolean	No	Messages to this recipient will bypass all detections
`patches[].is_spoof`	Boolean	No	Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.
`patches[].verify_sender`	Boolean	No	Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.
`patches[].last_modified`	String	Yes	Deprecated, use `modified_at` instead. End of life: November 1, 2026.
`patches[].modified_at`	String	No
`patches[].id`	String	Yes	Allow policy identifier
`patches[].pattern_type`	String	No	Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries. Valid values: `"EMAIL"` `"DOMAIN"` `"UNKNOWN"` `"IP"`
`patches[].is_sender`	Boolean	No	Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.
`patches[].is_trusted_sender`	Boolean	No	Messages from this sender will bypass all detections and link following
`patches[].is_acceptable_sender`	Boolean	No	Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.
`patches[].created_at`	String	Yes
`patches[].is_regex`	Boolean	No
`patches[].pattern`	String	No
`patches[].comments`	String	No
`puts[]`	Array	Yes
`puts[].is_recipient`	Boolean	No	Deprecated as of July 1, 2025. Use `is_exempt_recipient` instead. End of life: July 1, 2026.
`puts[].is_exempt_recipient`	Boolean	No	Messages to this recipient will bypass all detections
`puts[].is_spoof`	Boolean	No	Deprecated as of July 1, 2025. Use `is_acceptable_sender` instead. End of life: July 1, 2026.
`puts[].verify_sender`	Boolean	No	Enforce DMARC, SPF or DKIM authentication. When on, Email Security only honors policies that pass authentication.
`puts[].last_modified`	String	Yes	Deprecated, use `modified_at` instead. End of life: November 1, 2026.
`puts[].modified_at`	String	No
`puts[].id`	String	Yes	Allow policy identifier
`puts[].pattern_type`	String	No	Type of pattern matching. Note: UNKNOWN is deprecated and cannot be used when creating or updating policies, but may be returned for existing entries. Valid values: `"EMAIL"` `"DOMAIN"` `"UNKNOWN"` `"IP"`
`puts[].is_sender`	Boolean	No	Deprecated as of July 1, 2025. Use `is_trusted_sender` instead. End of life: July 1, 2026.
`puts[].is_trusted_sender`	Boolean	No	Messages from this sender will bypass all detections and link following
`puts[].is_acceptable_sender`	Boolean	No	Messages from this sender will be exempted from Spam, Spoof and Bulk dispositions. Note - This will not exempt messages with Malicious or Suspicious dispositions.
`puts[].created_at`	String	Yes
`puts[].is_regex`	Boolean	No
`puts[].pattern`	String	No
`puts[].comments`	String	No

How to start integrating

Add HTTP Task to your workflow definition.
Search for the API you want to integrate with and click on the name.
- This loads the API reference documentation and prepares the Http request settings.
Click Test request to test run your request to the API and see the API's response.