openapi: 3.0.3
info:
title: EmailRep API
version: '1.0'
description: >-
EmailRep is an email-address reputation and threat-intelligence API
operated by Sublime Security, Inc. It crawls and enriches data across
social media profiles, professional networking sites, dark-web credential
leaks, data breaches, phishing kits, phishing emails, spam lists, open
mail relays, spam traps, domain age and reputation, and deliverability
signals to predict the risk associated with any email address. Callers
issue a `GET /{email}` lookup to receive a reputation verdict, a
`suspicious` flag, a `references` count, and a detailed signal block, or
`POST /report` to submit observations of malicious email behavior back
into the reputation graph.
contact:
name: Sublime Security
url: https://sublimesecurity.com
email: [email protected]
license:
name: EmailRep Terms of Use
url: https://emailrep.io/terms
x-generated-from: documentation
x-last-validated: '2026-05-30'
servers:
- url: https://emailrep.io
description: EmailRep production API
security:
- ApiKeyAuth: []
- {}
tags:
- name: Reputation
description: Query email address reputation and threat-intelligence signals.
- name: Reports
description: Report email addresses as malicious so the reputation graph picks up the signal.
paths:
/{email}:
get:
operationId: queryEmailReputation
summary: EmailRep Query Email Reputation
description: >-
Look up reputation, suspiciousness, references, and detailed
intelligence signals for an email address. Returns a `reputation` of
`high`, `medium`, `low`, or `none`, a boolean `suspicious` flag, a
`references` count, and a `details` block covering blacklisting,
malicious activity, credential leaks, data breaches, domain
reputation, deliverability, MX validity, SPF/DMARC posture,
spoofability, free-provider/disposable classification, and online
profile observations. Use `summary=true` to additionally receive a
human-readable `summary` field.
tags:
- Reputation
parameters:
- name: email
in: path
required: true
description: The email address to query.
schema:
type: string
format: email
example: [email protected]
- name: summary
in: query
required: false
description: When `true`, include a human-readable `summary` field in the response.
schema:
type: boolean
default: false
example: true
responses:
'200':
description: Reputation lookup succeeded.
content:
application/json:
schema:
$ref: '#/components/schemas/EmailReputation'
examples:
QueryEmailReputation200Example:
summary: Default queryEmailReputation 200 response
x-microcks-default: true
value:
email: [email protected]
reputation: high
suspicious: false
references: 79
details:
blacklisted: false
malicious_activity: false
malicious_activity_recent: false
credentials_leaked: true
credentials_leaked_recent: false
data_breach: true
first_seen: 07/01/2008
last_seen: 05/24/2019
domain_exists: true
domain_reputation: high
new_domain: false
days_since_domain_creation: 10341
suspicious_tld: false
spam: false
free_provider: false
disposable: false
deliverable: true
accept_all: true
valid_mx: true
spoofable: false
spf_strict: true
dmarc_enforced: true
profiles:
- myspace
- spotify
- twitter
- pinterest
- flickr
- linkedin
- vimeo
- angellist
'400':
description: Bad request — invalid email address.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
'401':
description: Unauthorized — missing or invalid API key.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
'429':
description: Rate limit exceeded for the caller's plan.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
'500':
description: Internal server error.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/report:
post:
operationId: reportEmail
summary: EmailRep Report Email
description: >-
Report an email address as exhibiting malicious behavior so the
EmailRep reputation graph picks up the signal. Requires an API key.
Submit one or more `tags` (such as `bec`, `maldoc`, `phishing`,
`account_takeover`, `spam`), an optional human-readable
`description`, the `timestamp` when the activity was observed (Unix
epoch seconds, defaults to now), and an optional `expires` window in
hours during which the address should be treated as risky.
tags:
- Reports
requestBody:
required: true
description: Report payload.
content:
application/json:
schema:
$ref: '#/components/schemas/ReportRequest'
examples:
ReportEmailRequestExample:
summary: Default reportEmail request
x-microcks-default: true
value:
email: [email protected]
tags:
- bec
- maldoc
description: Phishing email impersonating the CEO with a malicious attachment.
timestamp: 1748563200
expires: 168
responses:
'200':
description: Report accepted.
content:
application/json:
schema:
$ref: '#/components/schemas/ReportResponse'
examples:
ReportEmail200Example:
summary: Default reportEmail 200 response
x-microcks-default: true
value:
status: success
'400':
description: Bad request — missing or invalid fields.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
'401':
description: Unauthorized — API key required to submit reports.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
'429':
description: Rate limit exceeded for the caller's plan.
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
components:
securitySchemes:
ApiKeyAuth:
type: apiKey
in: header
name: Key
description: >-
EmailRep API key issued at https://emailrep.io/key. Free tier is
available; the Commercial and Enterprise tiers raise the per-month
and per-day quotas. The key is passed in the `Key` HTTP header on
every request.
schemas:
EmailReputation:
type: object
title: EmailReputation
description: >-
Reputation verdict, suspicious flag, references count, and detailed
intelligence signal block returned for an email-address query.
required:
- email
- reputation
- suspicious
- references
- details
properties:
email:
type: string
format: email
description: The queried email address, echoed back.
example: [email protected]
reputation:
type: string
description: Overall reputation verdict for the address.
enum:
- high
- medium
- low
- none
example: high
suspicious:
type: boolean
description: Whether the email should be treated as suspicious or risky.
example: false
references:
type: integer
description: >-
Total number of positive and negative reputation sources observed
for the address or its associated domain. Not all references are
direct mentions of the address.
example: 79
summary:
type: string
description: >-
Human-readable summary of the reputation verdict. Returned only
when the caller passes `summary=true`.
example: "high reputation, seen on 8 profiles, found in 1 data breach"
details:
$ref: '#/components/schemas/EmailReputationDetails'
EmailReputationDetails:
type: object
title: EmailReputationDetails
description: Detailed intelligence signals about the email address and its domain.
properties:
blacklisted:
type: boolean
description: The email is believed to be malicious or spammy.
example: false
malicious_activity:
type: boolean
description: The email has exhibited malicious behavior (e.g. phishing or fraud).
example: false
malicious_activity_recent:
type: boolean
description: Malicious behavior observed within the last 90 days.
example: false
credentials_leaked:
type: boolean
description: Credentials for the email were leaked at some point (data breach, paste, dark web, etc.).
example: true
credentials_leaked_recent:
type: boolean
description: Credentials were leaked within the last 90 days.
example: false
data_breach:
type: boolean
description: The email appeared in a known data breach.
example: true
first_seen:
type: string
description: First date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior. `never` if never seen.
example: 07/01/2008
last_seen:
type: string
description: Last date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior. `never` if never seen.
example: 05/24/2019
domain_exists:
type: boolean
description: Whether the email's domain is a valid, resolvable domain.
example: true
domain_reputation:
type: string
description: Reputation verdict for the email's domain. `n/a` when the domain is a free provider, disposable, or does not exist.
enum:
- high
- medium
- low
- n/a
example: high
new_domain:
type: boolean
description: The domain was registered within the last year.
example: false
days_since_domain_creation:
type: integer
description: Days since the domain was created.
example: 10341
suspicious_tld:
type: boolean
description: The domain uses a top-level domain associated with abuse.
example: false
spam:
type: boolean
description: The email has exhibited spammy behavior (e.g. spam traps, login form abuse).
example: false
free_provider:
type: boolean
description: The email uses a free email provider (e.g. Gmail, Yahoo, Outlook).
example: false
disposable:
type: boolean
description: The email uses a temporary or disposable provider.
example: false
deliverable:
type: boolean
description: The address is deliverable based on SMTP probes and MX checks.
example: true
accept_all:
type: boolean
description: The mail server has a default accept-all policy.
example: true
valid_mx:
type: boolean
description: The domain has a valid MX record.
example: true
spoofable:
type: boolean
description: The email address can be spoofed (e.g. SPF is not strict or DMARC is not enforced).
example: false
spf_strict:
type: boolean
description: SPF record is sufficiently strict to prevent spoofing.
example: true
dmarc_enforced:
type: boolean
description: DMARC is configured correctly and enforced.
example: true
profiles:
type: array
description: Online profiles where the email has been observed.
items:
type: string
example:
- myspace
- spotify
- twitter
- pinterest
- flickr
- linkedin
- vimeo
- angellist
ReportRequest:
type: object
title: ReportRequest
description: Payload for reporting an email address as exhibiting malicious behavior.
required:
- email
- tags
properties:
email:
type: string
format: email
description: The email address being reported.
example: [email protected]
tags:
type: array
description: One or more tags classifying the malicious behavior.
items:
type: string
example:
- bec
- maldoc
description:
type: string
description: Additional information and context about the activity.
example: Phishing email impersonating the CEO with a malicious attachment.
timestamp:
type: integer
format: int64
description: Unix epoch seconds when the activity occurred. Defaults to now.
example: 1748563200
expires:
type: integer
description: Number of hours the reported email should be considered risky.
example: 168
ReportResponse:
type: object
title: ReportResponse
description: Outcome of a report submission.
required:
- status
properties:
status:
type: string
description: Outcome of the report submission.
enum:
- success
- fail
example: success
reason:
type: string
description: Human-readable failure reason. Present when `status` is `fail`.
example: invalid email address
Error:
type: object
title: Error
description: Error envelope returned for failed requests.
required:
- status
properties:
status:
type: string
description: Outcome of the request.
enum:
- fail
example: fail
reason:
type: string
description: Human-readable failure reason.
example: invalid email address