
Proofpoint On Demand Log Api Rev C

The PoD Log API provides a real-time email processing log feed in JSON format over a secure WebSocket connection. It allows customers to access logs for identifying mail and message filtering events. The API endpoint requires authentication with a JWT token and supports querying archived logs by date range in hourly intervals up to 30 days in the past. Fields in the JSON response describe connection, envelope, message, and filter details.

Proofpoint on Demand (PoD) Log API

November 2020
Revision C

Proofpoint, Inc. Proprietary and Confidential © 2019 Page 1 of 23


Contents

PoD Log API
    Connection Notes
API Features
    Endpoint
    Fields
    Authentication
        Signing Key
Examples for Testing Streaming Requests
    Error Codes
Message Schema
    Top Level Elements
    Connection/Session Object Data
    Envelope Object Data
    Message Object Data
    Message Parts Object Data
    Filter Object Data
    PPS Object Data
Mail Schema
    Field Properties
    Mail Schema
        Example

PoD Log API
The PoD Log service is a webservice for Proofpoint on Demand customers that offers a
real-time email processing log feed for use with Security Information and Event Management
(SIEM) solutions. This webservice uses the secure WebSocket (WSS) protocol to stream logs to
supporting solutions.

This log feed can be used to identify mail and message filtering events.

Connection Notes
The PoD Log API does not allow use of the same token for more than one session at the same
time. If you need to open more than one simultaneous connection to receive the same type of
data, additional token(s) must be requested.

When the connection between the client and the service is dropped and restored within one hour,
the service resumes sending data from the moment the previous session dropped, so no
additional action is required on the client side.

When the client has been disconnected from the PoD Log service for more than one hour, then
after a new session is established the client starts receiving the accumulated data from one hour
before the start of the new session.

For example:

The previous session was terminated at 1PM EST on 11/17/2020 and at 3PM EST 11/17/2020 a
new connection was established. In this case the client will start receiving "real-time" data from
2PM EST 11/17/2020. To backfill the gap and retrieve the data from 1PM EST to 2PM EST, a
separate request to the archive must be made. To do this, the sinceTime parameter should be
set as 2020-11-17T14:00:00-0005 and the toTime as 2020-11-17T14:59:59-0005.

API Features

Endpoint
The PoD Logging Service production endpoint is

wss://logstream.proofpoint.com/

The API signature is

/v1/stream?cid={clusterId}&type=[message|maillog]&sinceTime={sinceTime}&toTime={toTime}

The sinceTime and toTime parameters must be specified to request the archived data.

The date format is YYYY-MM-DDTHH:MM:SS-0000 where 0000 is the time zone.

Correct zones are shown here:

EST = 0500    EDT = 0400
CST = 0600    CDT = 0500
MST = 0700    MDT = 0600
PST = 0800    PDT = 0700

Part | Required | Type | Example | Default | Description
type | yes | string | message, maillog | N/A | Valid values are "message" or "maillog"
sinceTime | no | string | 2018-01-25T02:37:40-0800, 2018-01-25T02:37:40.000-0800 | N/A | Start time to begin streaming log data, in ISO8601 format, which includes timezone information. Data timestamp is specific to the millisecond. Is used only if the specified timestamp is older than at least one hour from now. Rounds down to the nearest hour.
toTime | no | string | 2018-02-25T02:37:40-0800, 2018-02-25T02:37:40.000-0800 | N/A | End time to stop streaming log data, in ISO 8601 format. Data timestamp is specific to the millisecond. Defaults to Now when the sinceTime is defined. If specified, must be greater than sinceTime. Rounds up to the nearest hour.
cid | yes | string | customer hosted | N/A | The Cluster ID must be a legal user group string. This is required for server authentication purposes.

Note: If a time is not specified, it means “now.” The limit to data availability is 30 days.
You can specify a query going back in time 30 days from the present time. The archived
data granularity is one (1) hour, not a minute or second. The service rounds down the
sinceTime and rounds up the toTime parameter values to the nearest hour.

For example, sinceTime=2018-01-25T14:12:34-0800 will be rounded down to
2018-01-25T14:00:00-0800 and toTime=2018-01-25T14:31:23-0800 will be
rounded up to 2018-01-25T15:00:00-0800.
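
The reconnect rule from Connection Notes and the hour rounding described above, worked through in Python. This is an added example, not part of the Proofpoint document; the helper names, the placeholder cluster ID example_cluster, the constructed timestamps and the helper's choice to reject a toTime without a sinceTime are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional
from urllib.parse import urlencode

ENDPOINT = "wss://logstream.proofpoint.com/v1/stream"  # endpoint + signature from the page
ARCHIVE_LIMIT = timedelta(days=30)  # archive reaches back 30 days
REPLAY = timedelta(hours=1)         # a new session starts one hour back


class Window(NamedTuple):
    since: datetime
    to: datetime
    truncated: bool  # True when part of the gap is older than the archive


def fmt_ts(dt: datetime) -> str:
    """Render an aware datetime as YYYY-MM-DDTHH:MM:SS-0000."""
    if dt.utcoffset() is None:
        raise ValueError("timestamp needs an explicit time zone")
    return dt.strftime("%Y-%m-%dT%H:%M:%S%z")


def served_range(since: datetime, to: datetime):
    """Hour-granular range the archive returns: sinceTime down, toTime up."""
    lo = since.replace(minute=0, second=0, microsecond=0)
    hi = to.replace(minute=0, second=0, microsecond=0)
    if hi != to:
        hi += timedelta(hours=1)
    return lo, hi


def backfill_window(dropped_at, reconnected_at, now) -> Optional[Window]:
    """Archive window that closes the gap left by an outage, or None."""
    live_from = reconnected_at - REPLAY  # the new session replays from here
    if dropped_at >= live_from:
        return None  # outage of an hour or less: nothing to backfill
    oldest = now - ARCHIVE_LIMIT
    if live_from <= oldest:
        raise ValueError("gap is entirely older than the 30-day archive")
    since = max(dropped_at, oldest)
    return Window(since, live_from, truncated=since > dropped_at)


def build_stream_url(cid, log_type, since=None, to=None) -> str:
    if not cid:
        raise ValueError("cid is required")
    if log_type not in ("message", "maillog"):
        raise ValueError("type must be 'message' or 'maillog'")
    if to is not None and since is None:
        raise ValueError("this helper only sends toTime together with sinceTime")
    params = {"cid": cid, "type": log_type}
    if since is not None:
        params["sinceTime"] = fmt_ts(since)
    if to is not None:
        if to <= since:
            raise ValueError("toTime must be greater than sinceTime")
        params["toTime"] = fmt_ts(to)
    # ':' is left readable; a '+' offset is still escaped as %2B so it is
    # not decoded as a space on the server side.
    return ENDPOINT + "?" + urlencode(params, safe=":")


if __name__ == "__main__":
    est = timezone(timedelta(hours=-5))  # constructed outage, EST
    dropped = datetime(2020, 11, 17, 9, 20, 15, tzinfo=est)
    back = datetime(2020, 11, 17, 12, 45, tzinfo=est)
    window = backfill_window(dropped, back, now=back)
    print(build_stream_url("example_cluster", "message", window.since, window.to))
    print([fmt_ts(t) for t in served_range(window.since, window.to)])
```

Because the archive answers in whole hours, the served range overlaps what the live session replays; de-duplicate on guid (message records) or id (maillog records) when merging.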

Fields
The JSON schema format is used to describe each field. This service supports only JSON.

Authentication
The authorization header must be set as part of the request to authenticate and be authorized to
stream log data.

Proofpoint will provide the token and credentials to connect to the webservice.

Required header:

Authorization: Bearer <token>

The token value is uniquely generated and provided by Proofpoint for a customer cluster to
authenticate with the service. The service uses JSON Web Token (JWT) to communicate the
client identity to the service.

Signing Key

This is your CLUSTER_ID assigned by Proofpoint. The CLUSTER_ID is displayed in the upper-right
corner of the management interface next to the release number.

Examples for Testing Streaming Requests


This section contains examples to test connectivity between your system and the Proofpoint PoD
log service. In the examples sinceTime is optional to stream historical data. If sinceTime is
not specified, the server will stream data in real time.

Example for curl command to receive uncompressed data:

curl -i --no-buffer \
  -H "Connection: Upgrade" \
  -H "Upgrade: websocket" \
  -H "Host: logstream.proofpoint.com:443" \
  -H "Authorization: Bearer <ACCESS_TOKEN>" \
  -H "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" \
  -H "Sec-WebSocket-Version: 13" \
  "https://logstream.proofpoint.com:443/v1/stream?cid=<CLUSTER_ID>&type=message&sinceTime=2018-08-31T00:00:00-0800"

Example for curl command to request a data stream compressed by the Deflate
algorithm:

curl -i --no-buffer \
  -H "Connection: Upgrade" \
  -H "Upgrade: websocket" \
  -H "Host: logstream.proofpoint.com:443" \
  -H "Sec-WebSocket-Extensions: permessage-deflate; client_no_context_takeover; server_no_context_takeover" \
  -H "Authorization: Bearer <ACCESS_TOKEN>" \
  -H "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" \
  -H "Sec-WebSocket-Version: 13" \
  "https://logstream.proofpoint.com:443/v1/stream?cid=<CLUSTER_ID>&type=message&sinceTime=2018-08-31T00:00:00-0800"

Note: The PoD Log API service supports only the permessage-deflate,
client_no_context_takeover, and server_no_context_takeover extensions.
Refer to RFC7692 for a description of Compression Extensions for WebSocket.

Error Codes
The following table describes error handling codes.

Code | Protocol | Message | Scenarios
400 | HTTP | Bad Request | Malformed URL query: missing or empty clusterID; missing or empty message type; invalid sinceTime or toTime (if present)
401 | HTTP | Unauthorized | Missing or empty Authorization Header; Invalid type of access token; Missing or empty access token; Invalid or expired access token; Invalid clusterID; Missing or expired remote syslog license for the given clusterID
404 | HTTP | Not Found | Invalid URL; Invalid protocol (for example, http/https are not supported)
405 | HTTP | Method not allowed | Client is sending non GET requests
409 | HTTP | Exceeded maximum number of sessions per token | The access token is being used by another session

Message Schema
The following tables describe the message data fields. Fields that are required are indicated as
such in the Description column.

Top Level Elements


Name | Required? | Description | Data Type
guid | Required | Globally unique identifier for the message object. | string
connection | Required | Connection-related data. | object
envelope | Required | Envelope-related data. | object
msg | Required | Message-related data. | object
msgParts | Required | Message Parts-related data (includes attachment data). | array
filter | Required | Email filtering data. | object
pps | Required | PPS-specific data. | object

Connection/Session Object Data


Name (Connection/Session Object Data) | Required? | Description | Data Type
sid | Required | The ID of the connection/session object; this is otherwise known as the "sid" in filter.log | string
country | | The country code of the sender IP. | string
helo | Required | The FQDN or IP reported via the HELO or EHLO command. | string
host | Required | The host name of the reverse lookup of the sender IP. | string (hostname)
ip | Required | The sender IP in IPv4 or IPv6 format. | string (ipv4/ipv6)
protocol | Required | The connection protocol info. | string
resolveStatus | | Can the sender IP be resolved with a reverse lookup. | string
tls.inbound.cipher | | Inbound TLS cipher algorithm detected. | string
tls.inbound.cipherBits | | Inbound TLS cipher algorithm strength (in #bits). | integer
tls.inbound.policy | | Inbound TLS policy. | string
tls.inbound.version | Required | Inbound TLS protocol version. | string

Envelope Object Data


Name (Envelope Object Data) | Required? | Description | Data Type
rcpts | Required | The envelope recipients. | array
from | Required | The envelope sender. | string (email)

Message Object Data


Note: None of these fields is required.

Name (Message Object Data) | Description | Data Type
header.cc | Carbon copy of email addresses. | array of strings
header.from | The header sender. | array of strings
header.message-id | The header message-id. | array of strings
header.reply-to | The header Reply to address. | array of strings
header.return-path | The header return path address. | array of strings
header.subject | The header subject. | array of strings
header.to | The header recipients. | array of strings
lang | The detected language of the message. | string
normalizedHeader | The "normalized" counterpart to the "header" object. | object
parsedAddresses.cc | | array of strings
parsedAddresses.from | | array of strings
parsedAddresses.to | | array of strings
sizeBytes | The original, raw message size in bytes. | integer

Message Parts Object Data


Multiple message parts, in-line or attached, can be associated to an email message and this table
lists the allowed fields for each attachment object.

Name (Message Parts Object Data) | Required? | Description | Data Type
detectedCharset | Required | The detected charset of the message part. | string
detectedExt | Required | The detected extension of the message part. | string
detectedMime | Required | The detected MIME type of the message part. | string
detectedName | Required | The detected file name of the message part. | string
detectedSizeBytes | Required | The detected file size of the message part in bytes. | integer
disposition | Required | The content disposition value. | string
md5 | Required | The ID of the message part in MD5. | string
sha256 | Required | The ID of the message part in SHA256. | string
isArchive | Required | Is the message part an archive type? | boolean
isCorrupted | Required | Is the message part corrupted? | boolean
isDeleted | Required | Is the message part deleted? | boolean
isProtected | Required | Is the message part password protected? | boolean
isTimedOut | Required | Did the message part analysis or text extraction time out? | boolean
isVirtual | Required | Is the message part virtual (a file member in an archive type of attachment)? | boolean
labeledCharset | Required | The charset of the message part as given. | string
labeledExt | Required | The extension of the attachment as given. | string
labeledMime | Required | The detected MIME type of the message part as given. | string
labeledName | Required | The name of the message part as given. | string
metadata | | The metadata of the message part as reported by cvtd (interface to the document extraction engine). | object
sandboxStatus | | The sandbox module status for the message part. | string
sizeDecodedBytes | | The size of the decoded message part in bytes. | integer
structureId | | The Structural ID of the message part with respect to container type attachments. | string
urls | | The URLs that were detected. | array
urls.[].url | Required | The URL found in the corresponding message part. | string
urls.[].isRewritten | | Whether the URL was rewritten by URL Defense. | boolean
urls.[].notRewrittenReason | Required | The reason why the corresponding URL was not rewritten by URL Defense. The value is an empty string if it was rewritten. | string
urls.[].src | Required | The PPS sources that detected the URL. | array of strings

Filter Object Data


Name (Filter Object Data) | Required? | Description | Data Type
actions | Required | The actions triggered; each array element is an object consisting of the action, module, and rule. The final disposition/action is marked with isFinal. | array
disposition | Required | The message disposition string as determined by filterd (the filtering engine daemon). | string
pe.rcpts | | Recipients encrypted via Proofpoint Encryption. | array
quarantine.folder | Required | Quarantine folder containing a copy of the message. | string
quarantine.rule | Required | Rule that causes the message to be quarantined. | string
durationSecs | Required | Time spent processing the message. | number
currentFolder | Required | The folder to which the message is currently assigned. | string
isMsgEncrypted | Required | Is the message encrypted? | boolean
isMsgReinjected | Required | Was the message reinjected? | boolean
mid | Required | The message id. | integer
modules.av.virusNames | Required | The virus names reported by the AV module. | array
modules.dkimv | | The DKIM module data. | array
modules.dkimv.[].domain | Required | The DKIM d= value in the signature line. | string
modules.dkimv.[].selector | Required | The DKIM s= value in the signature line. | string
modules.dkimv.[].result | Required | The DKIM result. | string
modules.dmarc.filterdResult | | The rollup DMARC result (generated by filterd for the rules, i.e. $dmarcresult). | string
modules.dmarc.authResults | | The detailed authentication results. | array
modules.dmarc.authResults.[].emailIdentities | | The email identities for a DMARC authorization result object. | object
modules.dmarc.authResults.[].emailIdentities.header.from | | The header.from email identity for a DMARC authorization result object. | string
modules.dmarc.authResults.[].emailIdentities.smtp.helo | | The smtp.helo email identity for a DMARC authorization result object. | string
modules.dmarc.authResults.[].emailIdentities.smtp.mailfrom | | The smtp.mailfrom email identity for a DMARC authorization result object | string
modules.dmarc.authResults.[].method | | The authorization result method. | string
modules.dmarc.authResults.[].propspec | | The property specification for the authorization result per DMARC spec. | object
modules.dmarc.authResults.[].propspec.header.s | | The header.s value for the property specification for the authorization result per DMARC spec. | string
modules.dmarc.authResults.[].reason | | The reason string for the authorization result. | string
modules.dmarc.authResults.[].result | | The result value for the authorization result. | string
modules.dmarc.records | | The actual raw DMARC TXT record. | array
modules.dmarc.srvid | | DMARC Auth Service ID as defined in filter.cfg. | string
modules.dmarc.alignment | | DMARC alignment report data. | array
modules.dmarc.alignment.[].fromDomain | | The DMARC TLD from the MAIL FROM data. | string
modules.dmarc.alignment.[].results | | The DMARC results array object; there can be multiple of these per method-identity combinations. | array
modules.dmarc.alignment.[].results.[].identity | | The DMARC domain identity as reported in the signature. | string
modules.dmarc.alignment.[].results.[].identityOrg | | The DMARC identifying organization as a Top Level Domain. | string
modules.dmarc.alignment.[].results.[].method | | The DMARC method involved for an alignment result object. | string
modules.dmarc.alignment.[].results.[].result | | The DMARC result involved for the alignment result object. | string
modules.pdr.v1.rscore | | The PDR (Proofpoint Dynamic Reputation) v1 rscore value. | integer
modules.pdr.v1.spamscore | | The PDR v1 spamscore value. | integer
modules.pdr.v1.virusscore | | The PDR v1 virusscore value. | integer
modules.pdr.v2.response | | The PDR v2 response status. | string
modules.pdr.v2.rscore | | The PDR v2 rscore value. | integer
modules.sandbox.errorStatus | Required | The Attachment Defense error status string. | string
modules.spam | Required | The spam engine analysis on the message. | object
modules.spam.triggeredClassifier | | The one spam classifier as defined by policy rules that determined the spam disposition. | string
modules.spf.result | | The SPF (Sender Policy Framework) result. | string
modules.urldefense.rewrittenUrls | Required | The URLs rewritten by URL Defense. | array
modules.urldefense | Required | Metadata reported by URL Defense. | object
modules.urldefense.version | Required | Version info for URL Defense. | object
modules.urldefense.version.engine | Required | Engine version for the URL Defense Module. | string
modules.urldefense.counts | Required | Metrics about the URLs evaluated by the URL Defense Module. | object
modules.urldefense.counts.maxLimit | | The configured defined maximum number of unique URLs the URL Defense Module can process. | integer
modules.urldefense.counts.total | Required | The total number of URLs the URL Defense processed. | integer
modules.urldefense.counts.unique | Required | The total unique number of URLs the URL Defense Module processed. | integer
modules.urldefense.counts.rewritten | Required | The total number of URLs the URL Defense Module rewrote. | integer
modules.urldefense.counts.noRewriteIsEmail | | The total number of URLs the URL Defense Module did not rewrite due to "is email". | integer
modules.urldefense.counts.noRewriteIsLargeMsgPartSize | | The total number of URLs the URL Defense Module did not rewrite due to "is large message part size". | integer
modules.urldefense.counts.noRewriteIsExcludedDomain | | The total number of URLs the URL Defense Module did not rewrite due to "is excluded domain". | integer
modules.urldefense.counts.noRewriteIsUnsupportedScheme | | The total number of URLs the URL Defense Module did not rewrite due to "is unsupported scheme". | integer
modules.urldefense.counts.noRewriteIsSchemeless | | The total number of URLs the URL Defense Module did not rewrite due to "is schemeless". | integer
modules.urldefense.counts.noRewriteIsMaxLengthExceeded | | The total number of URLs the URL Defense Module did not rewrite due to "is max length exceeded". | integer
modules.urldefense.counts.noRewriteIsContentTypeText | | The total number of URLs that the URL Defense did not rewrite due to "is content type text". | integer
modules.zerohour.score | Required | The ZeroHour threat score. | string
msgSizeBytes | Required | The size of the email in bytes. | integer
origGuid | | The parent GUID for the message from which the current message was split. | string
qid | Required | The sendmail queue ID. | string
routes | Required | The policy routes triggered by the message. | array
routeDirection | | inbound, outbound, internal, external | string
smime.rcpts | | Recipients encrypted via S/MIME. | array
smime.signedRcpts | | Recipients signed and encrypted via S/MIME. | array
startTime | Required | Timestamp for when message processing begins. | date-time
suborgs.sender | Required | | string
suborgs.rcpts | Required | | array
throttleIp | | The IP address being rate-controlled. | string (ipv4/ipv6)
verified.rcpts | | Verified recipients. | array

PPS Object Data


Name (PPS Object Data) | Required? | Description | Data Type
agent | Required | The source/MFA host from which the email was received. | string (hostname)
cid | Required | The cluster ID license for the PPS deployment. | string
version | Required | The release PPS version. | string
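
A sketch of how a SIEM-side consumer can reduce one record from a type=message stream to the fields an analyst triages on, using only field names from the Message Schema tables above. This is an added example, not Proofpoint code; it assumes dotted names such as filter.routeDirection denote nested JSON objects (as the maillog Example shows for sm.tls.verify), and every value in the sample record is constructed.

```python
import json

# Required top-level elements, from the "Top Level Elements" table.
REQUIRED_TOP = ("guid", "connection", "envelope", "msg", "msgParts", "filter", "pps")


def dig(obj, path, default=None):
    """Follow a dotted field name from the tables through nested objects."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def final_action(record):
    """Return the filter.actions element marked isFinal, or None."""
    for act in dig(record, "filter.actions") or []:
        if isinstance(act, dict) and act.get("isFinal") is True:
            return act
    return None


def part_findings(part):
    """Flags worth an analyst's attention for one msgParts element."""
    found = []
    pairs = (("labeledMime", "detectedMime", "mime-mismatch"),
             ("labeledExt", "detectedExt", "ext-mismatch"))
    for labeled, detected, tag in pairs:
        given, seen = part.get(labeled), part.get(detected)
        if given and seen and given.lower() != seen.lower():
            found.append(f"{tag}:{given}->{seen}")
    # Parts the engines could not fully inspect.
    found += [f for f in ("isProtected", "isCorrupted", "isTimedOut") if part.get(f) is True]
    for url in part.get("urls") or []:
        # notRewrittenReason is an empty string when URL Defense rewrote the URL.
        reason = url.get("notRewrittenReason", "")
        if reason:
            found.append(f"url-not-rewritten:{reason}")
    return found


def triage(line):
    """Turn one JSON record from a type=message stream into a compact event."""
    record = json.loads(line)
    missing = [k for k in REQUIRED_TOP if k not in record]
    if missing:
        return {"guid": record.get("guid"), "error": "missing: " + ", ".join(missing)}
    act = final_action(record) or {}
    parts = {}
    for part in record["msgParts"]:
        found = part_findings(part)
        if found:
            parts[part.get("sha256") or "?"] = found
    return {
        "guid": record["guid"],
        "qid": dig(record, "filter.qid"),
        "from": dig(record, "envelope.from"),
        "direction": dig(record, "filter.routeDirection"),
        "disposition": dig(record, "filter.disposition"),
        "final": {k: act.get(k) for k in ("action", "module", "rule")},
        "tls": dig(record, "connection.tls.inbound.version"),
        "parts": parts,
    }


# Constructed sample record: every value is illustrative, none is real data.
SAMPLE = json.dumps({
    "guid": "constructed-guid-0001",
    "connection": {"sid": "s1", "ip": "192.0.2.10",
                   "tls": {"inbound": {"version": "TLSv1.2"}}},
    "envelope": {"from": "sender@example.org", "rcpts": ["user@example.com"]},
    "msg": {"sizeBytes": 20480},
    "msgParts": [
        {"sha256": "constructed-sha256-a", "labeledName": "invoice.pdf",
         "labeledMime": "application/pdf", "detectedMime": "application/zip",
         "labeledExt": "pdf", "detectedExt": "zip", "isProtected": True,
         "isCorrupted": False, "isTimedOut": False, "urls": []},
        {"sha256": "constructed-sha256-b", "labeledMime": "text/html",
         "detectedMime": "text/html", "isProtected": False,
         "urls": [{"url": "http://example.net/a", "isRewritten": False,
                   "notRewrittenReason": "constructed reason", "src": []},
                  {"url": "http://example.net/b", "isRewritten": True,
                   "notRewrittenReason": "", "src": []}]},
    ],
    "filter": {"qid": "constructedQid01", "routeDirection": "inbound",
               "disposition": "constructed-disposition",
               "actions": [{"action": "a1", "module": "m1", "rule": "r1"},
                           {"action": "a2", "module": "m2", "rule": "r2", "isFinal": True}]},
    "pps": {"cid": "example_cluster", "agent": "agent.example.com", "version": "0"},
})
```

Calling triage(SAMPLE) returns the final action (a2/m2/r2) and, per part hash, the label/detection mismatches, the password-protected flag and the one URL that was not rewritten.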

Mail Schema
These fields represent the data in the mail logs. Each record or object matches a log line in the
maillog given a particular qid (queue ID).

Field Properties
Name | Required? | Description | Data Type
data | Required | The raw data that corresponds to one log line from maillog. | string
id | Required | A unique ID for the object. | string
pps.agent | Required | The FQDN of the source agent on which the mail log line is produced. | string
pps.cid | Required | The cluster ID from which the data log line originated. | string
sm.auth | | | string
sm.class | | The class (i.e., numeric precedence) of the message. | string
sm.ctladdr | | The "controlling user", that is, the name of the user whose credentials are used for delivery. | string
sm.daemon | | The daemon name from the DaemonPortOptions setting. | string
sm.delay | | The total message delay (the time difference between reception and final delivery or bounce). Format is delay=HH:MM:SS for a delay of less than one day and delay=days+HH:MM:SS otherwise. | string
sm.dsn | | The enhanced error code (RFC2034) if available. | string
sm.from | | The envelope sender address. | string
sm.mailer | | The name of the mailer used to deliver to this recipient. | string
sm.msgid | Required | The message id of the message (from the header). | string
sm.nrcpts | | The number of envelope recipients for this message (after aliasing and forwarding). | number
sm.pri | | The initial message priority (used for queue sorting). | string
sm.proto | | The protocol used to receive this message (e.g., ESMTP or UUCP). | string
sm.qid | Required | The corresponding sendmail queue ID for the log line. | string
sm.relay | | Shows which user or system sent / received the message; the format is one of relay=user(a)domain [IP], relay=user(a)localhost, or relay=fqdn host. | string
sm.sizeBytes | | The size of the incoming message in bytes during the DATA phase, including end-of-line characters. | number
sm.stat | | The delivery status of the message. For successful delivery, stat=Sent (text) is printed, where text is the actual text that the other host printed when it accepted the message, transmitted via SMTP. For local delivery, stat=Sent is printed. Other possibilities are stat=Deferred: reason, stat=queued, or stat=User unknown. | string
sm.tls.verify | | The tls_verify data is included in two log lines. When the data appears in the from= log line, it describes TLS results when the message was received by the Proofpoint Protection Server. When the data appears in the to= log line, it describes TLS results when the message was sent from the Proofpoint Protection Server. (Result values are listed after this table.) | object
sm.to | | Recipients to this mailer. | string array
sm.xdelay | | The total time the message took to be transmitted during final delivery. This differs from the delay= equate, in that the xdelay= equate only counts the time in the actual final delivery. | string
ts | Required | Timestamp of logging time in ISO8601 format. | string

Results for tls_verify from= lines:

    NONE - Client did not use STARTTLS or it was disabled.
    NOT - Client used STARTTLS; PPS was configured to not request a client certificate.
    NO - Client used STARTTLS and PPS requested a client certificate, but the client did not send one.
    FAIL - Client used STARTTLS, PPS requested a client certificate, and the client sent one, but certificate validation failed.
    OK - Client used STARTTLS, PPS requested a client certificate, the client sent one, and certificate validation succeeded.

Results for tls_verify to= lines:

    TEMP - Non-TLS temporary error occurred.
    PROTOCOL - Non-TLS protocol error occurred.
    SOFTWARE - TLS handshake error occurred.
    NONE - STARTTLS was not offered by the remote server or PPS was configured to not use it (with this server).
    NO - PPS used STARTTLS and managed to negotiate an anonymous cipher suite.
    FAIL - PPS used STARTTLS, but validation of the remote server certificate failed.
    OK - PPS used STARTTLS and validation of the remote server certificate succeeded.

Mail Schema
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "id": "https://www.proofpoint.com/v2/schemas/maillog.json",
  "properties": {
    "data": {
      "id": "/properties/data",
      "type": "string"
    },
    "id": {
      "id": "/properties/id",
      "type": "string"
    },
    "pps": {
      "id": "/properties/pps",
      "properties": {
        "agent": {
          "id": "/properties/pps/properties/agent",
          "type": "string"
        },
        "cid": {
          "id": "/properties/pps/properties/cid",
          "type": "string"
        }
      },
      "required": [
        "agent",
        "cid"
      ],
      "type": "object"
    },
    "sm": {
      "id": "/properties/sm",
      "properties": {
        "ctladdr": {
          "id": "/properties/sm/properties/ctladdr",
          "type": "string"
        },
        "delay": {
          "id": "/properties/sm/properties/delay",
          "type": "string"
        },
        "dsn": {
          "id": "/properties/sm/properties/dsn",
          "type": "string"
        },
        "mailer": {
          "id": "/properties/sm/properties/mailer",
          "type": "string"
        },
        "pri": {
          "id": "/properties/sm/properties/pri",
          "type": "integer"
        },
        "qid": {
          "id": "/properties/sm/properties/qid",
          "type": "string"
        },
        "stat": {
          "id": "/properties/sm/properties/stat",
          "type": "string"
        },
        "tls": {
          "id": "/properties/sm/properties/tls",
          "properties": {
            "verify": {
              "id": "/properties/sm/properties/tls/properties/verify",
              "type": "string"
            }
          },
          "required": [
            "verify"
          ],
          "type": "object"
        },
        "to": {
          "id": "/properties/sm/properties/to",
          "items": {
            "id": "/properties/sm/properties/to/items",
            "type": "string"
          },
          "type": "array"
        },
        "xdelay": {
          "id": "/properties/sm/properties/xdelay",
          "type": "string"
        }
      },
      "required": [
        "qid"
      ],
      "type": "object"
    },
    "ts": {
      "id": "/properties/ts",
      "type": "string"
    }
  },
  "required": [
    "pps",
    "data",
    "ts",
    "sm",
    "id"
  ],
  "type": "object"
}

Example
{
  "pps": {
    "agent": "example.proofpoint.com",
    "cid": "mmeng_uivm071"
  },
  "ts": "2017-08-17T14:54:12.949180-07:00",
  "data": "2017-08-17T14:54:12.949180-07:00 example sendmail[30641]: v7HLqYbx029423: to=/dev/null, ctladdr=<[email protected]> (8/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, tls_verify=NONE, pri=35342, dsn=2.0.0, stat=Sent",
  "sm": {
    "tls": { "verify": "NONE" },
    "stat": "Sent",
    "qid": "v7HLqYbx029423",
    "dsn": "2.0.0",
    "mailer": "*file*",
    "to": ["/dev/null"],
    "ctladdr": "<[email protected]> (8/0)",
    "delay": "00:00:00",
    "xdelay": "00:00:00",
    "pri": 35342
  },
  "id": "ZeYGULpZmL5N0151HN1OyA"
}
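
How the raw line in data relates to the parsed sm object, and how the direction-dependent tls_verify values from the Field Properties table can drive a check for deliveries that left PPS without a validated server certificate. This is an added Python example, not Proofpoint code; the function names, the state labels (cleartext, unverified, verified, error), the second sample record and the rule that mailers written as *name* are local are assumptions.

```python
import re

# "<timestamp> <host> <program>[pid]: <qid>: key=value, key=value, ..."
LINE = re.compile(r"^\S+ \S+ [^\s\[]+\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")

# tls_verify values grouped by what they say about the hop (Field Properties
# table); the from= and to= lists are different.
TLS_STATE = {
    "from": {"NONE": "cleartext", "NOT": "unverified", "NO": "unverified",
             "FAIL": "unverified", "OK": "verified"},
    "to": {"TEMP": "error", "PROTOCOL": "error", "SOFTWARE": "error",
           "NONE": "cleartext", "NO": "unverified", "FAIL": "unverified",
           "OK": "verified"},
}


def parse_data(data):
    """Split the raw maillog line into (qid, {equate: value})."""
    match = LINE.match(" ".join(data.split()))  # undo any line wrapping
    if not match:
        raise ValueError("not a sendmail log line")
    fields = {}
    # Split only on ", " that starts a new key=, so commas inside
    # "stat=Sent (text)" stay part of the value.
    for item in re.split(r", (?=[A-Za-z_]+=)", match["rest"]):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value
    return match["qid"], fields


def crosscheck(record):
    """Names of parsed sm fields that disagree with the raw line in data."""
    qid, raw = parse_data(record["data"])
    sm = record["sm"]
    pairs = {
        "qid": (qid, sm.get("qid")),
        "stat": (raw.get("stat"), sm.get("stat")),
        "dsn": (raw.get("dsn"), sm.get("dsn")),
        "mailer": (raw.get("mailer"), sm.get("mailer")),
        "tls.verify": (raw.get("tls_verify"), (sm.get("tls") or {}).get("verify")),
    }
    return sorted(name for name, (a, b) in pairs.items() if a != b)


def tls_state(record):
    """(line type, tls_verify value, state), or None without TLS data."""
    sm = record["sm"]
    verify = (sm.get("tls") or {}).get("verify")
    kind = "from" if "from" in sm else "to" if "to" in sm else None
    if verify is None or kind is None:
        return None
    return kind, verify, TLS_STATE[kind].get(verify, "unknown")


def unverified_deliveries(records):
    """to= lines that left PPS without a validated server certificate."""
    hits = []
    for rec in records:
        state = tls_state(rec)
        if state is None or state[0] != "to" or state[2] == "verified":
            continue
        # Assumption: mailers written as *name* (the page's example shows
        # *file*) deliver locally, so tls_verify=NONE there is expected.
        if rec["sm"].get("mailer", "").startswith("*"):
            continue
        hits.append((rec["sm"]["qid"], rec["sm"].get("to"), state[1], state[2]))
    return hits


# LOCAL follows the page's Example, with a constructed ctladdr because the
# address is masked in the source; RELAYED is fully constructed.
LOCAL = {
    "data": "2017-08-17T14:54:12.949180-07:00 example sendmail[30641]: "
            "v7HLqYbx029423: to=/dev/null, ctladdr=<user@example.com> (8/0), "
            "delay=00:00:00, xdelay=00:00:00, mailer=*file*, tls_verify=NONE, "
            "pri=35342, dsn=2.0.0, stat=Sent",
    "sm": {"tls": {"verify": "NONE"}, "stat": "Sent", "qid": "v7HLqYbx029423",
           "dsn": "2.0.0", "mailer": "*file*", "to": ["/dev/null"], "pri": 35342},
}
RELAYED = {
    "data": "2017-08-17T14:54:13.100000-07:00 example sendmail[30642]: "
            "v7HLqYbx029424: to=<rcpt@example.net>, delay=00:00:01, "
            "xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=35342, "
            "dsn=2.0.0, stat=Sent (ok, queued as 12345)",
    "sm": {"tls": {"verify": "FAIL"}, "stat": "Sent (ok, queued as 12345)",
           "qid": "v7HLqYbx029424", "dsn": "2.0.0", "mailer": "esmtp",
           "to": ["<rcpt@example.net>"], "pri": 35342},
}
```

unverified_deliveries([LOCAL, RELAYED]) reports only the relayed message; the same NONE or FAIL value on a from= line would describe the inbound hop instead, which is why tls_state keys on the line type first.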
