Automate Email Analysis with the Blue Lantern API

Clicking through the UI to evaluate phishing reports gets old fast. If you've got a shared phishing inbox or a SOAR pipeline, you want each email scored automatically — Blue Lantern's API gives you that.

This post walks through the end-to-end flow: submit an .eml file, poll for completion, fetch the result.

Prerequisites

  • A Blue Lantern API key — request one from your account.
  • A scripting environment (we'll use curl here, but anything that speaks HTTP works).
  • Each email under 4.5 MB.

Submitting an email

Pass the .eml file to the /runs endpoint with the EMAILANALYZER tool:

curl --location 'https://api.bluelanternsecurity.io/runs' \
  --header 'Authorization: [API KEY]' \
  --form 'tool="EMAILANALYZER"' \
  --form 'checkCost="false"' \
  --form 'file=@"[PATH TO EML]"'

The response includes a jobId you'll use to track and retrieve the analysis.

Polling for completion

Use the jobId to check status against /runs/[JOB ID]. The job stays in a non-COMPLETE state until results are ready — typically a few seconds.

curl --location 'https://api.bluelanternsecurity.io/runs/[JOB ID]' \
  --header 'Authorization: [API KEY]'

Fetching the analysis

Once the run is COMPLETE, POST to /results with the job ID:

curl --location 'https://api.bluelanternsecurity.io/results' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: [API KEY]' \
  --data '{"jobId": "[JOB ID]"}'

What you get back

The result has two layers:

  • A pass/fail summary for 22 individual checks across the email's headers, body, links, sender domain, and attachments. Use these directly if you just want a downstream verdict.
  • A details object with the underlying evidence: SPF/DKIM/DMARC results, routing hops, lookalike domains, anchor-text mismatches, attachment metadata, and WHOIS-derived domain age.

The Checks_failed count is the simplest signal to alert on. The details object is what you give a SOC analyst when a verdict gets escalated.

A few things to know

  • Retention. Submitted emails are kept for at most one day. Reports are kept for at most one week.
  • Scope. Emails are processed for phishing-related signatures only.

That's it — drop the three calls into the script of your choice and you've replaced manual triage with an API.
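
The three calls above combined into one Python function, added here as an example; it is not Blue Lantern's own client code. It assumes the status response reports state in a "status" field, that Checks_failed is a top-level key of the result, and that 4.5 MB means decimal megabytes; the call and sleep parameters are hypothetical hooks for swapping out the transport.

```python
import json, time, uuid, urllib.request

BASE = "https://api.bluelanternsecurity.io"
MAX_BYTES = 4_500_000  # the page's 4.5 MB limit, read as decimal megabytes (assumption)

def http(method, path, key, body=None, ctype=None):
    """Default transport: one HTTPS request, JSON response decoded to a dict."""
    req = urllib.request.Request(BASE + path, data=body, method=method)
    req.add_header("Authorization", key)
    if ctype:
        req.add_header("Content-Type", ctype)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def multipart(fields, filename, blob):
    """Encode text fields plus one file part, the way curl --form does."""
    b = uuid.uuid4().hex
    out = [f'--{b}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
           for k, v in fields.items()]
    head = (f'--{b}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    out += [head.encode() + blob + b"\r\n", f"--{b}--\r\n".encode()]
    return b"".join(out), f"multipart/form-data; boundary={b}"

def analyze(eml, key, call=http, timeout=60, interval=2, sleep=time.sleep):
    """Submit raw .eml bytes, poll until COMPLETE, return the result dict."""
    if len(eml) > MAX_BYTES:
        raise ValueError("email exceeds the 4.5 MB limit; not submitted")
    body, ctype = multipart({"tool": "EMAILANALYZER", "checkCost": "false"},
                            "report.eml", eml)
    job_id = call("POST", "/runs", key, body, ctype)["jobId"]
    deadline = time.monotonic() + timeout
    # ASSUMPTION: the job state is returned in a "status" field.
    while call("GET", f"/runs/{job_id}", key).get("status") != "COMPLETE":
        if time.monotonic() >= deadline:
            raise TimeoutError(f"job {job_id} not COMPLETE after {timeout}s")
        sleep(interval)
    payload = json.dumps({"jobId": job_id}).encode()
    return call("POST", "/results", key, payload, "application/json")

def needs_escalation(result, threshold=1):
    """True when enough checks failed, or when the count is missing (fail closed)."""
    # ASSUMPTION: Checks_failed sits at the top level of the result object.
    failed = result.get("Checks_failed")
    return failed is None or int(failed) >= threshold
```

Read the API key from an environment variable or secret store rather than hard-coding it. A ValueError or TimeoutError should route the email to manual review instead of being treated as a clean verdict.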