diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
index c9071cb5799..a2475f41fb2 100644
--- a/packages/checkpoint/changelog.yml
+++ b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.41.3"
+ changes:
+ - description: Update KV split logic to take email headers into account.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15745
 - version: "1.41.2"
 changes:
 - description: Update update_count, connection_count, aggregated_log_count types from integer to long.
diff --git a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
index ebe3a4d4028..c6fa89a0d92 100644
--- a/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -32,7 +32,7 @@ processors:
 - kv:
 tag: "kv_syslog_structured_semicolon_colon"
 field: syslog5424_sd
- field_split: '(?<="); '
+ field_split: '(?