Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
Note: To perform a message trace, the administrator must be a member of the Organization Management, Compliance Management, or Help Desk role groups.
Message trace in the Security & Compliance Center improves upon message trace that was available in the Exchange admin center (EAC). You can use the information from message trace to efficiently answer user questions about what happened to their messages, troubleshoot mail flow issues, and validate policy changes.
Note: Only the first 50000 messages are displayed in the results. The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or Exchange Online Protection PowerShell returns all messages in the results.
From the Message trace page, you can start a new default trace by clicking the Start a trace button. This searches for all messages for all senders and recipients for the last two days. Or you can use one of the stored queries from the available query categories and either run them as-is or use them as starting points for your own queries:
Also on this page is a Downloadable reports section for the requests you’ve submitted, as well as the reports themselves when they are available for download.
The default values are All senders and All recipients, but you can use the following fields to filter the results:
Note: You can also type the email addresses of external senders and recipients. Wildcards are supported (for example, `*@contoso.com`), but you can’t use multiple wildcard entries in the same field at the same time.
You can paste a list of multiple senders or recipients separated by semicolons (`;`), spaces (`\s`), carriage returns (`\r`), or newlines (`\n`).
The default value is 2 days, but you can specify date/time ranges of up to 90 days. When you use date/time ranges, consider these issues:
You can leave the default value All selected, or you can select one of the following values to filter the results:
Note: The values Pending, Quarantined, and Filter as spam are only available for searches of less than 10 days. Also, there might be a 5- to 10-minute delay between the actual and reported delivery status.
This is the internet message ID (also known as the Client ID) that’s found in the Message-ID: header field in the message header. Users can give you this value to investigate specific messages.
This value is constant for the lifetime of the message. For messages created in Office 365 or Exchange, the value is in the format `<GUID@ServerFQDN>`, including the angle brackets (`< >`). For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`. Other messaging systems might use different syntax or values. This value is supposed to be unique, but not all email systems strictly follow this requirement. If the Message-ID: header field doesn’t exist or is blank for incoming messages from external sources, an arbitrary value is assigned.
When you use Message ID to filter the results, be sure to include the full string, including any angle brackets.
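The two input rules above (a pasted sender/recipient list split on semicolons, spaces, carriage returns or newlines with at most one wildcard entry per field, and a Message ID filter that must carry the full string including its angle brackets) are easy to get wrong when a help-desk ticket is copied into the trace form. The following is an added example, not code from the Microsoft documentation: a small pre-flight check that cleans a pasted list and rejects input the filter fields would not accept. The function names and the `user@domain` / `*@domain` address pattern are this example's own assumptions; the separator set, the wildcard limit and the angle-bracket rule come from the text above.

```python
"""Tidy sender/recipient lists and Message ID values before typing them into trace filters.

Added example, not from the Microsoft documentation. The separator set
(';', spaces, CR, LF), the one-wildcard-per-field limit and the rule that a
Message ID filter keeps its angle brackets are taken from the page; the
function names and the address pattern below are this example's own.
"""
from __future__ import annotations

import re

_SEPARATORS = re.compile(r"[;\s]+")               # \s already covers space, \r and \n
_ADDRESS = re.compile(r"(\*|[^@\s*]+)@[^@\s*]+")  # user@domain or *@domain (assumed shape)


def split_address_list(text: str) -> list[str]:
    """Split a pasted list, dropping empty pieces and case-insensitive duplicates."""
    seen: set[str] = set()
    out: list[str] = []
    for item in _SEPARATORS.split(text):
        item = item.strip().lower()
        if item and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def validate_address_filter(text: str) -> list[str]:
    """Return the cleaned list, or raise if the filter field would reject it."""
    addresses = split_address_list(text)
    wildcards = [a for a in addresses if "*" in a]
    if len(wildcards) > 1:
        raise ValueError(f"only one wildcard entry is allowed per field, got {wildcards}")
    bad = [a for a in addresses if not _ADDRESS.fullmatch(a)]
    if bad:
        raise ValueError(f"not an address or *@domain pattern: {bad}")
    return addresses


def check_message_id(value: str) -> str:
    """Return the Message ID as it must be typed: the full string, brackets included."""
    value = value.strip()
    if not (value.startswith("<") and value.endswith(">")):
        raise ValueError("include the full Message-ID string, angle brackets included")
    return value


if __name__ == "__main__":
    # Constructed sample input: two addresses separated by ';', one by CRLF, one wildcard.
    print(validate_address_filter("alice@contoso.com; bob@contoso.com\r\n*@fabrikam.com"))
    print(check_message_id(
        "<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>"))
```

The Message ID check deliberately refuses to add missing brackets rather than guessing: as the text notes, other mail systems may use a different syntax, so a value without brackets should be re-copied from the actual `Message-ID:` header instead of being patched up.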
You can leave the default value All selected, or you can select Inbound (messages sent to recipients in your organization) or Outbound (messages sent from users in your organization) to filter the results.
You can filter the results by client IP address to investigate hacked computers that are sending large amounts of spam or malware. Although the messages might appear to come from multiple senders, it’s likely that the same computer is generating all of the messages.
Note: The client IP address information is only available for 10 days, and is only available in the Enhanced summary or Extended reports (downloadable CSV files).
The available report types are:
Notes:
When you click Next, you’re presented with a summary page that lists the filtering options that you selected, a unique (editable) title for the report, and the email address that receives the notification when the message trace completes (also editable, and must be in one of your organization’s accepted domains). Click Prepare report to submit the message trace. On the main Message trace page, you can see the status of the report in the Downloadable reports section.
For more information about the information that’s returned in the different report types, see the next section.
The different report types return different levels of information. The information that’s available in the different reports is described in the following sections.
After running the message trace, the results will be listed, sorted by descending date/time (most recent first).
The summary report contains the following information:
By default, the first 250 results are loaded and readily available. When you scroll down, there’s a slight pause as the next batch of results is loaded. Instead of scrolling, you can click Load all to load all of the results, up to a maximum of 10,000.
You can click on the column headers to sort the results by the values in that column in ascending or descending order.
You can click Filter results to filter the results by one or more columns.
You can export the results after you’ve selected one or more rows by clicking Export results and then selecting Export all results, Export loaded results, or Export selected.
Related message records are records that share the same Message ID. Remember, even a single message sent between two people can generate multiple records. The number of records increases when the message is affected by distribution group expansion, forwarding, mail flow rules (also known as transport rules), etc.
After you select a row’s checkbox, you can find related records for the message by clicking the Find related button that appears, or by selecting More options > Find related records for this message.
For more information about the Message ID, see the Message ID section earlier in this topic.
In the summary report output, you can view details about a message by using either of the following methods:
The message trace details contain the following additional information that’s not present in the summary report:
For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`.

Available (completed) Enhanced summary reports are available in the Downloadable reports section at the beginning of message trace. The following information is available in the report:

For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`.

For example, `1341ac7b13fb42ab4d4408cf7f55890f`.

\* These properties are only available in Enhanced summary reports.
Available (completed) Extended reports are available in the Downloadable reports section at the beginning of message trace. Virtually all of the information from an Enhanced summary report is available in an Extended report (with the exception of origin_timestamp and delivery_priority). The following additional information is only available in an Extended report:
For example, `<>`.

`DELIVER` and `SEND` events. The origination date-time is the time when the message first entered the Exchange Online organization. The UTC date-time is represented in the ISO 8601 date-time format `yyyy-mm-ddThh:mm:ss.fffZ`, where `yyyy` = year, `mm` = month, `dd` = day, `T` indicates the beginning of the time component, `hh` = hour, `mm` = minute, `ss` = second, `fff` = fractions of a second, and `Z` signifies Zulu, which is another way to denote UTC.

`11a`

and the type of authentication that was used when the authentication error occurred.

`39238e87-b5ab-4ef6-a559-af54c6b07b42`

The custom_data field for an `AGENTINFO` event is used by a variety of Exchange Online agents to log message processing details. Some of the more interesting agents are described in the following sections.
A custom_data value that starts with `S:SFA` is from the spam filter agent. The key details are described in the following table:
Value | Description |
---|---|
`SFV=NSPM` | The message was marked as non-spam and was sent to the intended recipients. |
`SFV=SPM` | The message was marked as spam by the content filter. |
`SFV=BLK` | Filtering was skipped and the message was blocked because it originated from a blocked sender. |
`SFV=SKS` | The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a transport rule to automatically mark it as spam and bypass all additional filtering. |
`SCL=<number>` | For more information about the different SCL values and what they mean, see Spam confidence levels. |
`PCL=<number>` | The Phishing Confidence Level (PCL) value of the message. These can be interpreted the same way as the SCL values documented in Spam confidence levels. |
`DI=SB` | The sender of the message was blocked. |
`DI=SQ` | The message was quarantined. |
`DI=SD` | The message was deleted. |
`DI=SJ` | The message was sent to the recipient’s Junk Email folder. |
`DI=SN` | The message was routed through the higher risk delivery pool. For more information, see High-risk delivery pool for outbound messages. |
`DI=SO` | The message was routed through the normal outbound delivery pool. |
`SFS=[a]\|SFS=[b]` | This denotes that spam rules were matched. |
`IPV=CAL` | The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter. |
`H=<EHLOstring>` | The HELO or EHLO string of the connecting email server. |
`PTR=<ReverseDNS>` | The PTR record of the sending IP address, also known as the reverse DNS address. |
An example custom_data value for a message that’s filtered for spam looks like this:

```text
S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;
```
A custom_data value that starts with `S:AMA` is from the malware filter agent. The key details are described in the following table:
Value | Description |
---|---|
`AMA=SUM\|v=1\|` or `AMA=EV\|v=1` | The message was determined to contain malware. SUM indicates the malware could’ve been detected by any number of engines. EV indicates the malware was detected by a specific engine. When malware is detected by an engine this triggers the subsequent actions. |
`Action=r` | The message was replaced. |
`Action=p` | The message was bypassed. |
`Action=d` | The message was deferred. |
`Action=s` | The message was deleted. |
`Action=st` | The message was bypassed. |
`Action=sy` | The message was bypassed. |
`Action=ni` | The message was rejected. |
`Action=ne` | The message was rejected. |
`Action=b` | The message was blocked. |
`Name=<malware>` | The name of the malware that was detected. |
`File=<filename>` | The name of the file that contained the malware. |
An example custom_data value for a message that contains malware looks like this:

```text
S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201707282038|name=Test_File|file=filename
```
A custom_data value that starts with `S:TRA` is from the Transport Rule agent for mail flow rules (also known as transport rules). The key details are described in the following table:
Value | Description |
---|---|
`ETR\|ruleId=<guid>` | The rule ID that was matched. |
`St=<datetime>` | The date and time in UTC when the rule match occurred. |
`Action=<ActionDefinition>` | The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online. |
`Mode=<Mode>` | The mode of the rule. Valid values are: • Enforce: All actions on the rule will be enforced. • Test with Policy Tips: Any Policy Tip actions will be sent, but other enforcement actions will not be acted on. • Test without Policy Tips: Actions will be listed in a log file, but senders will not be notified in any way, and enforcement actions will not be acted on. |
An example custom_data value for a message that matches the conditions of a mail flow rule looks like this:

```text
S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce
```
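The three agent formats above (spam filter `S:SFA`, malware filter `S:AMA` and transport rule `S:TRA`) share one layout: segments separated by `;`, fields separated by `|`, `key=value` pairs, and keys that may repeat (`SFS`, `LAT`) or appear in mixed case (`Action=` in the table, `action=` in the samples). When triaging an Extended report CSV it is far quicker to decode that column mechanically than to read it by eye. The following is an added example, not code from the Microsoft documentation: a parser for the custom_data layout and a summariser that maps the codes to the meanings given in the three tables, run over the three sample values quoted on this page. The function names and the shape of the summary dictionary are this example's own assumptions.

```python
"""Decode the custom_data column of an Extended message trace report.

Added example, not code from the Microsoft documentation. The layout it
parses (';' between agent segments, '|' between fields, 'key=value' pairs,
repeated keys such as SFS and LAT) and the code meanings come from the SFA,
AMA and TRA tables on the page; function names and the summary layout are
this example's own.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Code meanings copied from the three tables on the page.
SFV_MEANING = {
    "NSPM": "marked as non-spam",
    "SPM": "marked as spam by the content filter",
    "BLK": "blocked, sender on a block list (filtering skipped)",
    "SKS": "marked as spam before content filtering (e.g. by a mail flow rule)",
}
DI_MEANING = {
    "SB": "sender blocked", "SQ": "quarantined", "SD": "deleted",
    "SJ": "delivered to Junk Email folder",
    "SN": "routed through the higher-risk delivery pool",
    "SO": "routed through the normal outbound delivery pool",
}
AMA_ACTION = {
    "r": "replaced", "p": "bypassed", "d": "deferred", "s": "deleted",
    "st": "bypassed", "sy": "bypassed", "ni": "rejected", "ne": "rejected",
    "b": "blocked",
}


def parse_custom_data(custom_data: str) -> list[dict]:
    """Split a custom_data value into one dict per agent segment.

    A segment looks like 'S:<AGENT>=<mode>|key=value|key=value'. Keys are
    lower-cased because the samples mix 'Action=' and 'action='; a key that
    repeats (SFS=..|SFS=..) keeps every value, in order.
    """
    segments = []
    for raw in custom_data.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # a trailing ';' leaves an empty piece behind
        if not raw.startswith("S:"):
            raise ValueError(f"unexpected custom_data segment: {raw!r}")
        head, *pairs = raw[2:].split("|")
        agent, _, mode = head.partition("=")
        fields: dict[str, list[str]] = defaultdict(list)
        for pair in pairs:
            key, _, value = pair.partition("=")
            fields[key.lower()].append(value)
        segments.append({"agent": agent.upper(), "mode": mode, "fields": dict(fields)})
    return segments


def _first(fields: dict, key: str) -> str | None:
    values = fields.get(key)
    return values[0] if values else None


def summarize(custom_data: str) -> dict:
    """Turn one custom_data value into a triage-friendly summary dict."""
    summary: dict = {"spam": None, "malware": None, "rules": []}
    for seg in parse_custom_data(custom_data):
        f = seg["fields"]
        if seg["agent"] == "SFA":
            sfv, di, scl = _first(f, "sfv"), _first(f, "di"), _first(f, "scl")
            summary["spam"] = {
                "verdict_code": sfv, "verdict": SFV_MEANING.get(sfv, "unknown"),
                "scl": int(scl) if scl else None,
                "disposition_code": di, "disposition": DI_MEANING.get(di, "unknown"),
                "rules_matched": f.get("sfs", []),          # every SFS= value
                "ip_allow_listed": _first(f, "ipv") == "CAL",
                "client_ip": _first(f, "cip"), "helo": _first(f, "h"),
            }
        elif seg["agent"] == "AMA":
            malware = summary["malware"] or {"action": None, "detections": []}
            if seg["mode"] == "SUM":
                action = _first(f, "action")
                malware["action"] = AMA_ACTION.get(action, f"unknown ({action})")
            elif seg["mode"] == "EV":  # one EV segment per engine that fired
                malware["detections"].append({k: _first(f, k) for k in ("engine", "name", "file")})
            summary["malware"] = malware
        elif seg["agent"] == "TRA":
            st = _first(f, "st")  # written like '7/17/2017 12:31:25 AM'; UTC per the table
            summary["rules"].append({
                "rule_id": _first(f, "ruleid"), "action": _first(f, "action"),
                "mode": _first(f, "mode"),
                "matched_at": datetime.strptime(st, "%m/%d/%Y %I:%M:%S %p") if st else None,
            })
    return summary


# Sample values copied from the three examples on the page.
SFA_EXAMPLE = ("S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1"
               "|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501"
               "|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;")
AMA_EXAMPLE = ("S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0"
               "|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201707282038"
               "|name=Test_File|file=filename")
TRA_EXAMPLE = ("S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM"
               "|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce")

if __name__ == "__main__":
    for sample in (SFA_EXAMPLE, AMA_EXAMPLE, TRA_EXAMPLE):
        print(summarize(sample))
```

Two details matter when this runs over a real report rather than the three samples: the `AMA` column is itself a list (one `SUM` segment plus one `EV` segment per engine), which is why the summariser accumulates detections instead of overwriting them, and repeated `SFS=` entries are the rule IDs that matched, so they are kept as a list rather than collapsed to the last value.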