UPDATE This article was updated on October 14, 2021
Message tracking, or message tracing, as it is called in Office 365, is one of the most basic tools used by administrators to monitor the email flow. As emails travel through Office 365, some information about them gets stored in logs and is available for administrative purposes. No matter if users delete or purge messages, the administrator is able to view basic information about sent and received emails.
Message tracing does not allow you to peek into a message’s contents. Still, it can provide quite a lot of important data about emails:
- Sender and Recipient
- Send and receive dates
- Subject and size
- Status and details of events. There are seven possible values in the delivery status field: delivered, failed, pending, expanded, quarantined, filtered as spam and unknown.
- IP address used to send the message
- Message ID – a unique identifier of a message. If a message is sent to more than one recipient, it will appear once for every recipient in the message trace search, but all those entries will have the same Message ID and different Message Trace IDs.
There are a few significant differences between message tracking logs in on-prem Exchange and message tracing in Office 365. The most important one is that on-prem message tracking logs are simple text files you can access directly and copy for backup purposes, but also delete manually.
Differences between message tracking logs and Office 365 Message tracing
| | Message tracking logs (on-prem Exchange) | Message tracing (Exchange Online) |
|---|---|---|
| Access | PowerShell; alternatively, a text editor. | PowerShell, EAC. |
| Size limits | Configurable; by default 1000 MB for all message tracking log files in the set directory. | No known size limits. |
| Age limits | By default, 30 days before the oldest files are overwritten. Can be increased (or decreased). | 10 days for easily accessible message trace, 90 days for “Historical Search”, where results can only be viewed in a downloadable CSV file. |
| Availability | All data about messages is available as soon as they are sent or received. | Messages less than 4 hours old might not be available. |
| Delay | All searches start immediately. | Searching for emails older than ten days might take up to a few hours. It takes some time before the search request even starts to be processed. |
Practical application of message tracking
Message tracing makes it possible to learn what happened to certain messages, even if they are not delivered, or get deleted. There are quite a few different uses for this kind of information:
- Find and fix mail-delivery issues – the most basic and ‘traditional’ purpose of message tracing. Whenever a user or a client reports that some message seems to be missing, administrators can get to the bottom of the problem. Of course, finding the right message quickly depends on how much information the user provides. Finding a message that “someone was supposed to send me last week” might take a while, especially in larger organizations.
- Monitor mail flow – as message tracing collects data about all messages processed within the organization, the results can be used to gather statistics.
- Check if your mail flow rules work the way they should – it is not hard to make a mistake while configuring mail flow rules, especially in a large organization and when there are possible conflicts between different rules. As message tracing details provide detailed information about failures, you will be able to pinpoint which mail flow rule is at fault.
- Message forensics – although message tracking logs and message trace results do not let the administrator into the contents of an email, information about the sender, recipients, date, time, and size of the message can prove very valuable, for example, in case of litigation. If an important email is purged before a litigation hold or a retention policy is activated, logs can act as key evidence.
Permissions required to trace messages
Like any action in Office 365, message trace search requires certain permissions or roles:
- Security Admin
- Security Reader
- View-Only Recipients
- Compliance Admin
- Data Loss Prevention
By default, role group Organization Management has all of the required permissions.
Now, before going through how to do it, it might be useful to learn a bit of theory. Namely, the possible values of a delivery status. Or to put it more bluntly – what happened to the email.
Possible delivery statuses
There is a total of 7 values of the delivery status for a message:
- Delivered – the message reached the recipient. If a user cannot find a message with this status, it might have been deleted, or moved by an Outlook rule.
- Expanded – the email was sent to a distribution group. Then, Exchange Server creates separate copies to send them to each distribution group member.
- Failed – delivery failed. Message trace for such a message should include reasons for delivery failure.
- Pending – the message has not been delivered yet; Exchange Online is still attempting to deliver it.
- Quarantined – email never reached the mailbox, as it is held in quarantine.
- Filtered as spam – server filtered the message, which means it went to the Junk Email folder.
- Getting status – the delivery status is not known at the moment. It is best to retry the message trace in a few minutes.
There are two ways to track messages in Office 365 – PowerShell and EAC. Let’s have a look at them.
Office 365 message tracing using PowerShell
You can use PowerShell to search through message tracking logs on on-premises servers as well as to trace messages in Exchange Online. And although the experience is somewhat similar, there are some differences worth mentioning.
On-prem Exchange had only one cmdlet used for the sole purpose of getting to the data of interest: Get-MessageTrackingLog. In Office 365, the corresponding cmdlet is Get-MessageTrace. Both cmdlets are executed immediately, but while Get-MessageTrackingLog searches through all existing logs, its Exchange Online counterpart can go back only ten days. For older messages, there is another cmdlet which starts a “historical search” (more about that cmdlet later in the article).
Get-MessageTrace does not require any additional parameters; however, if you do not add any, it will return information about all messages processed by your tenant in the last 48 hours. Normally, that would provide you with too much data for diagnostic purposes. To find out what happened to a specific email, you will need to narrow your query down. For example:
Get-MessageTrace -RecipientAddress <user’s address> -StartDate 11/07/2017 -EndDate 11/14/2017
This cmdlet shows all mail flow directed to the user between the defined dates. If it does not give all the required details, change the format of the results and specify the properties you need, like FromIP or Size:
Get-MessageTrace -RecipientAddress <user’s address> -StartDate 11/07/2017 -EndDate 11/14/2017 | Format-List -Property Received,SenderAddress,Status,MessageTraceId
The list provides you with just enough information to find the right message.
To check what happened to the message, for example why the delivery failed, you will need the Get-MessageTraceDetail cmdlet. Instead of finding and copying the Message Trace ID from the results of the previous cmdlet, let’s just use it in a pipeline:
Get-MessageTrace -RecipientAddress <user’s address> -StartDate 11/07/2017 -EndDate 11/14/2017 -Status Failed | Get-MessageTraceDetail
In the resulting details, the delivery failed because of a mail flow rule. This is one of the reasons you should always take a second to name mail flow rules properly. A name like “Rule 1” probably will not tell you much, even if you were the one to set up the rule in the past.
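The trace-then-detail pipeline above, extended into a script that pages through the whole result set and counts the failure reasons so that the responsible mail flow rule stands out. This is an added example, not code from the original article; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), uses a placeholder recipient address, and assumes the failure reason appears in the Detail text of “Fail” or “Transport rule” events.

```powershell
# Added example: list failed deliveries for one recipient over the last 9 days
# and summarize why they failed. Assumes an Exchange Online session is open.
$recipient = 'user@example.com'              # placeholder address
$start     = (Get-Date).AddDays(-9)          # Get-MessageTrace covers only the last 10 days
$end       = Get-Date

# Get-MessageTrace returns results in pages (default 1000, max 5000 per page).
# Loop until a page comes back empty so that no message is silently dropped.
$failed = @()
$page   = 1
do {
    $batch = Get-MessageTrace -RecipientAddress $recipient `
                              -StartDate $start -EndDate $end `
                              -Status Failed -PageSize 5000 -Page $page
    $failed += @($batch)
    $page++
} while (@($batch).Count -gt 0)

if ($failed.Count -eq 0) {
    Write-Host "No failed deliveries for $recipient between $start and $end."
    return
}

# Pull the per-message events for every failed message in one pipeline.
$events = $failed | Get-MessageTraceDetail

# Assumption: the rejecting rule is named in the Detail text of the
# 'Fail' or 'Transport rule' event. Group by that text so a badly named
# rule such as "Rule 1" shows up at the top of the list immediately.
$events |
    Where-Object { $_.Event -in 'Fail', 'Transport rule' } |
    Group-Object -Property Detail |
    Sort-Object -Property Count -Descending |
    Select-Object Count, @{ Name = 'Reason'; Expression = { $_.Name } } |
    Format-Table -AutoSize -Wrap

# Keep the raw events as evidence for the ticket or incident record.
$events |
    Select-Object Date, MessageTraceId, Event, Action, Detail |
    Export-Csv -Path '.\failed-trace-details.csv' -NoTypeInformation
```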
Running a message trace for emails older than a week is not possible directly; it requires running a Historical Search. To begin the search, run Start-HistoricalSearch. The required parameters are: StartDate, EndDate, ReportTitle and ReportType (MessageTrace or MessageTraceDetail). Make sure you have also specified the -NotifyAddress parameter, to receive the report as soon as it is ready. If the -NotifyAddress parameter is not specified, the only way to access the report is via EAC. Also, it is important to narrow down the search to include only the data you need, as a historical search might take up to a few hours.
To check the status of any search started in the last ten days, use Get-HistoricalSearch.
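The historical search procedure from the two paragraphs above, as an added example that is not part of the original article: it queues a search for a recipient’s messages older than ten days, then polls Get-HistoricalSearch until the job is done. It assumes an Exchange Online session, placeholder addresses, and that the job’s Status, JobId and FileUrl properties are the ones reported by Get-HistoricalSearch.

```powershell
# Added example: start a Historical Search and wait for the report.
# Assumes an Exchange Online PowerShell session; addresses are placeholders.
$params = @{
    ReportTitle      = "Trace for user@example.com $(Get-Date -Format 'yyyyMMdd-HHmm')"
    ReportType       = 'MessageTraceDetail'    # 'MessageTrace' gives the summary only
    StartDate        = (Get-Date).AddDays(-60)
    EndDate          = (Get-Date).AddDays(-10)
    RecipientAddress = 'user@example.com'      # narrow the search; it can take hours
    NotifyAddress    = 'admin@example.com'     # without this, the report is EAC-only
}
$job = Start-HistoricalSearch @params
Write-Host "Historical search queued, JobId: $($job.JobId)"

# Searches wait in a queue before processing starts, so poll at a long interval.
# Assumed status values: NotStarted -> InProgress -> Done (or Failed / Cancelled).
do {
    Start-Sleep -Seconds 300
    $job = Get-HistoricalSearch -JobId $job.JobId
    Write-Host "$(Get-Date -Format 'HH:mm') status: $($job.Status)"
} while ($job.Status -notin 'Done', 'Failed', 'Cancelled')

if ($job.Status -eq 'Done') {
    # FileUrl is the same CSV report that EAC lists under Downloadable reports.
    Write-Host "Report ready: $($job.FileUrl)"
} else {
    Write-Warning "Search ended with status $($job.Status); full job record follows."
    $job | Format-List
}
```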
Message tracking in Office 365 using EAC
On-prem Exchange did not allow message tracking via the Exchange admin center. In Office 365, EAC enables message tracing and offers quite a comfortable experience. Although usually I prefer administrating Exchange Online with PowerShell, I must say that in this case, EAC seems to do its job very efficiently.
Note: It was also possible to perform a message trace in the Microsoft 365 Security and Compliance center. However, Microsoft announced that this method would be blocked after November 2021 (rescheduled from October 5, 2021).
To access Message trace, you can either use this link or go to Exchange admin center > Mail flow > Message trace.
Now, you can either click Start a trace to specify your search criteria from scratch or use one of the templates available below. Templates open the same New message trace window, but they have some fields predefined.
This window lets you define the criteria for the reports you want to generate. You can define the following criteria:
- Senders – defines senders the tool will incorporate in the reports. The field accepts wildcards, which allows you to easily limit results for a certain domain.
- Recipients – similar to the Senders field, it accepts wildcards.
- Time range – can be configured by using a slider or entering a custom time range.
Additionally, you can click Detailed search options to make your query even more granular:
- Delivery status – lets you search only for the emails which were, for example, successfully delivered or quarantined. For a list of all available statuses and what they mean, see the Possible delivery statuses section above.
- Message ID – lets you find a specific message. Message ID can be found in the email’s headers.
- Direction – lets you choose from Inbound, Outbound and All.
- Original client IP address.
Remember, tracing messages older than ten days is treated like a Historical Search, no matter if you use EAC or PowerShell. It means that you will have to wait for your reports either way. Generating the reports might take up to a few hours. If you trace messages from the past ten days, clicking Search will open a window with the results.
If you want to see details for a chosen email, click it, and a new window will open.
In this window, you can check what happened to the message. For example, you might see that the delivery failed because of a transport rule. You can then check which transport rule caused the problem and fix the issue.
Back in the main message trace window, you can go to the Downloadable reports tab to see a list of the historical searches and extended reports you have requested. If you have started a Historical Search using PowerShell and failed to specify the -NotifyAddress parameter, this is the only place to learn whether the message trace is finished and to download the CSV file with your report.
The downloaded report is in CSV format. Each row displays information about a single email. To make your report more readable, you can open it in Excel or another spreadsheet application.