Understanding Journal Reports

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic describes the structure of journal reports in Microsoft Exchange Server 2007 and how to interpret the information in these reports.

What is a Journal Report?

A journal report is the message that Microsoft Exchange generates when a message matches a journal rule and is to be submitted to the journaling mailbox. The original message that matches the journal rule is included unaltered as an attachment to the journal report. This type of journal report is called an envelope journal report.

Note

Exchange 2007 supports envelope journaling only.

The information that is contained in the journal report is organized so that every value in each header field has its own line in the journal report. This enables you to easily parse the reports manually or by using an automated process, depending on your requirements.

When the Journaling agent journals a message, the Journaling agent tries to capture as much detail as possible about the original message. This information is very important in determining the intent of the message, its recipients, and its senders. For example, whether a recipient is addressed directly in the To field or the Cc field, or is included as part of a distribution list, may determine how the recipient is involved in the discussion in the message.

Depending on the situation, Exchange 2007 may generate more than one journal report for a single message. Whether a single message generates one journal report or multiple journal reports depends on several factors, such as bifurcation or whether there are distribution groups that have been expanded.

Journal reports can contain very sensitive information and must be protected so that they can't be viewed by unauthorized individuals. For more information about how you can protect journal reports, see Protecting Journal Reports.


Journal Report Fields

The following sections describe each field that is contained within journal reports that are generated by Exchange 2007. These fields are separated into the basic fields and the extended fields that are shown in the following table.

Basic and extended journal report fields

Basic journal report fields | Extended journal report fields
Sender | To
Subject | Cc
Message-ID | Bcc
Recipient | On-Behalf-Of

Whether extended journal report fields are populated depends on the following circumstances:

  • MAPI submission to a Hub Transport server   Recipient addressing can be determined when a message is submitted to a Hub Transport server that uses MAPI from a client such as Microsoft Office Outlook 2007 or Outlook on a mobile device.

  • Authenticated SMTP submission to a Hub Transport server   Recipient addressing can also be determined when a message is submitted to a Hub Transport server by using authenticated Simple Mail Transfer Protocol (SMTP). The sender must not have Send-As-Anyone permissions as this indicates that the sender was a server.

If recipient addressing can be determined for a particular recipient, the recipient e-mail address is inserted into the appropriate extended To, Cc, or Bcc field, which are described in the "Extended journal report fields" table later in this topic. The recipient e-mail address is not inserted into the basic Recipient field, which is described in the "Basic journal report fields" table later in this topic.

If a message is submitted to a Hub Transport server by using any other method, such as anonymous submission from an Edge Transport server or submission from a server that is running Exchange Server 2003, Exchange cannot verify that the recipient addressing has not been tampered with. If recipient addressing cannot be verified, the recipient e-mail address is inserted in the basic Recipient field and not into an extended To, Cc, or Bcc field.

For each recipient addressed on a message, one recipient journal report field is added. No recipient field contains more than one recipient e-mail address, except as follows:

  • Recipient fields that contain recipients that have been expanded from a distribution group

  • Recipient fields that contain recipients that have received a message forwarded from another mailbox

For expanded or forwarded messages, the e-mail address of the recipient that received final delivery of the message and the e-mail address of the distribution group or mailbox that was originally addressed are included.

Basic Journal Report Fields

Basic fields in Exchange 2007 journal reports include the sender, subject, and Message-ID of the original message. All journal reports include this information if it is present in the original message.

The fourth basic field is the Recipient field. Exchange 2007 only classifies information that it knows is correct. If Exchange can't determine whether a recipient was included in the To, Cc, or Bcc recipient fields, the recipient is put into the Recipient field in the journal report.

The following table lists the basic fields that are included in the body of journal reports.

Basic journal report fields

Field name | Description
Sender | The Sender field displays the SMTP address of the sender of the e-mail message that is specified in the message's From header field or, if the message is sent on behalf of another mailbox, the Sender header field.
Subject | The Subject field displays the MIME subject header value.
Message-ID | The Message-ID field displays the internal Exchange Message-ID. This matches the same Message-ID that is found in the message tracking log files.
Recipient | The Recipient field displays the SMTP address of a recipient that is included on an e-mail message if Exchange cannot determine the recipient addressing of that message. This includes messages that originated from legacy Exchange servers and messages from the Internet.

Extended Journal Report Fields

Extended fields in Exchange 2007 journal reports provide a more detailed level of recipient detail when that detail is available. The To, Cc, and Bcc fields in the journal report let you view how recipients are addressed in the original message.

The On-Behalf-Of field is populated if the SMTP headers of a message contain both the From: and Sender: header fields, regardless of whether the message was submitted directly to a Hub Transport server. The SMTP address contained in the From: header field is the value that is populated in the On-Behalf-Of field.

The following table lists the extended fields that may be included in the body of journal reports.

Extended journal report fields

Field name | Description
On-Behalf-Of | The On-Behalf-Of field displays the SMTP address of the mailbox from which the message appears if the Send On Behalf Of feature is specified by the sender.
To | The To field displays the SMTP address of a recipient that is included in the message envelope and in the To header field of the message. The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the To field may also contain one Expanded field or one Forwarded field, separated with commas. For more information about these fields, see the Expanded and Forwarded entries later in this table.
Cc | The Cc field displays the SMTP address of a recipient that is included in the message envelope and in the Cc header field of the message. The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the Cc field may also contain one Expanded field or one Forwarded field, separated with commas. These fields are discussed later in this table.
Bcc | The Bcc field displays the SMTP address of a recipient that is included in the message envelope and in the Bcc header field of the message. The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the Bcc field may also contain one Expanded field or one Forwarded field, separated with commas. These fields are discussed later in this topic.

Expanded and Forwarded Fields

The Expanded and Forwarded fields are included as sub-fields on Recipient, To, Cc, or Bcc fields when that recipient has either been expanded from a distribution group or has had the message forwarded from another mailbox. The following table describes the Expanded and Forwarded extended fields.

Expanded and Forwarded fields

Field | Description
Expanded | The Expanded field is displayed as a sub-field of the To, Cc, and Bcc fields that are described earlier in this table. The Expanded field is preceded by a comma. The SMTP address that is displayed in the Expanded field is the address of the distribution list that contains either the recipient that is specified in the To, Cc, or Bcc field or the nested distribution lists that contain the specified recipient. The address that is displayed in this field is always the first distribution list to be expanded, regardless of how many nested distribution lists may be between the original parent distribution list and the expanded final recipient that is specified in the To, Cc, or Bcc field.
Forwarded | The Forwarded field is displayed as a sub-field of the To, Cc, and Bcc fields that are described earlier in this table. The Forwarded field is preceded by a comma. Usually, the Forwarded field displays the e-mail address of a mailbox that is configured to forward e-mail messages to the account that is specified in the To, Cc, or Bcc field. However, you can configure a chain of forwarding mailboxes so that each mailbox forwards to the next one. If a chain of forwarding mailboxes is configured, the first forwarding mailbox is displayed in this field, and the SMTP address of the final, non-forwarding mailbox in the chain is displayed in the To, Cc, or Bcc field.

Journal Report Headers

In Exchange 2003, the journaling of messages and the identification of journal reports are controlled by using the X-EXCH50 binary large object (BLOB). In Exchange 2007, the X-EXCH50 BLOB is deprecated and replaced with SMTP headers to which header firewall is applied. These SMTP headers can be accessed only by the Exchange 2007 transport components. They are removed from messages before delivery to mailboxes or delivery outside the Exchange 2007 organization. The X-MS-Exchange-Organization-Journal-Report SMTP header identifies an Exchange 2007 journal report. The X-MS-Exchange-Organization-Processed-By-Journaling SMTP header identifies messages that have been processed by the Exchange 2007 Journaling agent.

If the X-MS-Exchange-Organization-Journal-Report SMTP header is included on a message, Exchange 2007 knows the message is a journal report and allows the message to act as a system message and bypass message size and mailbox recipient restrictions. If the X-MS-Exchange-Organization-Processed-By-Journaling SMTP header is included on a message, Exchange 2007 recognizes that the message has already been processed by the Journaling agent on a previous Hub Transport server and does not re-journal the message.

Note

Because the X-MS-Exchange-Organization-Journal-Report SMTP header is removed by the header firewall when the journal report is delivered to a journal mailbox, the X-MS-Journal-Report SMTP header is added to the journal report. The X-MS-Journal-Report SMTP header lets you differentiate a journal report from a regular message but is not used by any Exchange 2007 transport components.

The X-MS-Exchange-Organization-Journal-Report SMTP header, X-MS-Exchange-Organization-Processed-By-Journaling SMTP header, and X-MS-Journal-Report SMTP header do not contain values. The existence of these SMTP headers on a message as described above determines whether the message is a journal report or has been processed by journaling.


Examples of Journal Reports

The first figure in this section shows an example of a journal report that was generated when a message was sent from an Exchange 2007 mailbox to a Hub Transport server. The recipients of the original message were addressed as follows:

  • The To field contains the Sales Group distribution group. The following are the four members of the Sales Group distribution group: Brian Smith, David Simpson, Maria Cameron, and Ray Chow.

  • The Cc field contains the recipient Christine Hughes. The mailbox for Christine Hughes is configured to automatically forward messages to the mailbox for Katie Jordan.

  • The Bcc field contains the recipient Blaine Dockter.

In Exchange 2000, three journal reports were created when the original message was sent. The journal report shown in the following figure lists only the recipients expanded from the Sales Group distribution group.

Figure: Journal report that displays extended recipient fields (image not available; it shows a journal report with extended To recipients)

Note

In Exchange 2007 SP1, only a single journal report is generated.

In Exchange 2007, two additional journal reports were generated from the previous example message. The journal reports for the Cc and Bcc recipients are identical to the preceding figure, except instead of the To journal report fields, the following fields are present in each journal report respectively:

  • Cc: katie@adatum.com, Forwarded: christine@adatum.com

  • Bcc: blaine@adatum.com

The following figure shows an example of a journal report that was generated when a message that originated from the Internet was processed by a Hub Transport server. The recipients in this message were addressed the same as the recipients in the previous example. However, in the journal report in this figure, the recipients are put in the Recipient field because the original message was sent from the Internet. Because the message originated from the Internet, Exchange cannot verify that the recipient addressing has not been tampered with. As with the first example, three journal reports were created for the single message. The following figure shows only the recipients that were expanded from the Sales Group distribution list.

Figure: Journal report that displays basic recipient fields (image not available; it shows a journal report with basic Recipient fields)

Note

In Exchange 2007 SP1, only a single journal report is generated.

In Exchange 2007, two additional journal reports were generated from the second example message. The journal reports for the Cc and Bcc recipients are identical to the "Journal report that displays basic recipient fields" figure, except each journal report contains the remaining recipients addressed in the second example message:

  • Recipient: katie@adatum.com, Forwarded: christine@adatum.com

  • Recipient: blaine@adatum.com
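The field layout and the X-MS-Journal-Report header described in this topic can be read by an automated process as in the following added example, which is not Microsoft's code. It assumes the report body is the first text/plain part of the delivered message; the sample is constructed, and sender@adatum.com, brian@adatum.com, and salesgroup@adatum.com are made-up addresses.

```python
import email
import re

SCALAR_FIELDS = {"Sender", "Subject", "Message-ID", "On-Behalf-Of"}
RECIPIENT_FIELDS = {"To", "Cc", "Bcc", "Recipient"}
# Sub-field appended to a recipient line: ", Expanded: addr" or ", Forwarded: addr"
SUBFIELD = re.compile(r",\s*(Expanded|Forwarded):\s*(\S+)\s*$")

def parse_journal_report(raw):
    """Parse a delivered journal report; return None if it is not marked as one."""
    msg = email.message_from_string(raw)
    if "X-MS-Journal-Report" not in msg:  # header has no value; presence is the signal
        return None
    # Assumption: the first text/plain part is the report body.
    body = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    if body is None:
        return None
    text = body.get_payload(decode=True).decode("utf-8", "replace")
    report = {"recipients": []}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if sep and name in SCALAR_FIELDS:
            report[name] = value  # kept whole: a Subject may contain ", Expanded:" text
        elif sep and name in RECIPIENT_FIELDS:
            # Recipient means Exchange could not verify how the address was specified.
            entry = {"field": name, "address": value, "via": None,
                     "via_address": None, "addressing_verified": name != "Recipient"}
            m = SUBFIELD.search(value)
            if m:
                entry["address"] = value[:m.start()].strip()
                entry["via"], entry["via_address"] = m.group(1), m.group(2)
            report["recipients"].append(entry)
    return report

# Constructed sample (not a captured report); original-message attachment omitted.
SAMPLE = (
    "X-MS-Journal-Report:\n"
    "\n"
    "Sender: sender@adatum.com\n"
    "Subject: Budget, Expanded: draft\n"
    "Message-ID: <constructed-0001@adatum.com>\n"
    "To: brian@adatum.com, Expanded: salesgroup@adatum.com\n"
    "Cc: katie@adatum.com, Forwarded: christine@adatum.com\n"
    "Bcc: blaine@adatum.com\n"
    "Recipient: katie@adatum.com, Forwarded: christine@adatum.com\n"
)
if __name__ == "__main__":
    print(parse_journal_report(SAMPLE))
```

Entries with addressing_verified set to False came from the basic Recipient field, so downstream review should not treat them as confirmed To, Cc, or Bcc addressing.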