Run a Message Trace and View Results
Applies to: Exchange Online Protection, Exchange Online
Topic Last Modified: 2013-04-16
As an administrator, you can run a message trace in the Exchange admin center (EAC). After running the message trace, you can view results in a list, and then view the details of a specific message.
- Estimated time to complete this task: 5-30 minutes
- You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Message trace” entry in the Feature Permissions in Exchange Online topic.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.
Tip: Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
- In the EAC, navigate to Mail flow > Message trace.
- Depending on what you are searching for, you can enter values in the following fields. None of these fields are required. You can also simply click Search to retrieve all message trace data over the default time period, which is the last 48 hours.
- Sender You can narrow the search to a specific sender or senders by clicking the Add users button next to the Sender field. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click Add. To add senders who aren’t on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@domainname). When you are done with your selections, click OK.
- Recipient You can narrow the search for specific recipients by clicking the Add users button next to the Recipient field. In the subsequent dialog box, select one or more recipients from your company from the user picker list and then click Add. To add recipients who aren’t on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@domainname). When you are done with your selections, click OK.
- Message was sent or received Using the drop-down list, select the interval during which the message was sent or received. Possible values are:
  - Last 24 hours The message trace searches for messages sent or received within the last 24 hours from when the request is run.
  - Last 48 hours The message trace searches for messages sent or received within the last 48 hours from when the request is run. This is the default value.
  - Last 7 days The message trace searches for messages sent or received within the last 7 days, starting at 12:00 am on the day the request is run.
  - Custom When you select this option, you are presented with a dialog box where you can change the time zone used and specify a custom interval (start date, end date, and time) during which to search for when the message was sent or received.
  Important: Data is retained by the service for 7 days.
- Delivery status Using the drop-down list, select the status of the message you want to view information about. Leave this field blank to cover all statuses. Other possible values are:
  - Delivered The message was successfully delivered to the intended destination.
  - Failed The message was not delivered. Either delivery was attempted and failed, or the message was not delivered as a result of actions taken by the filtering service (for example, if the message was determined to contain malware).
  - Pending Delivery of the message is being attempted or re-attempted.
  - Expanded The message was sent to a distribution list and was expanded so the members of the list can be viewed individually.
  - Unknown The message delivery status is unknown at this time. When the results of the query are listed, the delivery details fields will not contain any information.
- Message ID This is the Internet message ID (also known as the Client ID) found in the header of the message with the “Message-ID:” token. Users can provide you with this information in order to investigate specific messages.
The form of this ID varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.
This ID should be unique; however, it is dependent on the sending mail system for generation and not all sending mail systems behave the same way. As a result, there is a possibility that you may get results for multiple messages when querying upon a single Message ID.
Note: Be sure to include the full Message ID string. This may include angle brackets (<>).
- Click Search to run the message trace.
To search for a different message, you can click the Clear button and then re-specify your search criteria.
After running the message trace in the EAC, the results will be listed, sorted by date, with the most recent message appearing first. You can sort on any of the listed fields by clicking their headers. Clicking a column header a second time will reverse the sort order. When viewing message trace results, the following information is provided about each message:
- Date The date and time at which the message was received by the service, using the Coordinated Universal Time (UTC) time standard.
- Sender The email address of the sender in the form alias@domain.
- Recipient The email address of the recipient or recipients. For messages sent to more than one recipient, there is one line per recipient. If the recipient is a distribution list, the distribution list will be the first recipient, and then each member of the distribution list will be included on a separate line so that you can check the status for all recipients.
- Subject The subject line text of the message. If necessary, this is truncated to the first 256 characters.
- Status This field specifies whether the message was Delivered to the recipient, Failed to be delivered to the recipient (either because it failed to reach its destination or because it was filtered), is Pending delivery (it is either in the process of being delivered or the delivery was deferred but is being re-attempted), was Expanded (there was no delivery because the message was sent to a distribution list (DL) that was expanded to the recipients of the DL), or has a status of None (there is no status of delivery for the message to the recipient because the message was either rejected or redirected to a different recipient).
Note: The message trace results are displayed in a scrollable list that can display a maximum of 500 entries per page. You can scroll to additional pages if you have more than 500 entries.
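The result list has one line per recipient, and a single Message ID can match more than one message, so a lookup by Message ID needs grouping before it can be read. The following is an added example, not part of the original topic or of any Microsoft tooling; the row field names, the sample values and the use of date plus sender to tell messages apart are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows (assumed field names), one per recipient, mirroring
# the result columns described above plus the Message ID.
ROWS = [
    {"date": "2013-04-16 09:02", "sender": "billing@vendor.example",
     "recipient": "finance@contoso.example", "status": "Expanded",
     "message_id": "<a1@mx.vendor.example>"},
    {"date": "2013-04-16 09:02", "sender": "billing@vendor.example",
     "recipient": "alice@contoso.example", "status": "Delivered",
     "message_id": "<a1@mx.vendor.example>"},
    {"date": "2013-04-16 09:02", "sender": "billing@vendor.example",
     "recipient": "bob@contoso.example", "status": "Failed",
     "message_id": "<a1@mx.vendor.example>"},
    # A different message whose sending system reused the same Message ID.
    {"date": "2013-04-15 17:40", "sender": "noreply@other.example",
     "recipient": "dave@contoso.example", "status": "Delivered",
     "message_id": "<a1@mx.vendor.example>"},
    {"date": "2013-04-16 10:30", "sender": "hr@contoso.example",
     "recipient": "erin@partner.example", "status": "Pending",
     "message_id": "<c3@mail.contoso.example>"},
]

def triage(rows, message_id):
    """Group rows for one Message ID into distinct messages, oldest first."""
    messages = defaultdict(dict)
    for row in rows:
        if row["message_id"] != message_id:  # full string, angle brackets included
            continue
        # Assumption: rows of one message share the same received date and sender.
        messages[(row["date"], row["sender"])][row["recipient"]] = row["status"]
    report = []
    for (date, sender), recipients in sorted(messages.items()):
        by_status = defaultdict(list)
        for recipient, status in sorted(recipients.items()):
            by_status[status].append(recipient)
        report.append({
            "date": date, "sender": sender,
            "delivered": by_status["Delivered"],      # mailboxes that hold a copy
            "expanded_lists": by_status["Expanded"],  # DL rows, not deliveries
            "not_delivered": by_status["Failed"] + by_status["Pending"],
        })
    return report

def is_ambiguous(report):
    """True when one Message ID matched more than one distinct message."""
    return len(report) > 1

if __name__ == "__main__":
    for message in triage(ROWS, "<a1@mx.vendor.example>"):
        print(message)
```

When the report is ambiguous, confirm the sender and date with the person who supplied the Message ID before acting on the delivered list.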
After you review the list of items returned by running the message trace in the EAC, you can double-click an individual message to view the following additional details about the message:
- Message size The size of the message, including attachments, in kilobytes (KB), or, if the message size is greater than 999 KB, in megabytes (MB).
- Message ID This is the Internet message ID (also known as the Client ID) found in the header of the message with the “Message-ID:” token. The form of this varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.
This ID should be unique; however, it is dependent on the sending mail system for generation and not all sending mail systems behave the same way. As a result, there is a possibility that you may get results for multiple messages when querying upon a single Message ID.
This is given as output so that trace entries and the messages in question can be correlated.
- To IP The IP address or addresses to which the service attempted to deliver the message. If there are multiple recipients, these are displayed. For inbound messages sent to Exchange Online, this value is blank.
- From IP The IP address of the computer that sent the message. For outbound messages sent from Exchange Online, this value is blank.
In the events section, the following fields provide information about the events that occurred to the message as it passed through the messaging pipeline. It is recommended that you read these events from bottom to top.
- Date The date and time that the event occurred.
- Event This field briefly informs you of what happened, for example if the message was received by the service, if it was delivered or failed to be delivered to the intended recipient, and so on. The following are examples of events that may be listed:
  - RECEIVE The message was received by the service.
  - SEND The message was sent by the service.
  - FAIL The message failed to be delivered.
  - DELIVER The message was delivered to a mailbox.
  - EXPAND The message was sent to a distribution group that was expanded.
  - TRANSFER Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.
  - DEFER The message delivery was postponed and may be re-attempted later.
- Action This field shows the action that was performed if the message was filtered due to a malware or spam detection or a rule match. For example, it will let you know if the message was deleted or if it was sent to the quarantine.
- Detail This field provides detailed information that elaborates on what happened. For example, it may inform you which specific transport rule was matched, and what happened to the message as a result of that match. It can also inform you which specific malware was detected in which specific attachment, or why a message was detected as spam. If the message was successfully delivered, it can tell you the IP address to which it was delivered.
