Message trace in the modern EAC in Exchange Online (2024)

Message trace in the modern Exchange admin center (EAC) follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. Message trace also shows what actions were taken on the message before it reached its final status.

Message trace in the modern EAC improves upon the original message trace that was available in the classic EAC. You can use the information from message trace to efficiently answer user questions about what happened to messages, to troubleshoot mail flow issues, and to validate policy changes.

What do you need to know before you begin?

  • To run a message trace, you need to be a member of one of the following role groups:

    • Global Administrator
    • Exchange Administrator

    For more information, see Manage role groups in Exchange Online and Permissions in Exchange Online.

  • The maximum number of messages that are displayed in the results depends on the report type you selected (for more information, see the Choose report type section). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.

Open message trace

You can open message trace in any of the following ways:

  1. Launch the URL https://admin.exchange.microsoft.com, and select Mail flow > Message trace.
  2. Launch the URL https://admin.exchange.microsoft.com/#/messagetrace.

Message trace page

From the Message trace page, you can start a new default trace by clicking Start a trace. This option triggers a search for all messages for all senders and recipients for the last 2 days. Or, you can use one of the stored queries from the available query categories and either run them as-is or use them as starting points for your own queries:

  • Default queries: Built-in queries provided by Microsoft 365.

  • Custom queries: Queries saved by administrators in your organization for future use.

  • Autosaved queries: The last 10 most recently run queries. This list makes it simple to pick up from where you left off.

Also on this page is a Downloadable reports section, for the requests you've submitted and for the reports themselves when they're available for download.

Options for a new message trace

Filter by senders and recipients

The default values are All for Senders and All for Recipients, but you can filter the results for these fields:

  • Senders: Click in this box and start typing to enter or select one or more senders from your organization.

  • Recipients: Click in this box and start typing to enter or select one or more recipients in your organization.

Note

  • You can also type the email addresses of external senders and recipients. Wildcards are supported (for example, *@contoso.com), but you can't use multiple wildcard entries in the same field at the same time.

  • You can paste multiple senders' or recipients' lists separated by semicolons (;), spaces (\s), carriage returns (\r), or next lines (\n).

Time range

The default value is 2 days, but you can specify date/time ranges of up to 90 days. When you use date/time ranges, consider the following issues:

  • By default, you select the time range in Slider view using a timeline.

    But, you can also switch to Custom time range view where you can specify the Start date and End date values (including times), and you can also select the Time zone for the date/time range. The Time zone setting applies both to your query inputs and to your query results.

    For 10 days or less, the results are available instantly as a Summary report. If you specify a time range that's even slightly greater than 10 days, the results are delayed as they're only available as a downloadable CSV file (Enhanced summary or Extended reports).

    For more information about the different report types, see Choose report type.

Note

  • Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available for download. Depending on how many other administrators have also submitted report requests around the same time, you might also notice a delay before processing starts for your queued request.

  • Saving a query in Slider view saves the relative time range (for example, 3 days from today). Saving a query in Custom view saves the absolute date/time range (for example, 2018-05-06 13:00 to 2018-05-08 18:00).

Detailed search options

When you expand Detailed search options, the following options are available:

  • Delivery status
  • Message ID
  • Network Message ID
  • Direction
  • Original client IP address

Delivery status

You can leave the default value All selected, or you can select one of the following values to filter the results:

  • Delivered: The message was successfully delivered to the intended destination.

  • Expanded: A distribution group recipient was expanded before delivery to the individual members of the group.

  • Failed: The message wasn't delivered.

  • Pending: Delivery of the message is being attempted or reattempted.

  • Quarantined: The message was quarantined (as spam, bulk mail, or phishing). For more information, see Quarantined email messages in EOP.

  • Filtered as spam: The message was identified as spam, and was rejected or blocked (not quarantined).

  • Getting status: The message was recently received by Microsoft 365, but no other status data is yet available. You can check again within a few minutes.

Note

The values Pending, Quarantined, and Filtered as spam are only available for searches less than 10 days. Also, there might be a 5-to-10-minute delay between the actual and reported delivery status.

Message ID

Message ID is the internet message ID (also known as the Client ID) that's found in the Message-ID header field in the message header. Users can give you this value to investigate specific messages.

This value is constant for the lifetime of the message. For messages created in Microsoft 365 or Exchange, the Message ID value is in the format <GUID@ServerFQDN>, including the angled brackets (< >), for example, <d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>. Other messaging systems might use different syntaxes or values. This value is supposed to be unique, but not all email systems strictly follow this requirement. If the Message-ID: header field doesn't exist or is blank for incoming messages from external sources, an arbitrary value is assigned.

When you use Message ID to filter the results, ensure that you include the full string, including any angled brackets.

Network Message ID

Network Message ID is a unique message ID value that persists across copies of the message that may be created due to bifurcation, and across the message transport process. It's dynamic in that its value differs even for a copy of a specific instance of the message; each copied version of the instance therefore has a different Network Message ID value.

The differences between Network Message ID and Message ID are described in the following table:

Network Message ID                                                                         Message ID
ID of an email message's specific instance                                                 ID of the email message
Unique and persists across copies of the message that may be created due to bifurcation    Constant for the lifetime of the message

For more information about Network Message ID, see:

  • Message tracking logs in Exchange Servers
  • Enhanced message trace reports in Exchange Online
  • Message headers from Outlook

To trace the Network Message ID value and to use it to trace specific messages in Exchange Online, use the following message headers:

  • X-MS-Exchange-Organization-Network-Message-Id, or

  • X-MS-Exchange-CrossTenant-Network-Message-Id

These message headers enable you to trace the Network Message ID value. You can use this value to further retrieve specific messages, for example, messages with the traced Network Message ID value that were sent by a specific sender, addressed to a specific recipient, or sent during a specific time period.

You can also use the following command to trace the Network Message ID value:

Get-MessageTrace -MessageTraceId 2bbad36aa4674c7ba82f4b307fff549f -SenderAddress john@contoso.com -StartDate 06/13/2022 -EndDate 06/15/2022 | Get-MessageTraceDetail

Note

-MessageTraceId is a parameter that's an alternative (and, effectively, similar) to Network Message ID.

This command enables you to identify:

  • The Network Message ID value
  • The specific messages retrieved with the help of the Network Message ID value

For example, in this command, the value of Message Trace ID is 2bbad36aa4674c7ba82f4b307fff549f, which is effectively the Network Message ID value. The Get-MessageTrace cmdlet uses this value to retrieve the trace information for messages that have this value and that have been sent by john@contoso.com between June 13, 2022, and June 15, 2022.

The Get-MessageTrace cmdlet then pipes the retrieved trace information to the Get-MessageTraceDetail cmdlet.

Direction

You can leave the default value All selected, or you can select Inbound (messages sent to recipients in your organization) or Outbound (messages sent from users in your organization) to filter the results.

Original client IP address

You can filter the results by using the "client IP address" criteria to investigate hacked computers that are sending large amounts of spam or malware. Although the messages might appear to come from multiple senders, it's likely that the same computer is generating all of the messages.

Note

The client IP address information is only available for 10 days and in the Enhanced summary or Extended reports (downloadable CSV files).

Choose report type

The available report types are:

  • Summary: Available if the time range is less than 10 days, and requires no other filtering options. The results are available almost immediately after you click Search. The report returns up to 20,000 results.

  • Enhanced summary or Extended: These reports are only available as downloadable CSV files, and require one or more of the following filtering options regardless of the time range:

    • Senders
    • Recipients
    • Message ID

    You can use wildcards for the senders or the recipients (for example, *@contoso.com). The Enhanced summary report returns up to 100,000 results. The Extended report returns up to 1,000 results.

Note

  • Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available to download. Depending on how many other administrators have also submitted report requests around the same time, you might also notice a delay before your queued request starts to be processed.

  • While you can select an Enhanced summary or Extended report for any date/time range, commonly the last 24 hours of archived data will not yet be available for these two types of reports.

  • The maximum size for a downloadable report is 800 MB. If a downloadable report exceeds 800 MB, you can't open the report in Excel or Notepad.

When you click Next, you're presented with a summary page that lists the filtering options that you selected, a unique (editable) title for the report, and the email address that receives the notification when the message trace completes (also editable, and must be in one of the accepted domains of your organization). Click Prepare report to submit the message trace. On the main Message trace page, you can see the status of the report in the Downloadable reports section.

For more information about the data that's returned in the different report types, see Message trace results.

Message trace results

The different report types return different levels of information. The information that's available in the different reports is described in the following sections:

  • Summary report output
  • Enhanced summary reports
  • Extended reports

Summary report output

After the message trace is executed, the results will be listed, sorted by descending date/time (most recent displayed first).

The summary report contains the following information:

  • Date: The date and time at which the message was received by the service, using the configured UTC time zone.

  • Sender: The email address of the sender (alias@domain).

  • Recipient: The email address of the recipient(s). For a message sent to multiple recipients, there's one line per recipient. If the recipient is a distribution group, dynamic distribution group, or mail-enabled security group, the group is the first recipient, and then each member of the group is on a separate line.

  • Subject: The first 256 characters of the message's Subject: field.

  • Status: These values are described in the Delivery status section.

By default, the first 250 results are loaded and readily available. When you scroll down, there's a slight pause as the next batch of results is loaded, up to a maximum of 10,000.

You can click on the column headers to sort the results by the values in that column in ascending or descending order.

You can click Search to filter the results.

You can export the results after you've selected one or more rows by clicking Export results.

Find related records for this message

Related message records are records that share the same Message ID. Remember, even a single message sent between two people can generate multiple records. The number of records increases when the message is affected by distribution group expansion, forwarding, mail flow rules (also known as transport rules), and so on.

After you select a row's check box, the Find related button appears. You can click this button to find the related records for the message.

For more information about the Message ID, see Message ID.

Message trace details

In the summary report output, you can view details about a message by selecting the row (click anywhere in the row but don't check the check box).

The message trace details contain the following additional information that's not present in the summary report:

  • Message events: After you expand this section, you can see classifications that help categorize the actions that the service takes on messages. Some of the more interesting events that you might encounter are:

    • Receive: The message was received by the service.
    • Send: The message was sent by the service.
    • Fail: The message failed to be delivered.
    • Deliver: The message was delivered to a mailbox.
    • Expand: The message was sent to a distribution group that was expanded.
    • Transfer: Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.
    • Defer: The message delivery was postponed and might be reattempted later.
    • Resolved: The message was redirected to a new recipient address based on an Active Directory lookup. When this event happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.
    • DLP rule: The message had a DLP rule match.
    • Sensitivity label: A server-side labeling event occurred. For example, a label was automatically added to a message that includes an action to encrypt or was added via the web or mobile client. This action is completed by the Exchange server and is logged. A label added via Outlook won't be included in the event field.

    Notes:

    • An uneventful message that's successfully delivered will generate multiple Event entries in the message trace.

    • This list isn't meant to be exhaustive. For descriptions of more events, see Event types in the message tracking log. This link is an Exchange Server (on-premises Exchange) topic.

  • More information: After you expand this section, you can view the following details:

    • Message ID: This value is described in Message ID. An example of a Message ID value is <d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>.

    • Message size: The size of the sent message, including attachments/pictures/text.

    • From IP: The IP address of the computer that sent the message. For outbound messages sent from Exchange Online, this value is blank.

    • To IP: The IP address(es) to which the service attempted to deliver the message. If the message has multiple recipients, these addresses are displayed. For inbound messages sent to Exchange Online, this value is blank.

Enhanced summary reports

A generated report of the type Enhanced summary is available in the Downloadable reports section on the main Message trace page.

Note

The term "generated" means a report that is ready to be downloaded. A generated report is marked by the status Completed.

Under the Downloadable reports tab, you can also view details of Enhanced summary reports which are yet to be generated. These reports are marked with Not started or In progress status.

The following information is available in a downloadable Enhanced summary report:

  • origin_timestamp*: The date and time when the message was initially received by the service, using the configured UTC time zone.

  • sender_address: The sender's email address (alias@domain).

  • Recipient_status: The status of the delivery of the message to the recipient. If the message was sent to multiple recipients, it shows all the recipients and the corresponding status for each, in the format: <email address>##<status>. Examples of the recipient statuses are:

    • ##Receive, Send means the message was received by the service and was sent to the intended destination.

    • ##Receive, Fail means the message was received by the service but delivery to the intended destination failed.

    • ##Receive, Deliver means the message was received by the service and was delivered to the recipient's mailbox.

  • message_subject: The first 256 characters of the message's Subject field.

  • total_bytes: The size of the message in bytes, including attachments.

  • message_id: This value is described in Message ID. An example of a message_id value is <d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>.

  • network_message_id: A unique message ID value that persists across all copies of the message that might be created due to bifurcation or distribution group expansion. An example of network_message_id value is 1341ac7b13fb42ab4d4408cf7f55890f.

  • original_client_ip: The IP address of the sender's SMTP server.

  • directionality: Indicates whether the message was sent inbound (to your organization) or outbound (from your organization).

  • connector_id: The name of the source or destination connector. For more information about connectors in Exchange Online, see Configure mail flow using connectors in Office 365.

  • delivery_priority*: Whether the message was sent with High, Low, or Normal priority.

*These properties are only available in Enhanced summary reports.
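Because Recipient_status packs every recipient and its event list into one cell, a downloaded report is easier to triage once that cell is expanded and grouped by network_message_id. The following Python script is an added example, not part of the Microsoft documentation; it assumes the downloaded CSV carries the documented column names as its header row and that recipients within one Recipient_status value are separated by semicolons (the page shows only the single-recipient shape), and the report rows it reads are constructed.

```python
"""Expand recipient_status in a downloaded Enhanced summary report.

Added example, not part of the Microsoft documentation. Assumptions the
page does not state: the downloaded CSV uses the documented column names
as its header row, and several recipients in one Recipient_status value
are separated by ';' (the page shows only the <email address>##<status>
shape). The sample report below is constructed.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed sample: one message to two recipients, one of which failed,
# and one message to a distribution group whose expanded copies share a
# network_message_id. Column names are the documented ones.
MSG1_NMID = "a1a1a1a1" * 4            # placeholder 32-hex-digit values
MSG2_NMID = "b2b2b2b2" * 4
SAMPLE_REPORT = (
    "origin_timestamp,sender_address,Recipient_status,message_subject,"
    "total_bytes,message_id,network_message_id,original_client_ip,"
    "directionality,connector_id,delivery_priority\n"
    "2024-03-01T09:15:02.123Z,alice@contoso.com,"
    '"bob@fabrikam.com##Receive, Send;carol@fabrikam.com##Receive, Fail",'
    "Quarterly numbers,48211,<msg-1@contoso.com>," + MSG1_NMID + ","
    "203.0.113.10,Outbound,Outbound to Internet,Normal\n"
    "2024-03-01T10:02:44.001Z,dan@contoso.com,"
    '"sales@contoso.com##Receive, Expand",Team update,1024,<msg-2@contoso.com>,'
    + MSG2_NMID + ",,Inbound,,Normal\n"
    "2024-03-01T10:02:44.900Z,dan@contoso.com,"
    '"erin@contoso.com##Receive, Deliver;frank@contoso.com##Receive, Deliver",'
    "Team update,1024,<msg-2@contoso.com>," + MSG2_NMID + ",,Inbound,,Normal\n"
)


def parse_recipient_status(value: str) -> list[tuple[str, list[str]]]:
    """'a@x##Receive, Fail;b@y##Receive, Deliver' ->
    [('a@x', ['Receive', 'Fail']), ('b@y', ['Receive', 'Deliver'])]."""
    out = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        address, _, status = entry.partition("##")
        events = [e.strip() for e in status.split(",") if e.strip()]
        out.append((address.strip().lower(), events))
    return out


def load_report(text: str) -> list[dict[str, str]]:
    """csv.DictReader copes with the quoted, comma-bearing status cells."""
    return list(csv.DictReader(io.StringIO(text)))


def outcomes_by_message(rows: list[dict[str, str]]) -> dict[str, dict[str, str]]:
    """Final event per recipient, grouped by network_message_id so that
    bifurcated copies (e.g. after distribution group expansion) land together."""
    grouped: dict[str, dict[str, str]] = defaultdict(dict)
    for row in rows:
        for address, events in parse_recipient_status(row["Recipient_status"]):
            # The last listed event is the recipient's final status.
            grouped[row["network_message_id"]][address] = events[-1] if events else ""
    return dict(grouped)


def failed_recipients(rows: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """(network_message_id, sender, recipient) for every recipient whose
    final event was Fail: the starting point for a mail flow triage."""
    sender_for = {r["network_message_id"]: r["sender_address"] for r in rows}
    return sorted(
        (nmid, sender_for[nmid], address)
        for nmid, recipients in outcomes_by_message(rows).items()
        for address, final in recipients.items()
        if final == "Fail"
    )
```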

Extended reports

A generated report of the type Extended is available in the Downloadable reports section on the main Message trace page.

Note

The term "generated" means a report that is ready to be downloaded. A generated report is marked by the status Completed.

Under the Downloadable reports tab, you can also view details of Extended reports which are yet to be generated. These reports are marked with Not started or In progress status.

The following information is available in a downloadable Extended report:

  • client_ip: The IP address of the email server or messaging client that submitted the message.

  • client_hostname: The host name or FQDN of the email server or messaging client that submitted the message.

  • server_ip: The IP address of the source or destination server.

  • server_hostname: The host name or FQDN of the destination server.

  • source_context: Extra information associated with the source field. For example:

    • Protocol Filter Agent
    • 3489061114359050000
  • source: The Exchange Online component that's responsible for the event. For example:

    • AGENT
    • MAILBOXRULE
    • SMTP
  • event_id: This value corresponds to the Message event values that are explained in Message trace details.

  • internal_message_id: A message identifier that's assigned by the Exchange Online server that's currently processing the message.

  • recipient_address: The email addresses of the message's recipients. Multiple email addresses are separated by the semicolon character (;).

  • recipient_count: The total number of recipients in the message.

  • related_recipient_address: Used with EXPAND, REDIRECT, and RESOLVE events to display other recipients' email addresses that are associated with the message.

  • reference: This field contains additional information for specific types of events. For example:

    • DSN: Contains the report link, which is the message_id value of the associated delivery status notification (also known as a DSN, nondelivery report, NDR, or bounce message) if a DSN is generated subsequent to this event. If this message is a DSN message, this field contains the message_id value of the original message that the DSN was generated for.

    • EXPAND: Contains the related_recipient_address value of the related messages.

    • RECEIVE: Might contain the message_id value of the related message if the message was generated by other processes (for example, Inbox rules).

    • SEND: Contains the internal_message_id value of any DSN message.

    • TRANSFER: Contains the internal_message_id value of the message that's being forked (for example, by content conversion, message recipient limits, or agents).

    • MAILBOXRULE: Contains the internal_message_id value of the inbound message that caused the Inbox rule to generate the outbound message.

      For other types of events, the reference field is blank.

  • return_path: The return email address specified by the MAIL FROM command that sent the message. Although this field is never empty, it can have the null sender address value represented as <>.

  • message_info: Additional information about the message. For example:

    • The message origination date-time in UTC for DELIVER and SEND events. The origination date-time is the time when the message first entered the Exchange Online organization. The UTC date-time is represented in the ISO 8601 date-time format: yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.

    • Authentication errors. For example, you might see the value 11a and the type of authentication that was used when the authentication error occurred.

  • tenant_id: A GUID value that represents the Exchange Online organization (for example, 39238e87-b5ab-4ef6-a559-af54c6b07b42).

  • original_server_ip: The IP address of the original server.

  • custom_data: Contains data related to specific event types. For more information, see the following sections:

    • custom_data values
    • Spam filter agent
    • Malware filter agent
    • Transport Rule agent

custom_data values

The custom_data field for an AGENTINFO event is used by various Exchange Online agents to log message-processing details. Some of the more interesting agents are described in the following sections.

  • Spam filter agent
  • Malware filter agent
  • Transport Rule agent

Spam filter agent

A custom_data value that starts with S:SFA is from the spam filter agent. For more information, see X-Forefront-Antispam-Report message header fields.

An example of a custom_data value for a message that's filtered for spam looks like this:

S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;

Malware filter agent

A custom_data value that starts with S:AMA is from the malware filter agent. The key details are described in the following table:

Value                       Description
AMA=SUM|v=1| or AMA=EV|v=1  The message was determined to contain malware. SUM indicates the malware could have been detected by any number of engines. EV indicates the malware was detected by a specific engine. When malware is detected by an engine, this detection triggers the subsequent actions.
Action=r                    The message was replaced.
Action=p                    The message was bypassed.
Action=d                    The message was deferred.
Action=s                    The message was deleted.
Action=st                   The message was bypassed.
Action=sy                   The message was bypassed.
Action=ni                   The message was rejected.
Action=ne                   The message was rejected.
Action=b                    The message was blocked.
Name=<malware>              The name of the malware that was detected.
File=<filename>             The name of the file that contained the malware.

An example of a custom_data value for a message that contains malware looks like this:

S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201707282038|name=Test_File|file=filename

Transport Rule agent

A custom_data value that starts with S:TRA is from the Transport Rule agent for mail flow rules (also known as transport rules). The key details are described in the following table:

Value                       Description
ETR|ruleId=<guid>           The rule ID that was matched.
St=<datetime>               The date and time in UTC when the rule match occurred.
Action=<ActionDefinition>   The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online.
Mode=<Mode>                 The mode of the rule. Valid values are:
                              • Enforce: All actions on the rule will be enforced.
                              • Test with Policy Tips: Any Policy Tip actions are sent, but other enforcement actions won't be acted on.
                              • Test without Policy Tips: Actions are listed in a log file, but senders won't be notified in any way, and enforcement actions won't be acted on.

An example of a custom_data value for a message that matches the conditions of a mail flow rule looks like this:

S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce
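The S:SFA, S:AMA and S:TRA values in the Spam filter agent, Malware filter agent and Transport Rule agent sections share one key=value layout, so a single parser serves all three. The following Python script is an added example, not part of the Microsoft documentation; it uses the page's own example strings as input, takes the segment separator (;) and pair separator (|) from those strings, and takes the action-code mapping from the malware filter agent table above.

```python
"""Decode custom_data values from an Extended message trace report.

Added example, not from the Microsoft documentation. It handles the three
documented formats (S:SFA spam filter, S:AMA malware filter, S:TRA
Transport Rule agent) using the page's own example strings; ';' between
segments and '|' between key=value pairs are taken from those examples.
"""
from __future__ import annotations

# The three example values quoted on the page.
SPAM_EXAMPLE = (
    "S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|"
    "SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|"
    "CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|"
    "LAT=260|LAT=18;"
)
MALWARE_EXAMPLE = (
    "S:AMA=SUM|v=1|action=b|error=|atch=1;"
    "S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;"
    "S:AMA=EV|engine=A|v=1|sig=201707282038|name=Test_File|file=filename"
)
RULE_EXAMPLE = (
    "S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|"
    "st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce"
)

# Action codes from the malware filter agent table on the page.
MALWARE_ACTIONS = {"r": "replaced", "p": "bypassed", "d": "deferred",
                   "s": "deleted", "st": "bypassed", "sy": "bypassed",
                   "ni": "rejected", "ne": "rejected", "b": "blocked"}


def parse_custom_data(value: str) -> list[dict[str, list[str]]]:
    """One dict per 'S:<AGENT>=<TYPE>|k=v|...' segment; keys are lower-cased
    (the page mixes Action/action) and values are lists because keys repeat
    (SFS, LAT). Agent and segment type are stored under 'agent' and 'type'."""
    records = []
    for segment in value.split(";"):
        segment = segment.strip()
        if not segment.startswith("S:"):
            continue                    # skips the empty tail after a final ';'
        head, *pairs = segment[2:].split("|")
        agent, _, kind = head.partition("=")
        rec: dict[str, list[str]] = {"agent": [agent], "type": [kind]}
        for pair in pairs:
            if pair:                    # tolerate a trailing '|' ("AMA=SUM|v=1|")
                key, _, val = pair.partition("=")
                rec.setdefault(key.lower(), []).append(val)
        records.append(rec)
    return records


def first(rec: dict[str, list[str]], key: str, default: str = "") -> str:
    """First value for a key, or default when the key is absent."""
    vals = rec.get(key.lower())
    return vals[0] if vals else default


def summarize(value: str) -> dict:
    """Pull out the fields an analyst checks first for each agent."""
    out: dict = {}
    for rec in parse_custom_data(value):
        agent, kind = first(rec, "agent"), first(rec, "type")
        if agent == "SFA":
            out["spam"] = {"verdict": first(rec, "sfv"),
                           "scl": int(first(rec, "scl", "-1")),
                           "client_ip": first(rec, "cip"),
                           "country": first(rec, "ctry")}
        elif agent == "AMA":
            mal = out.setdefault("malware", {"action": "", "detections": []})
            if kind == "SUM":           # overall verdict and action taken
                code = first(rec, "action")
                mal["action"] = MALWARE_ACTIONS.get(code, code)
            else:                       # EV: one record per detecting engine
                mal["detections"].append({"engine": first(rec, "engine"),
                                          "name": first(rec, "name"),
                                          "file": first(rec, "file")})
        elif agent == "TRA":
            out["rule"] = {"rule_id": first(rec, "ruleid"),
                           "action": first(rec, "action"),
                           "mode": first(rec, "mode"),
                           "matched_at": first(rec, "st")}
    return out
```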

Article information

Author: Domingo Moore
