Skip to main content

Run a message trace to check an email delivery status

Julio Soza
Updated

Message trace in the modern Exchange admin center (modern EAC) follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.

 

When to use it:

  1. Message sent by external user to your organization but never received.
  2. Message never made it to your inbox and external user claimed he did not get any errors after sending it.
  3. User send an email externally but recipient never received it.

What do you need to know before you begin?

To run a message trace, you need to be a member of one of the following role groups:

  • Global Administrator
  • Exchange Administrator

The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected.

How to Run a Message Trace:

  1. Open Exchange Admin Center https://admin.exchange.microsoft.com/ > expand Mail flow > then select Message trace.
  2. Click in Start a trace
  3. Enter the required information based on what you would like to trace. 

    • Senders and Recipientsmceclip0.png 

      • If you would like to trace emails sent only by an external user to your organization or by one of your users to external recipients enter the user's email in the Sender's box and leave the Recipient's box empty.
      • If you would like to trace emails sent by two users, either only internally or an external user included, enter the sender and recipients emails. Please keep in mind you could add multiple emails if required. 
      • If you would like to trace only emails received by one of your users, enter the user's email in the recipient section.  

    • Time Range

      The default value is 2 days, but you can specify date/time ranges of up to 90 days. When you use date/time ranges, consider these issues:

      By default, you select the time range in Slider view using a time line.

      A Slider time range in a new message trace in the modern EAC.

      But, you can also switch to Custom time range view where you can specify the Start date and End datevalues (including times), and you can also select the Time zone for the date/time range. The Time zone setting applies to both your query inputs and your query results.

      A Custom time range in a new message trace in the modern EAC.

      For 10 days or less, the results are available instantly as a Summary report. If you specify a time range that's even slightly greater than 10 days, the results will be delayed as they're only available as a downloadable CSV file (Enhanced summary or Extended reports).

       
    • Report Type

      • Summary: Available if the time range is less than 10 days, and requires no other filtering options. The results are available almost immediately after you click Search. The report returns up to 20000 results.

      • Enhanced summary or Extended: These reports are only available as downloadable CSV files, and require one or more of the following filtering options regardless of the time range: Senders, Recipients, or Message ID. You can use wildcards for the senders or the recipients (for example, *@contoso.com). The Enhanced summary report returns up to 50,000 results. The Extended report returns up to 1000 results. These reports can take several hours to be ready, you need to go back to the Exchange Admin Center when you receive the email notification that the report is ready.

  4. Click Search

Note: You can run the trace by only entering the details explained above, but if you would like to make it more specific, you can add other details such as Delivery Status, Message ID, Direction and/or Original Client IP address. 

Summary report output

After the message trace is executed, the results will be listed, sorted by descending date/time (most recent first).

The summary report contains the following information:

  • Date: The date and time at which the message was received by the service, using the configured UTC time zone.

  • Sender: The email address of the sender (alias@domain).

  • Recipient: The email address of the recipient or recipients. For a message sent to multiple recipients, there's one line per recipient. If the recipient is a distribution group, dynamic distribution group, or mail-enabled security group, the group will be the first recipient, and then each member of the group is on a separate line.

  • Subject: The first 256 characters of the message's Subject: field.

Message trace details

In the summary report output, you can view details about a message by selecting the row (click anywhere in the row except the check box).

Details after clicking a row in the summary report message trace results in the modern EAC.

The message trace details contain the following additional information that's not present in the summary report:

  • Message events: After you expand this section, the section contains classifications that help categorize the actions that the service takes on messages. Some of the more interesting events that you might encounter are:

    • Receive: The message was received by the service.
    • Send: The message was sent by the service.
    • Fail: The message failed to be delivered.
    • Deliver: The message was delivered to a mailbox.
    • Expand: The message was sent to a distribution group that was expanded.
    • Transfer: Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.
    • Defer: The message delivery was postponed and might be reattempted later.
    • Resolved: The message was redirected to a new recipient address based on an Active Directory look up. When this event happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.
    • DLP rule: The message had a DLP rule match in this message.
    • Sensitivity label: A server-side labeling event occurred. For example, a label was automatically added to a message that includes an action to encrypt or was added via the web or mobile client. This action is completed by the Exchange server and logged. A label added via Outlook won't be included in the event field.

     

Important:

If you ran a message trace selecting Enhanced, Extended report or the Time Range was more than 10 days, you can refer to the the next article about Enhanced Summary and Extended report results details.

 

Source:

https://learn.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/message-trace-modern-eac 

      •  

Related to

Related articles

Comments

0 comments

Please sign in to leave a comment.