Exchange Message Trace Extended and Enhanced Summary report result details:

 

Enhanced summary reports

Available (completed) Enhanced summary reports are available in the Downloadable reports section at the beginning message trace. The following information is available in the report:

• origin_timestamp^*: The date and time when the message was initially received by the service, using the configured UTC time zone.
• sender_address: The sender's email address (alias@domain).
• Recipient_status: The status of the delivery of the message to the recipient. If the message was sent to multiple recipients, it will show all the recipients and the corresponding status for each, in the format: <email address>##<status>. For example:
  • ##Receive, Send means the message was received by the service and was sent to the intended destination.
  • ##Receive, Fail means the message was received by the service but delivery to the intended destination failed.
  • ##Receive, Deliver means the message was received by the service and was delivered to the recipient's mailbox.
• message_subject: The first 256 characters of the message's Subjectfield.
• total_bytes: The size of the message in bytes, including attachments.
• message_id: This value is described in the Message ID section earlier in this topic. For example,<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>.
• network_message_id: A unique message ID value that persists across all copies of the message that might be created due to bifurcation or distribution group expansion. An example value is1341ac7b13fb42ab4d4408cf7f55890f.
• original_client_ip: The IP address of the sender's SMTP server.
• directionality: Indicates whether the message was sent inbound (1) to your organization, or whether it was sent outbound (2) from your organization.
• connector_id: The name of the source or destination connector. For more information about connectors in Exchange Online, see Configure mail flow using connectors in Office 365.
• delivery_priority^*: Whether the message was sent with High,Low, or Normal priority.

^*These properties are only available in Enhanced summary reports.

Extended reports

Available (completed) Extended reports are available in the Downloadable reports section at the beginning of message trace. Virtually all of the information from an Enhanced summary report is available in an Extended report (except for origin_timestamp and delivery_priority). The following additional information is only available in an Extended report:

• client_ip: The IP address of the email server or messaging client that submitted the message.
• client_hostname: The host name or FQDN of the email server or messaging client that submitted the message.
• server_ip: The IP address of the source or destination server.
• server_hostname: The host name or FQDN of the destination server.
• source_context: Extra information associated with the source field. For example:
  • Protocol Filter Agent
  • 3489061114359050000
• source: The Exchange Online component that's responsible for the event. For example:
  • AGENT
  • MAILBOXRULE
  • SMTP
• event_id: This value corresponds to the Message event values.
• internal_message_id: A message identifier that's assigned by the Exchange Online server that's currently processing the message.
• recipient_address: The email addresses of the message's recipients. Multiple email addresses are separated by the semicolon character (;).
• recipient_count: The total number of recipients in the message.
• related_recipient_address: Used withEXPAND,REDIRECT, andRESOLVEevents to display other recipient email addresses that are associated with the message.
• reference: This field contains additional information for specific types of events. For example:
  • DSN: Contains the report link, which is the message_id value of the associated delivery status notification (also known as a DSN, non-delivery report, NDR, or bounce message) if a DSN is generated subsequent to this event. If this message is a DSN message, this field contains the message_id value of the original message that the DSN was generated for.
  • EXPAND: Contains the related_recipient_address value of the related messages.
  • RECEIVE: Might contain the message_id value of the related message if the message was generated by other processes (for example, Inbox rules).
  • SEND: Contains the internal_message_id value of any DSN messages.
  • TRANSFER: Contains the internal_message_id value of the message that's being forked (for example, by content conversion, message recipient limits, or agents).
  • MAILBOXRULE: Contains the internal_message_id value of the inbound message that caused the Inbox rule to generate the outbound message.For other types of events, this field is blank.
• return_path: The return email address specified by the MAIL FROM command that sent the message. Although this field is never empty, it can have the null sender address value represented as<>.
• message_info: Additional information about the message. For example:
  • The message origination date-time in UTC forDELIVERandSENDevents. The origination date-time is the time when the message first entered the Exchange Online organization. The UTC date-time is represented in the ISO 8601 date-time format:yyyy-mm-ddThh:mm:ss.fffZ, whereyyyy= year,mm= month,dd= day,Tindicates the beginning of the time component,hh= hour,mm= minute,ss= second,fff= fractions of a second, andZsignifiesZulu, which is another way to denote UTC.
  • Authentication errors. For example, you might see the value11aand the type of authentication that was used when the authentication error occurred.
• tenant_id: A GUID value that represents the Exchange Online organization (for example,39238e87-b5ab-4ef6-a559-af54c6b07b42).
• original_server_ip: The IP address of the original server.
• custom_data: Contains data related to specific event types. For more information, see the following sections.

custom_data values

Thecustom_data field for anAGENTINFOevent is used by various Exchange Online agents to log message processing details. Some of the more interesting agents are described in the following sections.

Spam filter agent

A custom_data value that starts withS:SFAis from the spam filter agent. For more information, see X-Forefront-Antispam-Report message header fields.An example custom_data value for a message that's filtered for spam like this:S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;

Malware filter agent

A custom_data value that starts withS:AMAis from the malware filter agent. The key details are described in the following table: An example custom_data value for a message that contains malware looks like this:S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201707282038|name=Test_File|file=filename

Transport Rule agent

A custom_data value that starts withS:TRAis from the Transport Rule agent for mail flow rules (also known as transport rules). The key details are described in the following table: An example custom_data value for a message that matches the conditions of a mail flow rule looks like this:S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce