Microsoft O365 - Message Trace in the Security & Compliance Center
Message trace in the Security and Compliance Center follows email messages as they travel through your Microsoft Exchange Online organization. You can figure out if a message was received, rejected, deferred, or delivered by the service. It also shows the actions which were taken on the message before it reached its final status.
You can use the information from message trace to troubleshoot mail flow issues, and validate policy changes.
Open message trace:
Sign in to admin.microsoft.com with your O365 admin account.
Expand Admin centers in the lower-left navigation and select Security & Compliance.
In the Security & Compliance page, expand Mail flow, and select Message trace.
Message trace page:
On this page, you can start a new default trace by clicking the Start a trace button; the search finds all messages for all senders and recipients for the last two days. Alternatively, you can use one of the stored queries, either running it as-is or using it as the starting point for your own query:
Default queries: Built-in queries provided by Office 365.
Custom queries: Queries which are saved by admins in your organization for future use.
Autosaved queries: The ten most recently run queries. This list makes it simple to pick up where you left off.
Also, you can download the requests you've submitted, as well as the reports themselves when they are available for download.
Options for a new message trace:
Filter by senders and recipients
The default values set in message trace are All senders and All recipients, but you can use the following fields to filter the results:
By these people: By clicking in this field you can select one or more senders from your organization. You can also start by typing a name and the items in the list will be filtered by what you've typed, much like how a search page behaves.
To these people: By clicking in this field you can select one or more recipients in your organization.
The default time range is 2 days, but you can specify date & time ranges of up to 90 days. When you use custom date & time ranges, consider these points:
By default, you select the time range in Slider view using a timeline. You can only select the day or time settings that are displayed; trying to select an in-between value automatically moves the start/end bubble to the nearest displayed setting.
You can also switch to Custom view, where you can specify the Start date and End date values (including times) and select the time zone for the date/time range.
For time ranges of 10 days or less, the results are available instantly as a summary report. If you specify a time range that is even slightly greater than 10 days, the results are delayed, as they are only available as a downloadable CSV file.
More search options:
You can leave the default value All selected, or you can select one of the following options to filter the results:
Delivered: The message was successfully delivered to the expected recipient.
Pending: Message delivery is being attempted or re-attempted.
Expanded: The distribution group recipient was expanded before delivery to the individual members of the group.
Failed: The message was not delivered.
Quarantined: The sent message was quarantined (as spam, bulk mail, or phishing).
Filtered as spam: The message was identified as spam and was rejected or blocked by the recipient server (not quarantined).
Getting status: The message was recently received by the Microsoft server, but no other status data is available yet. Check back in a few minutes.
Note: The statuses Pending, Quarantined, and Filtered as spam are only available for searches of less than 10 days. Also, there will be a 5 to 10 minute delay between the actual and reported delivery status.
Message trace results:
The different report types return different information. The information that is available in each report is described in the following sections.
Summary report output
When you run the message trace, the results are listed in descending date/time order (most recent first).
The summary report contains the following information:
Date: The date and time when the message was received by the server.
Sender: The email address of the sender (alias@domain).
Recipient: The email address of the recipient. For messages sent to multiple recipients, there is one line per recipient. If the recipient is a group (a distribution group, dynamic distribution group, or mail-enabled security group), the group is listed as the first recipient, and then each member of the group is on a separate line.
Subject: The first 256 characters of the message's Subject: field.
Status: The delivery status of the message after it was sent.
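When you use message trace to validate a policy change, a useful check over the summary rows is to look for a message that was quarantined or filtered for some recipients but delivered to others. The following is an added example, not part of the original article or any Microsoft tooling: it assumes the summary rows were saved as CSV with the five field names listed above as headers, uses constructed sample data, and treats rows sharing a sender and subject as one message (a heuristic, since the summary fields carry no message ID).

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names follow the summary report fields
# listed above and are an assumption about how the rows were exported.
SAMPLE = """Date,Sender,Recipient,Subject,Status
2024-05-02 09:14:07,billing@vendor.example,finance-dl@contoso.example,Invoice 4471 overdue,Expanded
2024-05-02 09:14:09,billing@vendor.example,ana@contoso.example,Invoice 4471 overdue,Quarantined
2024-05-02 09:14:09,billing@vendor.example,raj@contoso.example,Invoice 4471 overdue,Delivered
2024-05-02 09:14:10,billing@vendor.example,li@contoso.example,Invoice 4471 overdue,Quarantined
2024-05-02 10:30:41,hr@contoso.example,ana@contoso.example,Holiday schedule,Delivered
2024-05-02 11:02:13,news@bulk.example,raj@contoso.example,Weekly deals,Filtered as spam
"""

# Statuses from the list above that mean the message never reached the mailbox.
BLOCKED = {"Quarantined", "Filtered as spam"}


def mixed_outcomes(csv_text):
    """Return messages that were blocked for some recipients but delivered to others."""
    by_message = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Sender"].strip().lower(), row["Subject"].strip())
        by_message[key][row["Status"].strip()].append(row["Recipient"].strip().lower())

    findings = []
    for (sender, subject), statuses in by_message.items():
        blocked = sorted(r for s in BLOCKED for r in statuses.get(s, []))
        delivered = sorted(statuses.get("Delivered", []))
        # "Expanded" rows are the group itself, not a mailbox, so they are ignored.
        if blocked and delivered:
            findings.append({"sender": sender, "subject": subject,
                             "delivered_to": delivered, "blocked_for": blocked})
    return findings


if __name__ == "__main__":
    for f in mixed_outcomes(SAMPLE):
        print(f"{f['sender']} / {f['subject']!r}: delivered to {f['delivered_to']}, "
              f"blocked for {f['blocked_for']}")
```

Each finding names the mailboxes that still received the message, which are the rows to open in the message trace details view.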
Message trace details
In the summary output report, you can view details about any message by using either of the following methods:
Select the row whose details you want to check (click anywhere in the row except the check box).
Select the row's checkbox and click More options > View message details.
The message trace details report contains the following additional information that is not present in the summary report:
Message events: This section contains the details that help categorize the actions that the server takes on messages. Some of the more interesting events that you might encounter are:
Receive: The message was received by the service.
Send: The message was sent by the service.
Fail: The message failed to be delivered.
Deliver: The message was delivered to a mailbox.
Expand: The message was sent to a distribution group that was recently expanded.
Transfer: The recipient was moved to a bifurcated message because of content conversion, message recipient limits, or agents.
Defer: The message delivery to the intended recipient was postponed and might be re-attempted later.
Resolved: The message was redirected to the new recipient address based on an Active Directory lookup. When this happens, the original recipient address will be listed in a separate row in the message trace along with the final delivery status for the message.