Office 365 Message Trace

Message Trace Office 365
May 2013
• What is message trace?
• How does it help us?
• Difference between Message Trace and Delivery Reports.
• Different methods of message tracing.
• Mail flow and message tracing.
What is Message Trace?
• The message trace feature enables administrators to follow email messages as they pass through Exchange Online or the Exchange Online Protection service.
• It helps to determine whether a targeted email message was:
✓ Received
✓ Rejected
✓ Deferred
✓ Delivered
✓ Failed
• It shows what actions have occurred to the message before reaching its final status.
How does it help us?
• It helps us obtain detailed information about a specific message that lets us efficiently:
✓ Answer user’s questions
✓ Troubleshoot mail flow issues
✓ Validate policy changes
✓ Alleviate the need to contact technical support for assistance
Difference between message trace and delivery reports
Message Trace
Message trace enables administrators to search for specific messages using basic information such as sender, recipient, date and message ID to obtain the status of the message.
The email status will help us determine whether the message was received by the EOP filtering service and whether it was scanned, blocked, deleted or delivered successfully within the last 7 days.
Delivery Reports
Delivery reports allow end users to track delivery of e-mail messages.
Delivery reports help us discover answers to questions such as: why was a message not delivered, where is the message now, who received the message, why the message was delivered to a particular folder, etc.
These reports are only retained for 14 days.
Message Trace - Admin UI:
Delivery Reports - Admin UI:
Message Trace: Overview
Message trace results are available to administrators for the last 7 days and outline the status of a message:
• Delivered: The message was successfully delivered to the intended destination.
• Failed: The message was not delivered. Either delivery was attempted and failed, or the message was not delivered as a result of actions taken by the filtering service, for example if the message was determined to contain malware.
• Pending: Delivery of the message is being attempted or re-attempted.
• Expanded: The message was sent to a distribution list and was expanded to the recipients of the distribution list.
• Unknown: The message delivery status is unknown at this time. When the results of the query are listed, the delivery details fields will not contain any information.
Message Tracing in Office 365 is very similar to the message tracing capabilities of Wave 14 with a number of improvements. The biggest improvement is the ability to use the following wildcard conditions for either the sender or recipient or both:
➢ [email protected]
➢ alias@*
➢ *@* or blank
Message Trace: Considerations/Limitations
At this time we know of the following issues for message trace:
1) When searching by Message ID, include the Message ID string with its opening and closing angle brackets (<>).
2) Results are shown only for messages that have been scanned/processed by EOP.
3) Message trace cannot be performed on a message that was Edge-blocked. Messages blocked by reputation block lists will be included in the spam data for real time reports.
4) Messages redirected to another email address are not traceable in a single search; the new recipients need to be provided.
5) The message trace tool uses the MAIL FROM value presented at the initiation of the SMTP conversation as the Sender in a search, regardless of what the DATA section of the message shows.
6) When a message matches a transport rule, the rule ID is stored in the message trace and real time reporting databases. If you trace one of these messages, or drill down on rule details in a report, the message trace and real time reporting user interfaces dynamically pull the current rule information from the hosted services network based on the rule ID in the reporting database. If the rule is changed at a later time, the rule ID remains the same. You can then use the auditing report feature to determine when the rule was changed and which properties were changed.
Message Trace: UI
Additional Details:
Message Trace through Office 365 Remote PowerShell
In addition to tracking messages via the Exchange Admin Center UI, administrators can also track messages through Office 365 Remote PowerShell.
>>Get-MessageTrace
>>Get-MessageTraceDetail
• These cmdlets are available only in the cloud-based service.
• We use the Get-MessageTrace cmdlet to trace messages as they pass through the cloud-based organization.
Message Trace commands:
>>Get-MessageTrace -SenderAddress [email protected] -StartDate 06/13/2012 -EndDate 06/15/2012
>>Get-MessageTrace
Received            Sender Address    Recipient Address  Subject   Status
--------            --------------    -----------------  -------   ------
4/30/2013 5:20:2... [email protected]   [email protected]..   Inbound   Delivered
4/30/2013 5:19:0... [email protected]..   [email protected]   Outbound  Delivered
Inbound Message:
>>Get-MessageTrace -SenderAddress john@contoso.com -RecipientAddress [email protected] | fl
Outbound Message:
>>Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected] | fl
Inbound Mailflow:
Mail flow Scenario: Internet to Exchange Online
>>Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected] | fl
Message Trace ID  : 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Message ID        : <[email protected].com>
Received          : 4/30/2013 5:20:21 PM
Sender Address    : [email protected]
Recipient Address : [email protected]
From IP           : 209.85.217.169
To IP             :
Subject           : Inbound
Status            : Delivered
Size              : 3548
>>Get-MessageTrace -MessageTraceId 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Received            Sender Address    Recipient Address  Subject  Status
--------            --------------    -----------------  -------  ------
4/30/2013 5:20:2... [email protected]   [email protected]..   Inbound  Delivered
>>Get-MessageTraceDetail -MessageTraceId 67fad3d2-b9e8-48a6-9fce-08d013de20a9 -RecipientAddress [email protected]
Message ID
----------
<[email protected]com>
<[email protected]com>
>>Get-MessageTraceDetail -MessageTraceId 67fad3d2-b9e8-48a6-9fce-08d013de20a9 -RecipientAddress [email protected] | fl
Message Trace ID : 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Message ID       : <[email protected]com>
Date             : 4/30/2013 5:20:21 PM
Event            : RECEIVE
Action           :
Detail           : Message received by: BN1PR03MB071
Data             : <root><MEP Name="ConnectorId" String="BN1PR03MB071\Default BN1PR03MB071"/><MEP Name="ClientIP" String="10.255.109.25"/><MEP Name="ServerHostName" String="BN1PR03MB071"/></root>

Message Trace ID : 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Message ID       : <[email protected]com>
Date             : 4/30/2013 5:20:22 PM
Event            : DELIVER
Action           :
Detail           : The message was successfully delivered.
Data             : <root><MEP Name="SourceContext" String="08D004CCF63B2FF9;2013-04-30T17:20:22.626Z;ClientSubmitTime:"/><MEP Name="MailboxServer" String="BLUPR03MB067"/><MEP Name="MailboxDatabaseName" String="NAMPR03DG005-db011"/><MEP Name="DeliveryPriority" String="Normal"/></root>
Outbound Mailflow:
Mail flow Scenario: Exchange Online to Internet
>>Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected]
Received            Sender Address    Recipient Address  Subject   Status
--------            --------------    -----------------  -------   ------
4/30/2013 5:19:0... [email protected]..   [email protected]..   Outbound  Delivered
>>Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected] | fl
Message Trace ID  : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID        : <[email protected]ok.com>
Received          : 4/30/2013 5:19:04 PM
Sender Address    : [email protected]
Recipient Address : [email protected]
From IP           : 207.46.55.30
To IP             : 2607:f8b0:4003:c02::1b
Subject           : Outbound
Status            : Delivered
Size              : 6510
>>Get-MessageTraceDetail -MessageTraceId f8bce35b-bf45-4f20-6d1b-08d013ddf301 -RecipientAddress [email protected]
Message ID
----------
<[email protected]ok.com>
<[email protected]ok.com>
<[email protected]ok.com>
<[email protected]ok.com>
>>Get-MessageTraceDetail -MessageTraceId f8bce35b-bf45-4f20-6d1b-08d013ddf301 -RecipientAddress [email protected] | fl
Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID       : <[email protected]ok.com>
Date             : 4/30/2013 5:19:04 PM
Event            : RECEIVE
Action           :
Detail           : Message received by: BLUPR03MB067
Data             : <root><MEP Name="ClientIP" String="169.254.1.87"/><MEP Name="ServerHostName" String="BLUPR03MB067"/></root>

Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID       : <[email protected]ook.com>
Date             : 4/30/2013 5:19:27 PM
Event            : SUBMIT
Action           :
Detail           : The message is awaiting submission to the mailbox store.
Data             :

Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID       : <[email protected]ok.com>
Date             : 4/30/2013 5:19:27 PM
Event            : RECEIVE
Action           :
Detail           : Message received by: BLUPR03MB068
Data             : <root><MEP Name="ConnectorId" String="BLUPR03MB068\Default BLUPR03MB068"/><MEP Name="ClientIP" String="10.255.209.155"/><MEP Name="ServerHostName" String="BLUPR03MB068"/></root>

Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID       : <[email protected]look.com>
Date             : 4/30/2013 5:19:28 PM
Event            : SEND
Action           :
Detail           : Message transferred from: To_DefaultOpportunisticTLS
Data             : <root><MEP Name="ConnectorId" String="To_DefaultOpportunisticTLS"/><MEP Name="ServerIP" String="2607:f8b0:4003:c02::1b"/></root>
Resources
Message Trace:
http://technet.microsoft.com/en-us/library/jj200668(v=exchg.150).aspx
Run a Message Trace and View Results:
http://technet.microsoft.com/en-us/library/jj200712(v=exchg.150).aspx
Message Trace FAQ:
http://technet.microsoft.com/en-us/library/jj200741(v=exchg.150).aspx