Journaling in Exchange Online
Please refer to the Microsoft 365 security center and the Microsoft Purview compliance portal for Exchange security and compliance features. They are no longer available in the new Exchange admin center.
When possible, we recommend that you use Microsoft 365 retention to archive and manage data in-place to meet your compliance requirements. However, some organizations might need to use a third-party solution to receive a copy of emails for storage or other scenarios. Configure journaling to store that data outside Exchange.
Considerations for journaling
Journaling is an older Exchange feature that moves data outside Microsoft 365, so you must take extra precautions to secure that data, and you must resolve any duplicate journal reports that the solution can produce. It's also your responsibility to monitor and follow up on any non-delivery reports (NDRs) for the journaling mailbox, which can occur because of external and dependent services.
You don't have these additional administrative overheads when you use Microsoft 365 retention and other Microsoft Purview compliance solutions that keep the data within your tenant. As a more modern compliance solution, they aren't restricted to just email but can also manage today's array of communication and productivity apps, such as Microsoft Teams.
The following are key aspects of journal rules:
- Journal rule scope: Defines which messages are journaled by the Journaling agent.
- Journal recipient: Specifies the SMTP address of the recipient you want to journal.
- Journaling mailbox: Specifies one or more mailboxes used for collecting journal reports.
In Exchange Online, there's a limit to the number of journal rules that you can create. For details, see Journal, Transport, and Inbox rule limits.
Journal rule scope
You can use a journal rule to journal only internal messages, only external messages, or both. The following list describes these scopes:
- Internal messages only: Journal rules with the scope set to journal internal messages sent between the recipients inside your Exchange organization.
- External messages only¹: Journal rules with the scope set to journal external messages sent to recipients or received from senders outside your Exchange organization.
- All messages: Journal rules with the scope set to journal all messages that pass through your organization regardless of origin or destination. These include messages that may have already been processed by journal rules in the Internal and External scopes.
¹ If the sender and recipients are both in accepted domains of the same organization, the messages are not treated as external, even if the x-ms-exchange-crosstenant-authas header in the messages has the value anonymous. Accordingly, these messages are not journaled as external.
Journal recipient
You can implement targeted journaling rules by specifying the SMTP address of the recipient you want to journal. The recipient can be a mailbox, distribution group, mail user, or contact. These recipients may be subject to regulatory requirements, or they may be involved in legal proceedings where email messages or other communications are collected as evidence. By targeting specific recipients or groups of recipients, you can configure a journaling environment that matches your organization's processes and meets regulatory and legal requirements. Targeting only the recipients that need to be journaled also minimizes storage and other costs associated with retaining large amounts of data.
All messages sent to or from the journaling recipients you specify in a journaling rule are journaled. If you specify a distribution group as the journaling recipient, all messages sent to or from members of the distribution group are journaled. If you don't specify a journaling recipient, all messages sent to or from recipients that match the journal rule scope are journaled.
The SMTP address specified for the journaling recipient cannot contain a wildcard character. For example, the SMTP address cannot be listed as
Journaling mailbox
The journaling mailbox is used to collect journal reports. How you configure the journaling mailbox depends on your organization's policies, regulatory requirements, and legal requirements. You can specify one journaling mailbox to collect messages for all the journal rules configured in the organization, or you can use different journaling mailboxes for different journal rules or sets of journal rules.
You can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an on-premises archiving system or a third-party archiving service. If you're running an Exchange hybrid deployment with your mailboxes split between on-premises servers and Exchange Online, you can designate an on-premises mailbox as the journaling mailbox for your Exchange Online and on-premises mailboxes.
Journaling mailboxes contain sensitive information. You must secure journaling mailboxes because they collect messages that are sent to and from recipients in your organization. These messages may be part of legal proceedings or may be subject to regulatory requirements. Various laws require that messages remain tamper-free before they're submitted to an investigatory authority. We recommend that you create policies that govern who can access the journaling mailboxes in your organization, limiting access to only those individuals who have a direct need to access them. Speak with your legal representatives to make sure that your journaling solution complies with all the laws and regulations that apply to your organization.
If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid destination, the journal report remains in the transport queue on Microsoft datacenter servers. If this happens, Microsoft datacenter personnel will attempt to contact your organization and ask you to fix the problem so that the journal reports can be successfully delivered to a journaling mailbox. If you haven't resolved the issue after two days of being contacted, Microsoft will disable the problematic journaling rule.
Alternate journaling mailbox
When the journaling mailbox is unavailable, you may not want the undeliverable journal reports to collect in mail queues on Mailbox servers. Instead, you can configure an alternate journaling mailbox to store those journal reports. The alternate journaling mailbox receives the journal reports as attachments in the non-delivery reports (also known as NDRs or bounce messages) generated when the journaling mailbox or the server on which it's located refuses delivery of the journal report or becomes unavailable. As with the journaling mailbox, you can't designate an Exchange Online mailbox as an alternate journaling mailbox.
When the journaling mailbox becomes available again, you can use the Send Again feature in Outlook to submit journal reports for delivery to the journaling mailbox.
When you configure an alternate journaling mailbox, all the journal reports that are rejected or can't be delivered across your entire Exchange organization are delivered to the alternate journaling mailbox. Therefore, it's important to make sure that the alternate journaling mailbox and the Mailbox server where it's located can support many journal reports.
If you configure an alternate journaling mailbox, you must monitor the mailbox to make sure that it doesn't become unavailable at the same time as the journal mailboxes. If the alternate journaling mailbox also becomes unavailable or rejects journal reports at the same time, the rejected journal reports are lost and can't be retrieved. Due to existing limits on receiving email for Exchange Online mailboxes, configuring the alternate journaling mailbox to be an Exchange Online mailbox is not supported.
Because the alternate journaling mailbox collects all the rejected journal reports for the entire Exchange Online organization, you must make sure that this doesn't violate any laws or regulations that apply to your organization. If laws or regulations prohibit your organization from allowing journal reports sent to different journaling mailboxes from being stored in the same alternate journaling mailbox, you may be unable to configure an alternate journaling mailbox. Discuss this with your legal representatives to determine whether you can use an alternate journaling mailbox.
When you configure an alternate journaling mailbox, you should use the same criteria that you used when you configured the journaling mailbox.
The alternate journaling mailbox should be treated as a special dedicated mailbox. Any messages addressed directly to the alternate journaling mailbox aren't journaled.
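The following PowerShell is an added example, not code from the Microsoft article, that puts the journal rule aspects above (scope, recipient, journaling mailbox) and the alternate journaling mailbox together in one configuration run. It assumes the ExchangeOnlineManagement module, an admin account, and the addresses shown (contoso.com, archive.fabrikam.com) as placeholders; the external archive addresses are constructed for illustration. Before creating anything it checks that neither the journaling address nor the alternate address resolves to an Exchange Online mailbox, which the article says is unsupported, and it finishes with the NDR follow-up the article leaves to you.

```powershell
# Added example (not from the original article). Configure a targeted journal rule and
# the tenant-wide alternate journaling mailbox, with the checks the article's constraints imply.
# All addresses are assumptions; replace them with your own.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$journalAddress   = 'journal@archive.fabrikam.com'      # third-party archive; must NOT be an EXO mailbox
$alternateAddress = 'journal-ndr@archive.fabrikam.com'  # receives rejected journal reports as NDR attachments
$targetRecipient  = 'legal-hold@contoso.com'            # mailbox, group, mail user or contact; no wildcards

# Journaling and alternate journaling mailboxes can't be Exchange Online mailboxes.
# Get-Mailbox returns nothing for an address that isn't a mailbox in this tenant.
function Assert-NotExchangeOnlineMailbox {
    param([string]$Address)
    $mbx = Get-Mailbox -Identity $Address -ErrorAction SilentlyContinue
    if ($mbx) { throw "$Address is an Exchange Online mailbox; journal reports can't be delivered there." }
    # If the domain is an accepted domain the address routes inside the tenant, so double-check it.
    $domain = $Address.Split('@')[1]
    if (Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $domain }) {
        Write-Warning "$domain is an accepted domain; confirm $Address really routes to an external archive."
    }
}
Assert-NotExchangeOnlineMailbox $journalAddress
Assert-NotExchangeOnlineMailbox $alternateAddress

# Scope is Internal, External or Global (all messages). Recipient limits the rule to one
# target; omit -Recipient to journal every message that matches the scope.
New-JournalRule -Name 'Legal hold - all mail' `
    -Recipient $targetRecipient `
    -Scope Global `
    -JournalEmailAddress $journalAddress `
    -Enabled $true

# The alternate journaling mailbox is one setting for the whole organization.
Set-TransportConfig -JournalingReportNdrTo $alternateAddress

# Verify. Rules that share a JournalEmailAddress produce one report per message for that mailbox.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled
Get-JournalRule | Group-Object JournalEmailAddress | Select-Object Name, Count
Get-TransportConfig | Format-List JournalingReportNdrTo

# Follow up on journal reports that failed delivery to the archive in the last 48 hours.
Get-MessageTrace -RecipientAddress $journalAddress `
    -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -Status Failed |
    Format-Table Received, SenderAddress, Subject, Status
```

Run the NDR follow-up on a schedule rather than once: a failed delivery of journal reports that goes unnoticed for two days is exactly the situation in which Microsoft disables the rule.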
Journal reports
A journal report is the message that the Journaling agent generates when a message matches a journal rule and is to be submitted to the journaling mailbox. The original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains information from the original message such as the sender email address, message subject, message-ID, and recipient email addresses. This is also referred to as envelope journaling, and is the only journaling method supported by Microsoft 365 and Office 365.
Journal reports and IRM-protected messages
When implementing journaling, you must consider how journal reports handle IRM-protected messages. IRM-protected messages limit the search and discovery capabilities of third-party archiving systems that don't have RMS support built in. In Microsoft 365 and Office 365, you can configure journal report decryption so that a clear-text copy of the message is saved in the journal report. Messages and attachments are decrypted only if the encryption originated in your organization; journaling doesn't decrypt items that were encrypted by external organizations.
To enable journal report decryption for the organization, complete these steps:
- On your local computer, using a work or school account that has global administrator or compliance admin permissions in your organization, connect to Exchange Online PowerShell.
- Run the Set-IRMConfiguration cmdlet to enable journal report decryption:
```powershell
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
```
- Set the JournalReportDecryptionEnabled parameter to $true to enable decryption, or to $false to disable it.
Journal report decryption doesn't currently support the explicit use of OME branding templates. If you use a mail flow rule (also known as a transport rule) to apply an OME branding template, the journal report won't contain a decrypted copy of the message. Currently, journal report decryption only works with the default OME branding template that Exchange Online applies implicitly, without a mail flow rule.
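As an added example that is not part of the original article, the following PowerShell enables journal report decryption, confirms the setting took effect, and then lists the enabled mail flow rules that apply an OME branding template explicitly, because messages matching those rules are journaled without a decrypted copy. It assumes an existing Connect-ExchangeOnline session and relies on the ApplyRightsProtectionCustomizationTemplate rule property, which is the property New-TransportRule and Set-TransportRule set when a branding template is applied by rule.

```powershell
# Added example (not from the original article). Enable journal report decryption and
# surface the mail flow rules whose messages will still arrive encrypted in journal reports.
$before = Get-IRMConfiguration
"JournalReportDecryptionEnabled before: $($before.JournalReportDecryptionEnabled)"

Set-IRMConfiguration -JournalReportDecryptionEnabled $true

$after = Get-IRMConfiguration
if (-not $after.JournalReportDecryptionEnabled) {
    throw 'Journal report decryption is still disabled; check the account has the required role.'
}

# Rules that apply an OME branding template explicitly bypass journal report decryption:
# only the default template applied implicitly by Exchange Online yields a clear-text copy.
$brandedRules = Get-TransportRule |
    Where-Object { $_.State -eq 'Enabled' -and $_.ApplyRightsProtectionCustomizationTemplate } |
    Select-Object Name, Priority, ApplyRightsProtectionCustomizationTemplate

if ($brandedRules) {
    Write-Warning 'Messages matched by these rules are journaled encrypted (no decrypted copy):'
    $brandedRules | Format-Table -AutoSize
} else {
    'No enabled mail flow rule applies an OME branding template; journal reports will carry decrypted copies for organization-originated encryption.'
}
```

If the list is not empty, decide per rule whether the branding is worth losing clear-text search over those messages in the archive; the rule's scope tells you which senders or recipients are affected.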
When a message matches the scope of multiple journal rules, all matching rules will be triggered.
- If the matching rules are configured with different journal mailboxes, a journal report will be sent to each journal mailbox.
- If the matching rules are all configured with the same journal mailbox, only one journal report is sent to the journal mailbox.
Journaling always identifies a message as internal if the email address in the SMTP MAIL FROM command is in a domain that's configured as an accepted domain in Exchange Online. This includes spoofed messages from external sources (messages where the X-MS-Exchange-Organization-AuthAs header value is Anonymous). Therefore, journal rules scoped to external messages won't be triggered by spoofed messages whose SMTP MAIL FROM address is in an accepted domain; if you need those messages journaled, only a rule with the All messages scope captures them.
Duplicate journal report scenarios in a hybrid Exchange environment
In a hybrid Exchange environment, the following scenarios are known to result in duplicate journal reports and these are considered by design:
Cloud to cloud: Any situations where email is forked will lead to duplicate journaling, such as:
- Transport chipping (a message with too many recipients is split into multiple copies).
- Internal and external recipients exist on the same message: two forks are created for anti-spam and anti-phishing processing (one for the internal recipients and one for the external recipients).
- Any future needs where the cloud needs to fork the message.
On-premises to cloud: Once when on-premises journals and once when the cloud journals. This can be prevented by implementing the PreventDupJournaling flight in a tenant.
Cloud to on-premises: After the cloud has journaled, on-premises journals. We can't prevent this scenario.
If you're having trouble with the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in Exchange Online don't work as expected.