Run a message trace


Sometimes an email message gets lost in transit, or it can take a lot longer than expected for delivery. In either case, your users are left wondering what happened. As a messaging administrator, you can use the message trace feature to follow messages as they pass through your Exchange Online or Exchange Online Protection service. With message tracing, you can determine whether a targeted email message was received, rejected, deferred, or delivered by the service. It also shows what events have occurred to the message before reaching its final status. Getting detailed information about a specific message lets you efficiently answer your user's questions, troubleshoot mail flow issues, validate policy changes, and eliminate the need to contact technical support for assistance.

Tip

Message traces can be started in the Exchange admin center (EAC) and in the Exchange Management Shell. The Microsoft Defender portal also includes a link to the Exchange message trace feature in the EAC. By selecting Exchange message trace in the Microsoft Defender portal, the EAC will be displayed. You can then run the message trace from the EAC.

Trace data is available for the past 90 days. If a message is older than ten days, you can only view the results in a downloadable .CSV file that's generated from the message trace.

Note

Message traces are used with Exchange Online, while investigations using the message tracking log are for on-premises Exchange Servers.

Relevant information fields of message traces

The following information is available when viewing message trace results for messages that are less than ten days old.

Details and description of each field:

Message size

The size of the message, including attachments, in kilobytes (KB). If the message size is greater than 999 kilobytes, then it's displayed in megabytes (MB).

Message ID

This field is the Internet message ID (also known as the Client ID) found in the header of the message with the “Message-ID:” token. The form of this field varies depending on the sending mail system.

To IP

The IP address or addresses to which the service attempted to deliver the message. If there are multiple recipients, these addresses are displayed. For inbound messages sent to Exchange Online, this value is blank.

From IP

The IP address of the computer that sent the message. For outbound messages sent from Exchange Online, this value is blank.

Date

The date and time that the event occurred.

Event

This field provides a summarized description of what happened to the message: for example, whether the message was received by the service, whether it was delivered or failed to be delivered to the intended recipient, and so on. The following are examples of events that may be listed:

  • RECEIVE. The message was received by the service.
  • SEND. The message was sent by the service.
  • FAIL. The message failed to be delivered.
  • DELIVER. The message was delivered to a mailbox.
  • EXPAND. The message was sent to a distribution group that was expanded.
  • TRANSFER. Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.
  • DEFER. The message delivery was postponed and may be reattempted later.
  • RESOLVED. The message was redirected to a new recipient address based on an Active Directory lookup. When this action occurs, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.

Action

This field shows the action that was completed if the message was filtered because of a malware or spam detection or a rule match. For example, it will let you know if the message was deleted or if it was sent to the quarantine.

Detail

This field provides detailed information that elaborates on what happened. For example, it may inform you which specific mail flow rule (also known as a transport rule) was matched, and what happened to the message because of that match. It can also inform you which specific malware was detected in which specific attachment, or why a message was detected as spam. If the message was successfully delivered, it can tell you the IP address to which it was delivered.

Message trace results for messages that are older than ten days are provided in .CSV files. If you didn't include routing details when running the message trace, the following information is included in the .CSV file, which you can open in an application such as Microsoft Excel.

Details and description of each .CSV column:

origin_timestamp

The date and time at which the message was received by the service, using the configured UTC time zone.

sender_address

The email address of the sender in the form alias@domain.

Recipient_status

The status of the delivery of the message to the recipient. If the message was sent to multiple recipients, it will show all the recipients and the corresponding status against each, in the format: <email address>##<status>. Message delivery statuses include:

  • ##Receive, Send. Indicates the message was received by the service and sent to the intended destination.
  • ##Receive, Fail. Indicates the message was received by the service but failed to be delivered to the intended destination.
  • ##Receive, Deliver. Indicates the message was received by the service and delivered to the recipient's mailbox.

message_subject

The subject line text of the message. If necessary, this value is truncated to the first 256 characters.

total_bytes

The size of the message, including attachments, in bytes.

message_id

This field is the Internet message ID (also known as the Client ID) found in the header of the message with the “Message-ID:” token. The form of this field varies depending on the sending mail system. The following value is an example of a message ID: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.

network_message_id

This field is a unique message ID value that persists across copies of the message that may be created because of bifurcation or distribution group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f.

original_client_ip

The IP address of the sender's client.

Directionality

This field denotes whether the message was sent inbound (1) to your organization, or whether it was sent outbound (2) from your organization.

connector_id

The name of the source or destination Send connector or Receive connector. For example, ServerName \ ConnectorName or ConnectorName.

delivery_priority

Denotes whether the message was sent with High, Low, or Normal priority.

If you included routing details when running the message trace, all information from the message tracking logs is included in the .CSV file, which you can open in an application such as Microsoft Excel.
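The .CSV columns listed above can be post-processed outside Excel when a trace covers many recipients. The following is an added example, not code from the page or from Microsoft: it reads the non-routing-details .CSV layout, splits each recipient_status entry on the documented "##" delimiter, decodes directionality (1 inbound, 2 outbound) and renders total_bytes as KB or MB using the 999 KB threshold the page gives. It assumes multiple recipients are separated by ";" (an assumption, not stated on the page); the sample rows are constructed.

```python
import csv
import io

# Constructed sample rows in the layout of the extended trace .CSV
# (no routing details). These are not real trace data.
SAMPLE_CSV = """origin_timestamp,sender_address,recipient_status,message_subject,total_bytes,message_id,network_message_id,original_client_ip,directionality,connector_id,delivery_priority
2024-05-01T08:15:02Z,alice@contoso.example,"bob@fabrikam.example##Receive, Deliver;carol@fabrikam.example##Receive, Fail",Quarterly report,1536000,<example-1@mail.contoso.example>,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,203.0.113.10,1,Default Frontend,Normal
2024-05-01T09:02:40Z,dave@fabrikam.example,"erin@contoso.example##Receive, Send",Invoice,20480,<example-2@mail.fabrikam.example>,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,,2,Outbound to Internet,High
"""

DIRECTION = {"1": "inbound", "2": "outbound"}


def parse_recipient_status(value, recipient_sep=";"):
    """Split '<email address>##<status>' entries into (address, status) pairs.
    '##' is the documented delimiter; the ';' between recipients is an
    assumption of this example."""
    pairs = []
    for entry in value.split(recipient_sep):
        entry = entry.strip()
        if not entry:
            continue
        address, _, status = entry.partition("##")
        pairs.append((address.strip(), status.strip()))
    return pairs


def format_size(total_bytes):
    """Render total_bytes the way the trace view does: KB, or MB above 999 KB."""
    kb = int(total_bytes) / 1024
    if kb > 999:
        return f"{kb / 1024:.2f} MB"
    return f"{kb:.0f} KB"


def summarize_trace(csv_text):
    """Return one record per recipient, flagging deliveries that failed."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for address, status in parse_recipient_status(row["recipient_status"]):
            records.append({
                "timestamp": row["origin_timestamp"],
                "sender": row["sender_address"],
                "recipient": address,
                "status": status,
                "failed": status.endswith("Fail"),
                "direction": DIRECTION.get(row["directionality"], "unknown"),
                "size": format_size(row["total_bytes"]),
                "network_message_id": row["network_message_id"],
            })
    return records


def failed_deliveries(csv_text):
    """Only the per-recipient records whose status ended in Fail."""
    return [r for r in summarize_trace(csv_text) if r["failed"]]


if __name__ == "__main__":
    for r in summarize_trace(SAMPLE_CSV):
        print(f"{r['timestamp']} {r['direction']:8} {r['sender']} -> {r['recipient']}: {r['status']} ({r['size']})")
```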

Further reading. For more information, see Message trace in the modern Exchange admin center in Exchange Online and Message Trace FAQ in Exchange Online.

Knowledge check


1. As the Messaging administrator for Fabrikam, Holly Spencer wants to run a message trace on message data that was created over a month ago. Where can Holly view this data?