From time to time, we have probably all run into a situation in which email messages went missing. Most of the time, a spam filter is to blame, but every once in a while, an email message inexplicably vanishes into a black hole in cyberspace. If this only happens once in a while, it might not be a big deal. However, if email messages are consistently not being delivered, then you may want to investigate the situation. Thankfully, Exchange Online includes a message trace tool that you can use to track email messages.
You can access the message trace tool by opening the Exchange admin center, expanding Mail flow in the navigation pane, and selecting Message trace. You can see what the message trace screen looks like in the image below.
As you can see in the screen capture above, several default queries are already set up to help you find your missing email, but you can also perform a custom query. For this article, I am going to walk you through the process of performing a default query. Creating a custom query works in a very similar way to what I am about to show you.
Performing a default query
To perform a default query, just click on the query that you want to run. For this demonstration, I will click on the All Quarantined Messages for the Last 7 Days query.
At this point, you will see the New message trace window appear, as shown in the image below. You can also access this window by clicking on the Start a Trace icon (shown in the previous image) rather than clicking on a default query.
The first thing you will need to do is specify the sender whose message you want to trace. By default, the message trace will examine messages from all senders, but if you are trying to diagnose a problem or track down a specific message that went missing, you can specify an individual sender.
The next thing that you will need to do is to specify a recipient. Once again, the interface defaults to all recipients, but you can limit the query to one specific recipient if you have the need.
Once you have specified a sender and a recipient, you will need to adjust the time range. If you look closely at the previous image, you can see that the time range bar actually has two sliders. By moving them, you set both ends of the range. For example, you could look for messages sent more than six hours ago but less than 12 hours ago.
Limiting the time range
As a best practice, select a time range no wider than the problem requires. A narrow range makes the query finish sooner and keeps the result set small enough to read. Message trace data is retained for 90 days, but only roughly the last 10 days can be queried interactively as an on-screen summary report; anything older has to be requested as an enhanced summary or extended report, which is generated in the background and downloaded as a CSV file. Either way, if the problem only started recently, use a correspondingly short range.
The next thing you will need to do is specify the type of report you want. Every report type includes the core information (sender, recipient, time, delivery status) you need to diagnose a problem, but the enhanced summary and extended reports provide far more detail, including the individual events that happened to each message as it passed through the service. Those two reports are queued, generated in the background, and delivered as CSV files (you can have Exchange Online email you when one is ready), whereas a summary report is shown on-screen immediately. My advice is to start with a summary report and move on to an enhanced or extended report only if you need more information. That approach will usually save you time in the long run.
At this point, you could click the Search button to begin the query. However, there are some additional search options that you can set if necessary. You might have noticed in the previous image that there is a Detailed search options dropdown. Expanding it reveals fields for delivery status, message ID, direction, and original client IP address. These are the fields you would fill in for a custom query, and they are the ones that matter most when you are investigating a specific incident rather than a general delivery problem: the message ID is the Message-ID header of the message itself (a user can copy it from the original message's headers, and it is the most reliable way to find one particular message), and the original client IP is the address from which the message was submitted to or received by Exchange Online, which is what you want when checking whether a reported phish came in from an external sender or was sent from a compromised internal account. You usually won't need these fields when running one of the default queries, which is why they are initially hidden. You can see what this looks like in the image below.
As you can see in the above message trace screen, you can include detailed search options if necessary.
When you click the Search button, Exchange will automatically begin the query process. The image below shows an example of a summary report. This summary report was created when I searched for all quarantined messages sent to my mailbox within the last seven days.
If you are satisfied with the results, you can click the Export results icon to download the results as a CSV file. The summary screen also provides an Edit message trace icon that you can use to revise your query if necessary.
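The same default query, run from PowerShell instead of the admin center, as an added example that is not part of the original article: it reproduces the "quarantined messages for the last seven days" trace with the ExchangeOnlineManagement module's Get-MessageTrace cmdlet, walks the result pages so nothing is silently dropped, and exports the summary the way the Export results button does. The recipient and notification addresses are placeholders, and the script assumes you are signed in to a tenant you are permitted to trace.

```powershell
# Added example (not from the article): the "quarantined messages for the last 7 days"
# trace as a script, so it can be narrowed, repeated and exported without the UI.
# Requires the ExchangeOnlineManagement module and an account with message trace rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; omit if a session is already open

# Keep the window as tight as the problem allows: here, the last 7 days.
$end   = Get-Date
$start = $end.AddDays(-7)

# Placeholder recipient. Remove -RecipientAddress below to trace all recipients,
# which is what the default query does.
$recipient = 'user@contoso.com'

# Get-MessageTrace returns at most 5000 rows per page; page through until a short page comes back.
$results = @()
$page = 1
do {
    $batch = Get-MessageTrace -StartDate $start -EndDate $end `
                              -RecipientAddress $recipient `
                              -Status Quarantined `
                              -PageSize 5000 -Page $page
    $results += $batch
    $page++
} while (@($batch).Count -eq 5000)

# The summary view: who sent it, from which IP, and what happened to it.
$results | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP |
    Sort-Object Received -Descending | Format-Table -AutoSize

# Equivalent of the Export results button.
$results | Export-Csv -Path '.\quarantined-last7days.csv' -NoTypeInformation

# Get-MessageTrace only covers roughly the last 10 days. For an older window (up to 90 days),
# queue an enhanced/extended report instead; it is delivered as CSV, and the job can be polled.
# $job = Start-HistoricalSearch -ReportTitle 'Quarantine 30d' -ReportType MessageTrace `
#            -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#            -RecipientAddress $recipient -NotifyAddress 'admin@contoso.com'
# Get-HistoricalSearch -JobId $job.JobId
```

Narrowing with -SenderAddress, -MessageId or -FromIP maps directly onto the sender, message ID and original client IP fields in the admin center; the -Status values accepted by the cmdlet (for example Delivered, Failed, Pending, FilteredAsSpam, Quarantined) correspond to the delivery status dropdown.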
In case you are wondering, you can click on an individual message to see detailed information about it. For instance, in the screenshot below, I clicked on one of the messages, and Exchange Online indicates that the message contains malware and even names the variant that was detected. Exchange Online also confirms that the message has not been delivered.
Message trace: More than just for finding missing email messages
The message trace tool is extremely useful for tracking down messages that have gone missing. It is also useful for getting a sense of what is being thrown at your organization: a trace of quarantined messages shows which senders and client IP addresses keep turning up and what the filters detected, which is a quick way to spot a campaign before anyone reports it.
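The per-message detail view and the "what is targeting us" use of the trace, as an added example that is not part of the original article: it takes the quarantined messages from a Get-MessageTrace query, fetches each message's events with Get-MessageTraceDetail (the filtering verdicts the admin center shows when you click a message, including the malware detection name in the Detail field), and then aggregates by event and by sending IP. The recipient and window are placeholders, and an open Exchange Online session is assumed.

```powershell
# Added example (not from the article): turn a quarantine trace into a quick picture of
# what the filters caught and where it came from. Assumes Connect-ExchangeOnline has run.
$end       = Get-Date
$start     = $end.AddDays(-7)
$recipient = 'user@contoso.com'    # placeholder

$quarantined = Get-MessageTrace -StartDate $start -EndDate $end `
                                -RecipientAddress $recipient -Status Quarantined

$verdicts = foreach ($m in $quarantined) {
    # Detail rows are keyed by MessageTraceId plus recipient; each row is one event
    # in the message's passage through the service (Receive, Spam, Malware, ...).
    $events = Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                                     -RecipientAddress $m.RecipientAddress `
                                     -StartDate $start -EndDate $end
    foreach ($e in $events) {
        [pscustomobject]@{
            Received = $m.Received
            Sender   = $m.SenderAddress
            FromIP   = $m.FromIP
            Subject  = $m.Subject
            Event    = $e.Event      # which stage acted on the message
            Detail   = $e.Detail     # free text; for malware events it names the detection
        }
    }
}

# Which filtering stages fired, and how often.
$verdicts | Group-Object Event | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Which sending IPs account for the quarantined mail. A handful of repeat
# offenders is the usual shape of a campaign; a single internal IP is a different problem.
$quarantined | Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'FromIP'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Keep the per-message detail for the case file.
$verdicts | Export-Csv -Path '.\quarantine-detail.csv' -NoTypeInformation
```

Get-MessageTraceDetail is called once per message, so on a busy tenant the loop can take a while and may be throttled; for a large window, the enhanced or extended report (Start-HistoricalSearch with -ReportType MessageTraceDetail) returns the same event data in one CSV.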