Message Trace Office 365
May 2013
Mark Bauer, Sujata Tamang
Agenda
• What is message trace?
• How does it help us?
• Difference between Message Trace and Delivery Reports.
• Different methods of message tracing.
• Mail flow and message tracing.
What is Message Trace?
• The message trace feature enables administrators to follow email messages as they pass through the Exchange Online or Exchange Online Protection service.
• It helps to determine whether a targeted email message was:
  - Received
  - Rejected
  - Deferred
  - Delivered
  - Failed
• Shows what actions have occurred to the message before reaching its final status.
How does it help us?
• It helps us obtain detailed information about a specific message that lets us efficiently:
  - Answer users' questions
  - Troubleshoot mail flow issues
  - Validate policy changes
  - Alleviate the need to contact technical support for assistance
Difference between message trace and delivery reports
Message Trace:
• Message trace enables administrators to search for specific messages using basic information such as sender, recipient, date and message ID to obtain the status of the message.
• The email status will help us determine if the message was received by the EOP filtering service; whether it was scanned, blocked, deleted or delivered successfully within the last 7 days.
Delivery Reports:
• Delivery reports allow end users to track delivery of e-mail messages.
• Delivery Reports help us discover answers to questions such as: why was a message not delivered, where is the message now, who received the message, why the message was delivered to a particular folder, etc. These reports are only retained for 14 days.
Message Trace - Admin UI: Delivery Reports - Admin UI:
Message Trace: Overview
Message trace results are available to administrators for the last 7 days and outline the status of a message:
• Delivered: The message was successfully delivered to the intended destination.
• Failed: The message was not delivered. Either it was attempted and failed or it was not delivered as a result of actions taken by the filtering service. For example, if the message was determined to contain malware.
• Pending: Delivery of the message is being attempted or re-attempted.
• Expanded: The message was sent to a distribution list and was expanded to the recipients of the distribution list.
• Unknown: The message delivery status is unknown at this time. When the results of the query are listed, the delivery details fields will not contain any information.
Message Tracing in Office 365 is very similar to the message tracing capabilities of Wave 14 with a number of improvements. The biggest improvement is the ability to use the following wildcard conditions for either the sender or recipient or both:
• *@domain
• alias@*
• *@* or blank
Message Trace: Considerations/Limitations
At this time we know of the following issues for message trace:
1) Include a Message ID string that contains the opening and closing angle brackets (<>).
2) Results are shown only for messages that have been scanned/processed by EOP.
3) Message trace cannot be performed on a message that was Edge-blocked. Messages blocked by reputation block lists will be included in the spam data for real time reports.
4) Redirect-to email addresses are not traceable in a single search. You need to provide the new recipients.
5) The message trace tool uses the MAIL FROM value presented at the initiation of the SMTP conversation as the Sender in a search, regardless of what the DATA section of the message shows.
6) When a message matches a transport rule, the ID is stored in the message trace and real time reporting databases. If you trace one of these messages, or drill down on rule details in a report, the message trace and real time reporting user interfaces dynamically pull the current rule information from the hosted services network based on the rule ID in the reporting database. If the rule is changed at a later time the rule ID remains the same. You can then use the auditing report feature in order to determine when the rule was changed and the properties that were changed.
Message Trace: UI
Additional Details:
Message Trace through Office 365 Remote PowerShell
In addition to tracking messages via the Exchange Admin Center UI, administrators can also track messages through Office 365 Remote PowerShell.
>>Get-MessageTrace
>>Get-MessageTraceDetail
• These cmdlets are available only in the cloud-based service.
• We use the Get-MessageTrace cmdlet to trace messages as they pass through the cloud-based organization.
Message Trace commands:
>>Get-MessageTrace -SenderAddress [email protected] -StartDate 06/13/2012 -EndDate 06/15/2012
>>Get-MessageTrace
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
4/30/2013 5:20:2... [email protected] [email protected]... Inbound Delivered
4/30/2013 5:19:0... [email protected]... [email protected] Outbound Delivered
Inbound Message:
>>Get-MessageTrace -SenderAddress john@contoso.com -RecipientAddress [email protected] | fl
Outbound Message:
>>Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected] | fl
Inbound Mailflow
Mail flow Scenario: Internet to Exchange Online
Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected] | fl
Message Trace ID : 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Message ID : <CAEaY4cP2pxjrta8xSoXApqrmwy0Fd+_j_9QABe_KVtanPRNrTQ@mail.contoso.com>
Received : 4/30/2013 5:20:21 PM
Sender Address : [email protected]
Recipient Address : [email protected]
From IP : 209.85.217.169
To IP :
Subject : Inbound
Status : Delivered
Size : 3548
Get-MessageTrace -MessageTraceId 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
4/30/2013 5:20:2... [email protected] [email protected]... Inbound Delivered
Get-MessageTraceDetail -MessageTraceId 67fad3d2-b9e8-48a6-9fce-08d013de20a9 -RecipientAddress [email protected]
Message ID
----------
<CAEaY4cP2pxjrta8xSoXApqrmwy0Fd+_j_9QABe_KVtanPRNrTQ@mail.contoso.com>
<CAEaY4cP2pxjrta8xSoXApqrmwy0Fd+_j_9QABe_KVtanPRNrTQ@mail.contoso.com>
Get-MessageTraceDetail -MessageTraceId 67fad3d2-b9e8-48a6-9fce-08d013de20a9 -RecipientAddress [email protected] | fl
Message Trace ID : 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Message ID : <CAEaY4cP2pxjrta8xSoXApqrmwy0Fd+_j_9QABe_KVtanPRNrTQ@mail.contoso.com>
Date : 4/30/2013 5:20:21 PM
Event : RECEIVE
Action :
Detail : Message received by: BN1PR03MB071
Data : <root><MEP Name="ConnectorId" String="BN1PR03MB071\Default BN1PR03MB071"/><MEP Name="ClientIP" String="10.255.109.25"/><MEP Name="ServerHostName" String="BN1PR03MB071"/></root>
Message Trace ID : 67fad3d2-b9e8-48a6-9fce-08d013de20a9
Message ID : <CAEaY4cP2pxjrta8xSoXApqrmwy0Fd+_j_9QABe_KVtanPRNrTQ@mail.contoso.com>
Date : 4/30/2013 5:20:22 PM
Event : DELIVER
Action :
Detail : The message was successfully delivered.
Data : <root><MEP Name="SourceContext"
String="08D004CCF63B2FF9;2013-04-30T17:20:22.626Z;ClientSubmitTime:"/><MEP
Name="MailboxServer" String="BLUPR03MB067"/><MEP Name="MailboxDatabaseName"
String="NAMPR03DG005-db011"/><MEP Name="DeliveryPriority"
String="Normal"/></root>
Outbound Mailflow
Mail flow Scenario: Exchange Online to Internet
Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected]
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
4/30/2013 5:19:0... [email protected]... john@co... Outbound Delivered
Get-MessageTrace -SenderAddress [email protected] -RecipientAddress [email protected] | fl
Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID : <81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
Received : 4/30/2013 5:19:04 PM
Sender Address : [email protected]
Recipient Address : [email protected]
From IP : 207.46.55.30
To IP : 2607:f8b0:4003:c02::1b
Subject : Outbound
Status : Delivered
Size : 6510
Get-MessageTraceDetail -MessageTraceId f8bce35b-bf45-4f20-6d1b-08d013ddf301 -RecipientAddress [email protected]
Message ID
----------
<81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
<81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
<81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
<81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
Get-MessageTraceDetail -MessageTraceId f8bce35b-bf45-4f20-6d1b-08d013ddf301 -RecipientAddress [email protected] | fl
Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID : <81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
Date : 4/30/2013 5:19:04 PM
Event : RECEIVE
Action :
Detail : Message received by: BLUPR03MB067
Data : <root><MEP Name="ClientIP" String="169.254.1.87"/><MEP Name="ServerHostName"
String="BLUPR03MB067"/></root>
Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID : <81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
Date : 4/30/2013 5:19:27 PM
Event : SUBMIT
Action :
Detail : The message is awaiting submission to the mailbox store.
Data :
Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID : <81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
Date : 4/30/2013 5:19:27 PM
Event : RECEIVE
Action :
Detail : Message received by: BLUPR03MB068
Data : <root><MEP Name="ConnectorId" String="BLUPR03MB068\Default BLUPR03MB068"/><MEP
Name="ClientIP" String="10.255.209.155"/><MEP Name="ServerHostName"
String="BLUPR03MB068"/></root>
Message Trace ID : f8bce35b-bf45-4f20-6d1b-08d013ddf301
Message ID : <81ec090617d045a7ac06317c5a01a443@BLUPR03MB067.namprd03.prod.outlook.com>
Date : 4/30/2013 5:19:28 PM
Event : SEND
Action :
Detail : Message transferred from: To_DefaultOpportunisticTLS
Data : <root><MEP Name="ConnectorId" String="To_DefaultOpportunisticTLS"/><MEP
Name="ServerIP" String="2607:f8b0:4003:c02::1b"/></root>
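An added example, not part of the original presentation: the Data field returned by Get-MessageTraceDetail is an XML fragment of MEP name/value pairs, and this PowerShell flattens it into one row per hop with the time elapsed since the previous event. The events are constructed from the outbound output above; the function name ConvertFrom-TraceData and the object property names Date, Event and Data are assumptions.

```powershell
# Constructed sample: the four outbound events shown above, in the order returned.
# Property names (Date, Event, Data) are assumed to match Get-MessageTraceDetail objects.
$events = @(
    [pscustomobject]@{ Date = [datetime]'2013-04-30T17:19:04'; Event = 'RECEIVE'
        Data = '<root><MEP Name="ClientIP" String="169.254.1.87"/><MEP Name="ServerHostName" String="BLUPR03MB067"/></root>' }
    [pscustomobject]@{ Date = [datetime]'2013-04-30T17:19:27'; Event = 'SUBMIT'; Data = '' }
    [pscustomobject]@{ Date = [datetime]'2013-04-30T17:19:27'; Event = 'RECEIVE'
        Data = '<root><MEP Name="ConnectorId" String="BLUPR03MB068\Default BLUPR03MB068"/><MEP Name="ClientIP" String="10.255.209.155"/><MEP Name="ServerHostName" String="BLUPR03MB068"/></root>' }
    [pscustomobject]@{ Date = [datetime]'2013-04-30T17:19:28'; Event = 'SEND'
        Data = '<root><MEP Name="ConnectorId" String="To_DefaultOpportunisticTLS"/><MEP Name="ServerIP" String="2607:f8b0:4003:c02::1b"/></root>' }
)

# Hypothetical helper: turn the <root><MEP Name=".." String=".."/></root> fragment
# into an ordered dictionary. Empty or malformed Data yields an empty dictionary.
function ConvertFrom-TraceData {
    param([string]$Data)
    $props = [ordered]@{}
    if ([string]::IsNullOrWhiteSpace($Data)) { return $props }
    try { $xml = [xml]$Data } catch { return $props }
    foreach ($mep in $xml.SelectNodes('/root/MEP')) {
        # GetAttribute avoids confusion between the "Name" attribute and the element name
        $props[$mep.GetAttribute('Name')] = $mep.GetAttribute('String')
    }
    return $props
}

$previous = $null
$timeline = foreach ($e in $events) {
    $d = ConvertFrom-TraceData $e.Data
    [pscustomobject]@{
        Date             = $e.Date
        Event            = $e.Event
        Server           = $d['ServerHostName']
        ClientIP         = $d['ClientIP']
        Connector        = $d['ConnectorId']
        NextHopIP        = $d['ServerIP']
        SecondsSincePrev = if ($null -ne $previous) { ($e.Date - $previous).TotalSeconds } else { 0 }
    }
    $previous = $e.Date
}

$timeline | Format-Table -AutoSize
```

Against a live tenant, replace the constructed `$events` array with the objects returned by the Get-MessageTraceDetail call shown above.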
Resources
Message Trace: http://technet.microsoft.com/en-us/library/jj200668(v=exchg.150).aspx
Run a Message Trace and View Results: http://technet.microsoft.com/en-us/library/jj200712(v=exchg.150).aspx
Message Trace FAQ: http://technet.microsoft.com/en-us/library/jj200741(v=exchg.150).aspx
Questions?
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.