How To Run A Message Trace In Exchange

A message trace is a feature in the Exchange admin center and you can use it to find out what happened to an email.

Introduction

You will need a certain set of permissions in order to access and use the Exchange admin center. Your organization will provide you with the proper credentials.

Why Run a Message Trace

One of the main reasons to run a message trace is that a user reports they did not receive a message they were expecting. In that case you can check whether Exchange delivered a particular message to a certain mailbox. You can also see if it was quarantined or rejected outright.

Another reason you would want to do a message trace is that users sometimes forget and delete their messages. You can show them that their email is just in a deleted folder.

How To Run A Message Trace

Here are the basic steps to perform a message trace:

  • Open the admin center: https://admin.exchange.microsoft.com/

  • Select Mail Flow from the left menu

  • Select message trace under the Mail Flow category

  • In the middle of the screen, select <Start a trace>

  • In the <Senders> box, input the email address you want to check

  • In the <Recipients> box, input the email address you want to check

  • Under <Time range>, select anything from 0 to 10 days for an immediate response

  • If you need more than 10 days, the trace takes longer because Exchange prepares a downloadable report

  • There are other options you can play with, but when done, select <Search>

Message tracing gives you a lot of flexibility. You can do a lot with it too. I used it yesterday to see if emails were being sent from one user to another. There are many other scenarios you can check for as needed.

A Few Details To Note

Another thing I should mention is that you can leave every field in the message trace section blank except for either <Senders> or <Recipients>. When done this way, the trace defaults to the last 48 hours of emails sent from or received by that address.

When doing custom searches, pay attention to the time zone. This field often goes unnoticed and introduces confusion. So, if you wondered why you emailed someone at 3 am while you were asleep, it is probably the time zone setting.

In the <Delivery status> section, there is a drop-down menu that can further refine your search. This is very helpful when you need to narrow down the list of results you have to go over.

When you need to look at a certain email, the message will have a unique ID that you can use to get more details about that message.

You can also add multiple recipients or senders to any trace. This is helpful if you want to find out more information.

Interpreting The Results

After the trace results come back, they are listed with the most recent first. There are several column headers, and you can click any of them to sort by that column. Clicking the same header again will reverse the sort.

For any message, you can double click it to get additional details. The unique message ID is located here. IP information is also located here, which is useful.

How Long Does It Take

If your time interval is under 10 days, the results appear immediately. However, if the time interval is longer, then you will get a downloadable CSV file sent to your email in a few hours. So, keep that in mind whenever you need to do a trace.

Message Tracing With PowerShell

This is another way to do message tracing. You can do whichever method is more comfortable for you. The first thing you need to do is import the Exchange module. I do it like this:

Import-Module ExchangeOnlineManagement

Now you need to connect to Exchange Online from within your PowerShell session.

Connect-ExchangeOnline -UserPrincipalName <user>

Now you can perform message tracing. The format of the command is:

Get-MessageTrace -SenderAddress <email> -StartDate 05/08/2022 -EndDate 05/18/2022

The <SenderAddress> is where the mail is coming from. The date range must be within 10 days or the command will fail.

Many times you will want to get the <MessageTraceId> of emails so you can investigate a particular email. You do that like this:

Get-MessageTrace -RecipientAddress <email> -StartDate 05/05/2022 -EndDate 05/10/2022 | Format-List -Property Received,SenderAddress,Status,MessageTraceId

This will return a list of emails with their ID. You can copy this ID into the next command. It will give you details of a particular message.

Get-MessageTraceDetail -MessageTraceId ae5c1219-4c90-41bf-fef5-08d837917e7c -RecipientAddress <email>

The <MessageTraceId> is a unique value that is obtained from the previous command.
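
As an added example (not part of the original article), the two commands above can be combined: the function below lists messages to a recipient that were not delivered and attaches the per-message events from Get-MessageTraceDetail. Get-UndeliveredMail and the sample address are hypothetical names; the code assumes a connected Exchange Online session and that trace timestamps are in UTC.

```powershell
# Added example: requires an existing Connect-ExchangeOnline session.
# Get-UndeliveredMail is a hypothetical helper name, not an Exchange cmdlet.
function Get-UndeliveredMail {
    param(
        [Parameter(Mandatory)] [string] $RecipientAddress,
        # Get-MessageTrace fails when the range exceeds 10 days, so reject it up front.
        [ValidateRange(1, 10)] [int] $Days = 2
    )

    # Assumption: trace dates are handled as UTC, so build the window in UTC.
    $end      = (Get-Date).ToUniversalTime()
    $start    = $end.AddDays(-$Days)
    $page     = 1
    $pageSize = 1000

    do {
        # Results are paged; keep requesting pages until one comes back short.
        $batch = @(Get-MessageTrace -RecipientAddress $RecipientAddress `
                     -StartDate $start -EndDate $end `
                     -PageSize $pageSize -Page $page)

        foreach ($msg in ($batch | Where-Object { $_.Status -ne 'Delivered' })) {
            # The detail events show why a message was quarantined, filtered or failed.
            $events = Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId `
                        -RecipientAddress $msg.RecipientAddress

            [pscustomobject]@{
                ReceivedLocal  = $msg.Received.ToLocalTime()  # assumes Received is UTC
                Sender         = $msg.SenderAddress
                Subject        = $msg.Subject
                Status         = $msg.Status
                FromIP         = $msg.FromIP
                MessageTraceId = $msg.MessageTraceId
                Events         = ($events | Sort-Object Date |
                                  ForEach-Object { "$($_.Event): $($_.Detail)" }) -join ' | '
            }
        }
        $page++
    } while ($batch.Count -eq $pageSize)
}

# Sample call with a constructed address.
Get-UndeliveredMail -RecipientAddress 'user@example.com' -Days 3 | Format-List
```

Converting Received to local time in the output avoids the time zone confusion mentioned earlier when comparing results with what a user reports.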

Finally, we can do a historical search. This is useful when you need a longer period of messages.

Start-HistoricalSearch -ReportTitle ExtendedMessageTrace -StartDate 5/11/2022 -EndDate 5/18/2022 -ReportType MessageTraceDetail -NotifyAddress <email> -SenderAddress <email> -RecipientAddress jasonmoore@magnolia.com

You will get a job ID when it is successful.

Conclusion

This document was about performing a message trace in the Exchange admin center. We talked about why you would do this and also how it is done. Then we discussed some details about messages and the resulting reports.

Then we talked about how to do these tasks in PowerShell. That is useful because they can be scripted and automated, which is what we should all be striving to do.