If emails are missing in Microsoft 365 (formerly Office 365), that is, if users complain that they didn't receive emails, you need to know how to trace these messages. In this article, I will explain the various options available in the Microsoft 365 portal to troubleshoot email delivery email issues. In my next post, I will cover message tracing with PowerShell.

You must have a Global Administrator or Exchange Administrator role in the tenant to follow the instructions in this article. Please check this link to understand the process needed to elevate a user to an administrator role.

Let's consider the following scenario. A user reports that an email sent by an external mailbox wasn't delivered to their mailbox. The most important aspect of troubleshooting mail flow issues is tracking the emails. There are multiple ways to do this.

You can access the new Exchange Admin Center by clicking on the Exchange tab in the Microsoft 365 Admin Center. To start a message trace, expand the Mail flow option and select Message trace.

Message trace via the portal

Message trace via the portal

To start a trace, you'll need the following information:

  • Sender email address
  • Recipient email address
  • Date the email was sent

You can, of course, run the trace with only the sender address or the recipient address.

After entering the required information, you must then decide whether you want the report to be short and concise or detailed. Select Summary report if you want instant reports and if the duration of your search is less than 10 days.

An enhanced summary report provides a detailed report of the mail flow, which includes the sender, recipient address, and original_client_ip. It can return up to 50,000 results. Extended report does pretty much the same, except that it can return 1000 results at a time. Both of these reports can be downloaded from the download center in CSV format.

For this demonstration, you can select Summary report. The result clearly states that the email was filtered as spam and delivered to the user's Junk folder.

Filtered as spam

Filtered as spam

The email was deemed spam by Exchange Online Protection (EOP). If you feel this is a legitimate email, you can ask the user to whitelist it from their mailbox, or if you think other users may also need this sender's emails to be delivered to their inboxes, then you can whitelist the sender in EOP.

This link shows how you can whitelist an email address in Microsoft 365.

Message trace status ^

In the previous section, you learned about the filtered as spam status for a message trace. It's important to understand the different status types you might encounter while running message traces. You will learn about them in this section.

Failed

Scenario: You have noticed that some emails sent to a specific user do not get delivered. Your aim is to find the cause of the issue and to ensure that a permanent fix is applied.

Since we are still exploring the portal to run message traces, we will pursue that path. Run a message trace again with the sender and recipient addresses and the appropriate timeline. This time, you get the following result:

Message trace status Failed

Message trace status Failed

Let's analyze this result. The Microsoft 365 servers did receive the email from the external sender; however, the recipient wasn't found in the tenant.

The first task is to ascertain whether the user mailbox exists in your tenant. You can search for the mailbox in the Exchange Admin Center (EAC).

Even if the mailbox is found, you must check whether the address used in the email is present in the proxies of the recipient mailbox. This is a common issue in which the recipient mailbox does not contain the proxy address; if this is the case, the proxy address must be added to the mailbox.

You may see different types of errors; you can refer to this article to get an overview of all the error codes and possible fixes.

Quarantined

One common scenario is that the sender's email is quarantined. This depends entirely on the policies set up in Microsoft 365. See this link to learn more about configuring antimalware policies to quarantine specific types of emails.

The following is an example of an email that was quarantined by Microsoft 365, as it matched the settings in the antimalware policy for that tenant.

Message trace status Quarantined

Message trace status Quarantined

You can release the email from the quarantine through the Quarantine Center. However, even end users can release their emails via the same link. The difference is that end users will be able to view and act only on their own emails.

Expanded

Scenario: Email sent to a distribution group was not delivered to one of its members.

Exchange Online tracks emails sent to distribution groups up to the email's arrival at the distribution group. After that, the status is set to "Expanded" in message traces, indicating that the email was distributed to all the recipients of the group in the cloud. This confirms that the email was forwarded to the members of the group.

Distribution group Expanded 1

Distribution group Expanded 1

Distribution Group Expanded 2

Distribution Group Expanded 2

However, this does not mean that the email was delivered to all the members of the group. Since you already have the email address of the user who didn't receive the email, you must run a trace of the email being sent to that specific user. This will tell you whether the email was delivered. If there is any issue, you can proceed accordingly.

Filtered as spam

This scenario was explained in the Quarantine section.

Pending

There are a few different reasons for an email to be in the "Pending" status. Let's look at some of them here.

Pending due to Advanced Threat Protection scanning

Take this scenario as an example. The user complains of an email being delayed in delivery.

As always, you must run a message trace. When you do, you might see the status as "Pending."

Pending due to ATP scanning 1

Pending due to ATP scanning 1

Upon further investigation, you can see that the email was deferred, as Advanced Threat Protection was scanning it. The initial malware verdict was allowed. However, delivery was temporarily stopped during the next scan. The email will be delivered once the scan is complete.

Pending due to ATP Scanning 2

Pending due to ATP Scanning 2

In addition, Exchange Online Protection may also defer email delivery due to other scans or checks that it might be performing.

Mailbox size issue with the recipient mailbox

However, there could be other reasons for emails to be stuck in the "Pending" state like this one, if the recipient's mailbox size is over the quota. In this case, the recipient must take action either to increase the mailbox size or to clear out some space.

Pending due to mailbox size

Pending due to mailbox size

Relay Access Denied

In the next example, you will see that the sender is not allowed to relay emails through the server and hence gets the error. A possible fix here is to check the SMTP server used to send the emails and whether the server is allowed to connect to the recipient servers.

Pending because relay access was denied

Pending because relay access was denied

Connection refused

This error clearly states that the connection to the external environment was blocked, probably due to a firewall blocking the connection from Microsoft 365 IPs. The fix here is to contact the external environment and ask them to check and allow Microsoft 365 IPs in their firewall.

Pending because the connection was refused

Pending because the connection was refused

Getting status

This is the strangest Microsoft 365 message trace status. It literally means that Microsoft has received the email; however, it does not have any more information on it, and you should check later for further information. If the email eventually failed, there would be some NDRs that you could investigate for more information.

Delivered

This means that the email was successfully delivered to the intended recipient. The screenshots here show how an email sent to my test address was successfully delivered to the mailbox.

Message trace status Delivered 1

Message trace status Delivered 1

How to choose the right type of message trace report ^

The choice of a message trace report depends on a couple of factors. Let's look at them in this section.

Summary report

If the email trace duration is less than 10 days, you must use this report type. The results will be displayed instantly.

Summary report

Summary report

This shows the message events, such as receive, send, fail, defer, deliver, etc.

Enhanced summary report

If you want to have a CSV file with in-depth details of the message trace, then you should run this trace report. The information displayed in the CSV includes origin_timestamp, sender_address, recipient_status, message_id, original_client_ip, directionality, connector_id, and more.

Here is an example:

Enhanced summary report

Enhanced summary report

See this link to understand how to parse an extended message trace report.

Extended reports

This is also a downloadable CSV report type. All the information available in the Enhanced Summary Report is accessible via this report, except origin_timestamp and delivery_priority.

In effect, this report will not show the date and time when the email was received by Microsoft 365.

Conclusion ^

In this post, I discussed various scenarios for finding lost emails in the Microsoft 365 portal. In my next article, I will show you how you can trace emails in Microsoft 365 with PowerShell.

+4
1 Comment
  1. Klevi 5 months ago

    Great post Vignesh.

    I would recommend next to do how to find emails based on Subject, ID etc.

    +1
    avatar

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account