You must have a Global Administrator or Exchange Administrator role in the tenant to follow the instructions in this article. Please check this link to understand the process needed to elevate a user to an administrator role.
Let's consider the following scenario. A user reports that an email sent by an external mailbox wasn't delivered to their mailbox. The most important aspect of troubleshooting mail flow issues is tracking the emails. There are multiple ways to do this.
You can access the new Exchange Admin Center by clicking on the Exchange tab in the Microsoft 365 Admin Center. To start a message trace, expand the Mail flow option and select Message trace.
To start a trace, you'll need the following information:
- Sender email address
- Recipient email address
- Date the email was sent
You can, of course, run the trace with only the sender address or the recipient address.
After entering the required information, you must then decide whether you want the report to be short and concise or detailed. Select Summary report if you want instant reports and if the duration of your search is less than 10 days.
An enhanced summary report provides a detailed report of the mail flow, which includes the sender, recipient address, and original_client_ip. It can return up to 50,000 results. Extended report does pretty much the same, except that it can return 1000 results at a time. Both of these reports can be downloaded from the download center in CSV format.
For this demonstration, you can select Summary report. The result clearly states that the email was filtered as spam and delivered to the user's Junk folder.
The email was deemed spam by Exchange Online Protection (EOP). If you feel this is a legitimate email, you can ask the user to whitelist it from their mailbox, or if you think other users may also need this sender's emails to be delivered to their inboxes, then you can whitelist the sender in EOP.
This link shows how you can whitelist an email address in Microsoft 365.
Message trace status ^
In the previous section, you learned about the filtered as spam status for a message trace. It's important to understand the different status types you might encounter while running message traces. You will learn about them in this section.
Scenario: You have noticed that some emails sent to a specific user do not get delivered. Your aim is to find the cause of the issue and to ensure that a permanent fix is applied.
Since we are still exploring the portal to run message traces, we will pursue that path. Run a message trace again with the sender and recipient addresses and the appropriate timeline. This time, you get the following result:
Let's analyze this result. The Microsoft 365 servers did receive the email from the external sender; however, the recipient wasn't found in the tenant.
The first task is to ascertain whether the user mailbox exists in your tenant. You can search for the mailbox in the Exchange Admin Center (EAC).
Even if the mailbox is found, you must check whether the address used in the email is present in the proxies of the recipient mailbox. This is a common issue in which the recipient mailbox does not contain the proxy address; if this is the case, the proxy address must be added to the mailbox.
You may see different types of errors; you can refer to this article to get an overview of all the error codes and possible fixes.
One common scenario is that the sender's email is quarantined. This depends entirely on the policies set up in Microsoft 365. See this link to learn more about configuring antimalware policies to quarantine specific types of emails.
The following is an example of an email that was quarantined by Microsoft 365, as it matched the settings in the antimalware policy for that tenant.
You can release the email from the quarantine through the Quarantine Center. End users can also release their emails via the same link; the difference is that end users can view and act only on their own emails.
Scenario: Email sent to a distribution group was not delivered to one of its members.
Exchange Online tracks emails sent to distribution groups up to the email's arrival at the distribution group. After that, the status is set to "Expanded" in message traces, indicating that the email was distributed to all the recipients of the group in the cloud. This confirms that the email was forwarded to the members of the group.
However, this does not mean that the email was delivered to all the members of the group. Since you already have the email address of the user who didn't receive the email, you must run a trace of the email being sent to that specific user. This will tell you whether the email was delivered. If there is any issue, you can proceed accordingly.
Filtered as spam
This scenario was explained in the Quarantine section.
There are a few different reasons for an email to be in the "Pending" status. Let's look at some of them here.
Pending due to Advanced Threat Protection scanning
Take this scenario as an example. The user complains of an email being delayed in delivery.
As always, you must run a message trace. When you do, you might see the status as "Pending."
Upon further investigation, you can see that the email was deferred, as Advanced Threat Protection was scanning it. The initial malware verdict was allowed. However, delivery was temporarily stopped during the next scan. The email will be delivered once the scan is complete.
In addition, Exchange Online Protection may also defer email delivery due to other scans or checks that it might be performing.
Mailbox size issue with the recipient mailbox
Emails can also be stuck in the "Pending" state for other reasons, as in this example, where the recipient's mailbox is over its quota. In this case, the recipient must take action, either by increasing the mailbox size or by clearing out some space.
Relay Access Denied
In the next example, you will see that the sender is not allowed to relay emails through the server and therefore receives this error. A possible fix is to check which SMTP server was used to send the email and whether that server is allowed to connect to the recipient's servers.
This error clearly states that the connection to the external environment was blocked, probably due to a firewall blocking the connection from Microsoft 365 IPs. The fix here is to contact the external environment and ask them to check and allow Microsoft 365 IPs in their firewall.
This is the strangest Microsoft 365 message trace status. It literally means that Microsoft has received the email; however, it does not have any more information on it, and you should check later for further information. If the email eventually failed, there would be some NDRs that you could investigate for more information.
This means that the email was successfully delivered to the intended recipient. The screenshots here show how an email sent to my test address was successfully delivered to the mailbox.
How to choose the right type of message trace report ^
The choice of a message trace report depends on a couple of factors. Let's look at them in this section.
If the email trace duration is less than 10 days, you must use this report type. The results will be displayed instantly.
This shows the message events, such as receive, send, fail, defer, deliver, etc.
Enhanced summary report
If you want to have a CSV file with in-depth details of the message trace, then you should run this trace report. The information displayed in the CSV includes origin_timestamp, sender_address, recipient_status, message_id, original_client_ip, directionality, connector_id, and more.
Here is an example:
See this link to understand how to parse an extended message trace report.
This is also a downloadable CSV report type. All the information available in the Enhanced Summary Report is accessible via this report, except origin_timestamp and delivery_priority.
In effect, this report will not show the date and time when the email was received by Microsoft 365.
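To show how the statuses covered in the message trace status section map onto an exported report, here is an added Python example (not code from the article or from Microsoft). It parses a constructed enhanced summary CSV whose header follows the fields listed above, splits each recipient_status value into recipient and status text, classifies every record into one of the statuses discussed (Delivered, Filtered as spam, Quarantined, Expanded, Pending, Failed), and lists the messages to one recipient that did not reach the inbox. The "recipient##status" layout of recipient_status, the ";" separator between several recipients, and the wording of the status texts are assumptions made for the sample, not guaranteed properties of a real export.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export (not a real trace). Column names follow the
# fields the article lists; a real export may carry more columns, so the
# parser looks fields up by name and tolerates missing ones.
SAMPLE_CSV = """origin_timestamp,sender_address,recipient_status,message_id,original_client_ip,directionality,connector_id,delivery_priority
2021-12-01T09:15:02Z,partner@example.com,alice@contoso.example##250 2.6.0 Delivered to inbox,<m1@example.com>,203.0.113.10,Incoming,,Normal
2021-12-01T09:16:45Z,newsletter@example.net,alice@contoso.example##250 2.6.0 Filtered as spam; delivered to Junk folder,<m2@example.net>,198.51.100.7,Incoming,,Low
2021-12-01T09:20:11Z,partner@example.com,bob@contoso.example##550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found,<m3@example.com>,203.0.113.10,Incoming,,Normal
2021-12-01T09:25:30Z,vendor@example.org,alice@contoso.example##Pending: deferred by Advanced Threat Protection scanning,<m4@example.org>,192.0.2.44,Incoming,,Normal
2021-12-01T09:31:08Z,hr@contoso.example,all-staff@contoso.example##250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded;alice@contoso.example##250 2.6.0 Delivered to inbox,<m5@contoso.example>,10.0.0.5,Originating,,Normal
2021-12-01T09:40:52Z,alice@contoso.example,ext@example.com##554 5.7.1 Relay Access Denied,<m6@contoso.example>,10.0.0.5,Outbound,Outbound to partner,Normal
2021-12-01T09:45:00Z,invoices@example.net,alice@contoso.example##Quarantined by antimalware policy (attachment type blocked),<m7@example.net>,198.51.100.9,Incoming,,Normal
"""

# Assumed layout: "recipient##status text", several recipients joined by ";".
# Status texts themselves may contain ";", so only split on a ";" that is
# followed by another "recipient##" chunk.
RECIPIENT_SPLIT = re.compile(r";(?=[^;]*##)")

# Keyword rules, checked in order. Order matters: a spam verdict still says
# "delivered to Junk folder", so it must be tested before "delivered".
STATUS_RULES = [
    ("Quarantined", ("quarantin",)),
    ("FilteredAsSpam", ("filtered as spam", "spam")),
    ("Expanded", ("expanded",)),
    ("Pending", ("pending", "defer")),
    ("Failed", ("relay access denied", "recipient not found", "550", "554", "fail", "blocked")),
    ("Delivered", ("delivered",)),
]


def classify(status_text):
    """Map a free-text recipient status onto one of the trace statuses."""
    text = status_text.lower()
    for label, needles in STATUS_RULES:
        if any(needle in text for needle in needles):
            return label
    return "Unknown"


def parse_trace(csv_text):
    """Return one record per (message, recipient) pair found in the export."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for chunk in RECIPIENT_SPLIT.split(row.get("recipient_status", "")):
            recipient, _, status = chunk.partition("##")
            records.append({
                # The extended report omits origin_timestamp; fall back to "".
                "timestamp": row.get("origin_timestamp", ""),
                "sender": row.get("sender_address", "").strip().lower(),
                "recipient": recipient.strip().lower(),
                "status": classify(status),
                "detail": status.strip(),
                "message_id": row.get("message_id", ""),
                "client_ip": row.get("original_client_ip", ""),
                "directionality": row.get("directionality", ""),
            })
    return records


def undelivered_for(records, recipient):
    """Records addressed to one user whose message did not land in the inbox."""
    wanted = recipient.lower()
    return [r for r in records if r["recipient"] == wanted and r["status"] != "Delivered"]


def status_summary(records):
    """Count how many recipient records fall into each status."""
    return Counter(r["status"] for r in records)


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_CSV)
    for status, count in sorted(status_summary(recs).items()):
        print(f"{status:15} {count}")
    print("\nNot delivered to alice@contoso.example:")
    for r in undelivered_for(recs, "alice@contoso.example"):
        print(f"  {r['message_id']:22} {r['status']:15} {r['detail']}")
```

The "Expanded" record for the distribution group is deliberately not treated as a failure, matching the explanation above: it only confirms that the group was expanded, and the member's own record (the second chunk of the same row) is what tells you whether delivery happened. When the input is an extended report rather than an enhanced summary, the timestamp field is simply empty.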
In this post, I discussed various scenarios for finding lost emails in the Microsoft 365 portal. In my next article, I will show you how you can trace emails in Microsoft 365 with PowerShell.