- Prerequisites
- Locating the Mailflow report in the Exchange Admin Center
- Inbound and Outbound messages report
- Top domain mailflow status report
- Auto forwarded messages report
- Non-accepted domain report
- Non-delivery report
- Mailboxes exceeding receiving limits report
- Queued messages report
- SMTP AUTH clients
- Conclusion
- Whitelist a domain in Microsoft 365 - Wed, Nov 29 2023
- Anti-spam policies in Microsoft 365 (Office 365) - Thu, Nov 23 2023
- Configure Quarantine Policies in Microsoft 365 - Fri, Aug 12 2022
Prerequisites
Access to a Microsoft 365 tenant. If you don't have one, you can always sign up for a trial version here.
The following roles are required to view the reports in the Exchange Admin Center (EAC):
- Organization Management
- Security Administrator (assigned from the Azure portal)
- Security Reader
- View-Only Organization Management
- View-Only Recipients
Locating the Mailflow report in the Exchange Admin Center
Mail flow reports are available in multiple locations. Let's explore the ones available in the Exchange Admin Center. These reports can be found at this path: Exchange Admin Center > Reports > Mail Flow. Note that this is applicable to the new Microsoft 365 Admin portal only.
Inbound and Outbound messages report
The Inbound messages report displays the number of emails received by your tenant. It divides the emails according to how they were received: from the internet or from your on-premises servers (in hybrid Exchange); they are further categorized according to the TLS version used. Hence, this can serve as the first step for you to identify the load of TLS 1.0 or 1.1, which will be deprecated.
The overview is as follows:
Inbound messages report showing emails received from external and on premises mailboxes
You can also export the report to an Excel file. The maximum duration of this report is 90 days. It provides more information than the GUI, as it shows the connector name and type, as well as the percentage of emails using TLS 1.0, 1.1, or 1.2.
Excel report displaying inbound emails
The Outbound messages report is the opposite of what we just discussed. It shows the details of the emails that were sent from your tenant, including the volume of outbound emails and the breakup of the TLS versions used. Again, you can export this report to an Excel file.
If you have any connectors configured to send emails to your partners and also to your on-premises servers, they would be displayed here.
Outbound email report displaying emails sent to external on premises and partner mailboxes
Top domain mailflow status report
This report shows the status of your domains in Microsoft 365. It's particularly helpful to detect any misconfigurations in MX records for your domains. The information displayed here includes the domain name, its status, previous and current MC records, and whether the domain has received emails in the last six hours.
A list of domains in the tenant displaying healthy and erroneous domain status
Domains marked as "erroneous" will also display recommended checks and steps when clicked.
Corrective actions for erroneous domains
Faulty domains must be checked for MX record issues. This will help you avoid major mailflow issues.
Auto forwarded messages report
Auto-forwarding of emails from your tenant to external domains can be a security threat. If you have this enabled in your tenant, you must analyze this report regularly.
Overview of auto forwarded emails on the portal
You can export the report to Excel. It displays the first forward date, number of forwards, forwarding type, recipient domain and name, and the sender address.
Forwarding can also be set up via mailbox rules. The report will display which method was used. This report can help you determine which users are forwarding the most emails from your tenant. You can then verify whether the emails are valid or whether you need to block the user as potentially compromised.
Auto forwarded report displayed in Excel
Non-accepted domain report
This report is applicable to Exchange hybrid setups. The report captures emails that originate from your on-premises Exchange Servers and are sent to your Microsoft 365 tenant using connectors where the sender domain is not an accepted domain. If your Exchange Servers are being used to send emails using non-accepted domains, then it is possible some of them are being sent from compromised accounts. Such emails may even be blocked or marked as junk if EOP suspects anything.
Graphical view of emails sent from non accepted domains
You can export the report. It will show you the connector name, date the emails were sent, sender domain, a few sample message IDs, and the message count.
Excel downloaded from the portal displaying the non accepted domain report
This report could serve as the first step in regulating email traffic from your on-premises servers. There may not be any reason for anyone to send emails using nonaccepted domains from your on-premises servers; hence, this could be suspicious activity, and you must investigate it to determine whether it's a legitimate case or not.
Non-delivery report
Non-delivery reports (NDR) are common occurrences in Exchange. Microsoft 365 provides you with this NDR report so that you can track these failures. In the NDR report panel, you will see the following graph with the DSN codes. These are the NDRs that senders receive when they try to email your tenant's users. There could be several reasons for this failure, as shown here.
Non delivery report with DSN codes in the portal
You can download the report and analyze it in Excel.
Excel file showing the Non delivery report
Mailboxes exceeding receiving limits report
This is an interesting report that shows you the mailboxes that have hit the limit for the maximum number of emails that can be received in a specified amount of time. As per Exchange Online limits, a mailbox can receive 3600 messages/hour. The report is displayed as follows:
Example of mailboxes exceeding receiving limits report with the heatmaps
"Exceeded" status in the report means that the mailbox has hit the maximum receiving limit. "At risk" implies that the mailbox has received huge volumes of emails and is about to hit the throttling limit. The consequence of crossing the threshold is that the mailbox won't be able to receive emails for at least an hour.
The report is also available in tabular format, displaying the hours a mailbox exceeded the limits or was at risk, top email sender, proportion of spam emails, and emails received per hour.
In most cases, there won't be any data in this report, as there may be no mailbox near the email receiving limit.
Queued messages report
In a hybrid Exchange environment, emails from your Microsoft 365 tenant to your Exchange on-premises servers are sent using connectors. These emails might get queued up in Microsoft 365 if, say, your on-premises servers are unreachable due to some network issues or the connectors are misconfigured. Such emails will be retried for 24 hours, after which the senders will start receiving NDRs.
As Exchange admins, you will want to be notified immediately once emails start getting queued up. You can set this in the Alert Policies tab in the Mail flow section in EAC. The alert policy "Messages have been delayed" is the one that triggers the mail queue alerts. It's created by default.
Queued message alert created by default
You must decide on the recipients for this alert. The number of queued emails after which this alert would be triggered is also set here.
SMTP AUTH clients
SMTP AUTH is a legacy protocol that uses basic authentication; hence, it is vulnerable to compromise. As a result, it's important to know which mailboxes send emails using this protocol. This report helps you do exactly that. You can view the information classified by sender, domain, and TLS protocol.
SMTP AUTH report view in the portal
The report can be exported to Excel.
Excel report of SMTP AUTH
Using this report, you can investigate the reason why these mailboxes still use the SMTP AUTH protocol.
Subscribe to 4sysops newsletter!
Conclusion
Now that you have in-depth knowledge of all the mail flow reports in EAC, you are better equipped to handle the vagaries of Exchange Online. In the next post when we explore mail flow reports available in the security center in Microsoft 365.
Read the latest IT news and community updates!
Join our IT community and read articles without ads!
Do you want to write for 4sysops? We are looking for new authors.
The new report section isn't as interactive as the old one. In the old one, you could get a preview of the sample messages instead of just seeing the message ID. Now I need to run a discovery on those messages to see what they are. I don't like it!
Yes. I felt the new reports section did miss out on some of the old portal's features.
Previews would still be visible in the M365 Threat Explorer where you can run a trace and view previews of the emails, message headers and even download the emails.
https://4sysops.com/archives/microsoft-365-threat-explorer-finding-malicious-emails/
Yeah I mostly used the NDR report to quickly see where those issues are and being able to get a preview was super helpful. These don't show up in the Threat Explorer though 🙁
Yes that's a thing which was handy.
Hello Vignesh,
Great post! Clear, concise and helpful for Mailflow reports.
Thank you!
The new portal is a bit confusing as the reports are scattered.
They have divided the reports in different portals based on the functionality. Hence, this post covers the mailflow reports in the EAC.
There is another post on this site: https://4sysops.com/archives/mail-flow-reports-in-the-microsoft-365-defender-portal/ which covers the mailflow reports available in M365 Defender portal.
Thank you!
Where in EAC we can check queued messages.. In protection. Office. Com we were able to see the mailflow dashboard here that is not vosiblr
You can find this in EAC, under Reports in the report named Queued messages report. However, this is only for emails stuck there for more than an hour. Hence, its not like the message queues we see in Exchange onpremise.