Understanding mail flow reports available in the Microsoft 365 Exchange Admin Center is essential for troubleshooting mail flow issues, reviewing email traffic, and formulating your security policies for mail flow; these are everyday tasks for Exchange admins. Mail flow reports can not only help you in these tasks but also give you early indications of impending issues.

Prerequisites

Access to a Microsoft 365 tenant. If you don't have one, you can always sign up for a trial version here.

The following roles are required to view the reports in the Exchange Admin Center (EAC):

  • Organization Management
  • Security Administrator (assigned from the Azure portal)
  • Security Reader
  • View-Only Organization Management
  • View-Only Recipients

Locating the Mailflow report in the Exchange Admin Center

Mail flow reports are available in multiple locations. Let's explore the ones available in the Exchange Admin Center. These reports can be found at this path: Exchange Admin Center > Reports > Mail Flow. Note that this is applicable to the new Microsoft 365 Admin portal only.

Inbound and Outbound messages report

The Inbound messages report displays the number of emails received by your tenant. It divides the emails according to how they were received: from the internet or from your on-premises servers (in hybrid Exchange); they are further categorized according to the TLS version used. Hence, this can serve as the first step for you to identify the load of TLS 1.0 or 1.1, which will be deprecated.

The overview is as follows:

Inbound messages report showing emails received from external and on premises mailboxes

You can also export the report to an Excel file. The maximum duration of this report is 90 days. It provides more information than the GUI, as it shows the connector name and type, as well as the percentage of emails using TLS 1.0, 1.1, or 1.2.

Excel report displaying inbound emails

The Outbound messages report is the opposite of what we just discussed. It shows the details of the emails that were sent from your tenant, including the volume of outbound emails and the breakdown of the TLS versions used. Again, you can export this report to an Excel file.

If you have any connectors configured to send emails to your partners and also to your on-premises servers, they would be displayed here.

Outbound email report displaying emails sent to external on premises and partner mailboxes

Top domain mailflow status report

This report shows the status of your domains in Microsoft 365. It's particularly helpful to detect any misconfigurations in MX records for your domains. The information displayed here includes the domain name, its status, previous and current MX records, and whether the domain has received emails in the last six hours.

A list of domains in the tenant displaying healthy and erroneous domain status

Domains marked as "erroneous" will also display recommended checks and steps when clicked.

Corrective actions for erroneous domains

Faulty domains must be checked for MX record issues. This will help you avoid major mailflow issues.

Auto forwarded messages report

Auto-forwarding of emails from your tenant to external domains can be a security threat. If you have this enabled in your tenant, you must analyze this report regularly.

Overview of auto forwarded emails on the portal

You can export the report to Excel. It displays the first forward date, number of forwards, forwarding type, recipient domain and name, and the sender address.

Forwarding can also be set up via mailbox rules. The report will display which method was used. This report can help you determine which users are forwarding the most emails from your tenant. You can then verify whether the emails are valid or whether you need to block the user as potentially compromised.

Auto forwarded report displayed in Excel
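
The same two forwarding methods the report distinguishes can be checked from PowerShell. The following is an added example, not part of the original article: the function names are hypothetical and the sample objects are constructed, while the cmdlets named in the comments are the standard Exchange Online ones.

```powershell
# Added example: flag forwarding targets outside the tenant's accepted domains.
# In a live Exchange Online PowerShell session the inputs would come from:
#   $accepted  = (Get-AcceptedDomain).DomainName
#   $mailboxes = Get-Mailbox -ResultSize Unlimited
#   $rules     = $mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress }
# The objects at the bottom are constructed sample data so the logic runs offline.

function Get-ExternalTarget {
    param([string[]]$Targets, [string[]]$AcceptedDomains)
    foreach ($t in $Targets) {
        # Matches 'smtp:user@domain' as well as '"Name" [SMTP:user@domain]';
        # entries with no SMTP address in them are skipped.
        if ($t -match '@([A-Za-z0-9.-]+)' -and $AcceptedDomains -notcontains $Matches[1]) { $t }
    }
}

function Find-ExternalForwarding {
    param($Mailboxes, $InboxRules, [string[]]$AcceptedDomains)
    foreach ($m in $Mailboxes) {
        foreach ($hit in (Get-ExternalTarget $m.ForwardingSmtpAddress $AcceptedDomains)) {
            [pscustomobject]@{ Mailbox = $m.PrimarySmtpAddress; Method = 'Mailbox forwarding'; Target = $hit }
        }
    }
    # Only enabled rules are evaluated.
    foreach ($r in ($InboxRules | Where-Object Enabled)) {
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)
        foreach ($hit in (Get-ExternalTarget $targets $AcceptedDomains)) {
            [pscustomobject]@{ Mailbox = $r.MailboxOwnerId; Method = "Inbox rule '$($r.Name)'"; Target = $hit }
        }
    }
}

$accepted  = @('contoso.example')
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'amy@contoso.example'; ForwardingSmtpAddress = 'smtp:amy@personal.example' }
    [pscustomobject]@{ PrimarySmtpAddress = 'raj@contoso.example'; ForwardingSmtpAddress = $null }
)
$rules = @(
    [pscustomobject]@{ MailboxOwnerId = 'raj'; Name = 'copy all'; Enabled = $true
                       ForwardTo = '"Raj" [SMTP:raj@other.example]'; ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'amy'; Name = 'to team'; Enabled = $true
                       ForwardTo = '"Team" [SMTP:team@contoso.example]'; ForwardAsAttachmentTo = $null; RedirectTo = $null }
)
Find-ExternalForwarding $mailboxes $rules $accepted | Format-Table -AutoSize
```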

Non-accepted domain report

This report is applicable to Exchange hybrid setups. The report captures emails that originate from your on-premises Exchange Servers and are sent to your Microsoft 365 tenant using connectors where the sender domain is not an accepted domain. If your Exchange Servers are being used to send emails using non-accepted domains, then it is possible some of them are being sent from compromised accounts. Such emails may even be blocked or marked as junk if EOP suspects anything.

Graphical view of emails sent from non accepted domains

You can export the report. It will show you the connector name, date the emails were sent, sender domain, a few sample message IDs, and the message count.

Excel downloaded from the portal displaying the non accepted domain report

This report could serve as the first step in regulating email traffic from your on-premises servers. There may not be any reason for anyone to send emails using non-accepted domains from your on-premises servers; hence, this could be suspicious activity, and you must investigate it to determine whether it's a legitimate case or not.

Non-delivery report

Non-delivery reports (NDR) are common occurrences in Exchange. Microsoft 365 provides you with this NDR report so that you can track these failures. In the NDR report panel, you will see the following graph with the DSN codes. These are the NDRs that senders receive when they try to email your tenant's users. There could be several reasons for this failure, as shown here.

Non delivery report with DSN codes in the portal

You can download the report and analyze it in Excel.

Excel file showing the Non delivery report

Mailboxes exceeding receiving limits report

This is an interesting report that shows you the mailboxes that have hit the limit for the maximum number of emails that can be received in a specified amount of time. As per Exchange Online limits, a mailbox can receive 3600 messages/hour. The report is displayed as follows:

Example of mailboxes exceeding receiving limits report with the heatmaps

"Exceeded" status in the report means that the mailbox has hit the maximum receiving limit. "At risk" implies that the mailbox has received huge volumes of emails and is about to hit the throttling limit. The consequence of crossing the threshold is that the mailbox won't be able to receive emails for at least an hour.

The report is also available in tabular format, displaying the hours a mailbox exceeded the limits or was at risk, top email sender, proportion of spam emails, and emails received per hour.

In most cases, there won't be any data in this report, as there may be no mailbox near the email receiving limit.

Queued messages report

In a hybrid Exchange environment, emails from your Microsoft 365 tenant to your Exchange on-premises servers are sent using connectors. These emails might get queued up in Microsoft 365 if, say, your on-premises servers are unreachable due to some network issues or the connectors are misconfigured. Such emails will be retried for 24 hours, after which the senders will start receiving NDRs.

As Exchange admins, you will want to be notified immediately once emails start getting queued up. You can set this in the Alert Policies tab in the Mail flow section in EAC. The alert policy "Messages have been delayed" is the one that triggers the mail queue alerts. It's created by default.

Queued message alert created by default

You must decide on the recipients for this alert. The number of queued emails after which this alert would be triggered is also set here.

SMTP AUTH clients

SMTP AUTH is a legacy protocol that uses basic authentication; hence, it is vulnerable to compromise. As a result, it's important to know which mailboxes send emails using this protocol. This report helps you do exactly that. You can view the information classified by sender, domain, and TLS protocol.

SMTP AUTH report view in the portal

The report can be exported to Excel.

Excel report of SMTP AUTH

Using this report, you can investigate the reason why these mailboxes still use the SMTP AUTH protocol.
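
To support that investigation, the senders in the report can be set against the SMTP AUTH settings themselves. This is an added example, not part of the original article: the function name is hypothetical, the sample objects are constructed, and `$ReportSenders` is assumed to hold the sender addresses copied from the export.

```powershell
# Added example: combine the tenant-wide and per-mailbox SMTP AUTH settings with
# the senders listed in the exported report. In a live Exchange Online session:
#   $orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
#   $cas         = Get-CASMailbox -ResultSize Unlimited

function Get-SmtpAuthReview {
    param([bool]$OrgDisabled, $CasMailboxes, [string[]]$ReportSenders)
    foreach ($c in $CasMailboxes) {
        $override = $c.SmtpClientAuthenticationDisabled
        # $null on the mailbox means "inherit the organization setting".
        $enabled = if ($null -eq $override) { -not $OrgDisabled } else { -not $override }
        $used    = $ReportSenders -contains $c.PrimarySmtpAddress
        $action  = if ($enabled -and $used) { 'Investigate why it still uses SMTP AUTH' }
                   elseif ($enabled)        { 'Enabled but not in report: candidate to disable' }
                   elseif ($used)           { 'In report, now disabled: verify' }
                   else                     { 'None' }
        [pscustomobject]@{
            Mailbox  = $c.PrimarySmtpAddress; SmtpAuthEnabled = $enabled
            Source   = if ($null -eq $override) { 'Organization' } else { 'Mailbox' }
            InReport = $used; Action = $action
        }
    }
}

# Constructed sample data.
$cas = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'scanner@contoso.example'; SmtpClientAuthenticationDisabled = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'amy@contoso.example';     SmtpClientAuthenticationDisabled = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'raj@contoso.example';     SmtpClientAuthenticationDisabled = $true }
)
Get-SmtpAuthReview -OrgDisabled $false -CasMailboxes $cas -ReportSenders 'scanner@contoso.example' |
    Format-Table -AutoSize
```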

Conclusion

Now that you have in-depth knowledge of all the mail flow reports in EAC, you are better equipped to handle the vagaries of Exchange Online. In the next post, we will explore the mail flow reports available in the security center in Microsoft 365.

7 Comments
  1. Marc 2 months ago

    The new report section isn't as interactive as the old one. In the old one, you could get a preview of the sample messages instead of just seeing the message ID. Now I need to run a discovery on those messages to see what they are. I don't like it!

    +1

  2. Author

    Yes. I felt the new reports section did miss out on some of the old portal's features.

    +1

  3. Author

    Previews would still be visible in the M365 Threat Explorer where you can run a trace and view previews of the emails, message headers and even download the emails.

    https://4sysops.com/archives/microsoft-365-threat-explorer-finding-malicious-emails/

    0

  4. Marc 2 months ago

    Yeah I mostly used the NDR report to quickly see where those issues are and being able to get a preview was super helpful. These don't show up in the Threat Explorer though 🙁

    0

  5. Author

    Yes that's a thing which was handy.

    0

  6. Sushant 2 months ago

    Hello Vignesh,

    Great post! Clear, concise and helpful for Mailflow reports.

    +1