How to check and analyze the message trace

  • Last update on May 30th, 2025

Table of Contents

Tracing messages is a crucial task for Microsoft 365 administrators to diagnose mail delivery issues, audit activity, and maintain compliance. This guide covers three up-to-date methods to perform message traces using Exchange Online and CoreView.

1. Message trace in the Exchange Admin Center

To run a message trace, you need to be a member of one of the following role groups:

  • Global Administrator
  • Exchange Administrator

For more information, see the following Microsoft guides:

Step-by-step guide:

  • Navigate to the Exchange Admin Center.
  • In the left pane, expand “Mail flow”, and then select “Message trace”.
  • Click “Start a trace”.
  • Specify your desired search criteria (sender, recipient, and date range).
  • Click “Search”.
  • Review results, view details, and download reports as needed.

For more detailed information on Message Trace using Exchange Admin Center, please refer to the Message trace in the modern Exchange admin center in Exchange Online article.

2. Message trace via PowerShell

Leverage PowerShell for automated or advanced message tracing using the Exchange Online PowerShell V2 Module (EXO V2).

Preparation:

Open PowerShell and connect to Exchange Online:

Connect-ExchangeOnline

Basic message trace:

Get-MessageTrace

This returns messages from the last 48 hours if no parameters are specified.

Example:

# Trace messages sent by john@contoso.com within a specific date range
Get-MessageTrace -SenderAddress john@contoso.com -StartDate 12/20/2022 -EndDate 12/30/2022

Notes:

  • Get-MessageTrace retrieves data from the past 10 days only. Searching further back will produce an error.
  • To search for data older than 10 days, use the following:
Start-HistoricalSearch
Get-HistoricalSearch
  • By default, up to 1,000 results are returned. 
  • For large searches, consider dividing the query by using smaller -StartDate and -EndDate intervals.
  • All output is in UTC, which may differ from the time format used for the -StartDate and -EndDate parameters.
  • Ensure your account has appropriate Exchange Online roles.

For more, see Get-MessageTrace on Microsoft Learn.

3. Performing a message trace in Coreview

  • Go to the CoreView portal.
  • Go to Reports > Exchange > Message Trace. Or use the search bar at the top—type “Trace” to find the report.
  • Specify your criteria:
    • Sender or Recipient (type email addresses to select)
    • Date range (typically limited to 10 days; your tenant may require date selection before searching to improve performance). 
    • Use Advanced Filters for further refinement (e.g., subject, status).
  • Once completed, click on the “Search” option to run the query.
  • Click on the “MessageTraceID” arrow to view message details.

Key terms

  • Senders: Enter or select one or multiple senders from your organization.
  • Recipients: Enter or select one or multiple recipients.

Message statuses

  • Delivered: the message was successfully sent to the recipient.
  • Expanded: a distribution group was expanded before delivery to members.
  • Failed: the message wasn't delivered.
  • Pending: delivery of the message is being attempted or reattempted.
  • Quarantined: the message was quarantined (as spam, bulk mail, or phishing). For more information, please refer to Quarantined email messages in EOP.
  • Filtered as spam: The message was identified as spam, and was rejected or blocked (not quarantined).

Operators will only be able to view and manage mailboxes that are part of their defined V-Tenant scope.

 

Related Articles

DID THIS PAGE HELP YOU?