How to check and analyze the message trace

  • Last update on October 3rd, 2023

Here are three methods for checking and analyzing the message trace:

1. Performing a message trace in the Exchange Admin Center

To run a message trace, you need to be a member of one of the following role groups:

  • Global Administrator
  • Exchange Administrator

For more information, see Manage role groups in Exchange Online, Permissions in Exchange Online, and Feature permissions in Exchange Online.

Steps

Open the modern EAC at https://admin.exchange.microsoft.com, expand “Mail flow”, and then select “Message trace”.

To go directly to message trace, open https://admin.exchange.microsoft.com/#/messagetrace.

For more detailed information on Message Trace using Exchange Admin Center, please refer to the Message trace in the modern Exchange admin center in Exchange Online article.

2. Performing a message trace in PowerShell

Use the Get-MessageTrace cmdlet to trace messages as they pass through the cloud-based organization.

#This cmdlet is available only in the cloud-based service.
Get-MessageTrace

Example:

<# This example retrieves message trace information for messages sent by john@contoso.com between December 20, 2022 and December 30, 2022. #>
Get-MessageTrace -SenderAddress john@contoso.com -StartDate 12/20/2022 -EndDate 12/30/2022

Important notes:

  • You can use this cmdlet to search message data from the past 10 days. Running this cmdlet without any parameters will return data from the last 48 hours only. If you enter a start date older than 10 days, an error will occur and no results will be returned.
  • To search for message data older than 10 days, utilize the Start-HistoricalSearch and Get-HistoricalSearch cmdlets. 
  • By default, this cmdlet returns a maximum of 1,000 results and may time out on very large queries. If your query returns an excessive number of results, consider dividing it by using smaller StartDate and EndDate intervals.
  • Please note that the timestamps in the output are in UTC, which may differ from the time format used for the -StartDate and -EndDate parameters.
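
The notes above can be combined into one wrapper that splits a range into smaller StartDate/EndDate intervals and pages through each one. This is an added example, not part of the original article or of any Microsoft or CoreView tooling. It assumes a connected Exchange Online PowerShell session; the function name Get-MessageTraceWindowed and its -WindowHours parameter are hypothetical.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Get-MessageTraceWindowed and -WindowHours are hypothetical names.
function Get-MessageTraceWindowed {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $SenderAddress,
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [ValidateRange(1, 240)]  [int]    $WindowHours = 6,
        [ValidateRange(1, 5000)] [int]    $PageSize    = 1000
    )

    # Fail early: a start date older than 10 days returns an error and no results.
    if ($StartDate -lt (Get-Date).AddDays(-10)) {
        throw 'StartDate is older than 10 days; use Start-HistoricalSearch instead.'
    }
    if ($EndDate -le $StartDate) { throw 'EndDate must be later than StartDate.' }

    # Guard against a row being returned by two adjacent windows (assumption:
    # window boundaries may be inclusive on both ends).
    $seen = [System.Collections.Generic.HashSet[string]]::new()

    for ($from = $StartDate; $from -lt $EndDate; $from = $to) {
        $to = $from.AddHours($WindowHours)
        if ($to -gt $EndDate) { $to = $EndDate }

        # Page through the window; a page shorter than PageSize is the last one.
        $page = 1
        do {
            $batch = @(Get-MessageTrace -SenderAddress $SenderAddress -StartDate $from `
                    -EndDate $to -PageSize $PageSize -Page $page)
            foreach ($row in $batch) {
                $key = '{0}|{1}|{2}' -f $row.MessageTraceId, $row.RecipientAddress, $row.Status
                if ($seen.Add($key)) { $row }
            }
            $page++
        } while ($batch.Count -eq $PageSize)
    }
}

# Constructed usage: the last 3 days for the sender from the example above.
# Received is UTC in the output, so a local-time column is added for comparison.
Get-MessageTraceWindowed -SenderAddress john@contoso.com `
        -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date) |
    Select-Object Received, @{ n = 'ReceivedLocal'; e = { $_.Received.ToLocalTime() } },
        RecipientAddress, Status, MessageTraceId
```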

3. Performing a message trace in CoreView

  • You can also type “Trace” in the search bar at the top of the website to navigate to the report directly.

  • Locate all messages or pinpoint specific messages sent by senders and/or recipients within a 10-day time range. Further refine your search by selecting a custom time range or adjusting the advanced settings.

  • Utilize all the filter conditions, such as “Sender details” and “Recipient details”, to perform the message trace query. 
  • Once completed, click on the “Search” option to run the query.

  • You can click on the “MessageTraceID” arrow to see the details of the message trace.

Key terminologies

Senders: click in this box and start typing to enter or select one or more senders from your organization.

Recipients: click in this box and start typing to enter or select one or more recipients in your organization.

Status

  • Delivered: the message was successfully delivered to the intended recipient.
  • Expanded: a distribution group recipient was expanded prior to the delivery to the individual members of the group.
  • Failed: the message wasn't delivered.
  • Pending: delivery of the message is being attempted or reattempted.
  • Quarantined: the message was quarantined (as spam, bulk mail, or phishing). For more information, please refer to Quarantined email messages in EOP.
  • Filtered as spam: the message was identified as spam, and was rejected or blocked (not quarantined).

Operators will only be able to view and manage mailboxes that are part of their defined V-Tenant scope.