Message tracking allows Exchange administrators to analyze mail flow, track the status of sent and received emails, and find rejected and deferred messages. In Exchange Online (Microsoft 365), you can search message tracking logs in two ways: through the Exchange Admin Center (EAC) web interface and by using PowerShell.
Let’s first look at how to use the GUI message trace tool in EAC.
- Sign in to https://admin.exchange.microsoft.com;
- Go to Mail Flow > Message Trace;
- You can select one of the pre-configured search templates or create a new query. Click Start a Trace;
- We want to find all emails sent from our Microsoft 365 tenant to Gmail mailboxes in the last two days. To do this, we put *@gmail.com in the recipient field. You can select additional search criteria and click Search;
- You will see a list of emails that match your search criteria and their delivery status. You can click on any entry in the list to view email delivery details.
You can use the Get-MessageTrace and the Get-MessageTraceDetail PowerShell cmdlets to search through the Exchange Online transport logs and to view the delivery event details.
Hint. The Get-MessageTrackingLog cmdlet is used to track messages in transport logs in on-premises Exchange Server 2019/2016/2013 environments.
Connect to your tenant using the Exchange Online PowerShell module:
Connect-ExchangeOnline
Run the command:
Get-MessageTrace
By default, the cmdlet returns all of the e-mails that were sent and received in the last 48 hours. The result of the cmdlet includes the following information:
- Message ID
- Sender and recipient addresses
- Send/receive date
- Email subject
- Email size
- Source and destination IP addresses
It is possible to select only certain parameters to output from the tracing log:
Get-MessageTrace | Select SenderAddress,RecipientAddress,Subject,Status,Size | ft
Use the StartDate and EndDate parameters to retrieve information about email messages for a specific period:
Get-MessageTrace -StartDate 10/22/2023 -EndDate 10/24/2023
Note. Get-MessageTrace searches for events in the last 10 days only. Use the Start-HistoricalSearch cmdlet to find data that is older than 10 days. EOL stores transport logs for the last 90 days, after which older events are deleted.
You can search for emails by the SenderAddress or by the RecipientAddress attribute. Wildcards are acceptable in email addresses. For example, to find all the emails that were sent from amanda.d@theitbros.com to any of the Gmail addresses, run the command:
Get-MessageTrace -SenderAddress amanda.d@theitbros.com -RecipientAddress *@gmail.com -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
You can view statistics on the number of emails sent/delivered. For example, the next command will show the top senders for the last 10 days:
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Group-Object -Property SenderAddress | Select Name,Count | Sort Count -Descending
You can search for emails with a specific subject:
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Where {$_.Subject -like "*decommission*"}
The -Status parameter allows you to search for emails by their delivery status.
Available statuses:
- None – there is no delivery status for the email because it was rejected or redirected;
- Failed – message delivery failed;
- Pending – message delivery in progress, delayed, or retrying;
- Delivered;
- Expanded – message was sent to a distribution group address.
By default, Get-MessageTrace returns a maximum of 1000 results. You can use the PageSize parameter to increase the list of returned objects to up to 5000 items.
You can use the Get-MessageTraceDetail cmdlet to get detailed information about all the events of a specific email:
Get-MessageTrace -RecipientAddress *@gmail.com | Get-MessageTraceDetail
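Because a single call returns at most 5000 results, a trace over a busy tenant has to be read page by page. The following is an added example, not code from the original article: it pages through Get-MessageTrace with the cmdlet's Page parameter, filters on the Failed status, and pulls event details for the matches. The function name Get-AllMessageTrace, the MaxPages stop, the 50-message cap and the CSV file name are assumptions made for illustration, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example: requires an active Connect-ExchangeOnline session.
function Get-AllMessageTrace {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-10),  # Get-MessageTrace covers the last 10 days only
        [datetime]$EndDate   = (Get-Date),
        [string]$RecipientAddress,
        [string]$Status,
        [int]$PageSize = 5000,   # largest page size the cmdlet accepts
        [int]$MaxPages = 200     # hypothetical safety stop for this example
    )

    # Build the query once; optional filters are added only when supplied.
    $query = @{ StartDate = $StartDate; EndDate = $EndDate; PageSize = $PageSize }
    if ($RecipientAddress) { $query.RecipientAddress = $RecipientAddress }
    if ($Status)           { $query.Status = $Status }

    for ($page = 1; $page -le $MaxPages; $page++) {
        $batch = @(Get-MessageTrace @query -Page $page)
        $batch                                       # emit this page to the pipeline
        if ($batch.Count -lt $PageSize) { break }    # a short page is the last page
    }
}

# All failed deliveries to Gmail recipients in the last 10 days.
$failed = @(Get-AllMessageTrace -RecipientAddress '*@gmail.com' -Status Failed)
"{0} failed messages found" -f $failed.Count

# Which senders account for the failures.
$failed |
    Group-Object -Property SenderAddress |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count

# Event-level detail for the first 50 failures, saved for review.
$failed |
    Select-Object -First 50 |
    Get-MessageTraceDetail |
    Select-Object -Property MessageTraceId, Date, Event, Action, Detail |
    Export-Csv -Path .\failed-gmail-trace.csv -NoTypeInformation
```

Get-MessageTraceDetail makes one request per message, so the example caps the detail lookup at 50 messages; raise or remove the cap when the full set is needed.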