How to read an advanced message trace

As you probably know, in Exchange Online you can investigate what happened to a message by running a message trace in the Exchange admin center (EAC). Admin rights are required to perform this action. There are mainly two types of message trace:

  • Basic message trace, where the messages displayed are less than 7 days old and appear in the results within 5-30 minutes of entering Office 365. Several months ago, these traces were enhanced to reveal more information and be more user-friendly. This should make them more useful to administrators and perhaps decrease the need to use PowerShell to get full details about a message delivery error.
  • Advanced message trace, where the messages displayed can be up to 90 days old and results can take up to a few hours to appear. The results can only be viewed in a downloadable .CSV file. You will see shortly how to read these CSV files.

The exact steps for running a message trace and viewing the results are described in this TechNet article. You can also use PowerShell to get a basic message trace or an advanced one. This is an example cmdlet for generating an advanced one (notice the report type):

 # Historical (advanced) search for a single message, identified by its Message-ID; ReportType selects the detailed CSV report
 Start-HistoricalSearch -ReportTitle "Transaction 44" -MessageID DB5PR02MB16234F444FC01FD13353B4679F950@DB5PR02MB1623.eurprd02.prod.outlook.com -StartDate 4/12/2016 -EndDate 4/13/2016 -ReportType MessageTraceDetail -NotifyAddress admin@contoso.onmicrosoft.com

Below is a table comparing the two types of message trace.

                   "Basic" Message Trace                  "Extended" Message Trace
Data Set           Between approx. 15 minutes & 7 days    Between approx. 8 hours & 90 days
View Results       In UI                                  Download
Results            In seconds                             In minutes/hours (can configure notification email address)
Routing Details    Basic detail only                      Full detail optional
Maximum Size       500 messages                           3,000 rows in the .CSV or 5 MB .CSV file size
Max Queries / Day  Reasonable limits                      15 per tenant

Lately there should be less and less need to generate an advanced message trace. The top reason for still needing one, I would say, is investigating messages older than 7 days. Another reason is if you have several transport rules set to Do Not Audit and want to know which of them acted upon a message (their names will not appear in the simple message trace).

Ok, so you have the advanced message trace downloaded (.CSV file); how do you read it?

  • Open the file in Excel, sort by the first column (date_time) and apply an auto filter to the spreadsheet.
  • Check the event_id column: look for FAIL, DELIVER or other relevant events. If you see DELIVER, you can be sure the email landed in the mailbox; if you see FAIL, the email did not reach the mailbox. For an explanation of all event types, check this article.
  • Look for error messages or other information of interest. Once you have found an error message, research it; that will tell you why the email was not delivered by transport.
  • The last column (custom_data) in the file also contains interesting information, like actions performed by the Anti-malware agent (AMA=SUM|v=0), Spam filter agent (S:SFA=SUM) and Transport rule agent (S:TRA=ETR). All those attributes and their values have a meaning, which is described in this article.
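The same four steps can be done without Excel, which is handy when the CSV has thousands of rows or when you want to answer the transport-rule question from earlier (which Do Not Audit rules acted on a message). The script below is an added example, not code from the original post or from Microsoft. It assumes the MessageTraceDetail column names (date_time, event_id, message_id, recipient_address, recipient_status, custom_data) and that custom_data entries are separated by ";" with "|"-separated key=value attributes, as in the AMA/SFA/TRA samples above; the CSV rows and the ruleId value EXAMPLE-RULE-ID are constructed for the example.

```python
"""Read an extended (advanced) message trace CSV: sort by time, find the final
DELIVER/FAIL event per recipient, collect error text and transport rule hits."""
import csv
import io
from collections import defaultdict

# Constructed sample rows in the MessageTraceDetail layout (subset of columns).
# The message IDs, addresses and the ruleId are placeholders, not real data.
SAMPLE_CSV = """date_time,event_id,message_id,sender_address,recipient_address,recipient_status,message_subject,custom_data
2016-04-12T10:05:07.1234567Z,DELIVER,<msg44@contoso.example>,alice@contoso.example,bob@contoso.example,,Invoice 44,S:AMA=SUM|v=0|action=|error=|atch=1;S:SFA=SUM|SFV=NSPM|IPV=NLI
2016-04-12T10:05:02.0000000Z,RECEIVE,<msg44@contoso.example>,alice@contoso.example,bob@contoso.example,,Invoice 44,S:TRA=ETR|ruleId=EXAMPLE-RULE-ID|st=2016-04-12T10:05:02Z|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce
2016-04-12T11:30:00.0000000Z,FAIL,<msg45@contoso.example>,alice@contoso.example,carol@fabrikam.example,550 5.4.1 Recipient address rejected: Access denied,Invoice 45,S:SFA=SUM|SFV=NSPM
2016-04-12T11:29:58.0000000Z,RECEIVE,<msg45@contoso.example>,alice@contoso.example,carol@fabrikam.example,,Invoice 45,
"""

FINAL_EVENTS = {"DELIVER", "FAIL"}


def load_trace(text):
    """Step 1: parse the CSV and sort rows by date_time (ISO 8601 sorts as text)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["date_time"])
    return rows


def parse_custom_data(custom_data):
    """Split custom_data into {agent: {attribute: value}}.

    Entries are separated by ';', attributes inside an entry by '|'. The first
    attribute names the agent: 'S:AMA=SUM' -> agent 'AMA' (assumed layout).
    """
    agents = {}
    for entry in custom_data.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        attrs = {}
        agent = None
        for token in entry.split("|"):
            key, _, value = token.partition("=")
            if agent is None:
                agent = key[2:] if key.startswith("S:") else key
            attrs[key] = value
        agents[agent] = attrs
    return agents


def outcomes(rows):
    """Step 2: {message_id: {recipient: (final event_id, recipient_status)}}.

    DELIVER means the mail landed in the mailbox, FAIL means it did not.
    A recipient with neither event yet gets (None, "").
    """
    result = defaultdict(dict)
    for r in rows:  # rows are time-ordered, so the latest final event wins
        per_msg = result[r["message_id"]]
        per_msg.setdefault(r["recipient_address"], (None, ""))
        if r["event_id"] in FINAL_EVENTS:
            per_msg[r["recipient_address"]] = (r["event_id"], r["recipient_status"])
    return dict(result)


def failures(rows):
    """Step 3: the error text (recipient_status) of every FAIL event."""
    return [(r["message_id"], r["recipient_address"], r["recipient_status"])
            for r in rows if r["event_id"] == "FAIL"]


def transport_rules_hit(rows):
    """Step 4: ruleId values recorded by the Transport rule agent (S:TRA=ETR)."""
    hits = set()
    for r in rows:
        tra = parse_custom_data(r["custom_data"]).get("TRA")
        if tra and tra.get("S:TRA") == "ETR" and tra.get("ruleId"):
            hits.add(tra["ruleId"])
    return hits


if __name__ == "__main__":
    rows = load_trace(SAMPLE_CSV)
    for msg, recips in outcomes(rows).items():
        for rcpt, (event, status) in recips.items():
            print(f"{msg} -> {rcpt}: {event or 'no final event'} {status}")
    for msg, rcpt, status in failures(rows):
        print("FAIL:", msg, rcpt, status)
    print("transport rules that fired:", sorted(transport_rules_hit(rows)))
```

Grouping by message_id rather than subject matters: one message fans out to one row per recipient per event, so a DELIVER for one recipient says nothing about a FAIL for another. The ruleId values from the TRA entries can then be matched against Get-TransportRule output to name the Do Not Audit rules that fired.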