How to Perform an Extended Message Trace in Office 365

Wednesday, September 10, 2014
You can use Message Trace from the Exchange Admin Center in the Office 365 Portal to trace emails through Exchange Online. You can trace messages based upon a number of criteria including email address, date range, delivery status, or message ID.

To perform a Message Trace, click Mail Flow in the EAC and select Message Trace, then enter the trace criteria. The high-level results will output to a new browser window.

High-Level Message Trace Output
Click the "pencil" icon to see more details on the selected item.

Detailed Message Trace Output
A standard message trace is useful for basic message tracing. It answers the question, "Did the message get delivered?", but that's about it. If you want to see all the real details of message transport you need to perform extended message tracing.

The trick to perform an extended message trace using the EAC is you have to choose a Custom date range of 8 days or more. You will then see additional options for the trace at the bottom of the form. Note that Exchange Online keeps logs for the last 90 days.

Extended Message Trace Options

Click the checkbox for Include message events and routing details with report, otherwise the report will only include a few more details than a regular trace: origin_timestamp, sender_address, recipient_status, message_subject, total_bytes, message_id, network_message_id, original_client_ip, directionality, connector_id, and delivery_priority. It also won't show each hop through Exchange online.

Note that including message events and routing details will result in a larger report that takes longer to process, so you will probably want to scope the message trace down to a particular sender or recipient. The following details will be included in the report: date_time, client_ip, client_hostname, server_ip, server_hostname, source_context, connector_id, source, event_id, internal_message_id, message_id, network_message_id, recipient_address, recipient_status, total_bytes, recipient_count, related_recipient_address, reference, message_subject, sender_address, return_path, message_info, directionality, tenant_id, original_client_ip, original_server_ip, and custom_data.

You have the option to choose the message direction (Inbound, Outbound, or All) and the original client IP address, if desired. You can also specify the report title and a notification email address. Note that the email address must be one for an accepted domain in your tenant. The mailbox does not have to be in the cloud.

The search will take some time, depending on the search criteria you entered and the volume of email. You can click View pending or completed traces at the top of the Message Trace form to view the status of the extended trace. When it completes you can click the link to Download this report or, if you configured the search to send a notification, click the report link in the notification email.

The extended message trace output is a CSV file that you can save and open in Excel. Here's the best way to view it in Excel:
  • Select cell A1 and press Shift-Ctrl-End to highlight all the cells.
  • Click Insert > Table and click OK.
  • Click View Freeze Panes > Freeze Top Row.
  • Select the entire worksheet and then double-click the line between columns A and B to autosize the all the columns in the table.
Auto size the columns in Excel
You will then have an extended trace report showing all the transport details of the messages that match your search criteria. This report can be filtered by clicking the drop down arrows on the title row.

If you plan to save the report, be sure to save it as an Excel Workbook (*.xlsx) or you will lose the formatting.