
How to Tell Which Transport Rule Was Applied to an Email Message

Francisco asks:

I am investigating to see if there is a way you can see which transport rules are applying to a certain message. The delivery report does not show it and I have not found any cmdlet that helps nor TechNet information about it. I think it might be important in certain circumstances to know it. Do you have any idea how to do this?

I can think of a few cases where this might be useful. For example, if a transport rule modifies a message property, or rejects a message, or causes a message to go to junk, then it would be useful to quickly find which rule or rules were applied to the message. For customers with just a few transport rules, there’s no real challenge here. But if your organization has hundreds of transport rules, then it gets a bit harder.

Fortunately, we can see which transport rules were applied to a message by using message tracking logs. Here’s a very basic example. In this scenario, Alan has sent an email to Alannah.


When it arrives in Alannah’s mailbox, the subject line has been (rather clumsily) modified.


So, what can the message tracking logs tell us? First, I collect the message tracking log entries for the unique message ID. If you’re not sure how to do that step, I recommend reading my series on searching message tracking logs with PowerShell. Here’s the command I ran, if you’re curious.

Next, I sort the events by time stamp, and look at the EventId, Source, and MessageSubject fields (because we already know the message subject was modified).

We can clearly see that the AGENTINFO event is where the message subject was modified. So, let’s take a closer look at that message tracking log entry.

In the EventData field there are some interesting clues: an “action=PrependSubject”, and a “ruleID=1f56ba43-1cb9-4293-b24d-5e263a75fc8a”. So which transport rule has that ID?

Super simple. We can see more about that rule as well.

So, that’s one way to find a rule: use the message tracking logs to determine which rule ID was applied to the message. Another way we could have approached this is to search the transport rules for those that match a criterion. In this case that criterion would be the action of “Prepend the subject”, or to make it easier, just the word “prepend”.

Obviously there are many more filters you could apply, such as “Description -like '*reject*'” or “Description -like '*alan.reid*'”.

As you can see, there are a few different ways that you can look for which transport rule (or rules) has been applied to an email message.
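
The tracking-log procedure above as a reusable function, added here as an example and not the author's original commands: it pulls the ruleId and action values out of AGENTINFO entries and maps each rule ID to a name. The function name, the sample entries, the rule name and the message ID are constructed placeholders, and it assumes EventData stringifies to text containing "ruleId=..." and "action=..." as in the entry quoted above.

```powershell
# Added example (not the article's original commands).
function Get-AppliedTransportRule {
    [CmdletBinding()]
    param(
        # A tracking-log entry: any object with Timestamp, EventId, EventData.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Entry,
        # Optional lookup table: rule GUID (string) -> rule name.
        [hashtable]$RuleName = @{}
    )
    process {
        if ($Entry.EventId -ne 'AGENTINFO') { return }
        # Assumption: each EventData item stringifies to text that contains
        # "ruleId=<guid>" and "action=<name>", as in the entry quoted above.
        $text = @($Entry.EventData | ForEach-Object { "$_" }) -join ' '
        $actions = [regex]::Matches($text, '(?i)\baction=(\w+)') |
            ForEach-Object { $_.Groups[1].Value }
        $guid = '[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}'
        foreach ($m in [regex]::Matches($text, "(?i)\bruleId=($guid)")) {
            $id = $m.Groups[1].Value.ToLowerInvariant()
            [pscustomobject]@{
                Timestamp = $Entry.Timestamp
                RuleId    = $id
                RuleName  = $RuleName[$id]   # $null when not in the lookup table
                # Every action logged in this entry; not paired per rule.
                Actions   = @($actions | Select-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample entries; the rule ID is the one quoted in the article.
$sample = @(
    [pscustomobject]@{ Timestamp = [datetime]'2015-01-01T09:00:00'; EventId = 'RECEIVE'; EventData = @() }
    [pscustomobject]@{ Timestamp = [datetime]'2015-01-01T09:00:01'; EventId = 'AGENTINFO'
        EventData = @('ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a', 'action=PrependSubject') }
)
$names = @{ '1f56ba43-1cb9-4293-b24d-5e263a75fc8a' = 'Placeholder rule name' }
$sample | Sort-Object Timestamp | Get-AppliedTransportRule -RuleName $names

# Live use in the Exchange Management Shell (message ID is a placeholder):
#   $names = @{}; Get-TransportRule | ForEach-Object { $names["$($_.Guid)"] = $_.Name }
#   Get-MessageTrackingLog -MessageId '<message-id>' | Sort-Object Timestamp |
#       Get-AppliedTransportRule -RuleName $names
```

An AGENTINFO entry with no ruleId in its EventData produces no output, so an empty result means the tracking log did not record a rule for that message.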

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

3 comments

  1. rana says:

    Hello Paul,

    I tried this in an Exchange 2007 environment, but I could not find the ‘AGENTINFO’ event ID. I can only see an event ID ‘FAIL’. Does this article apply to Exchange 2007 too?

    Kind Regards
    Rana

  2. Sunny says:

    I have also tried on Exchange 2010, but did not find the ‘AGENTINFO’ event ID. I only have Receive, Expand, HAREDIRECT, Submit, Defer and Deliver. My issue is that a user is sending email to a DL and the email did not deliver to members. I opened the delivery report and found the error “The message was rejected by a rule set at the organization level. For more information, check your organization’s Transport rules.” I have checked the rules but did not find any relevant rule. Please suggest.

  3. David says:

    On our Exchange 2013 configuration, the Transport Rules do not show an Identity or Name in EventData so I still cannot identify using the Transport Log data which rule it is. I know which rule it is but I want to see all instances where that rule was triggered and export the relevant data.
