I’ve been asked by more than a few people recently whether Exchange Server message tracking also includes emails sent to Bcc recipients.
I guess the purpose of Bcc would lead some to assume that those emails are not logged by message tracking.
However if you consider it from the perspective that all email travels through the transport pipeline no matter whether they are To, Cc, or Bcc recipients, and that the idea of untraceable email passing through your Exchange servers should be a scary thought, it makes sense that these messages are in fact logged in the message tracking logs.
I realise an actual demonstration may be necessary to convince some people of this, so here it is.
This email is sent to two recipients; one in the To field and one a Bcc.
I’ve only just sent the email so a quick search of the last 10 minutes of message tracking logs is all I need to run.
[PS] C:\>$msgs = Get-ExchangeServer | Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -Start (Get-Date).A ddMinutes(-10)
Now let’s take a look at the results.
[PS] C:\>$msgs | sort timestamp EventId Source Sender Recipients MessageSubject ------- ------ ------ ---------- -------------- SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} A test email RECEIVE STORE... Alan.Reid@exchangeserverpro.net {Ana.Williams@exchangeserverpr... A test email TRANSFER ROUTING Alan.Reid@exchangeserverpro.net {Mahera.Bawa@exchangeserverpro... A test email DELIVER STORE... Alan.Reid@exchangeserverpro.net {Mahera.Bawa@exchangeserverpro... A test email DELIVER STORE... Alan.Reid@exchangeserverpro.net {Ana.Williams@exchangeserverpr... A test email SUBMIT STORE... Alan.Reid@exchangeserverpro.net {} A test email RECEIVE STORE... Alan.Reid@exchangeserverpro.net {Ana.Williams@exchangeserverpr... A test email TRANSFER ROUTING Alan.Reid@exchangeserverpro.net {Mahera.Bawa@exchangeserverpro... A test email DELIVER STORE... Alan.Reid@exchangeserverpro.net {Mahera.Bawa@exchangeserverpro... A test email DELIVER STORE... Alan.Reid@exchangeserverpro.net {Ana.Williams@exchangeserverpr... A test email
As you can see, both recipients are visible in the results.
But now let’s take a closer look, as some of you may be wondering how you can tell from the message tracking logs whether a recipient was in the Bcc of the email message.
[PS] C:\>$msgs | sort timestamp | select eventid,recipients,recipientstatus EventId Recipients RecipientStatus ------- ---------- --------------- SUBMIT {} {} RECEIVE {Ana.Williams@exchangeserverpro.net,... {To, Bcc} TRANSFER {Mahera.Bawa@exchangeserverpro.net} {} DELIVER {Mahera.Bawa@exchangeserverpro.net} {} DELIVER {Ana.Williams@exchangeserverpro.net} {}
Notice on the RECEIVE event that the RecipientStatus field indicates whether the recipient was a To or a Bcc. Here’s that same event formatted slightly differently for clarity.
EventId : RECEIVE Recipients : {Ana.Williams@exchangeserverpro.net, Mahera.Bawa@exchangeserverpro.net} RecipientStatus : {To, Bcc}
Of course, with just two recipients you wouldn’t be 100% sure from this log event which one was the To and which one was the Bcc. So let’s take a look at another test email, this time with a different recipient mix.
Here is the RECEIVE event details for that message.
EventId : RECEIVE Recipients : {Mahera.Bawa@exchangeserverpro.net, John.Tilleray@exchangeserverpro.net, Ana.Williams@exchangeserverp ro.net} RecipientStatus : {To, To, Bcc}
Notice how the recipients and recipient statuses are listed in a matching order (not alphabetical order)?
In other words, for that specific message:
- Mahera Bawa = To
- John Tilleray = To
- Ana Williams = Bcc
So in conclusion, yes message tracking includes Bcc recipients, and yes you can even use message tracking logs to determine whether a recipient was in the To, Cc, or Bcc field of the email message.
If you’d like to learn more about message tracking in Exchange Server check out Mastering Message Tracking.
How can i do this in Exchange Online?
Only get-messagetrace and get-messagetracedetails are available in Exchange Online.
Hi guys, is it possible to generate a report on Microsoft that proves that the BBC’d recipient has received the email?
No. You’d need to be able to follow the trail of the message to the destination server and there’s no way of doing that.
I know this article is meant for Exchange 2020 & 2013; Is there a way i can get the similar thing in O365? Is it possible in O365 to get the Recipient status of an email thats been sent?
Hi Paul,
Thanks for the post. It is very informative.
However, following your instructions, I cannot seem to retrieve information from the “BCC” and “TO” fields. For “Recipientstatus” I get “RecipientStatus : {250 2.1.5 Recipient OK}”. I am doing this in the Exchange Management Shell. I do not have the Get-MessageTrackingLog cmdlet in PS on the mail server. This is may seem a silly question,but how do I import it in?
Thanks,
Warm Regards,
Vladimir
The Real Person!
The Real Person!
If the cmdlet is not available for you in the Exchange Management Shell then its possible that you don’t have the necessary Exchange admin rights to use it.
I am logged on as a Domain admin on the mail server.
The Real Person!
The Real Person!
Domain Admin is not an Exchange permission.
You can find info on the permissions required for message tracking on TechNet: https://technet.microsoft.com/en-us/library/dd638213(v=exchg.160).aspx
Just checked. The Administrator account is a member of the “Organization Management” role group in Exchange, which has Message Tracking as an assigned role.
The Real Person!
The Real Person!
I can’t think of any reason why you don’t have the cmdlet available in your Exchange Management Shell then, unless someone has been messing around with your permissions or something else.
For those wondering – the “slightly different formatting” is intead of format-table, it’s format-list with the same parameters selected.
Great article.
For outside sender the RecipientStatus is empty. How can I understand recipient status in this case?
Hi,
How do i track bcc in exchange 2010 ?
thank you for your reply 🙂
I am being told by my boss that I have bcc-ed a work related e-mail to my personal address; and as this is is not allowed due to compliance rules, he will soon start a disciplinary procedure etc
Anyhow, to date he has not shown me a copy of that e-mail even though I requested it several times …. as I honestly do not remember sending it.
Do you think is it possible that he does not have the e-mail in question; and his allegations are based on some data form the exchange server only?
The Real Person!
The Real Person!
Message tracking gives them the metadata they need to determine that the message was sent. Other methods can give them the actual message as well. Your work email is not private. I think you should assume that they have what they say they have and prepare yourself. This is a HR matter between you and your company so there’s nothing else I can say.
Paul,
As a follow up to Steven’s question. How can I get the To, Cc, Bcc info on emails my organization sends to external addresses? As you stated the SEND event has the “250 Recipient Ok” data. I’ve searched the unfiltered logs and can’t find this in any of the entries regardless of EventId.
I found my own answer. I was filtering to only Source=SMTP events and was not seeing the Source=STOREDRIVER RECEIVE event.
Hi Paul
I tried your method, but instead of giving me information such as To, CC or BCC in “RecipientStatus”, I get something like “250 OK”. I couldn’t find CC or BCC anywhere…
The Real Person!
The Real Person!
Are you doing a message tracking log search or are you looking at protocol logs?
I used Get-MessageTrackingLog in PowerShell.
I event dropped the Message Tracking Log in Excel and looked at the column that says “RecipientStatus”, but nope… it shows information such as “250” rather than “CC/BCC”.
This is an Exchange 2013 environment.
The Real Person!
The Real Person!
How many servers in your org? Are you searching them all?
FWIW, I just re-tested it and its working fine in my Ex2013 lab. The Bcc RecipientStatus doesn’t appear on every tracking log entry for the message though, just on RECEIVE events. I do see “250 2.1.5 Recipient OK” recipient status on SEND events as well.
Hi !!
And thanks for this article.
Just a simply question about MessageTrackingLog.
It is possible to group by Domain ?
The Real Person!
The Real Person!
You can search on part or all of the sender or recipient address.
https://www.practical365.com/searching-message-tracking-logs-by-sender-or-recipient-email-address/
I install exch 2013 I have problem with read rec when send email to any client on our domain I recieved 2 read report 1 of them on behalf the client and the other upon my request for read report so I think the onbehalf one is generated by exchserv I want to prevent this generated report
The Real Person!
The Real Person!
Does this happen only to you or does it also happen to anybody who requests a read receipt?
its happend to everybody
Mr Paul please i need your help to solve this issue