Trace the Path of Messages Through the Exchange Transport Service

Update: Looking for information about how to trace messages in Exchange Online? If so, head over to this article.

Continuing my series of tips on searching message tracking logs using PowerShell, in this article I will demonstrate a few techniques for searching logs based on sender or recipient email address. This article covers Exchange Server. As we explain in this article, a different technique is needed for Exchange Online.

The Get-MessageTrackingLog cmdlet provides two parameters for specifying sender and recipient email addresses as search criteria.

  • -Sender – a single SMTP address for the sender of the email message
  • -Recipients – one or more SMTP addresses for the recipients of the email message

Both parameters are optional, so if they are omitted the search will return all senders, all recipients, or all of both.

To demonstrate the use of these parameters, consider the following email message sent from Alan Reid to three recipients.

Searching Exchange Server Message Tracking Logs by Sender or Recipient Email Address

Searching Message Tracking Logs by Sender Email Address

Because I happened to send this test message within the last hour, it is easy to find by combining the -Sender parameter with the -Start parameter to search within a time/date range.

Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -Start (Get-Date).AddHours(-1)

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Payroll report for September
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September

However, if I were searching over a broader time range I might see more results than I really want to see.

Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Descry turmoil deviance
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Impending abeyance recitals ba...
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Egress
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Presage visceral penurious
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Stipple voluble blatant stymie
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Inured
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Heinous mercurial
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Relapse smolder
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Meeting minutes
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Supine poignant
 etc.

So in the case where I want to search a broader time window, but see fewer irrelevant results, I can combine the -Sender and -Recipients parameters in my search command.

Searching Message Tracking Logs by Recipient Email Address

It doesn’t matter whether the recipient was in the To, CC, or BCC field of the message; the search will return any match regardless. Here the “Payroll report for September” email shown above is found even though Alex Heyne was one of several recipients and was in the CC field.

Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -Recipients alex.heyne@exchangeserverpro.net

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {Alex.Heyne@exchangeserverpro.... Payroll report for September

You can specify multiple recipient SMTP addresses simply by separating them with a comma. When you do this the condition is an “or”, not an “and”. In other words, any message addressed to any one of the recipients will be returned in the results; the messages do not need to have been sent to all of the recipients.

Here both the payroll email sent to Alex and David, as well as another email sent only to David, are returned in the same results.

Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -Recipients alex.heyne@exchangeserverpro.net,david.gower@exchangeserverpro.net

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Also how about lunch?
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Also how about lunch?
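To get “and” behaviour instead, the recipients of every event for a message have to be combined before testing them. The following is an added example, not code from the original article; it assumes PowerShell 3.0 or later, and the function name Select-MessageSentToAll, the sample records and their MessageId values are constructed for illustration.

```powershell
# Constructed sample records shaped like Get-MessageTrackingLog output (only the
# properties used here); the MessageId values are made up. On an Exchange server
# the input would instead come from something like:
#   $events = Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -ResultSize Unlimited
$alex  = 'Alex.Heyne@exchangeserverpro.net'
$david = 'David.Gower@exchangeserverpro.net'
$events = @(
    [pscustomobject]@{ EventId = 'RECEIVE'; MessageId = '<payroll@constructed.example>'
        Recipients = @($david, $alex); MessageSubject = 'Payroll report for September' }
    [pscustomobject]@{ EventId = 'DELIVER'; MessageId = '<payroll@constructed.example>'
        Recipients = @($alex); MessageSubject = 'Payroll report for September' }
    [pscustomobject]@{ EventId = 'DELIVER'; MessageId = '<payroll@constructed.example>'
        Recipients = @($david); MessageSubject = 'Payroll report for September' }
    [pscustomobject]@{ EventId = 'RECEIVE'; MessageId = '<lunch@constructed.example>'
        Recipients = @($david); MessageSubject = 'Also how about lunch?' }
    [pscustomobject]@{ EventId = 'DELIVER'; MessageId = '<lunch@constructed.example>'
        Recipients = @($david); MessageSubject = 'Also how about lunch?' }
)

function Select-MessageSentToAll {
    param(
        [Parameter(Mandatory)] [object[]] $TrackingEvent,
        [Parameter(Mandatory)] [string[]] $Recipient
    )
    # A single event may list only some of the recipients (the output above shows
    # separate DELIVER events for Alex and David), so union the recipients of all
    # events that share a MessageId before testing.
    foreach ($group in ($TrackingEvent | Group-Object -Property MessageId)) {
        $seen = @($group.Group | ForEach-Object { $_.Recipients } | Sort-Object -Unique)
        # -notcontains compares strings case-insensitively
        $missing = @($Recipient | Where-Object { $seen -notcontains $_ })
        if ($missing.Count -eq 0) {
            [pscustomobject]@{
                MessageId      = $group.Name
                MessageSubject = $group.Group[0].MessageSubject
                Recipients     = $seen -join '; '
                Events         = @($group.Group | ForEach-Object { $_.EventId } | Sort-Object -Unique) -join ','
            }
        }
    }
}

# "Or" semantics, as with -Recipients a,b: every event naming either address
$any = @($events | Where-Object { $_.Recipients -contains $alex -or $_.Recipients -contains $david })
"Events matching either recipient: $($any.Count)"

# "And" semantics: only messages whose combined recipients include both addresses
Select-MessageSentToAll -TrackingEvent $events -Recipient $alex, $david | Format-List
```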

Searching Message Tracking Logs for Wildcard Values or Partial Matches

Unfortunately wildcard searches are not allowed with the -Sender and -Recipients parameters.

For example, this command returns no results.

Get-MessageTrackingLog -Recipients *@gmail.com

However, you can use wildcards if you pipe the output of Get-MessageTrackingLog into Where-Object instead.

In this situation it is wise to limit the search to a specific date range for better performance. Or, if you do need to search the entire set of log files, remember to use “-ResultSize Unlimited”.

Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object {$_.recipients -like "*@gmail.com"}

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  STORE... Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
TRANSFER ROUTING  Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
SEND     SMTP     Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!

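You can see that the wildcard is used with the -like comparison operator, but another technique is to use the -match comparison operator, which performs a regular expression match and so doesn’t require the wildcard character. Keep in mind that “gmail” will then match anywhere in the address, not only in the domain.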

Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object {$_.recipients -match "gmail"}

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  STORE... Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
TRANSFER ROUTING  Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
SEND     SMTP     Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!

The same use of Where-Object with -like or -match also applies to the sender email address.
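How the -like and -match filters behave on addresses that merely contain “gmail”, and a stricter per-recipient domain match, are shown in the following added example, which is not code from the original article. It assumes PowerShell 3.0 or later; the function name Find-RecipientInDomain and the second and third sample records are constructed for illustration, and the example generalizes the single-domain filter to a list of domains.

```powershell
# Constructed sample records shaped like Get-MessageTrackingLog output (only the
# properties used here). On an Exchange server the input would instead come from:
#   $events = Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) -EventId SEND
$events = @(
    [pscustomobject]@{ EventId = 'SEND'; Sender = 'Alan.Reid@exchangeserverpro.net'
        Recipients = @('exchangeserverpro@gmail.com')
        MessageSubject = 'Email to the internet!' }
    [pscustomobject]@{ EventId = 'SEND'; Sender = 'Alan.Reid@exchangeserverpro.net'
        Recipients = @('gmail.migration@exchangeserverpro.net')
        MessageSubject = 'Constructed: internal address containing "gmail"' }
    [pscustomobject]@{ EventId = 'SEND'; Sender = 'Alan.Reid@exchangeserverpro.net'
        Recipients = @('David.Gower@exchangeserverpro.net', 'someone@mail.gmail.com.example')
        MessageSubject = 'Constructed: look-alike domain' }
)

function Find-RecipientInDomain {
    param(
        [Parameter(Mandatory)] [object[]] $TrackingEvent,
        [Parameter(Mandatory)] [string[]] $Domain
    )
    # Escape each domain so "." is literal, then anchor the match between the "@"
    # and the end of the address: '@(gmail\.com|other\.example)$'
    $alternatives = @($Domain | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = '@(' + $alternatives + ')$'

    foreach ($e in $TrackingEvent) {
        # Test each recipient on its own and emit one row per matching address,
        # so the report shows the full address that matched rather than a
        # truncated recipient list.
        foreach ($r in $e.Recipients) {
            if ("$r" -match $pattern) {
                [pscustomobject]@{
                    EventId        = $e.EventId
                    Sender         = $e.Sender
                    Recipient      = "$r"
                    MessageSubject = $e.MessageSubject
                }
            }
        }
    }
}

# Substring regex from the article: also selects the two constructed records
$loose = @($events | Where-Object { $_.Recipients -match 'gmail' })

# Wildcard suffix from the article: selects only addresses ending in @gmail.com
$suffix = @($events | Where-Object { $_.Recipients -like '*@gmail.com' })

# Anchored, escaped domain match, one row per matching recipient
$strict = @(Find-RecipientInDomain -TrackingEvent $events -Domain 'gmail.com')

"Events selected by -match 'gmail'      : $($loose.Count)"
"Events selected by -like '*@gmail.com' : $($suffix.Count)"
"Recipient rows from anchored match     : $($strict.Count)"
$strict | Format-Table -AutoSize -Wrap
```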

Summary

As you can see, the -Sender and -Recipients parameters give us some flexibility when searching message tracking logs. However, in some cases we need to use the more powerful capabilities of Where-Object for wildcard and partial string matching.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Lana Haider

    Thanks!
    One thing I found particularly helpful was your use of examples to illustrate your points. This made it much easier to understand how to use the Get-MessageTrackingLog cmdlet and the Where-Object cmdlet to search for specific messages.

  2. Marcos

    In a hybrid Exchange 2013 / Office 365 environment, messages sent to O365 are not delivered. The EventId: HAREDIRECTFAIL appears in the Log. The connectors were created by the Wizard and the configuration took place normally until the end. What could be causing this problem?

  3. Hani Kumar

    Hello Paul,

    A Great Thanks for your effort!

    Could you please let me know the powershell script to find the email delivered from a domain (Accepted domain) to external and internal recipient

  4. Ovi

    Hi Paul.

    I was trying really hard to figure how to track an email that was sent to a dynamic distro list. One user complained about not getting it and I can’t find that email in his mailbox, so something must have happened. He is for sure a member of the group, so he should get it.
    Thanks.

  5. Md. Didarul Alam

    I need to Get-MessageTrackingLog with mail size. How can I generate this?

  6. Manikandan

    Hi Paul,

    I used following command, but it does not return complete email address of sender and recipient.

    Get-MessageTrackingLog -ResultSize Unlimited -Start “10/19/2019 1:00AM” -End “10/22/2019 11:00AM” -EventId “Send” > C:\temp\tracelogs2.txt

  7. Lenore Upshaw

    Hi there, all is going perfectly here and
    of course every one is sharing facts, that’s genuinely fine, keep up writing.

  8. badbanana

    anyone knows how to find send IP nowadays?

    that used to be in Outlook properties, there is an X-Originating-IP attribute but now it is no longer there.

  9. Mark S

    Hi Paul,

    Sorry, I see this is an old article but was hoping that you might be able help me please.

    I need to generate a report for the amount of recipients that are in emails.

    We are trying to make sure our users are not leaking users’ email addresses by sending bulk emails using the TO: field

    We have put in place recipient limits, but some users have higher limits than others and we just want to find out how many go above the standard limit so we can look at restricting them more.

    Is there a way of doing this in PowerShell and the tracking logs?

    Any help would be appreciated.

    Many Thanks,
    Mark

  10. Guz

    Hi Paul!
    Is it possible to find who is forwarding to another user?
    Tracking the message I found and got the Source (MAILBOXRULE) and the SourceContext but I’m not able to find any rule.

    It’s only happening with appointments, it’s not forwarding regular emails.
    Both are on-premises mailboxes and the one who is acting as “sender” left the company but her account is still active for some reason.

    There are no Rules on her OWA to this user who is getting the meeting invites.

  11. LS

    Hi Paul,
    excellent work, I need to find all the email addresses that are currently using the SMTP relay server, we have a few application servers sending out notices when I run:

    Get-MessageTrackingLog -Resultsize unlimited -EventId Send | Format-List Send* > “D:\Send Search.txt”

    I get about 30 email addresses
    however if I manually browse to
    C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
    and open the individual log files I get a lot more senders.. what am I missing?

  12. Binu Kumar

    Hello Paul,

    It’s always great to read your posts.

    Do we have similar commands to be used in O365 shell as well ? I want to export report from a sender who sent email to our organization.

    Trying to run the following:
    Get-MessageTrace -SenderAddress mkaplan@cascadellc.com -StartDate 06/12/2017 -EndDate 07/13/2017 | FL > D:\report.csv.

    Throws an error : Invalid StartDate value. The StartDate can’t be greater than 30 days from today.

    Kindly suggest.

    Regards,
    Binu Kumar

    1. Md. Rubiat Haque

      Hi Binu,

      When I run this command, a CSV file is generated with a single column. How do I export this with multiple columns?

      Regards,
      Md. Rubiat Haque

  13. clementine

    the question why I can’t get all e-mails sent by this user when issuing this command
    get-messagetrackinglog -Sender “jhon_mathyou@mydomain.com” -Server “myhubcas2” -Start “2/18/2018 12:00:00 AM” -End “2/18/2018 3:10:00 PM”

    or

    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Sender “jhon_mathyou@mydomain.com” -Start “2/18/2018 12:00:00 AM” -End “2/18/2018 3:10:00 PM”

    1. clementine

      when I issue this command

      Get-MessageTrackingLog -Sender jhon_mathyou@mydomain.com -Start (Get-Date).Adddays(-2)

      no output

      Get-MessageTrackingLog -Sender jhon_mathyou@mydomain.com -Start (Get-Date).Adddays(-2) -server myhubcas

      no output

      get-messagetrackinglog -Sender “jhon_mathyou@mydomain.com” -Server “myhubcas2” -Start “2/18/2018 12:00:00 AM” -End “2/18/2018 3:10:00 PM”

      [PS] C:\Windows\system32>get-messagetrackinglog -Sender “jhon_mathyou@mydomain.com” -Server “rockwellcollins” -Start “2/18/2018 1
      2:00:00 AM” -End “2/18/2018 3:10:00 PM”

      EventId Source Sender Recipients MessageSubject
      ——- —— —— ———- ————–
      RECEIVE STORE… jhon_mathyou@mydomain.com {jhon_mathyou@mydomain.com} aodb
      DELIVER STORE… jhon_mathyou@mydomain.com {jhon_mathyou@mydomain.com} aodb
      RECEIVE SMTP jhon_mathyou@mydomain.com {T2_HD@mydomain.com, T2_Support… Miss-use ticket
      EXPAND ROUTING jhon_mathyou@mydomain.com {a_salem@mydomain.com, mohame… Miss-use ticket
      REDIRECT ROUTING jhon_mathyou@mydomain.com {T2_HD@mydomain.com} Miss-use

      1. clementine

        PS] C:\Windows\system32>get-messagetrackinglog -Sender “jhon_mathyou@mydomain.com” -Server “myhubcas” -Start “2/18/2018 1
        2:00:00 AM” -End “2/18/2018 3:10:00 PM”

        no output although this user has sent email to an external domain through hubcas1

        but i can see this log if I put the recipient in the command line like that ,it shows the sender jhon

        [PS] C:\Windows\system32>get-messagetrackinglog -Recipients “ims-africa@rock.com”-Server “myhubcas” -Start “2
        /18/2018 12:00:00 AM” -End “2/18/2018 3:10:00 PM”

        EventId Source Sender Recipients MessageSubject
        ——- —— —— ———- ————–
        RECEIVE SMTP jhon_mathyou@mydomain.com {ims-africa@rock.co… RE: TOC complain that Flight N…
        TRANSFER ROUTING jhon_mathyou@mydomain.com {ims-africa@rock.com} RE: TOC complain that Flight N…
        SEND SMTP jhon_mathyou@mydomain.com {ims-africa@rock.com} RE: TOC complain that Flight N…8 3:10:00 PM”

        1. clementine

          the question why I can’t get all e-mails sent by this user when issuing this command
          get-messagetrackinglog -Sender “jhon_mathyou@mydomain.com” -Server “myhubcas2” -Start “2/18/2018 12:00:00 AM” -End “2/18/2018 3:10:00 PM”

          or

          Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Sender “jhon_mathyou@mydomain.com” -Start “2/18/2018 12:00:00 AM” -End “2/18/2018 3:10:00 PM”

          EventId Source Sender Recipients MessageSubject
          ——- —— —— ———- ————–
          RECEIVE STORE… jhon_mathyou@mydomain.com {jhon_mathyou@mydomain.com} aodb
          DELIVER STORE… jhon_mathyou@mydomain.com {jhon_mathyou@mydomain.com} aodb
          RECEIVE SMTP jhon_mathyou@mydomain.com {T2_HD@mydomain.com, T2_Support… Miss-use ticket
          EXPAND ROUTING jhon_mathyou@mydomain.com {amr_salem@mydomain.com, mohame… Miss-use ticket
          REDIRECT ROUTING jhon_mathyou@mydomain.com {T2_HD@mydomain.com} Miss-use ticket
          REDIRECT ROUTING jhon_mathyou@mydomain.com {T2_HD@mydomain.com} Miss-use ticket

          you notice that ims-africa@rock.com doesn’t show up

          put into consideration that I have a cas array ,each one of them has one hub role (2 hub server that have one send connector )

  14. Ndukaa

    You always save my ass Paul!..Big up

  15. vino

    I am new to this. Could you please explain how to find out that mail is not delivered to the recipient?

    1. mharding

      Hi,
      Does Anyone know if there is a particular flag that logs the email count by date? I’m trying to figure out who has sent a certain number of emails within certain dates.
      Thanks!

  16. vinodhini

    What are STORE, DELIVER and ROUTING? Could you please explain?

  17. Qalid

    Dear Paul,

    I read your blog, awesome solution. I just need a shell command for a single user’s sent and received email report and export to CSV.

    Qalid

  18. rino

    how many days are kept by the message tracking logs? is there a way to keep tracking logs for x number of months?

  19. tom

    How to get related recipients into the CSV file??– per message that is.
    Thank you, Tom

    1. rino

      pipe the output to CSV. something like ” | export-csv c:\filename.csv “

  20. Hubby Brooks

    Our VP of IT is having an issue where all of her incoming email with subject of lunch goes straight to her deleted folder. No matter who sends. We have turned off all rules but still have the same results. She has windows 10 PC using Exchange email server.

    1. Paul Cunningham

      I can’t think of any other cause other than a rule. You might need to look closer via Outlook, via OWA, via MFCMAPI as well.

  21. vino

    Hi Paul,

    I am looking for a script to count how many users read a particular email.
    For example, I am sending one email to an internal distribution group. I want to check the email read count. I enabled read delivery report and am able to see the read report individually by clicking each user. Is there any way to export the report, or any suggestions please?

  22. Raja M

    Hi Paul,

    how do we know whether there is an attachment or not in the email? i am not able to find through message tracking logs.

  23. Rimvydas

    Hi,
    Is there any way to show all recipients completely? I have the situation when I tried to search recipients by matching for example @gmail.com. And when recipient is found and if there are a lot of recipients in matched email, recipients column is not show completely and ends with … Is it possible to show this column completely? I’ve tried out-string -Width but this didn’t help:(

  24. Dhananjay

    Hi Paul,

    I have ex2013, I’m looking for the way to get detailed information of sent email, for e.g details of system from which the message is sent. Is there any way I could do this?

    I have already tried get-logonstatistics, which I guess is no longer available in ex2013.

    Regards,
    Dhananjay

  25. James

    I’m trying to track emails using the Get-MessageTrackingLog -MessageSubject “Leaver Form” -Recipients ….etc

    I need to outline the time it was sent to the time it was received, is there a better way to do this or what can I tack on to make this script give me time and dates?

    1. Paul Cunningham

      If you’ve got a search returning all the events for a specific message that you’re interested in, you can sort them by timestamp and just look at the first and last one.

  26. Moazzam Ali Quraishi

    Thank Mr. Paul for that script i am fan of yours and the scripts of yours are job saving 🙂 .

    Edit: Removed script. Please don’t post scripts and large code samples here in the comments, it breaks the layout of the page. Publish your scripts on your own blog, on GitHub, or in the TechNet Script Gallery.

    1. Moazzam Ali Quraishi

      Apologizing for bad English 🙂

  27. Shaun

    hello

    I was wondering if anyone has experienced the following Scenario:

    1) Some users have received messages where the “subject” is the same as the user id (for example, “userid” is shaun and the message “subject” is shaun)

    2) Some users have received messages where the “subject” is part of the user id (for example, “userid” is myboylolipop and the message subject is myboylo)

    Is there any way to query the message tracking logs to identify the mailboxes affected by numbers 1) and 2) above?

    much obliged

  28. shalendra singh

    Hi!
    Could you please let us know, Can we monitor bulk email forwarder user from outbound and inbound. If yes, then how?

    Regards,
    Shalendra

  29. RickF

    Hi Paul,
    I’ve been reading your articles for years now. Your many PowerShell articles/examples have taught me a great deal. I am very grateful!! This is my first question.
    .
    The “from” listed in an email’s header also lists the sender’s name.
    e.g.: “From: SenderName ” .
    Is there any way to capture the “SenderName” from the transaction logs? “$_.recipients” just lists the SMTP address. These emails will all be from external senders…. if they were internal, I could do a look up in AD.
    .
    Thanks in advance for your time in reply.
    …Rick

    1. RickF

      My example got edited when posted. The example email address got removed. The line should read:
      e.g.: “From: SenderName “

      1. RickF

        ….hmmm. Guess the submission process removes email addresses. trying example again in different format:
        e.g.: “From: SenderName $SomeAddressATexternalDomain.com$
        .
        I replaced the greater and less than symbols which surround the SMTP address using $.

  30. Ramez Lawendy

    Dear PAUL ,

    Please I need a command for Power shell to Trace a mail from a specific sender to a specific recipient .
    Can you help me

    Best Regards
    Ramez Lawendy

  31. Sam

    Paul,

    Can we track the incoming email from external address

    -Sam

      1. Sam

        Sorry to ask you this paul, but is there a specific command for it, as i was not able to find it in google ? or Get-MessageTrackingLog didn’t contain an specific parameters related to this.

      2. Sam

        Actually, there was lot of data, once i scrolled all the way, i was able to find them.

        Thank you for your response though

  32. Shiva

    Hi Paul,

    We have sent a survey link to all employees to participate and got only a few participants.
    Now Management is asking for a report to check how many of them read the email or simply deleted it, or whether it has been moved to the spam folder directly.
    Could you please advise how to generate the report for the above conditions (Conditions: how many of them read the email or simply deleted it, or it has been moved to the spam folder directly.)
    I generated the report that mail has been delivered to all the mailbox.
    Kindly help me on this and much appreciated

  33. kim

    Hi Paul,

    how to trace message to have an output like this;

    Received: from domain.com (IP address) by domain.com
    (IP address) with Microsoft SMTP Server id 8.3.348.2; Wed, 23 Mar 2016
    11:28:57 -0400

    Received: from Domain.com ([IP address]) by
    Domain.com with ESMTP; 23 Mar 2016 15:28:57 +0000
    X-SBRS: 4.7

  34. Carlos

    Hi Paul,

    Is there by chance a way to do a Get-MessageTrackingLog in order to search for specific mail attachments in Exchange? I have been assigned an important email forensics project. The idea is to get a csv report with senders and recipients for all mail with this particular attachment.

    Thank you!
    Carlos

    1. Paul Cunningham

      Message tracking doesn’t record data about attachments. If you already know the message ID of the email, then yes you can do message tracking for it. If not, look to Exchange’s eDiscovery searches instead. If you need to go deeper, look at inspecting mailbox contents via Exchange Web Services.

  35. Me

    Hi Paul,

    Appreciate all the efforts you’re making.

    I have a question, when I want to export this command:

    Get-MessageTrackingLog -Start “2-29-2016 7:00:00” -End “2-29-2016 14:00:00” -Sender “foo@bar.com” | select-object Timestamp,EventId,MessageSubject,Sender,Recipients

    to a CSV file, the Subject of the messages shows up correctly, but when I pipe it to Out-GridView, instead of the proper Subject it says “Systeem Administrator” in the MessageSubject column.

    Any idea why it does that and how it can be fixed?

    Also I don’t know where it gets the Systeem from, that’s dutch for System.

    Exchange 2013 CU11,

    1. Me

      Ok, seems to be solved in CU12. Thanks.

  36. Ally

    Hi Paul, Thanks for the article. I want to trace all external emails sent using our SMTP server. I have tried below where pipeline but it doesn’t work if I add another one using comma. It only works if I put one domain. Do you have alternative where I can filter the results in CSV not to show our 3 domains. The goal is only to search emails sent to external address. Thanks!

    Works fine -where {$_.Recipients -notlike “*@ourdomain1.com”}
    Does not work – where {$_.Recipients -notlike “*@ourdomain1.com”,”*@domain2″,”*domain3″}

    1. Paul Cunningham

      Can’t compare against multiple values like that. You’d need to use something more like

      Where {$_.Recipients -notlike “*@ourdomain.com” -and $_.Recipients -notlike “*@domain2”}

      And so on.

      There’s probably even better way that would leverage the Get-AcceptedDomains cmdlet but the above should work even if it isn’t the most elegant way of doing it.

      1. Mark

        Maybe something like this?

        $Date = Get-Date -UFormat “%m.%d.%Y 00:00:00”
        $Messages = Get-Mailboxserver | Get-Messagetrackinglog -start $Date -eventid send -resultsize unlimited

        foreach ($Domain in (Get-AcceptedDomain).Name){
        $Messages = $Messages | where {$_.Recipients -notlike “*$Domain”}
        }

        $Messages | Group-Object -Property Sender | Select-Object name,count | sort count -desc | select -first 50 | ft -auto

        (top 50 senders: internal to external )

  37. Remy

    HI,

    great article!

    How can i see the email is successfully delivered to the next smarthost?

    Remy

    1. Paul Cunningham

      If you need more detail than what the message tracking log shows you can enable protocol logging on the send connector for your org and look at those logs to see the SMTP connection that occurs.

  38. RobertK

    Great article.

    How can I use message tracking to see when a message is being sent to a secondary SMTP address and not the primary?

      1. RobertK

        Perfect. thank you

  39. Paul Sathya

    Is it possible to get information on Attachments when doing message Tracking from exchange

    Get-TransportServer | get-messagetrackinglog -EventID “RECEIVE” -Start “6/10/2015 2:30:00 PM” -End “6/10/2015 4:00:00 PM” -ResultSize Unlimited | Select EventId,Source,Sender,ServerHostName,{$_.recipients},MessageId,MessageSubject,ClientIp,TimeStamp | Export-Csv “D:Rep-Cas1Example.Csv”

    the above command works fine for me with the info… but is it i can also have a Attachment name and size listed.

    (sorry my mail id was incorrect in there)

  40. Paul Sathya

    Is it possible to get information on Attachments when doing message Tracking from exchange

    Get-TransportServer | get-messagetrackinglog -EventID “RECEIVE” -Start “6/10/2015 2:30:00 PM” -End “6/10/2015 4:00:00 PM” -ResultSize Unlimited | Select EventId,Source,Sender,ServerHostName,{$_.recipients},MessageId,MessageSubject,ClientIp,TimeStamp | Export-Csv “D:Rep-Cas1Example.Csv”

    the above command works fine for me with the info… but is it i can also have a Attachment name and size listed.

  41. Steve

    Get this on SBS 2011, oh well – The term ‘Get-MessageTrackingLog’ is not recognized as the name of a cmdlet, function, script file, or operable program. 🙁

  42. Brian

    Every time I try these commands I get :

    Get-MessageTrace : Invalid Organization value. I’m sure I have all the rights I need, any thoughts?

    1. Anders Lundström

      This cmdlet is available only in the cloud-based service. Could it be that you are running on-premises?

  43. benny

    please can exchange 2010 show what time a recipient read a mail?

  44. Viral Rathod

    Paul, how to send output of message tracking logs via e-mail as attachment.

    Do you suggest any script so that on daily basis i can receive message tracking report of my user.

    The attachment should be csv.

    1. Paul Cunningham

      I don’t have a script to do exactly that. But any Get-MessageTrackingLog results can be exported to CSV using Export-CSV. And sending email (including attachments) using PowerShell is something there’s a lot of tutorials around for. So I’m sure you could write a script to handle that.

  45. Saaj

    Can we make use of get-messagetrackinglog to find out whether an email has been read if read tracking is enabled globally in the organization?

      1. Saaj

        Thanks Paul, I was wondering if it was possible through PS. Basically I need to find out emails read by a user on a particular day including any in shared mailboxes to track down the source of a virus infection.

        1. Saaj

          Hi Paul,

          I couldn’t find a way to search for read emails for a given date. I can only filter by sent or received. Are you able to provide me with an example or link please?

          Thanks.

  46. Leonard

    Hi Paul ,

    How do i get the IPv4 address of the sending computer from Message Tracking results in field clientip ? and the serverip field is ::1 ??!!!

    I see in field clientip only IPv6 , is any possibility to see the IPv4 in this field of report .

    br
    leo

  47. Dan Candido

    Hi Paul,

    When using Send As…can the recipient see the originator of the email (abc@abc.com) in any of the properties of the email or would it just show the displayed “sent as” (def@abc.com) email address?

    Thanks and appreciate the site,

    Dan

    1. Paul Cunningham

      The recipient can’t see the real sender of a “Send As” message. They can only see the real sender if it is a “Send on Behalf” message.

  48. IS

    Greetings Paul!
    Excellent post 1st of all.

    I have a problem with the PS command.
    We are on EX 07, sending number of emails to our clients from the email database . Once a year we would send mass email to our clients and get 1200-1600 undelivered emails with 4.4.7 and exact error below

    Delivery has failed to these recipients or distribution lists:

    user@somedomain.com

    Microsoft Exchange has been trying to deliver this message without success and has stopped trying. Please try sending this message again, or provide the following diagnostic text to your system administrator.

    sender is in this example sender@mydomain.com
    and recipients is pulled from our database, so probably * (wild card)

    I would like to get a report (csv file) that would contain ONLY email addresses from those emails that are undelivered so I can remove them from the database.

    I have tried
    get-messagetrackinglog -sender “sender@mydomain.com” -EventID “FAIL” -Start “10/12/2014 1:00:00 AM” -End “12/12/2014 11:59:00 PM” |ft Recipients

    but not having luck.

    Any suggestions?

    Appreciated!

  49. Peter

    Paul- How can I determine what message TYPE was sent when using PowerShell to do message tracking? I want to know if the message was an email or a meeting request or a task. The tracking does not seem to show that – any tricks I can try?

  50. Ralph

    Paul, Great Article… Can you define the difference between the query output of “Store & SMTP”?

      1. David

        Great article as always.
        I cannot seem to figure out how to format the command to include external and internal emails received by a single user. Can you give an example please?
        Thanks

        1. Paul Cunningham

          You don’t need to do anything special to include external and internal messages. A search for that specific recipient should be enough to get started.

  51. Russ Mittler

    I know it’s an old post but I am trying to figure out why when I do a search it isn’t showing the email recipient correctly. The results are coming up but it’s missing some because the emails are being sent from an email alias.

    We have multiple domains set up in our environment so for example… the default domain is me@defaultdomain.com but we also have me@alternatedomain.com as well. So the email I’m searching for is not the default email but for some reason the search results only show the default email.

    My script:
    Get-MessageTrackingLog -Sender my@alternatedomain.com -Recipients me@defaultdomain.com -Start (Get-Date).AddHours(-12) -resultsize unlimited | Select-object sender,recipients,timestamp,eventid,messagesubject | Sort-Object timestamp > C:Templog.txt

    My results (example):
    Sender : my@defaultdomain.com
    Recipients : {me@defaultdomain.com}
    Timestamp : 10/2/2014 11:10:13 AM
    EventId : RECEIVE
    MessageSubject : Subject Matter

    I know for certain my results are missing emails specifically from the alternate email address because I can see examples of it in my Outlook, but I do not see it in the tracking log while running this script.

    Are there any parameters I can use to ensure it looks for the specified email address?

  52. Ernesto Pangilinan

    Dear Paul,

    I just want to ask why, when I’m running the PS command Get-MessageTrackingLog -Sender user@domain.com, all I get is emails with subjects like “Read: RE: Building Progress Report”. I’m not getting the other emails which should be there. All results have the prefix “Read:” followed by the subject of the email. Any ideas?

  53. Sinchan

    Hi Paul,

    I want to create a report as to when person ‘X’ received an email and when he replied to it. Using Exchange message tracking I can track it manually for a single mail, but I want to track it for all emails that were sent and replied to for a particular user. Kindly advise how to do it?

    Thanks!
    Sinchan

    1. Irving

      I think you could use this cmdlet:
      Get-MessageTrackingLog -Sender example@contoso.com -ResultSize Unlimited

      or if you want a CSV file use this one:

      Get-MessageTrackingLog -Sender "example@contoso.com" -Start 1/1/2015 -End 1/1/2015 | Select-Object eventid,sender,timestamp,@{Name="Recipients";Expression={$_.recipients}},@{Name="RecipientStatus";Expression={$_.recipientstatus}},messagesubject | Export-csv C:\example.csv

      You could replace sender by recipient, and remember to start PS as admin for the CSV option.

  54. Nicolai

    Hi Paul

    Can you help with this?

    1)
    I don’t get any output from “CC” or “BCC” with “Recipients”. It does not show.

    If I, for example, use this script, and I know there is a mail sent from “hotmail.Com” to “Frank@myfirm.com” where I am “CC”, it will not show the message. It shows only output “sent to me”. If I change sender to “Frank@myfirm.com” it will show the message.

    What should I use instead?

    Get-TransportServer |
    Get-MessageTrackingLog -Start (Get-Date).AddHours(-48) `
    -End (Get-Date) `
    -EventId send `
    -Sender "ME@myfirm.com" `
    | Select-Object Recipients,timestamp,eventid `
    | Where {($_.Recipients -match '@hotmail.com')}

    2) How do I use wildcards “@myfirm.com” for “sender”?

    Thanks!!

    Best Regards

    Nicolai

    1. Paul Cunningham

      1) Recipients will include CC and BCC recipients in the results.

      2) As I demonstrate in the article above you can’t use wildcards. I also demonstrated how to work around that.

  55. Mir

    Thanks Paul for all the informative posts.
    After having gone through these, I did try the same on my production Exchange 2010 server and found the output as below:

    [PS] C:\Windows\system32>Get-MessageTrackingLog -Start (Get-Date).AddHours(-50) -resultsize unlimited | Where-Object {$_.recipients -match "hotmail"}

    EventId  Source  Sender                      Recipients                    MessageSubject
    -------  ------  ------                      ----------                    --------------
    DSN      DSN     postmaster@mydomain.com.sa  {muntader_2008@hotmail.com}   Undeliverable: Electrical powe...
    FAIL     SMTP    postmaster@mydomain.com.sa  {muntader_2008@hotmail.com}   Undeliverable: Electrical powe...
    DSN      DSN     postmaster@mydomain.com.sa  {esther_jimmy60@hotmail.com}  Undeliverable: Possible Spam :...
    FAIL     SMTP    postmaster@mydomain.com.sa  {esther_jimmy60@hotmail.com}  Undeliverable: Possible Spam :...
    DSN      DSN     postmaster@mydomain.com.sa  {abuali1444@hotmail.com}      Undeliverable: It’s Talkif ica...
    FAIL     SMTP    postmaster@mydomain.com.sa  {abuali1444@hotmail.com}      Undeliverable: It’s Talkif ica...
    DSN      DSN     postmaster@mydomain.com.sa  {mr-al-break@hotmail.com}     Undeliverable: ??? ????? ???? CV
    FAIL     SMTP    postmaster@mydomain.com.sa  {mr-al-break@hotmail.com}     Undeliverable: ??? ????? ???? CV

    What I don’t understand here is we don’t have any postmaster account enabled anywhere but still it seems to be sending out mails automatically?
    What do the DSN, FAIL imply?
    Apart from these, I found other user mailboxes sending out emails to other users on the domain as well as out to the internet, but the users claim they never sent any such messages!
    Something is really fishy, could you advise where to start looking for trouble?
    After some research I found “MicrosoftExchangeRecipientReplyRecipient” is blank and also RecipientValidation is set to false. Would any of these help ?

    1. Paul Cunningham

      That looks like spammers spoofing Hotmail addresses and your system is generating NDRs for any addresses that don’t exist.

      Do you have any spam filtering in place?

  56. Sandile

    Awesome post Paul, found a lot of life-saving solutions on your blog.

  57. Paul

    Hi Paul,

    We have a client requirement to find all messages from a specific sender that have not been replied to within 24 hours. Basically our client wants to be sure the messages are being followed up.

    So one of my client’s employees receives an email from person@contoso.com and my client wants to get a report showing that his employee replied to that email from person@contoso.com within 24 hours. If the employee didn’t reply, the owner wants a report showing all the emails that were not replied to in a timely fashion. He wants this for all his employees.

    Is there any way to track by conversation in PowerShell? Can I match replies to original emails from the tracking logs or perhaps there is another way? Any help would be greatly appreciated!

    1. Paul Cunningham

      I think your client should invest in a system, perhaps a job ticketing system, where customer correspondence is logged automatically and that has the reporting capabilities he desires.

  58. Vairamuthu

    I did message tracking. Is there any attribute that says whether attachments were delivered successfully or not? The user complains PDF attachments are not being received.

    1. Paul Cunningham

      You need to be clearer in your problem statement. Is the problem that the emails with attachments aren’t being received by SharePoint, or by the mailbox? Or both? Or are the emails being delivered but without the attachments?

  59. Vairamuthu

    In Exchange 2007, we have created a transport rule: for whatever emails come to this mailbox, one copy is delivered to the respective mailbox and the other copy is delivered to the SharePoint portal. Normal emails are delivered fine; however, emails with attachments are not delivered.

    Any advice or suggestion?

    Thanks

  60. Naga Krishna

    Hi Paul,

    Good Evening..!!

    I have a situation where the user (xyz@abc.com) was transitioned to an external organisation (xyz@efg.com). However, he is still continuing to receive emails from our internal users.

    We do not have objects for him either on Exchange or AD. Early assumptions are that a DL might be involved with an object for him.

    How do we track the emails from internal users to this invisible object in our environment? Thanks

    1. Paul Cunningham

      I would just run the message tracking queries using the SMTP address and see what was returned.

  61. John

    I’m trying to export to CSV mails sent out from a specific email using commands below:

    get-messagetrackinglog -Sender "email@domain.com" -EventID "SEND" -Start "4/5/2014 8:00:00 AM" -End "4/5/2014 12:00:00 PM" | Where-Object {$_.recipients -like "*gmail.com"} | Export-csv C:\export.csv

    However, the Recipients field is showing only System.String[]. How can I make it show the real recipients’ email addresses?
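
The two CSV questions above (comment 48, a list of addresses from FAIL events, and comment 61, System.String[] in the Recipients column) come down to flattening the multi-valued Recipients property. This is an added example, not code from the article or its commenters; the helper name ConvertTo-FlatTrackingRow, the sample entries and the output file name are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Constructed sample entries shaped like Get-MessageTrackingLog output:
# Recipients and RecipientStatus are string arrays. All values are made up.
$sample = @(
    [pscustomobject]@{
        Timestamp       = [datetime]'2014-12-10T09:15:00'
        EventId         = 'FAIL'
        Sender          = 'sender@mydomain.com'
        Recipients      = [string[]]@('user1@example.com', 'user2@example.net')
        RecipientStatus = [string[]]@('550 5.1.1 User unknown', '550 5.1.1 User unknown')
        MessageSubject  = 'Annual notice'
    },
    [pscustomobject]@{
        Timestamp       = [datetime]'2014-12-10T09:16:00'
        EventId         = 'SEND'
        Sender          = 'sender@mydomain.com'
        Recipients      = [string[]]@('user3@example.org')
        RecipientStatus = $null     # some events carry no per-recipient status
        MessageSubject  = 'Annual notice'
    }
)

# Hypothetical helper: emits one flat row per recipient so Export-Csv writes
# real addresses instead of the array's type name (System.String[]).
function ConvertTo-FlatTrackingRow {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Entry)
    process {
        $recipients = @($Entry.Recipients)
        $statuses   = if ($Entry.RecipientStatus) { @($Entry.RecipientStatus) } else { @() }
        for ($i = 0; $i -lt $recipients.Count; $i++) {
            [pscustomobject]@{
                Timestamp       = $Entry.Timestamp
                EventId         = $Entry.EventId
                Sender          = $Entry.Sender
                Recipient       = $recipients[$i]
                # Assumption: status values are listed in the same order as recipients
                RecipientStatus = if ($i -lt $statuses.Count) { $statuses[$i] } else { '' }
                MessageSubject  = $Entry.MessageSubject
            }
        }
    }
}

$rows = $sample | ConvertTo-FlatTrackingRow
$csvPath = Join-Path ([System.IO.Path]::GetTempPath()) 'tracking-flat.csv'
$rows | Export-Csv -Path $csvPath -NoTypeInformation

# Unique addresses that appear on FAIL events, e.g. for cleaning a mailing list
$rows | Where-Object { $_.EventId -eq 'FAIL' } |
    Select-Object -ExpandProperty Recipient -Unique
```

Against a live server, pipe the output of Get-MessageTrackingLog (with -ResultSize Unlimited and the -Sender, -EventId, -Start and -End filters shown in the comments) into the helper in place of $sample.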

  62. Prakash

    I don’t think it would show BCC information in the message tracking logs?

    1. Paul Cunningham

      Have you tried it? Send a message to a BCC recipient and see if you can track it in the logs.

      1. Prakash

        Yep, I have and it doesn’t show you Bcc’d email address..

        1. Paul Cunningham

          Are you asking whether the BCC recipient is logged separately in the log, as in specifically as a BCC recipient?

          In most log entries they appear as a recipient. In some log entries (specific event IDs) the RecipientStatus will show “Bcc”.

          1. julio.baptista

            Hi,
            Can you help me explain why we receive undeliverable email such as “Your message did not reach some or all of the intended recipients”?

  63. Kobus

    I’m looking for a way to count the outgoing mails per user from “day-one” of our mailserver.

    $msgs = get-messagetrackinglog -Sender "username@domain.nl" -EventID "SEND" -Start "1-1-2000 0:00:00"
    $msgs | Group-Object -Property Sender | Select-Object name,count | sort >C:NumberOutgoingMailsUsername.txt

    The number of mails I get in the output file (156x) is much lower than the messages in the user’s Sent Items (8488 mails). What am I overlooking? Is this affected by the retention policy?

      1. Abu

        Hi Paul,

        I would like to make sure that our Exchange mailboxes have not received any email from one phishing mail (ex. nucia@gmail.com). How do I check this?

  64. U. P. B. Michael

    Thanks Paul – nice article…
