Standard vs. Premium Journaling

Journaling is a feature with roots going back to Exchange 5.5 SP1, where it could be implemented as MTA Journaling. In current versions of Exchange, you can set up Journaling so that the server sends copies of all messages it processes to a Journal recipient. Two types of Journaling can be implemented:

Standard Journaling – Configured on mailbox databases, standard journaling copies all messages sent to or from the mailboxes on that database. Standard Journaling is configured in the properties of the mailbox database or by running the Set-MailboxDatabase cmdlet.

Premium Journaling – Configured using journal rules, premium journaling can copy all messages sent within an organization. Journal rules can be applied in a more targeted manner than standard journaling. You can configure journal rules to only journal external email or to only journal email for specific recipients in the organization. Journal rules are configured in the compliance management section of the Exchange admin center or by running the New-JournalRule cmdlet.

The following commands configure standard journaling on the mailbox database MDB01 and then display the configured journal recipient:

Set-MailboxDatabase MDB01 -JournalRecipient journaling@icewolf.ch

Get-MailboxDatabase MDB01 | fl Name, JournalRecipient

For more information, see this article: Exchange Best Practices: Configuration of Database Hosting Journal Mailbox

Exchange Online Journaling

While Microsoft recommends using Microsoft 365 Retention to retain data in Exchange Online when possible, there might still be some good reasons to use Journaling:

  • If you’re in a Hybrid environment, you will want to have all email data in one place.
  • The maturity of the organization. In other words, you need more time to implement a Data Lifecycle with retention.
  • The 3rd party archiving or compliance product lifecycle or lifespan has not yet expired.
  • The use of 3rd party SaaS products for compliance or security.

In Exchange Online, you don’t have access to mailbox databases. But you still can use Journaling Rules to send copies of messages to a Journal Recipient. The big prerequisite is that the recipient must be outside of Exchange Online. You can’t designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an on-premises archiving system or a third-party archiving service.

To set up Journaling in Exchange Online, administrators must configure Journaling rules. These rules define which emails are Journaled and where the copies are sent. There are two types of Journaling rules in Exchange Online: standard rules and scoped rules.

Standard Journaling rules apply to all messages that match a set of criteria defined by the administrator, such as messages sent to or from a particular user or distribution group. When a message matches a standard Journaling rule, a copy of that message is sent to the designated mailbox or archive.

Scoped Journaling rules are similar to standard rules, but they apply only to a specific set of users, such as a particular department or business unit. This allows organizations to limit the scope of Journaling to only those users or groups that require it, reducing the amount of data that needs to be stored and reviewed.

Journaling Rules are configured in the Data lifecycle management section of the Microsoft Purview compliance portal under Exchange (legacy).

Journaling Rules consist of three aspects, as seen in Figure 1 below.

  • Journal Recipient (the email address where the Journal Messages are sent to)
  • Journaling Mailbox (everyone or a specific Mailbox, Contact, or Distribution Group)
  • Journal Scope (all messages / Internal messages only / External messages only)
Figure 1: Journaling Rule in Microsoft Purview

Here’s the PowerShell command to create a Journaling Rule based on the membership of a Distribution Group for all messages.

New-JournalRule -Name "Journal in ‘G-JRN-01@icewolf.ch’" -Recipient G-JRN-01@icewolf.ch -JournalEmailAddress "Journaling01@icewolf.ch" -Scope Global -Enabled $True

To view the Journaling Rules in Exchange Online, use the following command as seen in Figure 2 below:

Get-JournalRule
Figure 2: Journaling Rule in Exchange Online

Under Additional Settings, you need to configure the NDR Recipient, which receives the undeliverable reports if Exchange Online can’t deliver messages to the Journaling Recipient, as seen in Figure 3.

Figure 3: Undeliverable Reports for Journaling

To get informed when there is a problem with reaching the Journaling Recipient, it’s recommended that you set the JournalingReportNdrTo parameter in the transport configuration to point to an external address, as seen in Figure 4 below.

Set-TransportConfig -JournalingReportNdrTo postmaster@icewolf.ch

Get-TransportConfig | fl *journ*
Figure 4: Transport Settings in Exchange Online

Depending on the Policies of your Organization you might not need to Journal VoiceMail. In that case you can change the Parameter VoiceMailJournalingEnabled to $false. If you want to increase the time before the Journal Messages in the queue expire, you can use the JournalMessageExpirationDays Parameter, as explained in the table below.

| Parameter | Explanation |
| --- | --- |
| JournalingReportNdrTo | External email address (empty by default), for example, an on-premises Shared Mailbox. |
| VoiceMailJournalingEnabled | The VoicemailJournalingEnabled parameter specifies whether Unified Messaging voice mail messages are journaled by the Journaling agent. The default value is $true. |
| JournalMessageExpirationDays | Integer from 0 to 7. The default value is 0, which means undeliverable journal reports are treated like regular undeliverable messages. |
Table 1: Transport Settings Related to Journaling

In recent migrations from Exchange Server to Exchange Online, my plan was always to add the mailboxes to different Journaling Groups. That way, we could distribute the load to multiple Journaling recipients. Depending on the requirements, there can be multiple ways to achieve this:

  • Based on UPN Suffix or Domain of PrimarySMTPAddress
  • Based on Company / Department or Business Unit
  • Based on First Character of Last Name or First Character of Email Address
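
One way to implement the last option, splitting mailboxes across journaling groups by the first character of the primary SMTP address. This is an added example, not the author's script: the groups G-JRN-02 to G-JRN-04, the character ranges, the function name and the sample mailboxes are assumptions.

```powershell
# Map each journaling group to the first characters it covers.
# G-JRN-02..04 and the ranges are hypothetical; only G-JRN-01 appears in the article.
$GroupMap = [ordered]@{
    'G-JRN-01@icewolf.ch' = '^[a-h]$'
    'G-JRN-02@icewolf.ch' = '^[i-q]$'
    'G-JRN-03@icewolf.ch' = '^[r-z]$'
}
# Catch-all for digits and other characters, so no mailbox stays unjournaled.
$FallbackGroup = 'G-JRN-04@icewolf.ch'

function Get-JournalGroupForAddress {
    param(
        [Parameter(Mandatory)][string]$PrimarySmtpAddress,
        [Parameter(Mandatory)][System.Collections.IDictionary]$GroupMap,
        [Parameter(Mandatory)][string]$FallbackGroup
    )
    $address = $PrimarySmtpAddress.Trim()
    if ($address.Length -eq 0) { return $FallbackGroup }
    $first = $address.Substring(0, 1)
    foreach ($group in $GroupMap.Keys) {
        # -match is case-insensitive, so 'Anna' and 'anna' land in the same group
        if ($first -match $GroupMap[$group]) { return $group }
    }
    return $FallbackGroup
}

# Constructed sample input. In a tenant this would come from:
#   Get-EXOMailbox -ResultSize Unlimited | Select-Object PrimarySmtpAddress
$Mailboxes = 'anna.muster@icewolf.ch', 'Kurt.Beispiel@icewolf.ch',
             'zoe.test@icewolf.ch', '4you@icewolf.ch'

$Plan = foreach ($smtp in $Mailboxes) {
    [pscustomobject]@{
        Mailbox      = $smtp
        JournalGroup = Get-JournalGroupForAddress -PrimarySmtpAddress $smtp -GroupMap $GroupMap -FallbackGroup $FallbackGroup
    }
}

# Review the distribution before changing any group membership
$Plan | Group-Object JournalGroup | Select-Object Name, Count

# Dry run of the membership change; remove -WhatIf to apply
# $Plan | ForEach-Object { Add-DistributionGroupMember -Identity $_.JournalGroup -Member $_.Mailbox -WhatIf }
```

The fallback group matters for compliance: a mailbox whose address starts with a character outside the mapped ranges would otherwise belong to no journaling group and match no journal rule.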

Journaling in a Hybrid Scenario

If your organization is set up in a hybrid deployment, you must configure any Journaling rules twice, once in the on-premises Exchange Server and an identical rule in Exchange Online. If you don’t, some messages might not be journaled.
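
A parity check for the requirement above, comparing the journal rules of both environments on the properties that decide what gets journaled. This is an added example, not the author's code: the function names and the sample rules are constructed, and in practice the two inputs would be the Get-JournalRule output of each environment.

```powershell
function Get-JournalRuleSignature {
    param([Parameter(Mandatory)]$Rule)
    # The rule name is ignored on purpose: only the behaviour has to be identical.
    $parts = "$($Rule.Recipient)", "$($Rule.JournalEmailAddress)", "$($Rule.Scope)", "$($Rule.Enabled)"
    ($parts -join '|').ToLowerInvariant()
}

function Compare-JournalRuleSet {
    param([object[]]$OnPremRules = @(), [object[]]$OnlineRules = @())
    $onPrem = @{}; foreach ($r in $OnPremRules) { $onPrem[(Get-JournalRuleSignature $r)] = $r }
    $online = @{}; foreach ($r in $OnlineRules) { $online[(Get-JournalRuleSignature $r)] = $r }
    # Rules that exist on-premises but have no identical twin in Exchange Online
    foreach ($sig in $onPrem.Keys) {
        if (-not $online.ContainsKey($sig)) {
            [pscustomobject]@{ MissingIn = 'Exchange Online'; Rule = $onPrem[$sig].Name; Signature = $sig }
        }
    }
    # Rules that exist in Exchange Online but have no identical twin on-premises
    foreach ($sig in $online.Keys) {
        if (-not $onPrem.ContainsKey($sig)) {
            [pscustomobject]@{ MissingIn = 'Exchange Server'; Rule = $online[$sig].Name; Signature = $sig }
        }
    }
}

# Constructed sample rules (G-JRN-02 / Journaling02 are hypothetical).
# Real input: the output of Get-JournalRule in each environment.
$onPremRules = @(
    [pscustomobject]@{ Name = 'JRN-01'; Recipient = 'G-JRN-01@icewolf.ch'
        JournalEmailAddress = 'Journaling01@icewolf.ch'; Scope = 'Global'; Enabled = $true }
    [pscustomobject]@{ Name = 'JRN-02'; Recipient = 'G-JRN-02@icewolf.ch'
        JournalEmailAddress = 'Journaling02@icewolf.ch'; Scope = 'Global'; Enabled = $true }
)
$onlineRules = @(
    [pscustomobject]@{ Name = 'Journal 01'; Recipient = 'g-jrn-01@icewolf.ch'
        JournalEmailAddress = 'Journaling01@icewolf.ch'; Scope = 'Global'; Enabled = $true }
    # Same group and journal address, but the scope differs from the on-premises rule
    [pscustomobject]@{ Name = 'Journal 02'; Recipient = 'G-JRN-02@icewolf.ch'
        JournalEmailAddress = 'Journaling02@icewolf.ch'; Scope = 'External'; Enabled = $true }
)

Compare-JournalRuleSet -OnPremRules $onPremRules -OnlineRules $onlineRules | Format-Table -AutoSize
```

Every row returned names a rule that exists, or behaves differently, in only one of the two environments.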

If the sender and recipients are both in accepted domains of the same organization, the messages are not treated as external, even if the x-ms-exchange-crosstenant-authas header in the messages has the value anonymous. Accordingly, these messages are not Journaled as external.

A few days ago, the Exchange Team released additional Information for Journaling in Hybrid Scenarios.

Scenario 1: MX Record Points to On-Premises

When email is processed by on-premises first, a header called X-MS-Exchange-Organization-Processed-By-Journaling is added by Exchange Server to indicate that the Journaling agent touched the message. Regardless of whether any on-premises Journaling rule exists, the Journaling agent will always touch a message on-premises, and the header will be added. It is not possible to disable the on-premises Journaling agent.

When an email is sent from on-premises to Exchange Online, it will be sent to the remote routing address (tenant.mail.onmicrosoft.com) and then in Exchange Online, the categorizer resolves the address to the primary address which is contoso.com. Because of this change, Journaling happens again in Exchange Online.

When Send from Alias is enabled, the Exchange Online address resolution from tenant.mail.onmicrosoft.com to contoso.com does not happen (to preserve the alias) and there will be no change in the email address. So, with the Send From Alias feature enabled, Journaling by Exchange Online does not happen when an email originated from or was routed through on-premises.

A few months ago, I had such a case and figured it out by Exchange pipeline tracing. Pipeline tracing captures copies of email messages from a specific SenderAddress as they move through the transport pipeline in the Transport service or the Mailbox Transport service on Mailbox servers and on Edge Transport servers.

To enable Pipeline Tracing, use the following command, as shown in Figure 5 below.

Set-TransportService -Identity <ServerName> -PipelineTracingEnabled $true -PipelineTracingSenderAddress <senderaddress>

To review your settings use the following command:

Get-TransportService | fl Identity, Pipeline*
Figure 5: Configuring Pipeline Tracing in Exchange Server

In Figure 6, you can see the Header X-MS-Exchange-Organization-Processed-By-Journaling.

Figure 6: Pipeline Tracing Log

That header is not visible in the destination Mailbox in Exchange Online. To fix this issue you need to create a Transport Rule on the on-premises Exchange Server to remove the header.

New-TransportRule "Remove JournalingHeader" -RecipientAddressContainsWords "icewolfch.mail.onmicrosoft.com" -RemoveHeader "X-MS-Exchange-Organization-Processed-By-Journaling" -enabled $true

Scenario 2: MX Record Points to Exchange Online

When an MX record points to Exchange Online, the Exchange Online Journaling agent processes the email first. In this case, centralized mail routing plays an important role in how Journaling works on inbound emails.

When centralized mail routing is enabled:

  • Inbound emails are routed to on-premises first, regardless of where the recipient is located. However, before that, the Exchange Online Journaling agent will add the header X-MS-Exchange-Organization-Processed-By-Journaling. The header will be promoted on the email to on-premises. Regardless of any Journaling rule in Exchange Online, the agent will always touch a message, and the header will be added. As with Exchange Server, it is not possible to disable this agent in Exchange Online.
  • Exchange Server will initially skip journaling for on-premises recipients because of the presence of the header.
  • However, for Exchange Online recipients, the Exchange Server categorizer resolves the address contoso.com to the target address, which is Contoso.mail.onmicrosoft.com. Because of this change, Journaling does happen in Exchange Server for Exchange Online recipients if there is a matching journaling rule on-premises.
  • Similarly, when email gets routed back to Office 365, Journaling happens again in Exchange Online for the second time as the categorizer resolves the contoso.mail.onmicrosoft.com to the primary domain contoso.com for Exchange Online recipients.

Wrapping Up

It’s crucial to understand how Exchange Journaling works and that Settings like SendFromAlias, Centralized Mail Routing, and where your MX record points to, have a huge impact on Journaling. Make sure you test everything thoroughly before you implement Journaling at scale. After the implementation make sure you have set JournalingReportNdrTo in TransportConfig, so you notice when Emails can’t be delivered to the Journaling Recipient. Otherwise, you might end up with a compliance gap.

About the Author

Andres Bohren

Andres Bohren works as a Microsoft Cloud Engineer/Architect for midsize to large enterprises. He has a special focus on Microsoft 365, including Identity, Messaging, Communication, Security and PowerShell, as well as Azure technologies. He is co-organizer of the “Microsoft 365 Community Schweiz” Meetup group and has been a speaker at several other Meetups. He has also written articles about Microsoft and other technology on his blog https://blog.icewolf.ch since 2007.

Comments

  1. Andres Bohren

    Hi Miles,

    As documented by Microsoft here: https://techcommunity.microsoft.com/t5/exchange-team-blog/journaling-in-hybrid-scenarios/ba-p/3821516

    Scenario 1: MX record points to on-premises
    When email is processed by on-premises first, a header called X-MS-Exchange-Organization-Processed-By-Journaling is added to indicate that the journaling agent touched the message (this is an internal header and won’t be visible to the recipient). Regardless of whether any on-premises journaling rule exists, the journaling agent will always touch a message on-premises, and the header will be added. It is not possible to disable the on-premises journaling agent. This header will be promoted on the email to Exchange Online, and once in Exchange Online, the service won’t journal the email again to prevent duplicate journaling.

    Kind Regards
    Andres

  2. Miles

    “That header is not visible in the destination Mailbox in Exchange Online. To fix this issue you need to create a Transport Rule on the on-premises Exchange Server to remove the header.”

    If that journal header is not visible in EXO, why create a rule to remove it?

    I would think that the header is maintained, since Exchange on-premises and Exchange Online treat hybrid messages as internal because the email addresses have the same accepted domain. Does removing that header force the other Exchange environment to journal it again?
