Message Trace in the Security & Compliance Center

You can trace a message to determine whether it was received, rejected, deferred, or delivered by the service. The trace also shows what actions were taken on the message before it reached its final status.

  1. Open the Security & Compliance Center at

  2. Expand Mail flow, and then select Message trace.

  3. From here you can start a new default trace by clicking on the Start a trace button. This will search for all messages for all senders and recipients for the last two days. Or you can use one of the stored queries from the available query categories and either run them as-is or use them as starting points for your own queries:

    • Default queries: Built-in queries provided by Office 365.

    • Custom queries: Queries saved by admins in your organization for future use.

    • Autosaved queries: The ten most recently run queries. This list makes it simple to pick up where you left off.

    Also on this page is a Downloadable reports section for the requests you've submitted, as well as the reports themselves when they're available for download.

  4. Filter by senders and recipients

    The default values are All senders and All recipients, but you can use the following fields to filter the results:

    • By these people: Click in this field to select one or more senders from your organization. You can also start to type a name and the items in the list will be filtered by what you've typed, much like how a search page behaves.

    • To these people: Click in this field to select one or more recipients in your organization.

  5. Time range

    The default value is 2 days, but you can specify date/time ranges of up to 90 days. When you use date/time ranges, consider these issues:

    • By default, you select the time range in Slider view using a time line. You can only select the day or time settings that are displayed. Trying to select an in-between value will snap the start/end bubble to the nearest displayed setting.

      [Figure: A Slider time range in a new message trace in the Security & Compliance Center]

      You can also switch to Custom view, where you can specify the Start date and End date values (including times) and select the Time zone for the date/time range. Note that the Time zone setting applies to both your query inputs and your query results.

      [Figure: A Custom time range in a new message trace in the Security & Compliance Center]

      For 10 days or less, the results are available instantly as a Summary report. If you specify a time range that's even slightly greater than 10 days, the results will be delayed because they are only available as a downloadable CSV file (Enhanced summary or Extended reports).

      For more information about the different report types, see the Choose report type section in this topic.

      Note: Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available for download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before processing starts for your queued request.

    • Saving a query in Slider view saves the relative time range (for example, 3 days from today). Saving a query in Custom view saves the absolute date/time range (for example, 2018-05-06 13:00 to 2018-05-08 18:00).

  6. Message trace results

    The different report types return different levels of information. The information that's available in the different reports is described in the following sections.

    Summary report output

    After running the message trace, the results will be listed, sorted by descending date/time (most recent first).

    [Figure: Summary report results for message trace in the Security & Compliance Center]

    The summary report contains the following information:

    • Date: The date and time at which the message was received by the service, using the configured UTC time zone.

    • Sender: The email address of the sender (alias@domain).

    • Recipient: The email address of the recipient or recipients. For a message sent to multiple recipients, there's one line per recipient. If the recipient is a distribution group, dynamic distribution group, or mail-enabled security group, the group will be the first recipient, and then each member of the group is on a separate line.

    • Subject: The first 256 characters of the message's Subject: field.

    • Status: The delivery status of the message.

    By default, the first 250 results are loaded and readily available. When you scroll down, there's a slight pause as the next batch of results is loaded. Instead of scrolling, you can click Load all to load all of the results up to a maximum of 10,000.
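
Because the Summary report has one line per recipient, it can be used to scope who received mail from a given sender and what status each copy reached. The following is an added example, not part of the original documentation or of the service's own tooling; it assumes the results were saved as CSV text with the five columns named as listed above, and the addresses, subjects, and status values in the sample are constructed.

```python
import csv
import io
from collections import defaultdict

MAX_RESULTS = 10_000  # "Load all" ceiling stated above

# Constructed sample rows, most recent first. Column names follow the field
# list above; addresses, subjects and status values are assumptions.
SAMPLE = """Date,Sender,Recipient,Subject,Status
2018-05-08 17:42,billing@example.net,finance-dl@contoso.example,Invoice overdue,Expanded
2018-05-08 17:42,billing@example.net,alice@contoso.example,Invoice overdue,Delivered
2018-05-08 17:42,billing@example.net,bob@contoso.example,Invoice overdue,Delivered
2018-05-08 17:40,billing@example.net,carol@contoso.example,Invoice overdue,Quarantined
2018-05-08 09:15,hr@contoso.example,alice@contoso.example,Benefits update,Delivered
"""

def load_rows(text):
    """Parse the CSV text into dicts, one per sender/recipient line."""
    return list(csv.DictReader(io.StringIO(text)))

def scope_by_sender(rows, sender):
    """Return {subject: {status: [recipients]}} for one sender address."""
    found = defaultdict(lambda: defaultdict(set))
    wanted = sender.strip().lower()
    for row in rows:
        if row["Sender"].strip().lower() != wanted:
            continue
        # Subject holds only the first 256 characters, so key on that prefix.
        subject = row["Subject"][:256]
        # A group address appears as its own line ahead of its members.
        found[subject][row["Status"]].add(row["Recipient"].strip().lower())
    return {s: {st: sorted(r) for st, r in by.items()} for s, by in found.items()}

def possibly_truncated(rows):
    """True when the row count hits the cap, so later rows may be missing."""
    return len(rows) >= MAX_RESULTS

if __name__ == "__main__":
    rows = load_rows(SAMPLE)
    for subject, by_status in scope_by_sender(rows, "billing@example.net").items():
        print(subject, by_status)
    print("possibly truncated:", possibly_truncated(rows))
```

If `possibly_truncated` returns true, narrow the sender, recipient, or time range filters and rerun the trace before relying on the counts.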