How to Run Message Trace in Exchange Online

Created by Rohit Yadav, Modified on Thu, 20 Nov at 1:28 PM by Rohit Yadav

Overview

Message Trace in Exchange Online allows administrators to follow an email’s delivery path through Microsoft 365. It provides detailed insights such as delivery status, delays, spam filtering, quarantine actions, and SMTP events. Message Trace is essential for resolving mail flow issues, investigating missing emails, and ensuring compliance.


Use Cases

1. Troubleshooting Missing or Delayed Emails

Message Trace helps identify whether the message was:

  • Delivered

  • Delayed

  • Blocked

  • Quarantined

  • Rejected by transport rules

  • Filtered by anti-spam policies

2. Investigating Spam or Phishing Reports

Admins can trace suspicious messages to see:

  • Sender IP

  • Spam result

  • Malware or phish verdict

  • Policy actions applied

3. Auditing Mail Flow for Compliance

Useful for:

  • eDiscovery

  • Legal investigations

  • HR escalations

  • Verifying outbound communications

4. Outbound Delivery Checks

Helps validate:

  • Whether the customer actually received the email

  • Whether SPF/DKIM/DMARC affected delivery

  • Whether the message bounced at the remote server


Step 1 — Open Message Trace

Microsoft 365 Defender Portal (New UI)

  1. Go to https://security.microsoft.com

  2. Navigate to Email & collaboration

  3. Select Review → Message Trace

Exchange Admin Center (Classic UI)

  1. Go to https://admin.exchange.microsoft.com

  2. Navigate to Mail flow → Message trace

Microsoft is migrating Message Trace into Defender. Both locations may appear depending on your tenant.


Step 2 — Select the Time Range

Microsoft provides three time range options:

✔ Last 24 hours (Real-time trace)

  • Fastest results

  • Basic info only

  • Used for immediate issues

✔ Custom Range (Up to 10 days)

  • More detailed data

  • Still online results

✔ Historical Trace (Up to 90 days)

  • Deep-dive logs

  • Takes longer

  • Delivers downloadable CSV file via email

  • Required for older messages


Step 3 — Enter Search Criteria

You can filter by:

  • Sender

  • Recipient

  • Subject

  • Message ID

  • Direction (Inbound/Outbound/Internal)

  • Delivery status

  • P2 sender (SMTP envelope sender)

  • P1 sender (Header “From”)

This helps refine results for specific mail flow scenarios.


Step 4 — Run the Trace

  1. Set your filters

  2. Click Search

  3. Review results including:

    • Status: Delivered, Failed, Quarantined, Expanded, Pending

    • Event timeline: SMTP events

    • Policy actions: Transport rules, DLP, ATP

    • Connector and routing path

    • Final delivery location


Step 5 — Export or Download Results

Message Trace results can be exported in:

  • CSV file

  • Advanced Historical Trace CSV (sent via email)

  • On-screen view

CSV is recommended for security auditing and reporting.
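The same five steps driven from Exchange Online PowerShell instead of the portal, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role allowed to run message trace, that Get-MessageTrace is limited to the last 10 days in the tenant, and the example.com addresses are placeholders.

```powershell
# Added example (not from the original article): the portal workflow above,
# driven from Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can run message trace.
# example.com addresses are placeholders; replace them with real values.

Connect-ExchangeOnline -UserPrincipalName admin@example.com   # interactive sign-in

# Step 3: search criteria (assumed sample values)
$sender    = "alice@example.com"
$recipient = "bob@example.com"
$startDate = (Get-Date).AddDays(-7)
$endDate   = Get-Date

# Step 2: Get-MessageTrace only reaches back 10 days (assumption for this tenant).
# Older windows go through a historical search, whose CSV arrives by email.
if (((Get-Date) - $startDate).TotalDays -gt 10) {
    Start-HistoricalSearch -ReportTitle "Trace $sender to $recipient" `
        -ReportType MessageTrace -StartDate $startDate -EndDate $endDate `
        -SenderAddress $sender -RecipientAddress $recipient `
        -NotifyAddress "admin@example.com"
    return
}

# Step 4: run the trace. PageSize tops out at 5000, so page through large results.
$results = @()
$page = 1
do {
    $batch = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
        -StartDate $startDate -EndDate $endDate -PageSize 5000 -Page $page
    $results += $batch
    $page++
} while ($batch.Count -eq 5000)

# Pull the per-message event timeline (SMTP events, transport rule and
# filtering actions) only for messages that did not reach the mailbox.
$problem = $results | Where-Object { $_.Status -ne "Delivered" }
$details = foreach ($m in $problem) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Select-Object @{n = "MessageId"; e = { $m.MessageId }}, Date, Event, Action, Detail
}

# Step 5: export for auditing, then show a quick status breakdown on screen.
$results | Export-Csv -Path ".\message-trace.csv" -NoTypeInformation
$details | Export-Csv -Path ".\message-trace-details.csv" -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Filtering on Status before calling Get-MessageTraceDetail keeps the run fast on busy tenants, since the detail call is one request per message and recipient.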


Troubleshooting

❗ No results found

  • Confirm correct time range

  • Use Message ID instead of subject (more precise)

❗ Message delayed

Check:

  • Queuing

  • Throttling

  • Malware scanning

  • Transport rule actions

❗ Message not delivered

Check:

  • Block lists

  • SMTP bounce code

  • Quarantine

  • DKIM/DMARC failures

  • Outbound spam policy

❗ Historical trace taking too long

  • This is normal — data is retrieved from archive logs

  • Larger queries take several minutes and arrive via email
