Message Trace Guide

Collect evidence for routing and delivery issues. Use status codes, events, and timing to identify root causes.

⚠️ Business Consequence: Why This Matters

  • Financial Impact: Fast delivery diagnosis = reduced MTTR ($3K–$10K saved per incident)
  • Compliance Exposure: Message trace evidence = regulatory investigation documentation
  • Operational Risk: Routing validation prevents extended mail flow failures
  • Audit Trail: 90-day extended traces document mail flow for legal hold and eDiscovery investigations

Trace analysis time: 2–5 minutes — accelerates delivery problem resolution.

🚀 Before You Start

⏱ Time Required

10–20 minutes to trace a message and identify its delivery path

👤 Skill Level

Exchange Online admin with basic PowerShell knowledge

🛡️ Safety

Read-only diagnostics. No impact on message delivery.

📋 What You'll Need

Exchange admin center or PowerShell, sender & recipient email addresses

⚠️ Message not found or trace unclear? Request Exchange Security Assessment for deep-dive analysis.

At a Glance

  • Purpose: Track mail delivery path and identify failure points
  • Data retention: 10 days (standard trace), 90 days (extended trace)
  • Time to run: 2–5 minutes for a basic trace
  • Best for: Mail flow issues, NDR investigation, routing validation

Essential Filters & Search Parameters

Use these filters to narrow your trace results and find relevant messages:

  • Sender/Recipient: Email address or domain scope; use wildcards (*@contoso.com) for broad searches
  • Date range: Start and end time; default is last 48 hours (max 10 days for standard trace)
  • Direction: Inbound (external → tenant), Outbound (tenant → external), or Internal
  • Status: Delivered, Failed, Pending, Expanded (distribution list), Quarantined, FilteredAsSpam
  • Message ID or source/destination IP (FromIP/ToIP): pin down one specific message, or every message that arrived from or left toward a given connector or smart host

How to Interpret Message Trace Results

Message trace shows the lifecycle of an email through Exchange Online. Use these indicators to diagnose issues:

Event Timeline Stages

  • SUBMIT: A mailbox inside the tenant handed the message to transport (internal and outbound senders)
  • RECEIVE: Transport accepted the message, either over inbound SMTP from an external server or from the SUBMIT above; filtering verdicts (spam, malware, transport rule) appear as their own events after this point
  • SEND: Message handed to the next hop (an outbound connector, smart host or another Exchange Online server); the event detail records the destination and, where one was used, the connector
  • DELIVER: Message placed in the recipient mailbox
  • FAIL: Delivery failed; the event detail carries the enhanced status code (5.x.x) and text of the NDR
  • EXPAND: Distribution list expanded to its members; each member then shows as its own recipient row

Common NDR Codes & Meanings

  • 5.1.1: Recipient address not found (invalid user or typo)
  • 5.2.2: Mailbox full (quota exceeded)
  • 5.4.1: Recipient address rejected: Access denied (the recipient does not exist in the tenant directory; Directory-Based Edge Blocking)
  • 5.5.4: Invalid domain name in the address (addressing or routing error)
  • 5.7.1: Rejected by policy (transport rule, spam filter, recipient restrictions, or failed authentication)
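The filters, event timeline and NDR codes above, as one worked Exchange Online PowerShell run. This is an added example, not code from the original guide: it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role with message trace rights, and the contoso.com / fabrikam.com addresses are placeholders. The 5.x.x code is pulled from the FAIL event's Detail text with a regular expression, which is an assumption about the wording of that text rather than a documented field.

```powershell
# Added example (not part of the original guide). Assumes ExchangeOnlineManagement
# is installed and the account has message trace rights; addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # interactive sign-in

# Filters: wildcard is allowed on the local part of the sender; the standard trace
# covers at most 10 days, so keep the window inside that.
$traceParams = @{
    SenderAddress    = '*@fabrikam.com'
    RecipientAddress = 'alice@contoso.com'
    StartDate        = (Get-Date).AddDays(-3)
    EndDate          = Get-Date
    PageSize         = 1000
}

# 1. Summary rows: one per sender/recipient pair with the overall Status
#    (Delivered, Failed, Pending, Expanded, Quarantined, FilteredAsSpam).
$trace = Get-MessageTrace @traceParams
$trace |
    Sort-Object Received |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, Size |
    Format-Table -AutoSize

# 2. For every message that did not end as Delivered, walk the event timeline
#    (SUBMIT/RECEIVE -> SEND/DELIVER, or FAIL) and capture the enhanced status code.
foreach ($msg in ($trace | Where-Object { $_.Status -ne 'Delivered' })) {
    $events = Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId `
                                     -RecipientAddress $msg.RecipientAddress |
              Sort-Object Date

    Write-Host "`n$($msg.Received)  $($msg.SenderAddress) -> $($msg.RecipientAddress)  [$($msg.Status)]"
    $events | Select-Object Date, Event, Action, Detail | Format-Table -AutoSize -Wrap

    # Assumption: a FAIL event's Detail text includes the SMTP reply, e.g. "550 5.1.1 ...".
    $fail = $events | Where-Object { $_.Event -eq 'Fail' } | Select-Object -First 1
    if ($fail -and $fail.Detail -match '\b([45]\.\d{1,3}\.\d{1,3})\b') {
        Write-Host "  Enhanced status code: $($Matches[1])  (see the NDR code list above)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Read the summary first, then open detail only for the rows that are not Delivered; a Pending row with no SEND event yet is a queue or deferral, not a failure. Newer tenants also expose Get-MessageTraceV2 and Get-MessageTraceDetailV2; check Get-Command before relying on either generation of the cmdlets.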

Connector & TLS Indicators

  • Connector: when mail leaves or enters the tenant through a connector, the SEND or RECEIVE event detail records the connector and, for outbound routing, the smart host it was handed to
  • TLS: Exchange Online stamps the negotiated TLS version and cipher on each hop in the message's Received: headers (for example "with Microsoft SMTP Server (version=TLS1_2, cipher=...)"), so confirm transport encryption from the delivered message's headers, not from the trace summary alone
  • A message that was expected to take a connector but shows direct delivery usually means the connector's scope (recipient domain, sender IP or certificate) did not match

FAQs

How far back can I trace messages?

Standard trace retains 10 days; extended trace up to 90 days.
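Going past the 10-day window means an extended (historical) trace, which runs as a background job and returns a CSV rather than inline results. This is an added example, not code from the original guide: it assumes the ExchangeOnlineManagement module, a signed-in account with message trace rights, placeholder contoso.com / fabrikam.com addresses, and that the job's Status property reports NotStarted and InProgress while it is still running (an assumption about the cmdlet's status strings).

```powershell
# Added example (not part of the original guide). Extended trace for up to 90 days
# via Start-HistoricalSearch; addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$searchParams = @{
    ReportTitle      = 'Fabrikam inbound failures, last 60 days'
    ReportType       = 'MessageTrace'        # 'MessageTraceDetail' adds per-event rows
    StartDate        = (Get-Date).AddDays(-60)
    EndDate          = Get-Date
    SenderAddress    = 'billing@fabrikam.com'
    RecipientAddress = 'alice@contoso.com'
    Direction        = 'Received'            # Received = inbound to the tenant, Sent = outbound
    DeliveryStatus   = 'Failed'
    NotifyAddress    = 'admin@contoso.com'   # mailbox that receives the completion notice
}
$job = Start-HistoricalSearch @searchParams
Write-Host "Submitted historical search $($job.JobId); polling..."

# Assumption: Status reads NotStarted/InProgress until the job finishes
# (typically minutes to a few hours), then Done, Failed or Cancelled.
do {
    Start-Sleep -Seconds 60
    $status = Get-HistoricalSearch -JobId $job.JobId
} while ($status.Status -in @('NotStarted', 'InProgress'))

$status | Select-Object ReportTitle, ReportType, Status, Rows, FileUrl, ErrorDescription

Disconnect-ExchangeOnline -Confirm:$false
```

Scope the search tightly (one sender or recipient, and a Direction) before widening it; a broad 90-day search over a busy tenant can take hours and produce a CSV too large to review by hand.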

Which status indicates policy rejection?

FAIL with NDR 5.7.1 often indicates transport rule or spam policy rejection.

How do I confirm connector involvement?

Open the message detail and read the SEND (outbound) or RECEIVE (inbound) event: it records the connector the message went through and, for outbound routing, the smart host. For TLS, check the Received: headers of the delivered message, which carry the negotiated TLS version and cipher for each hop.

What if no messages appear in trace?

If a 24-hour trace shows 0 messages, first confirm the filter itself: addresses and domain spelled correctly, the date window really covers the event, and at least one of sender or recipient belongs to the tenant. A trace only records messages that reached Exchange Online, so mail that never arrived at EOP (MX or DNS problems upstream, or an on-premises relay whose connector is failing) leaves no trace at all; in that case validate the inbound connector and confirm the sending host can reach the tenant's MX endpoint.