How to perform a message trace in the Forefront Online Protection for Exchange (FOPE) Administration Center

Article translations Article translations
Article ID: 2690809 - View products that this article applies to.
Expand all | Collapse all

On This Page

Summary

This article describes how to perform a message trace in the Microsoft Forefront Online Protection for Exchange (FOPE) Administration Center.


More information

You typically perform a message trace in the FOPE Administration Center when you want to identify problems with message routing in FOPE or to confirm successful message routing. Be aware that this does not trace message routing through Exchange Online. 

You can perform a trace for the following message routing scenarios:
  • To receive messages from the Internet and to confirm delivery to an Exchange Online organization.
  • To send messages from Exchange Online and to confirm delivery to the Internet.
  • To send a message from an Exchange Online user to an Exchange Online user in a different organization. Mail flow travels to FOPE and then back to Exchange Online. (For example, user@contoso-A.microsoftonline.com sends mail to user@contoso-B.microsoftonline.com.)
To perform a message trace, follow these steps:
  1. Sign in to the FOPE Administration Center (https://admin.messaging.microsoft.com).
  2. On the Tools tab, click Message Trace.
  3. Complete the Sender address, Recipient address, Start date, and End date fields, and then click Search.

    Note You can specify only the sender domain for the Senderaddress field, or only the recipient domain for the Recipientaddress field.
  4. Check the results.
    • If no results are returned, the message may not have reached the FOPE system.
    • If there are results, search for the message based on the time that it was sent.
Note Contact FOPE Support if one of the following conditions is true:
  • The user's domain is set to external relay in Exchange Online. In this situation, messages are not searchable in the FOPE Administration Center.
  • Messages are generated by Exchange Server, such as Out-of-Office messages, automatic replies and nondelivery reports (NDRs). These messages are not searchable in the FOPE Administration Center.

Tracing notifications

The following table lists the To addresses and the From addresses that are used for content such as tracing notifications, restored messages, answerbacks, encrypted messages, and quarantined messages that are released from quarantine.
Collapse this tableExpand this table
ContentFromToNotes
Answerbacks
(used for encrypted message account creation on the account only and not for the actual encrypted message)
hostedencryption@encryption.messaging.microsoft.comEnd recipient email address
Archive restore
(used for messages that are restored from the archive)
restore@messaging.microsoft.comIntended recipient
Custom policy rule notifications
(traceable only if a notification from address is specified) 
The customer notification addressSender or recipient, as specified by the policy rule
Deferral notificationsThese seem to be untraceable by the Message Trace Tool. This information will be updated, if found otherwise.These seem to be untraceable by using the Message Trace Tool. This information will be updated, if found otherwise.
Directory Sync Tool(DST) notificationsnotifications@messaging.microsoft.comNotification address
Encrypted messagesSenderRecipientTwo messages are displayed (one message to the gateway and the other message to the recipient).
Messages that are released from quarantineSender's email address Recipient's email address
  • Pull the message ID from the trace details that displays the message that is being sent to quarantine.
  • Enter the message ID in the Message ID field of the Message Trace Tool.
  • Leave all other fields the same as in the first trace, and then click Search.
  • If two messages appear, the earlier message should show the message that is sent to quarantine and the later message should show the message that is released from quarantine.
Password reset email messages (sent by using "Need Password")exmailer@microsoft.comIntended recipient
Quarantine notificationsquarantine@messaging.microsoft.comIntended recipient

Troubleshoot tracing messages

If you cannot trace a message, one or more of the following conditions may be the reason:
  • The message did not come through FOPE servers.
  • The Return-Path (Mail From) address differs from the From address (Data field).

    This usually occurs with spoofed messages. Obtain the headers for the message, and then try to trace the message from the Return-Path address.
  • The recipient is part of a virtual domain. 

    Check the recipient to determine whether the account is listed in the FOPE Administration Center. On the left side of the account page, determine whether this recipient is a part of a virtual domain. If this is the case, try to trace the message to and from the virtual domain's domain name. For example, if user@domain.com belongs to virtual.domain.com, trace to and from user@virtual.domain.com. 
  • The message was generated by software, and then it was relayed through the mail server. However, the domain that the message comes from is not listed in the FOPE Administration Center. If this is the case, contact Support.
  • You made an error, such as additional spaces or a spelling error, when you entered the search criteria.
  • Logs have up to a 30-minute rollover. Therefore, the message's logs may not yet be traceable. Expand the date range to a day before and a day after the message was supposed to have come through the FOPE system.

Properties

Article ID: 2690809 - Last Review: October 22, 2013 - Revision: 6.0
Applies to
  • Microsoft Forefront Online Protection for Exchange
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
Keywords: 
vkbportal225 vkbportal231 vkbportal237 o365 KB2690809

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com