How to Interpret message trace results and policies in Exchange Online

By understanding how to interpret message trace results in the Exchange Online Admin Center you can find out what happened to a message once it reached your organisation. By using the information found in the message trace results, you can troubleshoot email delivery issues and determine the solution to a problem. 

In this post, I will walk you through how you can run a message trace in Exchange Online and how to interpret the results.

How to run a message trace in the Exchange Online Admin Center

1. Log in to the Exchange Admin Center.

2. Select Mail flow > Message Trace

3. Click + Start a trace

4. You can enter the following basic information to filter your trace results:

Basic information

  • Senders: select which sender you want to search for.
  • Recipients: select which recipients you want to search for.
  • Time Range: select the time range for your search results.

Advanced information

  • Delivery status: select this option if you know the status of the email you are looking for.
  • Message ID: this is the ID created by the sending system, which can be found in the message header. Check out our post on how to review and interpret message headers in Exchange Online.
  • Direction: you can select if the message was coming into your organisation or being sent from within your organisation.
  • Original client IP address: if you know the sender's external IP address, you can filter by it here.

5. Click Search

How to Interpret message trace results

If you follow the above, you should have a nice collection of results from your message trace that are meaningful to you. So now, in order to troubleshoot the issue or understand what is happening to your message, we need to interpret the results.

Example 1

We have our results, and we can see the message we want to review. Simply click on the message and a slide-out window will appear to the right. Here is my successful test message:


From the above, we can see:

  • The sender address (which I have blanked out above)
  • The recipient address
  • That the email was delivered successfully. 
  • That the email was delivered to the inbox folder of the recipient

Based on the fact this email was delivered successfully, we do not need to troubleshoot this further.

Example 2

With the above email, the user reported the email went to their Junk email folder, and not their inbox. At a glance, the status shows that the email was delivered to the user’s Junk email folder, so let’s take a look at why.

By expanding the Message events tab, we can get more detailed information on what is happening to this email.

Based on the message events:

  • The email was received by Exchange Online using TLS 1.2
  • The email was not classified as spam
  • The email was subject to a transport rule named ‘Set SCL to High’
  • The email was delivered to the junk email folder

We can determine from this information that the culprit is the transport rule named ‘Set SCL to High’, which was applied to the email.

If we go to Mail flow > Rules, we can analyse the transport rule to resolve the issue.

In our case, someone has manually created a transport rule where any emails from this sender are modified to set the SCL to 9, automatically marking the email as spam. The solution would be to modify, disable or delete this transport rule.
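The same trace, message events and rule check can be run from Exchange Online PowerShell. This is an added example, not part of the original post; it mirrors the filters from step 4 and the rule lookup from Example 2, and every address, IP and Message ID in it is a placeholder.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
# All addresses, the IP and the Message ID below are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Basic filters from step 4: sender, recipient and time range.
$traceFilter = @{
    SenderAddress    = 'sender@fabrikam.example'
    RecipientAddress = 'user@contoso.example'
    StartDate        = (Get-Date).AddDays(-2)
    EndDate          = (Get-Date)
}

# Advanced filters: uncomment only the ones you actually know.
# $traceFilter.Status    = 'Delivered'                           # Delivery status
# $traceFilter.MessageId = '<placeholder-id@fabrikam.example>'   # Message ID from the header
# $traceFilter.FromIP    = '203.0.113.10'                        # Original client IP address

# Equivalent of clicking Search: one row per message and recipient.
$messages = Get-MessageTrace @traceFilter
$messages | Sort-Object Received |
    Format-Table Received, SenderAddress, RecipientAddress, Subject, Status -AutoSize

# Equivalent of the Message events tab: events for each result, oldest first.
foreach ($msg in $messages) {
    "--- $($msg.Subject) [$($msg.Status)] ---"
    Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId `
                           -RecipientAddress $msg.RecipientAddress |
        Sort-Object Date |
        Format-List Date, Event, Action, Detail
}

# Example 2 follow-up: list every transport rule that sets an SCL,
# so a rule such as 'Set SCL to High' can be reviewed without opening each one.
Get-TransportRule |
    Where-Object { $null -ne $_.SetSCL } |
    Format-Table Name, State, Priority, SetSCL, From -AutoSize
```

Microsoft is replacing these two trace cmdlets with Get-MessageTraceV2 and Get-MessageTraceDetailV2; if the originals are unavailable in your tenant, use those instead.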

All common event types in the message trace results

When analysing message trace results, the message events tab will provide the most valuable information to understand what is happening to your email. Below is a list of all the event types and their meaning.

RECEIVE: The message was received by service name xxx.

SEND: The message was sent by service name xxx.

FAIL: The message failed to be delivered. This can often happen if the destination is not reachable, the destination rejected the message, or the message timed out during the delivery attempt.

DELIVER: The message was delivered to a mailbox.

EXPAND: The message was sent to a distribution group that was expanded.

TRANSFER: Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents. Message Bifurcation is when a new version of the message is created with slightly different properties. You can understand why this might happen here:

DEFER: The message delivery was postponed and may be re-attempted later.

RESOLVED: The message was redirected to a new recipient address based on an Active Directory lookup. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.

DLP rule: The message matched a DLP rule.

Sensitivity label: A server-side labelling event occurred. For example, a label was automatically added to a message that includes an action to encrypt or was added via the web or mobile client. This action is completed by the Exchange server and logged. A label added via Outlook will not be included in the event field.


Thank you for reading my post on how to interpret message trace results and policies in Exchange Online. This how-to guide forms part of my MS-220 exam study guide for troubleshooting Exchange Online. Check out the full guide here:

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
