MessageTraceDetail report

The MessageTraceDetail REST URI provides detailed information about the processing steps performed on email messages that have passed through the Office 365 system for the organization in the last 30 days. This report is typically used with the MessageTrace report to determine why a message wasn't delivered from the user as expected.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTraceDetail[?ODATA options]

The following fields can be specified in $select, $filter, and $orderby ODATA2 query options. All fields are returned if no $select option is provided.

Name

WCF Type*

EDM Type*

[In/Out]** Description

Example values

Added in service version

Action

string

None specified

[In/Out] Description of the action taken on the email message, if any. This field may be blank, or null if no action was performed. For information about valid Action values, see MailFilterList report.

SetSpamConfidenceLevel, RejectMessage

2013-V1

Data

string

None specified

[In/Out] Office 365 internal processing details, in URI-escaped XML. This information may be useful to Office 365 support to help you resolve mail-flow issues.

<root><MEP ... Name="ServerHostName" String="ADSF123ASDF"/></root>

2013-V1

Date

System.DateTime

Edm.DateTime

[In/Out] The date and time the message was detected as containing malware.

Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")

2013-V1

Detail

string

None specified

[In/Out] Description of the processing step performed. This information may be useful to Office 365 support to help you resolve mail-flow issues.

Message received by: ADSF123ASDF

2013-V1

EndDate

System.DateTime

Edm.DateTime

[In] This field is used to limit the report period. Use this field in a $filter query option to set the end date and time of the reporting period. If you supply EndDate in the $filter option, you must also supply StartDate.

Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")

2013-V1

Event

string

None specified

[In/Out] Short description of the processing step.

RECEIVE, FAIL

2013-V1

MessageId

string

None specified

[In/Out] The Internet MessageId header of the message, if one was supplied. This value can also be explicitly null.

If no ID was provided for the message, the report data will show <d:MessageId m:null="true" /> for Atom, and "MessageId":null for JSON

2013-V1

MessageTraceId

System.Guid

Edm.Guid

[In] An identifier used to obtain the detailed message-transfer trace information.

ae4ad8f6-7613-411c-e67e-08cfc740629

2013-V1

Organization

string

None specified

[In/Out] The fully qualified domain name that was processing the email.

example.onmicrosoft.com

2013-V1

RecipientAddress

string

None specified

[In] The SMTP email address of the user that the message was addressed to.

userone@example.onmicrosoft.com

2013-V1

SenderAddress

string

None specified

[In] The SMTP email address of the user the message was purportedly from. Because sender addresses are commonly spoofed in spam email, they are not considered completely reliable.

usertwo@example.onmicrosoft.com

2013-V1

StartDate

System.DateTime

Edm.DateTime

[In] This field is used to limit the report period. Use this field in a $filter query option to set the start date and time of the reporting period. If you provide a StartDate in the $filter option, you must also specify an EndDate.

Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")

2013-V1

*The WCF Type refers to the .NET Framework data type assigned to the field when you create a Windows Communication Foundation (WCF) Service Reference in Visual Studio. The EDM Type refers to the ADO.NET Entity Data Model (EDM) types returned in Atom-formatted reports.

**For information about [In/Out] indicators, see the "Input parameters and report output columns" section.

Each entry in the report includes several fields of metadata. For more information see Common metadata returned by the Office 365 Reporting web service.

The Date field indicates when the messages were handled by the Office 365 system, and are reported in the time zone of those servers.

This report provides summary information of messages that passed through the email system, for which more-detailed trace information is available. To obtain that detailed trace information, your application can use the MessageTraceDetail report. It is important that your application provide all of the following information to obtain the detailed trace information. For more information about tracing messages, see How to: Trace email messages in Office 365.

  • MessageTraceId GUID from the MessageTrace report output.

  • RecipientAddress that the message was sent to.

  • SenderAddress that the message came from.

  • StartDate and EndDate that identify the period during which the message was processed.

Using StartDate and EndDate

The StartDate and EndDate fields do not provide useful information in the report results, and are always set to 0001-01-01T00:00:00Z in the report output. They are intended to enable easy restriction of the reporting time window, and provide finer precision than would be available in a "daily" report.

This can be especially helpful, for example, when recording email-based denial-of-service attacks on an hourly basis. When using these fields, you must include both in the $filter option. They are both considered optional, but if you provide one, you have to provide the other. If the StartDate/EndDate pair are not provided in the query, the default reporting time period is the previous two weeks. The "Examples" section later in this topic shows how to use the StartDate and EndDate fields.

Unlike the MessageTrace summary report, these fields are always empty in this report (0001-01-01T00:00:00).

The following example request and response uses information from a MessageTrace report, and determines that the message was deleted because malware was detected inside it. The MessageTraceDetail report output shows three events: receiving the message, a message delivery failure, and then the message being deleted because it contained malware.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTraceDetail?
  $select=Action,Data,Date,Detail,EndDate,Event,Index,MessageId,MessageTraceId,Organization,
    RecipientAddress,SenderAddress,StartDate&
  $filter=MessageTraceId%20eq%20guid'4682e74e-a81a-4760-c35b-08cfd41eebc2'%20and%20
    RecipientAddress%20eq%20'usertwo@example.onmicrosoft.com'%20and%20
    SenderAddress%20eq%userone@example.com'%20and%20
    StartDate%20eq%20datetime'2013-02-08T00:00:00Z'%20and%20
    EndDate%20eq%20datetime'2013-02-09T00:00:00Z'&
  $format=Atom
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/" 
  xmlns="http://www.w3.org/2005/Atom" 
  xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
  xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <id>https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTraceDetail</id>
  <title type="text">MessageTraceDetail</title>
  <updated>2013-02-09T23:13:25Z</updated>
  <link rel="self" title="MessageTraceDetail" href="MessageTraceDetail" />
  <entry>
    <id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTraceDetail(0)</id>
    <category term="TenantReporting.MessageTraceDetail" 
      scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="MessageTraceDetail" href="MessageTraceDetail(0)" />
    <title />
    <updated>2013-02-09T23:13:25Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:Organization>example.onmicrosoft.com</d:Organization>
        <d:MessageId>&lt;8CFD41EEA339B87-1048-248A6@servername.organization.example.com&gt;</d:MessageId>
        <d:MessageTraceId m:type="Edm.Guid">4682e74e-a81a-4760-c35b-08cfd41eebc2</d:MessageTraceId>
        <d:Date m:type="Edm.DateTime">2013-02-08T14:22:55.937</d:Date>
        <d:Event>RECEIVE</d:Event>
        <d:Action m:null="true" />
        <d:Detail>Message received by: ADSF123ASDF</d:Detail>
        <d:Data>&lt;root&gt;&lt;MEP ... Name="ServerHostName" String="ADSF123ASDF"/&gt;&lt;/root&gt;</d:Data>
        <d:SenderAddress m:null="true" />
        <d:RecipientAddress m:null="true" />
        <d:StartDate m:type="Edm.DateTime">0001-01-01T00:00:00</d:StartDate>
        <d:EndDate m:type="Edm.DateTime">0001-01-01T00:00:00</d:EndDate>
        <d:Index m:type="Edm.Int32">0</d:Index>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTraceDetail(1)</id>
    <category term="TenantReporting.MessageTraceDetail" 
      scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="MessageTraceDetail" href="MessageTraceDetail(1)" />
    <title />
    <updated>2013-02-09T23:13:25Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:Organization>example.onmicrosoft.com</d:Organization>
        <d:MessageId>&lt;8CFD41EEA339B87-1048-248A6@servername.organization.example.com&gt;</d:MessageId>
        <d:MessageTraceId m:type="Edm.Guid">4682e74e-a81a-4760-c35b-08cfd41eebc2</d:MessageTraceId>
        <d:Date m:type="Edm.DateTime">2013-02-08T14:22:55.97</d:Date>
        <d:Event>FAIL</d:Event>
        <d:Action m:null="true" />
        <d:Detail>The message was not delivered.</d:Detail>
        <d:Data>&lt;root&gt;&lt;MEP Name="SourceContext" String="Malware Agent"/&gt;&lt;/root&gt;</d:Data>
        <d:SenderAddress m:null="true" />
        <d:RecipientAddress m:null="true" />
        <d:StartDate m:type="Edm.DateTime">0001-01-01T00:00:00</d:StartDate>
        <d:EndDate m:type="Edm.DateTime">0001-01-01T00:00:00</d:EndDate>
        <d:Index m:type="Edm.Int32">1</d:Index>
      </m:properties>
    </content>
  </entry>
  <entry>
    <id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTraceDetail(2)</id>
    <category term="TenantReporting.MessageTraceDetail" 
      scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="MessageTraceDetail" href="MessageTraceDetail(2)" />
    <title />
    <updated>2013-02-09T23:13:25Z</updated>
    <author>
      <name />
    </author>
    <content type="application/xml">
      <m:properties>
        <d:Organization>example.onmicrosoft.com</d:Organization>
        <d:MessageId>&lt;8CFD41EEA339B87-1048-248A6@servername.organization.example.com&gt;</d:MessageId>
        <d:MessageTraceId m:type="Edm.Guid">4682e74e-a81a-4760-c35b-08cfd41eebc2</d:MessageTraceId>
        <d:Date m:type="Edm.DateTime">2013-02-08T14:22:55.97</d:Date>
        <d:Event>Malware</d:Event>
        <d:Action>Delete message</d:Action>
        <d:Detail>Malware: EICAR_Test_File File: Message Body</d:Detail>
        <d:Data>&lt;root&gt;&lt;MEP ... String="Message Body"/&gt;&lt;/root&gt;</d:Data>
        <d:SenderAddress m:null="true" />
        <d:RecipientAddress m:null="true" />
        <d:StartDate m:type="Edm.DateTime">0001-01-01T00:00:00</d:StartDate>
        <d:EndDate m:type="Edm.DateTime">0001-01-01T00:00:00</d:EndDate>
        <d:Index m:type="Edm.Int32">2</d:Index>
      </m:properties>
    </content>
  </entry>
</feed>

The [In/Out] indicators in the fields table have the following meanings:

  • Fields marked [In] in the fields table are primarily intended for use in $filter=, $orderby=, and other query options that restrict which entries the report returns. Fields marked [In] in the fields table can be included in the $select= option, and they will appear in the report entries, but they will contain no useful data.

  • Fields marked [In/Out] in the fields table can be used in both the column selection ($select=) and entry restriction ($filter= and $orderby=) options. When you include one of these fields in the $select= option, it will appear in the report entries, and will contain useful data when it is available.

The MessageTrace report was introduced in Office 365 service version 2013-V1. For more information on versioning, see Versioning in the Office 365 Reporting web service

The MessageTraceDetail report returns the same information as the Get-MessageTraceDetail Windows PowerShell cmdlet.

The account you use to access the reports must have administrative permissions in the Office 365 organization. If the account can view this report in the Office 365 Control Panel, then the account has permissions to retrieve the data from the REST web service. This report requires the user to be assigned to the View-Only Recipients role. In the default Office 365 permissions structure, users with the following administrator permissions can access this report: billing administrator, global administrator, password administrator, service administrator, and user management administrator. For more information, see MailboxUsage report.

Information available in this report contains the exact date and time for each event. You can use any feasible time period and duration by including the StartDate and EndDate fields in the $filter option. Times are reported in the time zone of the server scanning the email.

The information for this report is available for a period of 30 days, or until the subscription is canceled.

Events may be delayed by up to 24 hours before they appear in a report.

Show:
© 2014 Microsoft