Francisco asks:
I am investigating to see if there is a way you can see which transport rules are being applied to a certain message. The delivery report does not show it, and I have not found any cmdlet that helps, nor any TechNet information about it. I think it might be important in certain circumstances to know it. Do you have any idea how to do this?
I can think of a few cases where this might be useful. For example, if a transport rule modifies a message property, or rejects a message, or causes a message to go to junk, then it would be useful to quickly find which rule or rules were applied to the message. For customers with just a few transport rules, there’s no real challenge here. But if your organization has hundreds of transport rules, then it gets a bit harder.
Fortunately, we can see which transport rules were applied to a message by using message tracking logs. Here’s a very basic example. In this scenario, Alan has sent an email to Alannah.
When it arrives in Alannah’s mailbox, the subject line has been (rather clumsily) modified.
So, what can the message tracking logs tell us? First, I collect the message tracking log entries for the unique message ID. If you’re not sure how to do that step, I recommend reading my series on searching message tracking logs with PowerShell. Here’s the command I ran, if you’re curious.
[PS] C:\>$logs = Get-TransportServer | Get-MessageTrackingLog -MessageId "<a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>" -Start (Get-Date).AddDays(-1) -ResultSize Unlimited
Next, I sort the events by time stamp, and look at the EventId, Source, and MessageSubject fields (because we already know the message subject was modified).
[PS] C:\>$logs | Sort timestamp | Select eventid,source,messagesubject

EventId    Source       MessageSubject
-------    ------       --------------
RECEIVE    STOREDRIVER  This is an email from Alan
HARECEIVE  SMTP         This is an email from Alan
HAREDIRECT SMTP         This is an email from Alan
RECEIVE    SMTP         This is an email from Alan
SUBMIT     STOREDRIVER  This is an email from Alan
AGENTINFO  AGENT        Very Important MessageThis is an email from Alan
DELIVER    STOREDRIVER  Very Important MessageThis is an email from Alan
SEND       SMTP         Very Important MessageThis is an email from Alan
HADISCARD  SMTP         This is an email from Alan
We can clearly see that the AGENTINFO event is where the message subject was modified: the subject is unchanged through the SUBMIT event and carries the prepended text from AGENTINFO onwards. So, let's take a closer look at that message tracking log entry.
[PS] C:\>$logs | where {$_.eventid -eq "AGENTINFO"} | fl

RunspaceId              : 328245b3-31a5-4c0c-ac83-4f225b3c7be7
Timestamp               : 2/1/2016 8:45:50 PM
ClientIp                :
ClientHostname          : EX2016SRV1
ServerIp                :
ServerHostname          :
SourceContext           : CatContentConversion
ConnectorId             :
Source                  : AGENT
EventId                 : AGENTINFO
InternalMessageId       : 9680856285253
MessageId               : <a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>
Recipients              : {Alannah.Shaw@exchangeserverpro.net}
RecipientStatus         : {}
TotalBytes              : 7755
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Very Important MessageThis is an email from Alan
Sender                  : Alan.Reid@exchangeserverpro.net
ReturnPath              : Alan.Reid@exchangeserverpro.net
Directionality          : Originating
TenantId                :
OriginalClientIp        : 192.168.0.110
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               : {[AMA, SUM|v=0|action=|error=|atch=0], [AMA, EV|engine=M|v=0|sig=1.213.5104.0|name=|file=], [AMA, DT|ST=14|PT=0|TT=21.2478], [TRA, ETRI|MsgType=Undefined|Ex=|IsKnown=], [TRA, ETR|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|st=2/1/2016 10:42:04 AM|action=PrependSubject|sev=1|mode=Enforce], [TRA, ETRP|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|ExecW=38|ExecC=31], [CompCost, |AMA=0|ETR=0], [DeliveryPriority, Normal], [AccountForest, exchangeserverpro.net]}
In the EventData field there are some interesting clues. The [TRA, ETR|...] item written by the transport rule agent contains an "action=PrependSubject" and a "ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a", and its "mode=Enforce" matches the rule's Mode property, so you can also tell an enforced rule apart from one running in test mode. So which transport rule has that ID?
[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a

Name                  State    Mode     Priority  Comments
----                  -----    ----     --------  --------
From Alan to Alannah  Enabled  Enforce  0         ...
Super simple. We can see more about that rule as well.
[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a | select description | fl

Description : If the message:
              Is sent to 'Alannah.Shaw@exchangeserverpro.net'
              and Is received from 'Alan.Reid@exchangeserverpro.net'
              Take the following actions:
              Prepend the subject with 'Very Important Message'
So, that's one way to find a rule: use the message tracking logs to determine which rule ID was applied to the message. Another way we could have approached this is to search the transport rules for those whose description matches a criterion. In this case that criterion would be the action "Prepend the subject", or, to make it easier, just the word "prepend".
[PS] C:\>Get-TransportRule -Filter "Description -like '*prepend*'" | select name,description | fl

Name        : From Alan to Alannah
Description : If the message:
              Is sent to 'Alannah.Shaw@exchangeserverpro.net'
              and Is received from 'Alan.Reid@exchangeserverpro.net'
              Take the following actions:
              Prepend the subject with 'Very Important Message'
Obviously there are many more filters you could apply, such as "Description -like '*reject*'" or "Description -like '*alan.reid*'".
As you can see, there are a few different ways that you can look for which transport rule (or rules) has been applied to an email message.
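The steps above (collect AGENTINFO events, pull the ruleId out of the TRA/ETR item in EventData, and translate the ID into a rule name) can be turned into a reusable function, which is also what the bulk scan asked about in the comments below needs. The following is an added example written for this page, not code from the original post. It assumes the EventData layout shown in the log entry above ("[TRA, ETR|ruleId=...|action=...|mode=...]"), the function name Get-TransportRuleHit is an arbitrary choice, and the sample entries and the $ruleNames lookup table are constructed so that the script runs without an Exchange server; on a real server, pipe in Get-MessageTrackingLog output and resolve names with Get-TransportRule as shown in the trailing comment.

```powershell
# Added example, not from the original post. Parses the transport rule agent's
# ETR records out of AGENTINFO tracking log events and maps rule IDs to names.
# Assumed EventData format: [TRA, ETR|ruleId=<guid>|st=<time>|action=<action>|sev=<n>|mode=<mode>]

function Get-TransportRuleHit {
    [CmdletBinding()]
    param(
        # One Get-MessageTrackingLog entry (or any object with the same properties).
        [Parameter(Mandatory, ValueFromPipeline)]
        $Entry,
        # Optional: takes a rule ID, returns a name. Results are cached so a large
        # scan does not call the resolver once per message.
        [scriptblock]$ResolveRuleName
    )
    begin { $nameCache = @{} }
    process {
        # Only the agent event carries rule data. Entries with empty EventData
        # (as some commenters report seeing) simply produce no rows.
        if ($Entry.EventId -ne 'AGENTINFO' -or -not $Entry.EventData) { return }

        foreach ($item in $Entry.EventData) {
            # Live entries expose Key/Value pairs; the text view renders them as "[Key, Value]".
            if ($item.PSObject.Properties['Key']) {
                $key = $item.Key; $value = $item.Value
            } elseif ("$item" -match '^\[(?<k>[^,]+),\s*(?<v>.*)\]$') {
                $key = $Matches.k; $value = $Matches.v
            } else { continue }

            # Fields are pipe-delimited; the first field names the record type (ETR, ETRI, ETRP, ...).
            $fields = $value -split '\|'
            if ($key -ne 'TRA' -or $fields[0] -ne 'ETR') { continue }

            $data = @{}
            foreach ($field in ($fields | Select-Object -Skip 1)) {
                $k, $v = $field -split '=', 2
                $data[$k] = $v
            }
            $ruleId = $data['ruleId']
            if (-not $ruleId) { continue }

            if ($ResolveRuleName -and -not $nameCache.ContainsKey($ruleId)) {
                $nameCache[$ruleId] = & $ResolveRuleName $ruleId
            }

            [pscustomobject]@{
                Timestamp  = $Entry.Timestamp
                MessageId  = $Entry.MessageId
                Sender     = $Entry.Sender
                Recipients = ($Entry.Recipients -join ';')
                RuleId     = $ruleId
                RuleName   = $nameCache[$ruleId]   # $null if no resolver or the rule no longer exists
                Action     = $data['action']
                Mode       = $data['mode']
                Severity   = $data['sev']
            }
        }
    }
}

# Constructed sample entries in the shape of Get-MessageTrackingLog output (not real log data).
$sampleRuleId = '1f56ba43-1cb9-4293-b24d-5e263a75fc8a'   # the ID from the log entry above
$sample = @(
    [pscustomobject]@{
        Timestamp  = Get-Date '2016-02-01 20:45:50'; EventId = 'AGENTINFO'; Source = 'AGENT'
        MessageId  = '<a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>'
        Sender     = 'Alan.Reid@exchangeserverpro.net'
        Recipients = @('Alannah.Shaw@exchangeserverpro.net')
        EventData  = @(
            [pscustomobject]@{ Key = 'AMA'; Value = 'SUM|v=0|action=|error=|atch=0' }
            [pscustomobject]@{ Key = 'TRA'; Value = 'ETRI|MsgType=Undefined|Ex=|IsKnown=' }
            [pscustomobject]@{ Key = 'TRA'; Value = "ETR|ruleId=$sampleRuleId|st=2/1/2016 10:42:04 AM|action=PrependSubject|sev=1|mode=Enforce" }
            [pscustomobject]@{ Key = 'TRA'; Value = "ETRP|ruleId=$sampleRuleId|ExecW=38|ExecC=31" }
        )
    }
    # A non-agent event and an AGENTINFO event with blank EventData: both yield no rows.
    [pscustomobject]@{ Timestamp = Get-Date; EventId = 'DELIVER';   Source = 'STOREDRIVER'; MessageId = '<x@example.invalid>'; Sender = ''; Recipients = @(); EventData = @() }
    [pscustomobject]@{ Timestamp = Get-Date; EventId = 'AGENTINFO'; Source = 'AGENT';       MessageId = '<y@example.invalid>'; Sender = ''; Recipients = @(); EventData = $null }
)

# Offline stand-in for Get-TransportRule (constructed lookup table).
$ruleNames = @{ $sampleRuleId = 'From Alan to Alannah' }
$sample | Get-TransportRuleHit -ResolveRuleName { param($id) $ruleNames[$id] } |
    Format-Table Timestamp, RuleName, Action, Mode, Sender -AutoSize

# On an Exchange server: one day of rule hits across all transport servers, counted per rule.
# Get-TransportServer | Get-MessageTrackingLog -EventId AGENTINFO -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
#     Get-TransportRuleHit -ResolveRuleName { param($id) (Get-TransportRule -Identity $id -ErrorAction SilentlyContinue).Name } |
#     Group-Object RuleId, RuleName | Sort-Object Count -Descending
```

Filtering on -EventId AGENTINFO at the Get-MessageTrackingLog stage keeps the scan cheap, and caching the name lookup matters when hundreds of rules are hit by thousands of messages. A rule that has since been deleted still shows up by ID with an empty RuleName, which is itself useful when investigating a change that was made and then rolled back.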
You are a legend, Paul. I still see your posts and use them occasionally. It is very sad that we no longer see your contributions. God bless you; you are a true legend for the Exchange community.
Where would we find the specific action taken by a particular rule? For example, there is a transport rule which is configured to “prepend a disclaimer” into a message, but if the disclaimer cannot prepend for any reason (such as email formatting which prevents the prepend action), and the rule instead has to either ignore or wrap, where would we find the rule action taken? We’d like to be able to report on whether a rule took a wrap action instead of prepending the disclaimer but I’m not finding the specific action in the logs.
Can something similar to this be performed in Exchange Online?
Message Trace will typically tell you which Rule(s) applied. If you have multiple conditions in the Rule it won’t tell you which of those were triggered though.
There is no information in EventData; it is blank, but "SourceContext : Transport Rule Agent" is showing there. What can I do?
Is there any way to tell via the message tracking logs if Inbox Rules are causing emails that have been delivered not to be visible?
Hi gents,
Is there any way we can do this investigation in Exchange 2016?
Really helpful post, thanks for sharing 🙂
nice.
But this is assuming the rejection came from a transport rule. In our case, we used AD, and for that you can't find out which AD object blocked or rejected the email unless you are familiar with it or are the person who created that block using AD.
Hi Paul,
What if a user placed a rule that all sent emails would go to another email address and not go to the sent emails folder? How could you then check the rule for an email that is in fact not there?
Thank you for this useful information. It was just what I was looking for.
The one that you posted, "[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a", only works for the specific message ID, but is there any way to track every message on the server together with the transport rule?
Yes. You’ll need to come up with a PowerShell command or script that loops through every message you’re interested in and checks for a rule ID, and then translates that rule ID into the rule name.
Thanks for the reply. I did try piping Get-TransportRule into Get-MessageTrackingLog with every possible parameter, but still couldn't get it to work. Do these commands work well together?
It’s not going to be as simple as piping one to the other. You’ll need to write a proper script.
On our Exchange 2013 configuration, the Transport Rules do not show an Identity or Name in EventData so I still cannot identify using the Transport Log data which rule it is. I know which rule it is but I want to see all instances where that rule was triggered and export the relevant data.
I have also tried on Exchange 2010, but did not find the 'AGENTINFO' Event ID. I only have RECEIVE, EXPAND, HAREDIRECT, SUBMIT, DEFER and DELIVER. My issue is that a user is sending email to a DL and the email did not get delivered to the members. I opened the delivery report and found the error "The message was rejected by a rule set at the organization level. For more information, check your organization's Transport rules." I have checked the rules but did not find any relevant rule. Please suggest.
Hello Paul,
I tried this in an Exchange 2007 environment, but I could not find the 'AGENTINFO' Event ID. I can only see an Event ID of 'FAIL'. Does this article apply to Exchange 2007 too?
Kind Regards
Rana