Francisco asks:

I am investigating to see if there is a way you can see which transport rules are applying to a certain message. The delivery report does not show it and I have not found any cmdlet that helps nor TechNet information about it. I think it might be important in certain circumstances to know it. Do you have any idea how to do this?

I can think of a few cases where this might be useful. For example, if a transport rule modifies a message property, or rejects a message, or causes a message to go to junk, then it would be useful to quickly find which rule or rules were applied to the message. For customers with just a few transport rules, there’s no real challenge here. But if your organization has hundreds of transport rules, then it gets a bit harder.

Fortunately, we can see which transport rules were applied to a message by using message tracking logs. Here’s a very basic example. In this scenario, Alan has sent an email to Alannah.

[Screenshot: transport-rule-detection-01]

When it arrives in Alannah’s mailbox, the subject line has been (rather clumsily) modified.

[Screenshot: transport-rule-detection-02]

So, what can the message tracking logs tell us? First, I collect the message tracking log entries for the unique message ID. If you’re not sure how to do that step, I recommend reading my series on searching message tracking logs with PowerShell. Here’s the command I ran, if you’re curious.

[PS] C:\>$logs = Get-TransportServer | Get-MessageTrackingLog -MessageId "<a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>" -Start (Get-Date).AddDays(-1) -ResultSize Unlimited

Next, I sort the events by time stamp, and look at the EventId, Source, and MessageSubject fields (because we already know the message subject was modified).

[PS] C:\>$logs | Sort timestamp | Select eventid,source,messagesubject

EventId    Source      MessageSubject
-------    ------      --------------
RECEIVE    STOREDRIVER This is an email from Alan
HARECEIVE  SMTP        This is an email from Alan
HAREDIRECT SMTP        This is an email from Alan
RECEIVE    SMTP        This is an email from Alan
SUBMIT     STOREDRIVER This is an email from Alan
AGENTINFO  AGENT       Very Important MessageThis is an email from Alan
DELIVER    STOREDRIVER Very Important MessageThis is an email from Alan
SEND       SMTP        Very Important MessageThis is an email from Alan
HADISCARD  SMTP        This is an email from Alan

We can clearly see that the AGENTINFO event is where the message subject was modified. So, let’s take a closer look at that message tracking log entry.

[PS] C:\>$logs | where {$_.eventid -eq "AGENTINFO"} | fl


RunspaceId              : 328245b3-31a5-4c0c-ac83-4f225b3c7be7
Timestamp               : 2/1/2016 8:45:50 PM
ClientIp                :
ClientHostname          : EX2016SRV1
ServerIp                :
ServerHostname          :
SourceContext           : CatContentConversion
ConnectorId             :
Source                  : AGENT
EventId                 : AGENTINFO
InternalMessageId       : 9680856285253
MessageId               : <a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>
Recipients              : {Alannah.Shaw@exchangeserverpro.net}
RecipientStatus         : {}
TotalBytes              : 7755
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Very Important MessageThis is an email from Alan
Sender                  : Alan.Reid@exchangeserverpro.net
ReturnPath              : Alan.Reid@exchangeserverpro.net
Directionality          : Originating
TenantId                :
OriginalClientIp        : 192.168.0.110
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               : {[AMA, SUM|v=0|action=|error=|atch=0], [AMA, EV|engine=M|v=0|sig=1.213.5104.0|name=|file=],
                          [AMA, DT|ST=14|PT=0|TT=21.2478], [TRA, ETRI|MsgType=Undefined|Ex=|IsKnown=], [TRA,
                          ETR|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|st=2/1/2016 10:42:04
                          AM|action=PrependSubject|sev=1|mode=Enforce], [TRA,
                          ETRP|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|ExecW=38|ExecC=31], [CompCost,
                          |AMA=0|ETR=0], [DeliveryPriority, Normal], [AccountForest, exchangeserverpro.net]}

In the EventData field there are some interesting clues: an “action=PrependSubject” and a “ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a”. So which transport rule has that ID?

[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a

Name                                         State    Mode        Priority Comments
----                                         -----    ----        -------- --------
From Alan to Alannah                         Enabled  Enforce     0        ...

Super simple. We can see more about that rule as well.

[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a | select description | fl


Description : If the message:
                  Is sent to 'Alannah.Shaw@exchangeserverpro.net'
                  and Is received from 'Alan.Reid@exchangeserverpro.net'
              Take the following actions:
                  Prepend the subject with 'Very Important Message'

So, that’s one way to find a rule: use the message tracking logs to determine which rule ID was applied to the message. Another way we could have approached this is to search the transport rules for those that match a criterion. In this case that criterion would be the action “Prepend the subject”, or to make it easier, just the word “prepend”.

[PS] C:\>Get-TransportRule -Filter "Description -like '*prepend*'" | select name,description | fl


Name        : From Alan to Alannah
Description : If the message:
                  Is sent to 'Alannah.Shaw@exchangeserverpro.net'
                  and Is received from 'Alan.Reid@exchangeserverpro.net'
              Take the following actions:
                  Prepend the subject with 'Very Important Message'

Obviously there are many more filters you could apply, such as "Description -like '*reject*'" or "Description -like '*alan.reid*'".

As you can see, there are a few different ways that you can look for which transport rule (or rules) has been applied to an email message.
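Pulling the ruleId and action out of EventData by hand is fine for one message. The following is an added example, not code from the original post: it wraps that same parsing in a function so the lookup can be run over every AGENTINFO event on all transport servers and summarised per rule, which goes beyond the single-message case above. It assumes the TRA/ETR EventData entries carry the pipe-delimited ruleId, action and mode tokens seen in the output above, that Get-TransportRule is available in the session, and the function name Get-AppliedTransportRule is my own.

```powershell
# Added example (not from the original post). Parses the TRA/ETR entries that the
# Transport Rule agent writes into EventData on AGENTINFO tracking log events.
function Get-AppliedTransportRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $LogEntry,
        [switch] $Resolve   # also look the rule name up with Get-TransportRule
    )
    process {
        if ($LogEntry.EventId -ne 'AGENTINFO') { return }
        # EventData is a collection of key/value pairs; a blank EventData simply yields nothing.
        foreach ($item in $LogEntry.EventData) {
            $key = $item.Key; $value = [string]$item.Value
            # Only TRA entries whose value starts with ETR| describe a rule that fired
            # (ETRI and ETRP entries are informational/perf data and are skipped).
            if ($key -ne 'TRA' -or $value -notlike 'ETR|*') { continue }
            $fields = @{}
            foreach ($token in $value.Split('|')) {
                $name, $val = $token -split '=', 2   # e.g. "action=PrependSubject"
                if ($null -ne $val) { $fields[$name] = $val }
            }
            $result = [pscustomobject]@{
                Timestamp = $LogEntry.Timestamp
                MessageId = $LogEntry.MessageId
                Sender    = $LogEntry.Sender
                RuleId    = $fields['ruleId']
                RuleName  = $null
                Action    = $fields['action']
                Mode      = $fields['mode']   # Enforce, Audit, etc.
            }
            if ($Resolve -and $fields['ruleId']) {
                $rule = Get-TransportRule -Identity $fields['ruleId'] -ErrorAction SilentlyContinue
                if ($rule) { $result.RuleName = $rule.Name }
            }
            $result
        }
    }
}

# Which rules touched the single message collected into $logs in the post:
$logs | Get-AppliedTransportRule -Resolve

# Every rule firing on all servers in the last day, counted per rule and action:
Get-TransportServer |
    Get-MessageTrackingLog -EventId AGENTINFO -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
    Get-AppliedTransportRule -Resolve |
    Group-Object RuleName, Action | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A rule that no longer exists still shows its RuleId with an empty RuleName, so deleted rules remain visible in the summary.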

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. hazem

    you are a legend Paul, I still see your posts and use them occasionally, it is very sad that we no longer see your contributions, god bless you, you are a true legend for Exchange community

  2. Phall

    Where would we find the specific action taken by a particular rule? For example, there is a transport rule which is configured to “prepend a disclaimer” into a message, but if the disclaimer cannot prepend for any reason (such as email formatting which prevents the prepend action), and the rule instead has to either ignore or wrap, where would we find the rule action taken? We’d like to be able to report on whether a rule took a wrap action instead of prepending the disclaimer but I’m not finding the specific action in the logs.

  3. Daniel

    Can something similar to this be performed in Exchange Online?

    1. Vance

      Message Trace will typically tell you which Rule(s) applied. If you have multiple conditions in the Rule it won’t tell you which of those were triggered though.

  4. Mailadmin

    No information in EventData. It is blank, but SourceContext : Transport Rule Agent is showing there. What can I do?

  5. Stuart

    Is there any way to tell via the message tracking logs if Inbox Rules are causing emails that have been delivered not to be visible?

  6. Zahari Zahariev

    Hi gents,

    Is there any way we can make this investigation in Exchange 2016?

  7. Marios

    Really helpful post, thanks for sharing 🙂

  8. badbanana

    nice.

    But this is assuming the rejection came from a transport rule. In our case, we used AD and for that you can’t find out which AD object blocked or rejected the email unless you are familiar or are the person who created that blocking using AD.

  9. Dave

    Hi Paul,
    What if a user placed a rule that all sent emails would go to another email address and not go to the sent emails folder? How could you then check the rule for an email that is in fact not there?

  10. Gilbert

    Thank you for this useful information. It was just what I was looking for.

  11. Edwin

    The one that you posted “[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a” is only working for the specific messageID, but is there any way to track every message in the server together with the transport rule?

      1. Edwin

        Thx for the reply. I did try with get-transportrule piping with get-messagetrackinglogs together with any possible parameter but still couldn’t get it to work. Are these commands working well together?

  12. David

    On our Exchange 2013 configuration, the Transport Rules do not show an Identity or Name in EventData so I still cannot identify using the Transport Log data which rule it is. I know which rule it is but I want to see all instances where that rule was triggered and export the relevant data.

  13. Sunny

    I have also tried on Exchange 2010, but did not find the ‘AGENTINFO’ Event ID. I only have Receive, Expand, HAREDIRECT, Submit, Defer and Deliver. My issue is that a user is sending email to a DL and the email did not deliver to members. I opened the Delivery report and found the error “The message was rejected by a rule set at the organization level. For more information, check your organization’s Transport rules.” I have checked the rules but did not find any relevant rule. Please suggest.

  14. rana

    Hello Paul,

    I tried this in an Exchange 2007 environment, but I could not find the ‘AGENTINFO’ Event ID. I can only see an Event ID ‘FAIL’. Does the article apply to Exchange 2007 too?

    Kind Regards
    Rana
