With the Get-MessageTrace PowerShell cmdlet, you can view information on each mail sent and received in Exchange Online in the last 10 days. You can also export information about all incoming and outgoing mails saved in Exchange Online. In this article, you will learn how to use the Exchange Online PowerShell Get-MessageTrace cmdlet.
Table of contents
- Exchange Online message trace
- Connect to Exchange Online PowerShell
- Get-MessageTrace PowerShell cmdlet
- Get-MessageTrace data in specific date range
- Get-MessageTrace clean results
- Get-MessageTrace combined with Group-Object results
- Get-MessageTrace of emails sent from specific sender
- Get-MessageTrace of emails sent to specific recipient
- Get-MessageTrace of emails with specific status
- Get-MessageTrace of emails with specific subject
- Get-MessageTrace filters results by source or destination IP address
- Extend Page or PageSize number results
- Use MessageTraceDetail on specific mail
- Export Get-MessageTrace results to file
- Conclusion
Exchange Online message trace
In an Exchange Online (Microsoft 365) based environment, Exchange Online registers every incoming and outgoing mail.
There are two ways to view information on mail sent and received:
- Exchange admin center
- Exchange Online PowerShell
In this article, we will only use Exchange Online PowerShell and go through the PowerShell commands Get-MessageTrace and Get-MessageTraceDetail to query and export messages data.
Let’s start listing the advantages and disadvantages of the Get-MessageTrace PowerShell command.
Advantage:
- To view and export information of Exchange Online messages.
- Quickly and effectively retrieve information about messages registered in Exchange Online.
Disadvantages:
- You can obtain information from the Exchange Online server within a maximum time range of 10 days. Exchange Online saves mail information for a period of 90 days, but you can’t fetch information that exceeds 10 days.
- The information you can display on the PowerShell console or export to a file is very basic information that doesn’t include detailed information about the specific mail.
Note: Use the Get-MessageTraceDetail PowerShell cmdlet to get additional information for the last 10 days. However, the information is still basic, and the results are returned less quickly.
If you require information about a mail older than 10 days, use the PowerShell command Get-HistoricalSearch. Especially when searching for detailed information about a specific mail registered in Exchange Online.
Connect to Exchange Online PowerShell
To be able to run the PowerShell commands, you need to run Windows PowerShell as administrator and connect to Exchange Online PowerShell.
Connect-ExchangeOnlineAfter you connect, proceed to the next step.
Get-MessageTrace PowerShell cmdlet
The Get-MessageTrace PowerShell cmdlet can trace messages in Exchange Online.
The date range is an essential component when using the Get-MessageTrace PowerShell cmdlet. We will also show various types of examples to the user of Get-MessageTrace with different parameters and filters such as sender, recipient, subject, IP address, and more.
Date range
The most essential building block is the date range. Therefore it’s best to use a PowerShell parameter that defines the date range.
Note: When using the Get-MessageTrace command, you can only get data from the last 48 hours by default.
These PowerShell parameters define the required date range:
- StartDate
- EndDate
After we provide the information about the required date range, we can add additional blocks that help us to filter or narrow the search results.
We will show you some examples to narrow the search results:
- Get information about mails related to emails sent from a specific sender or to a specific recipient.
- Get information about mails related to emails with a specific subject or a specific status.
Sender vs. Recipient
In many scenarios, we filter or narrow the Get-MessageTrace PowerShell command result by adding filter parameters.
The filter parameters sender and recipient can be confusing, so it’s important to clarify the meaning of these terms.
- Sender: The person that sends the email message.
- Recipient: The person that receives the email message. It is related to the destination entity to which the email was sent.
The below picture shows an example of when Bob sends an email to Adele. Bob is defined as the sender (SenderAddress), and Adele is the recipient (RecipientAddress).
If you want to get information about all the available PowerShell parameters when using the Get-MessageTrace cmdlet, you can use the Get-Member PowerShell command in the next step.
Use Get-MessageTrace PowerShell command
Run the below PowerShell command example.
Get-MessageTrace | Get-MemberYou will get the below PowerShell output example. Look at the different parameters listed under Name.
PS C:\> Get-MessageTrace | Get-Member
TypeName: Deserialized.Microsoft.Exchange.Management.FfoReporting.MessageTrace
Name MemberType Definition
---- ---------- ----------
GetType Method type GetType()
ToString Method string ToString(), string ToString(string format, System.IFormatProvider formatProvider), string IFormattable.ToString(string format, System.IFormatProvider formatPro...
EndDate Property System.DateTime {get;set;}
FromIP Property System.String {get;set;}
Index Property System.Int32 {get;set;}
MessageId Property System.String {get;set;}
MessageTraceId Property System.Guid {get;set;}
Organization Property System.String {get;set;}
Received Property System.DateTime {get;set;}
RecipientAddress Property System.String {get;set;}
SenderAddress Property System.String {get;set;}
Size Property System.Int32 {get;set;}
StartDate Property System.DateTime {get;set;}
Status Property System.String {get;set;}
Subject Property System.String {get;set;}
ToIP Property {get;set;} Run the PowerShell cmdlet Get-MessageTrace without parameters to show data from the last 48 hours.
Get-MessageTracePowerShell output result.
PS C:\> Get-MessageTrace
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
15/06/2023 11.54.24 info4@dienglg.top stephen.hunter@m365info.com If you need paper notebook,Im here for you FilteredAsSpam
14/06/2023 11.22.44 Office365Reports@microsoft.com msadmin@m365info.com Your requested Report Amanda is now available Delivered
14/06/2023 10.01.30 ms-noreply@microsoft.com msadmin@m365info.com Get the latest Office apps Delivered
14/06/2023 08.56.40 postmaster@m365info.com office365reports@microsoft.com Undeliverable: Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
14/06/2023 08.56.39 Office365Reports@microsoft.com msadmin@m365info.com Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
14/06/2023 01.57.05 beata@defenderarchitect.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpamTo get the data of the last 10 days, proceed to the next step.
Set specific date range
As mentioned, the most basic building block when using the Get-MessageTrace command is the required date range.
The date range is the space between the start date and the end date.
Look at the below Powershell syntax example.
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy>Exchange Online shows the information with a start date of a maximum of 10 days.
Get-MessageTrace -StartDate 04/01/2023 -EndDate 06/01/2023If you type a start date older than 10 days from today or a date range greater than 10 days, you will get the following error.
PS C:\> Get-MessageTrace -StartDate "05/01/2023" -EndDate "05/10/2023"
Write-ErrorMessage : |Microsoft.Exchange.Management.Tasks.ValidationException|Invalid
StartDate value. The StartDate can't be older than 10 days from today.
At C:\AppData\Local\Temp\tmpEXO_ewmxedgo.0pb\tmpEXO_ewmxedgo.0pb.psm1:1120
char:13
+ Write-ErrorMessage $ErrorObject
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-MessageTrace], ValidationException
+ FullyQualifiedErrorId : [Server=DB9PR02MB7211,RequestId=60294da4-119d-8a23-c31c-d9a9895
70a3a,TimeStamp=Wed, 07 Jun 2023 20:28:34 GMT],Write-ErrorMessageNote: You will get an error if the StartDate is older than 10 days from today. Also, the date range between the StartDate and EndDate may not exceed 10 days.
When using the Get-MessageTrace command, there are two major syntax methods that we can use for defining the date range.
- Manually type the specific dates (Start-Date and End-Date) in the format month, day, and year (mm/dd/yyyy).
- Or use the PowerShell cmdlet Get-Date.
The second method which we prefer to use is the PowerShell function Get-Date.
As the name implies, the Get-Date PowerShell cmdlet will fetch the information about the current date and time. The information includes the second, minute, hour, day, month, and year.
When using the Get-MessageTrace cmdlet, the Get-Date PowerShell function defines the End-Date. You can define the Start-Date by using time units such as AddHours or AddDays and subtracting them from the current date.
In the following example, we define a date range of 10 days using the time unit AddDays and the value (-10).
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -Enddate (Get-Date)This syntax tells PowerShell that we want to define a date calculated by subtracting 10 days from the current time we get from the Get-Date PowerShell cmdlet.
Get-MessageTrace data in specific date range
Get information about sent or received emails in a specific date range. Specify the dates by manually typing the StartDate and EndDate.
Run the below PowerShell command example.
Get-MessageTrace -StartDate 06/05/2023 -EndDate 06/10/2023PowerShell output example.
PS C:\2> Get-MessageTrace -StartDate 06/05/2023 -EndDate 06/10/2023
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
09/06/2023 10.13.47 susanbernard@gmail.com amanda.hansen@m365info.com This is a test Delivered
09/06/2023 10.04.16 susanbernard@gmail.com stephen.hunter@m365info.com Re: Test Delivered
09/06/2023 10.01.37 Stephen.Hunter@m365info.com susanbernard@gmail.com Test Delivered
09/06/2023 09.58.06 Amanda.Hansen@m365info.com stephen.hunter@m365info.com RE: Available Delivered
09/06/2023 09.56.06 Stephen.Hunter@m365info.com amanda.hansen@m365info.com Available Delivered
07/06/2023 21.15.32 6157142326@pcdcva.onmicrosoft.com projectpool11@m365info.com All parties have Completed: Please DocuSign`M365info FilteredAsSpam
07/06/2023 12.32.00 631752352@pcdcva.onmicrosoft.com chris.lucas@m365info.com All parties have Completed: Please DocuSign:`chris.lucas@m365info.com FilteredAsSpam
07/06/2023 06.55.21 6556232315@pcdcva.onmicrosoft.com amanda.hansen@m365info.com All parties have Completed: Please DocuSign: M365info` FilteredAsSpam
06/06/2023 21.30.03 6296142354@netorgft3171689.onmicrosoft.com projector8@m365info.com Approved: Completed: Please DocuSign: M365info` FilteredAsSpam
06/06/2023 20.34.22 susanbernard@gmail.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpam
06/06/2023 20.25.41 susanbernard@gmail.com stephen.hunter@m365info.com Just a test! Delivered
06/06/2023 19.22.32 6226122326@netorgft3171689.onmicrosoft.com diana.baker@m365info.com Completed: Please DocuSign - M365info 06/06/2023 12:22` FilteredAsSpam
05/06/2023 17.36.04 juliannaroland73@gmail.com kellytest@m365info.com Good Day Beloved, FilteredAsSpam
05/06/2023 14.29.22 629572315@netorgft3171689.onmicrosoft.com chris.lucas@m365info.com Your document has been Completed: Please DocuSign: chris.lucas@m365info.com` FilteredAsSpamNote: The time zone in Microsoft will be in Universal Time Coordinated (UTC). For example, the Central Standard Time (CST) is 5 hours behind UTC. So if an email were sent at 8:00 AM CST, it would show up as 13:00 PM. To ensure getting all messages of a specific date range with message trace, add or subtract the hours, depending on varying time zones of the Exchange server location and the user’s mailbox.
Next, we would like to show examples where we use the Get-Date PowerShell cmdlet as a baseline and add PowerShell time units such as AddHours, AddDays, and AddMinutes.
Get-MessageTrace data in last x minutes
Get information about sent and received emails in the last x minutes. We will show you an example of all Exchange email messages sent and received in the last 30 minutes.
Run the below PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddMinutes(-30) -EndDate (Get-Date)It will get Exchange Online mail information for the last 30 minutes.
PowerShell output example.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddMinutes(-30) -EndDate (Get-Date)
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك DeliveredNote: You may not exceed the time limit of 10 days. An error occurs when you type the number 15840 and above for AddMinutes.
Get-MessageTrace data in last x hours
Get information about sent and received emails in the last x hours. The example will display all Exchange email messages sent and received in the last 30 hours.
PowerShell command example:
Get-MessageTrace -StartDate (Get-Date).AddHours(-30) -EndDate (Get-Date)It will get Exchange Online mail information for the last 30 hours.
Powershell output example:
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddHours(-30) -EndDate (Get-Date)
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
15/06/2023 11.54.24 info4@dienglg.top stephen.hunter@m365info.com If you need paper notebook,Im here for you FilteredAsSpamNote: You can’t exceed the time limit of 10 days, or you will get an error. Keep the number of Addhours below 264.
Get-MessageTrace data in the x days
Get information about sent and received emails in the last x days. You can display all Exchange email messages sent and received up to the last 10 days.
Run the PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)Note: Remember that you can’t exceed the time limit of maximum 10 days.
Date range using variables
If you want to avoid typing long and complex date values, you can use a method where you define the date range using variables.
The variables we define will contain the required date range. The Get-MessageTrace cmdlet defines the date range by using the variables defined in the previous step.
Use the below PowerShell variables.
$DateEnd = Get-Date
$DateStart = $DateEnd.AddHours(-30)
Get-MessageTrace -StartDate $DateStart -EndDate $DateEndPowerShell output example.
PS C:\> $DateEnd = Get-Date
$DateStart = $DateEnd.AddHours(-30)
Get-MessageTrace -StartDate $DateStart -EndDate $DateEnd
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
15/06/2023 11.54.24 info4@dienglg.top stephen.hunter@m365info.com If you need paper notebook,Im here for you FilteredAsSpamGet-MessageTrace clean results
When we use the Get-MessageTrace PowerShell cmdlet in Exchange Online without a specific filter, the output includes unnecessary information about systems and internal Exchange Online mail messages.
In the following example, we can see information about system emails irrelevant to our search.
PowerShell output example.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-5) -EndDate (Get-Date)
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
15/06/2023 11.54.24 info4@dienglg.top stephen.hunter@m365info.com If you need paper notebook,Im here for you FilteredAsSpam
14/06/2023 11.22.44 Office365Reports@microsoft.com msadmin@m365info.com Your requested Report Amanda is now available Delivered
14/06/2023 10.01.30 ms-noreply@microsoft.com msadmin@m365info.com Get the latest Office apps Delivered
14/06/2023 08.56.40 postmaster@m365info.com office365reports@microsoft.com Undeliverable: Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
14/06/2023 08.56.39 Office365Reports@microsoft.com msadmin@m365info.com Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
14/06/2023 01.57.05 beata@defenderarchitect.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpam
13/06/2023 07.22.03 info8@dupiist.top stephen.hunter@m365info.com Professional Notebook manufacturer in China Delivered
12/06/2023 20.08.19 ocampofer18@gmail.com stephen.hunter@m365info.com Prueba FilteredAsSpam
12/06/2023 14.24.28 ryan.przybyl@hds-rx.com stephen.hunter@m365info.com spam filter test FilteredAsSpamSuppose we want to clean the search result by removing the information about the system emails. In that case, we will add filters that will ignore specific emails.
Run the below PowerShell example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-5) -EndDate (Get-Date) | Where {$_.SenderAddress -notlike '*microsoft.com*' -and $_.SenderAddress -notlike '*root' }In our example, we want to remove all the Sender Address emails with the word *microsoft.com* or a word that ends with *top.
PowerShell output example.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-5) -EndDate (Get-Date) | Where {$_.SenderAddress -notlike '*microsoft.com*' -and $_.SenderAddress -notlike '*top' }
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
14/06/2023 08.56.40 postmaster@m365info.com office365reports@microsoft.com Undeliverable: Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
14/06/2023 01.57.05 beata@defenderarchitect.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpam
12/06/2023 20.08.19 ocampofer18@gmail.com stephen.hunter@m365info.com Prueba FilteredAsSpam
12/06/2023 14.24.28 ryan.przybyl@hds-rx.com stephen.hunter@m365info.com spam filter test FilteredAsSpamGet-MessageTrace combined with Group-Object results
In some scenarios, we are not looking for information about specific email messages but rather a high-level view of mails performed by a specific sender or recipient within a specific date range.
By using the PowerShell cmdlet Group-Object in addition to the Get-MessageTrace, we can get this high-level view of emails.
Note: The Group-Object cmdlet helps us to group information about a specific property and enables us to count the number of instances in each group.
Get information about most active organization senders
In the following example, we want to accomplish the following requirements:
- We want to get information about the emails sent from all senders in the last 10 days.
- We want to present the results grouped by each of the senders.
- We want to count the number of email messages sent by each sender.
- We want to present the results in descending order to view the users who sent the most mail items at the top.
To get the required information, we use the Group-Object cmdlet that performs three tasks:
- Group the results by relating to the property SenderAddress.
- Count the results for each sender (the number of mail items a specific sender sent).
- Order the information presented in the Count column in descending order.
Use the PowerShell command Group-Object syntax to sort the most active organization sender.
Group-Object -Property SenderAddress | Select Name,Count | Sort Count -DescendingRun the PowerShell command example Get-MessageTrace in combination with Group-Object.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Group-Object -Property SenderAddress | Select Name,Count | Sort Count -DescendingDisplay information about the number of mail items (Count) accepted from specific senders (Name). The user with the most emails will be shown above.
The PowerShell output example.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Group-Object -Property SenderAddress | Select Name,Count | Sort Count -Descending
Name Count
---- -----
susanbernard@gmail.com 4
Stephen.Hunter@m365info.com 3
Amanda.Hansen@m365info.com 2
Office365Reports@microsoft.com 2
info4@dienglg.top 1
ms-noreply@microsoft.com 1Get information about most popular organization recipients
In the example below, we want to accomplish the following requirements:
- We want to retrieve information about each email received by our users (or sent to our users) within the last 10 days.
- We want to present the results grouped by each recipient (RecipientAddress).
- We want to count the number of email messages that each recipient sent.
- We want to present the results in descending order. It displays the users who send the largest number of mail items, which are the most active recipients.
To get the required information, we use the Group-Object cmdlet that performs three tasks:
- Group the results by relating to the property (RecipientAddress).
- Count the results for each recipient (the number of mail items sent to the specific recipient).
- Order the information presented in the count column in descending order.
Use the PowerShell command Group-Object syntax to sort the most popular organization recipients.
Group-Object -Property RecipientAddress | Select Name,Count | Sort Count -DescendingRun the PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Group-Object -Property RecipientAddress | Select Name,Count | Sort Count -DescendingIt displays the number of mail items (Count) received by recipients (Name).
PowerShell output example.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Group-Object -Property RecipientAddress | Select Name,Count | Sort Count -Descending
Name Count
---- -----
stephen.hunter@m365info.com 10
amanda.hansen@m365info.com 4
msadmin@m365info.com 3
office365reports@microsoft.com 1
susanbernard@gmail.com 1
projectpool11@m365info.com 1
chris.lucas@m365info.com 1
projector8@m365info.com 1
diana.baker@m365info.com 1Get-MessageTrace of emails sent from specific sender
A specific sender is an organization user who sends emails to other recipients (internal & external)
Use the PowerShell parameter -SenderAddress, to obtain information about emails sent by a specific sender address.
To retrieve information about emails sent by a specific sender, you can use the following PowerShell command syntax.
Get-MessageTrace -SenderAddress <Sender Email address>PowerShell command example.
Get-MessageTrace -SenderAddress Amanda.Hansen@m365info.comNote: If you can’t see any results, no emails were sent from this user in the last 48 hours. By default, the Get-MessageTrace only shows data from the last 48 hours.
To get information about a specific sender in the last x days, you need to add parameters.
PowerShell command syntax.
Get-MessageTrace -StartDate (Get-Date).AddDays(-x) -EndDate (Get-Date) -SenderAddress <Sender Email address>Run the below PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress Amanda.Hansen@m365info.comPowerShell result of a specific sender in the last 10 days.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress Amanda.Hansen@m365info.com
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
09/06/2023 09.58.06 Amanda.Hansen@m365info.com stephen.hunter@m365info.com RE: Available DeliveredYou can also display the number of email messages sent by a specific sender.
Get information about the number of emails (Count) sent by a specific sender within the last x days.
For this example, we will add the Group-Object cmdlet for counting the number of email messages sent by a specific sender.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress Amanda.Hansen@m365info.com | Group-Object -Property SenderAddress | Select Name,CountThe PowerShell result shows the count of emails sent by a user.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress Amanda.Hansen@m365info.com | Group-Object -Property SenderAddress | Select Name,Count
Name Count
---- -----
Amanda.Hansen@m365info.com 2Get information about emails sent by multiple senders with an email address that includes a specific domain name in the last x days.
PowerShell command syntax.
Get-MessageTrace -StartDate (Get-Date).AddDays(-x) -EndDate (Get-Date) -SenderAddress <*@Domain name>PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress *@m365info.comOur example displays information about all the emails sent by senders with the same domain name (m365info.com) for the last 10 days.
PowerShell output result.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress *@m365info.com
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
14/06/2023 08.56.40 postmaster@m365info.com office365reports@microsoft.com Undeliverable: Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
09/06/2023 10.01.37 Stephen.Hunter@m365info.com susanbernard@gmail.com Test Delivered
09/06/2023 09.58.06 Amanda.Hansen@m365info.com stephen.hunter@m365info.com RE: Available Delivered
09/06/2023 09.56.06 Stephen.Hunter@m365info.com amanda.hansen@m365info.com Available DeliveredExport email information sent from sender to CSV
Export information about emails sent from a specific sender to a file. You can create a dedicated file for each sender.
You can get information about all the mails performed by each sender that appears in Exchange Online.
The requirements that we need to fulfill include the following parts:
- Show information about all the senders who sent emails in the last 10 days.
- It saves and exports the information to a CSV (Comma Separated Value) file.
- It will create and export a dedicated CSV file for each of the senders. For example, if the sender is Amanda.Hansen@m365info.com, the dedicated CSV file created for “Amanda” will include information only for emails sent from Amanda.Hansen@m365info.com.
To get the required information, we will use a PowerShell ForEach statement:
- In the first phase, the ForEach statement will loop via the array of records in Exchange Online.
- In the second phase, we export the required information to a separate CSV file based on the sender identity.
PowerShell command example.
$AllSender = Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Group-Object -Property SenderAddress | Select Name
$AllSender = $AllSender.name
$ErrorActionPreference = "SilentlyContinue"
ForEach ($Sender in $AllSender) {
Get-MessageTrace -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date) -SenderAddress $Sender | Export-Csv "C:\temp\$sender.csv" –NoTypeInformation -Encoding UTF8
}Get-MessageTrace of emails sent to specific recipient
The -RecipientAddress parameter lets us get information about emails sent to specific recipients.
We want to show how to get information about (internal & external) emails sent to organization recipients.
See the below PowerShell syntax.
Get-MessageTrace -RecipientAddress <Recipient Email Address>Run the below PowerShell command example.
Get-MessageTrace -RecipientAddress Amanda.Hansen@m365info.comNote: If you can’t see any results, no emails were sent to this recipient user in the last 48 hours. By default, the Get-MessageTrace only shows data from the last 48 hours.
You can also see information about emails sent to a specific organization recipient in the last x days. But you need to add the parameters -StartDate and -EndDate.
PowerShell command syntax.
Get-MessageTrace -StartDate (Get-Date).AddDays(-x) -EndDate (Get-Date) -RecipientAddress <Recipient Email Address>Run the PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -RecipientAddress Amanda.Hansen@m365info.comPowerShell output example of emails sent to a specific organization recipient in the last 10 days.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -RecipientAddress Amanda.Hansen@m365info.com
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
09/06/2023 10.13.47 susanbernard@gmail.com amanda.hansen@m365info.com This is a test Delivered
09/06/2023 09.56.06 Stephen.Hunter@m365info.com amanda.hansen@m365info.com Available Delivered
07/06/2023 06.55.21 6556232315@pcdcva.onmicrosoft.com amanda.hansen@m365info.com All parties have Completed: Please DocuSign: M365info` FilteredAsSpamDisplay additional information about emails sent to a specific recipient in the last x days and count the number of emails.
For this example, we will add the Group-Object cmdlet for counting the number of emails sent to a specific recipient.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -RecipientAddress Amanda.Hansen@m365info.com | Group-Object -Property SenderAddress | Select Name,CountThe PowerShell output displays a list with email senders (Name) and the number of emails (Count) sent to the recipient (Amanda.Hansen@m365info.com).
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -RecipientAddress Amanda.Hansen@m365info.com | Group-Object -Property SenderAddress | Select Name,Count
Name Count
---- -----
Stephen.Hunter@m365info.com 2
susanbernard@gmail.com 1
6556232315@pcdcva.onmicrosoft.com 1See information about emails sent to a specific recipient that includes a specific domain name in their email address in the last x days.
PowerShell command syntax
Get-MessageTrace -StartDate (Get-Date).AddDays(-x) -EndDate (Get-Date) -RecipientAddress <*@Domain Name>In the following example, we want to get information about emails sent to all recipients with email addresses, including the domain name (m365info.com) in the last 10 days.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -RecipientAddress *@m365info.comOur example displays all the emails sent to recipients with the same domain name (m365info.com) for the last 10 days.
PowerShell output example.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -RecipientAddress *@m365info.com
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
15/06/2023 11.54.24 info4@dienglg.top stephen.hunter@m365info.com If you need paper notebook,Im here for you FilteredAsSpam
14/06/2023 11.22.44 Office365Reports@microsoft.com msadmin@m365info.com Your requested Report Amanda is now available Delivered
14/06/2023 10.01.30 ms-noreply@microsoft.com msadmin@m365info.com Get the latest Office apps Delivered
14/06/2023 08.56.39 Office365Reports@microsoft.com msadmin@m365info.com Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
14/06/2023 01.57.05 beata@defenderarchitect.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpam
13/06/2023 07.22.03 info8@dupiist.top stephen.hunter@m365info.com Professional Notebook manufacturer in China Delivered
12/06/2023 20.08.19 ocampofer18@gmail.com stephen.hunter@m365info.com Prueba FilteredAsSpam
12/06/2023 14.24.28 ryan.przybyl@hds-rx.com stephen.hunter@m365info.com spam filter test FilteredAsSpam
09/06/2023 10.13.47 susanbernard@gmail.com amanda.hansen@m365info.com This is a test Delivered
09/06/2023 10.04.16 susanbernard@gmail.com stephen.hunter@m365info.com Re: Test Delivered
09/06/2023 09.58.06 Amanda.Hansen@m365info.com stephen.hunter@m365info.com RE: Available Delivered
09/06/2023 09.56.06 Stephen.Hunter@m365info.com amanda.hansen@m365info.com Available Delivered
07/06/2023 21.15.32 6157142326@pcdcva.onmicrosoft.com projectpool11@m365info.com All parties have Completed: Please DocuSign`M365info FilteredAsSpam
07/06/2023 12.32.00 631752352@pcdcva.onmicrosoft.com chris.lucas@m365info.com All parties have Completed: Please DocuSign:`chris.lucas@m365info.com FilteredAsSpam
07/06/2023 06.55.21 6556232315@pcdcva.onmicrosoft.com amanda.hansen@m365info.com All parties have Completed: Please DocuSign: M365info` FilteredAsSpam
06/06/2023 21.30.03 6296142354@netorgft3171689.onmicrosoft.com projector8@m365info.com Approved: Completed: Please DocuSign: M365info` FilteredAsSpam
06/06/2023 20.34.22 susanbernard@gmail.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpam
06/06/2023 20.25.41 susanbernard@gmail.com stephen.hunter@m365info.com Just a test! Delivered
06/06/2023 19.22.32 6226122326@netorgft3171689.onmicrosoft.com diana.baker@m365info.com Completed: Please DocuSign - M365info 06/06/2023 12:22` FilteredAsSpamGet-MessageTrace of emails with specific status
The parameter -Status filters the results by the delivery status of the email. Valid values for this parameter are:
- None: The message has no delivery status because it was rejected or redirected to a different recipient.
- Failed: Message delivery was attempted but failed, or the message was filtered as spam or malware or by transport rules.
- Pending: Message delivery is underway or was deferred and is being retried.
- Delivered: The message was delivered to its destination.
- Expanded: There was no message delivery because the message was addressed to a distribution group, and the membership of the distribution was expanded.
Get information about sent or received emails with a specific status.
PowerShell command syntax.
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -Status <Status>Get information about sent or received emails with a specific status in the last x days
PowerShell command syntax
Get-MessageTrace -StartDate (Get-Date).AddDays(-x) -EndDate (Get-Date) -Status <Status>In the following example, we want to get information about incoming and outgoing emails with the -Status value Failed in the last 10 days.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -Status FailedThere is another optional syntax that we can use for getting information about emails with a specific status.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Where {$_.Status -eq "Failed"}The PowerShell output shows all emails with the Status value Failed.
PS C:\Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Where {$_.Status -eq "Failed"}
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
14/06/2023 08.56.40 postmaster@m365info.com office365reports@microsoft.com Undeliverable: Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available Failed
14/06/2023 08.56.39 Office365Reports@microsoft.com msadmin@m365info.com Your requested Message trace report - 2023-06-14T08:25:07.136Z is now available FailedExport information of emails with specific status to CSV
You can obtain information about the status of all emails sent and received within the past 10 days. Create a separate CSV file for each type of status.
The requirements that we need to fulfill include the following parts:
- It saves and exports the information we get from the Get-MessageTrace command to a CSV (Comma Separated Value) file.
- It will export a separate CSV file for each type of status; Delivered, Expanded, Failed, None, and Pending.
To fulfill this requirement, we will use a PowerShell ForEach statement.
- In the first phase, the ForEach statement will loop via the array of records in Exchange Online.
- In the second phase, we export the required information to a separate CSV file based on the specific mail status.
PowerShell command example.
$statuses = "None", "Failed", "Pending", "Delivered", "Expanded"
ForEach ($status in $statuses) {
Get-MessageTrace -StartDate (Get-Date).Adddays(-10) -EndDate (Get-Date) -Status $status | Export-Csv "C:\temp\$status.csv" –NoTypeInformation -Encoding UTF8
}Note: If there are no emails for a particular status, it will export an empty CSV file.
Display information regarding the number of mail items sent to Distribution Groups
In this example, we want to obtain information about email addresses sent to the Distribution Group. We use the specific status Expanded when looking for a Distribution Group. Whenever an email is sent to a Distribution Group, Exchange performs the expand operation. So we will Group the result and then Count the result.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -Status Expanded | Group-Object -Property RecipientAddress | Select Name,Count | Sort Count -DescendingNote: If no data exists for the status Expanded, the PowerShell output will show nothing.
Get-MessageTrace of emails with specific subject
The Get-MessageTrace variable $Subject lets us get information about emails that include a specific subject or a specific string in the mail subject.
Let’s obtain information about emails sent and received with a specific subject in the last x days.
PowerShell command syntax.
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> | Where {$_.Subject -like "*<string>*"}Run the below PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Where {$_.Subject -like "*test*"}Our PowerShell output example shows all the emails with the subject word *test* in the last 10 days.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Where {$_.Subject -like "*test*"}
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
14/06/2023 10.01.30 ms-noreply@microsoft.com msadmin@m365info.com Get the latest Office apps Delivered
14/06/2023 01.57.05 beata@defenderarchitect.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpam
12/06/2023 14.24.28 ryan.przybyl@hds-rx.com stephen.hunter@m365info.com spam filter test FilteredAsSpam
09/06/2023 10.13.47 susanbernard@gmail.com amanda.hansen@m365info.com This is a test Delivered
09/06/2023 10.04.16 susanbernard@gmail.com stephen.hunter@m365info.com Re: Test Delivered
09/06/2023 10.01.37 Stephen.Hunter@m365info.com susanbernard@gmail.com Test Delivered
06/06/2023 20.34.22 susanbernard@gmail.com stephen.hunter@m365info.com Test your Junk mail! FilteredAsSpam
06/06/2023 20.25.41 susanbernard@gmail.com stephen.hunter@m365info.com Just a test! Delivered Get-MessageTrace filters results by source or destination IP address
The IP address is the public IP address of the mail server that represents a specific domain name or specific recipient.
The Get-MessageTrace parameters -ToIP and -FromIP, allow us to retrieve information about emails sent from a specific IP address or sent to a specific IP address.
First, we will use the parameter -ToIP, which relates to the IP address of the mail server Exchange Online.
| Parameter | Description |
|---|---|
| ToIP | The ToIP parameter filters the results by the destination IP address. For outgoing messages, the value of ToIP is the public IP address in the resolved MX record for the destination domain. For incoming messages to Exchange Online, the value is blank. |
| FromIP | The FromIP parameter filters the results by the source IP address. For incoming messages, the value of FromIP is the public IP address of the SMTP email server that sent the message. |
ToIP – Get information about emails sent to the destination mail server with a specific IP address
Obtain information about emails sent to a mail server with a specific IP address.
PowerShell command syntax.
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -ToIP <IP address>In the following example, we want to obtain information about mail items sent in the last 10 days to a destination mail server with the IP address 10.0.0.2.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -ToIP 10.0.0.2FromIP – Obtain information about emails sent from a specific IP address
The Get-MessageTrace parameter -FromIP, allows us to retrieve information about emails sent from a specific IP address.
Retrieve information about emails received from a mail server with a specific IP address.
PowerShell command syntax.
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -FromIP <IP address>In the following example, we want to obtain information about mail items sent in the last 10 days by the mail server with the IP address 10.0.0.2.
PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).Adddays(-10) -EndDate (Get-Date) -FromIP 10.0.0.2PowerShell output result.
PS C:\> Get-MessageTrace -StartDate (Get-Date).Adddays(-10) -EndDate (Get-Date) -FromIP 80.71.142.100
Received Sender Address Recipient Address Subject Status
-------- -------------- ----------------- ------- ------
15/06/2023 19.45.30 Stephen.Hunter@m365info.com amanda.hansen@m365info.com RE: مرحبا كيف حالك Delivered
15/06/2023 19.42.43 Amanda.Hansen@m365info.com stephen.hunter@m365info.com مرحبا كيف حالك Delivered
09/06/2023 10.01.37 Stephen.Hunter@m365info.com susanbernard@gmail.com Test Delivered
09/06/2023 09.58.06 Amanda.Hansen@m365info.com stephen.hunter@m365info.com RE: Available Delivered
09/06/2023 09.56.06 Stephen.Hunter@m365info.com amanda.hansen@m365info.com Available DeliveredExtend Page or PageSize number results
When using the PowerShell command Get-MessageTrace to display information, there is a built-in limitation to the number of mails. The unit that specifies the displayed result limitation is called Page.
Note: By default, the Get-MessageTrace will only display 1 page. Each page unit includes 1,000 rows by default.
By default, the Get-MessageTrace command will display a maximum of 1,000 results, even though the search result includes more than 1,000 rows. Therefore we need to use a parameter that can help us to get a larger number of results.
Get-MessageTrace includes two parameters that relate to the subject of maximum displayed results:
| Parameter | Description |
|---|---|
| Page | The Page parameter specifies the page number of the results you want to view. Valid input for this parameter is an integer between 1 and 1000. The default value is 1. |
| PageSize | The PageSize parameter specifies the maximum number of entries per page. Valid input for this parameter is an integer between 1 and 5000. The default value is 1000. |
Extend default PageSize limitation
One way to extend the PageSize limit to 5,000.
PowerShell command syntax.
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -PageSize <number or records that each page includes>PowerShell command example.
Get-MessageTrace -StartDate (Get-Date).Adddays(-10) -EndDate (Get-Date) -PageSize 5000If you have 20 pages, you can use PowerShell to get information on a particular page number.
PowerShell command syntax.
Get-MessageTrace -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -Page <page number>Run the PowerShell command example to see the information on page number 5.
Get-MessageTrace -StartDate (Get-Date).Adddays(-10) -EndDate (Get-Date) -Page 5Use MessageTraceDetail on specific mail
As mentioned before, the Get-MessageTrace cmdlet provides us with basic information about a specific mail.
If we want more detailed information about a specific mail, we can add the PowerShell command Get-MessageTraceDetail.
We will add the MessageTraceDetail cmdlet to the original Get-MessageTrace command.
Note: Use the Get-MessageTraceDetail cmdlet to view the message trace event details for a specific message. These detailed results take more time than the Get-MessageTrace results.
Get message details for all sent and received emails in the last 3 days.
PowerShell command example:
Get-MessageTrace -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date) | Get-MessageTraceDetailYou have to wait a few minutes to see the results on the PowerShell console.
PowerShell output result.
PS C:\> Get-MessageTrace -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date) | Get-MessageTraceDetail
Date Event Detail
---- ----- ------
15/06/2023 11.54.24 Receive (with ext... Message received by: DU0PR02MB8289.eurprd02.prod.outlook.com. There was a delay of 1907 minutes prior to the message being received by Office 365.
15/06/2023 11.54.26 Spam No detail information available.
15/06/2023 11.54.27 Deliver The message was delivered to the Junk Email folder.
14/06/2023 11.22.44 Receive Message received by: DB3PR0202MB9154.eurprd02.prod.outlook.com using TLS1.2 with AES256
14/06/2023 11.22.45 Deliver The message was successfully delivered.
14/06/2023 10.01.31 Receive Message received by: DU0PR02MB8716.eurprd02.prod.outlook.com using TLS1.2 with AES256
14/06/2023 10.01.33 Deliver The message was successfully delivered.
14/06/2023 08.56.41 Drop Reason: [{LED=550 4.3.2 QUEUE.TransportAgent; message deleted by transport agent};{MSG=};{FQDN=};{IP=};{LRT=}]
14/06/2023 08.56.39 Receive Message received by: AS2PR02MB10153.eurprd02.prod.outlook.com using TLS1.2 with AES256
14/06/2023 08.56.40 Fail Reason: [{LED=550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient msadmin@m365info.com not found by SMTP address lookup};{MSG=};{FQDN=};{IP=};{LRT=}]
14/06/2023 01.57.06 Receive Message received by: DU0PR02MB8039.eurprd02.prod.outlook.com using TLS1.2 with AES256
14/06/2023 01.57.07 Spam No detail information available.
14/06/2023 01.57.08 Deliver The message was delivered to the Junk Email folder.
13/06/2023 07.22.04 Receive Message received by: GV1PR02MB7779.eurprd02.prod.outlook.com
13/06/2023 07.22.08 Deliver The message was successfully delivered. Next, we will show you how to export PowerShell information to a file.
Export Get-MessageTrace results to file
You can also export the information to a file format supported by PowerShell. PowerShell supports exporting output to the following file formats: Text, CSV, HTML, and XML.
When we export the command output to a file, we need to tell PowerShell the required format we want.
In addition to the PowerShell cmdlets that we use to define the specific file format, we can add a specific parameter that relates to the specific file format.
For example, when we wish to export PowerShell command output to a CSV (Comma Separated Value) file format, we can add additional parameters such as:
| Parameter | Description |
|---|---|
| -NoTypeInformation | Prevents to add unnecessary information to the CSV file. |
| -Encoding UTF8 | It ensures that non-English characters included in users or mailboxes can be exported across different systems, applications, and programming languages that support UTF-8 encoding |
1. Create file name and path
It is required to name the file you export with PowerShell. The additional part is to choose a directory path. The path parameter defines the location where we want to save the file, such as C:\temp.
However, the path parameter is not mandatory. If we don’t provide a specific path, PowerShell exports the file to the folder from which we run the PowerShell command.
Note: By default, the PowerShell command will not create a specific folder specified in the path.
2. Export to file type format
We will show the PowerShell syntax to export information to various file types.
To export information to a file format in PowerShell, you need these two parts:
- Type the Get PowerShell cmdlets that fetch specific information.
- Define the specific file format, the path, and the filename.
Look at the below PowerShell examples to export information in three file formats; Text, CSV, and HTML.
Export information to Text File
PowerShell command example
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Out-File "C:\Temp\All emails in the last month.TXT"Export information to CSV File
PowerShell command example
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Export-CSV "C:\Temp\All emails in the last month.CSV" –NoTypeInformation -Encoding UTF8Export information to HTML File
PowerShell command example
Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | ConvertTo-Html | Out-File "C:\Temp\All emails in the last month.HTML"Read more: Configure Catch all Mailbox in Microsoft 365 »
Conclusion
You learned how to use the Get-MessageTrace PowerShell cmdlet to view Exchange Online messages for up to 10 days old. It’s an excellent way to gather specific data from a time range and export to csv file.
Did you enjoy this article? You may also like Enable or disable Exchange ActiveSync mailboxes. Don’t forget to follow us and share this article.