Searching Message Tracking Logs by Sender or Recipient Email Address

Continuing my series of tips on searching message tracking logs using PowerShell, in this article I will demonstrate a few techniques for searching logs based on sender or recipient email address.

The Get-MessageTrackingLog cmdlet provides two parameters for specifying sender and recipient email addresses as search criteria.

  • -Sender – a single SMTP address for the sender of the email message
  • -Recipients – one or more SMTP addresses for the recipients of the email message

Both parameters are optional, so if they are omitted the search will return all senders, all recipients, or all of both.

To demonstrate the use of these parameters, consider the following email message sent from Alan Reid to three recipients.

Searching Message Tracking Logs by Sender Email Address

Because I happen to have sent this test message within the last hour, it is easy to find by combining the -Sender parameter with the -Start parameter to search within a time/date range.

[PS] C:\>Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -Start (Get-Date).AddHours(-1)

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Payroll report for September
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September

However, if I were searching over a broader time range, I might see more results than I really want to see.

[PS] C:\>Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Descry turmoil deviance
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Impending abeyance recitals ba...
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Egress
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Presage visceral penurious
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Stipple voluble blatant stymie
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Inured
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Heinous mercurial
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Relapse smolder
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Meeting minutes
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Supine poignant
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Indigence denigrate swerve vig...
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Jocular
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Oblivious apropos condone savant
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Obdurate splice penitent
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Extenuate aplomb obtain eulogy
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Cursory cryptic rescind euphoria
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Lucubrate ruffian
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Indigence umbrage
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Emaciate valiant tractable
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Volatile fission cajole
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Concord legacy chisel fagged
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Egress reconcile contrite cred...
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Abstruse salacious constrict
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Unearth recreancy paucity
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                A meeting #1
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                A meeting #2
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Assuage foppish
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Clamor austere collusion
SUBMIT   STORE... Alan.Reid@exchangeserverpro.net   {}                                Waffle saturnine

...snip!

So in the case where I want to search a broader time window, but see fewer irrelevant results, I can combine the -Sender and -Recipients parameters in my search command.

Searching Message Tracking Logs by Recipient Email Address

It doesn’t matter whether the recipient was in the To, CC, or BCC of the message; the search will return any match regardless. Here the “Payroll report for September” email shown above is found even though Alex Heyne was one of several recipients and was in the CC field.

[PS] C:\>Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -Recipients alex.heyne@exchangeserverpro.net

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {Alex.Heyne@exchangeserverpro.... Payroll report for September

You can specify multiple recipient SMTP addresses simply by separating them with a comma. When you do this the condition is an “or”, not an “and”. In other words, any message addressed to any one of the recipients will be returned in the results; the messages do not need to have been sent to all of the recipients.

Here both the payroll email sent to Alex and David, as well as another email sent only to David, are returned in the same results.

[PS] C:\>Get-MessageTrackingLog -Sender Alan.Reid@exchangeserverpro.net -Recipients alex.heyne@exchangeserverpro.net,david.gower@exchangeserverpro.net

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {Alex.Heyne@exchangeserverpro.... Payroll report for September
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Payroll report for September
RECEIVE  SMTP     Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Also how about lunch?
DELIVER  STORE... Alan.Reid@exchangeserverpro.net   {David.Gower@exchangeserverpro... Also how about lunch?

Searching Message Tracking Logs for Wildcard Values or Partial Matches

Unfortunately, wildcard searches are not allowed with the -Sender and -Recipients parameters.

For example, this will return no results.

[PS] C:\>Get-MessageTrackingLog -Recipients *@gmail.com

However, you can use wildcards if you pipe the output of Get-MessageTrackingLog into Where-Object instead.

In this situation it is wise to limit the search to a specific date range for better performance. Or, if you do need to search the entire set of log files, remember to use “-Resultsize Unlimited”.

[PS] C:\>Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object {$_.recipients -like "*@gmail.com"}

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  STORE... Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
TRANSFER ROUTING  Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
SEND     SMTP     Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!

You can see that the wildcard is used with the -like comparison operator, but another technique is to use the -match comparison operator, which performs a regular expression match and so doesn’t require the wildcard character.

[PS] C:\>Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) | Where-Object {$_.recipients -match "gmail"}

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  STORE... Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
TRANSFER ROUTING  Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!
SEND     SMTP     Alan.Reid@exchangeserverpro.net   {exchangeserverpro@gmail.com}     Email to the internet!

The same use of Where-Object with -like or -match also applies to the sender email address.
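The Where-Object filtering described above, generalized into a reusable pipeline filter as an added example (not code from the original article). Select-TrackingRecipient is a hypothetical helper name and the sample entries are constructed; it anchors the match to the end of the address and emits one flat row per matching recipient, so the result exports cleanly to CSV.

```powershell
# Added example: Select-TrackingRecipient is a hypothetical helper, not an Exchange cmdlet.
# It accepts objects shaped like Get-MessageTrackingLog output.
function Select-TrackingRecipient {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Entry,
        [Parameter(Mandatory=$true)] [string] $Domain
    )
    begin {
        # Match "@<domain>" at the end of the address only. A bare -match "gmail"
        # would also hit addresses such as user@gmail.com.example.test.
        $pattern = '@' + [regex]::Escape($Domain) + '$'
    }
    process {
        # Recipients is a string array; emit one flat row per matching address.
        foreach ($rcpt in @($Entry.Recipients)) {
            if ($rcpt -match $pattern) {
                New-Object PSObject -Property @{
                    Timestamp = $Entry.Timestamp
                    EventId   = $Entry.EventId
                    Sender    = $Entry.Sender
                    Recipient = $rcpt
                    Subject   = $Entry.MessageSubject
                } | Select-Object Timestamp, EventId, Sender, Recipient, Subject
            }
        }
    }
}

# Constructed sample entries (not real log data).
$sample = @(
    New-Object PSObject -Property @{ Timestamp = [datetime]'2012-10-01 09:00'; EventId = 'SEND'
        Sender = 'Alan.Reid@exchangeserverpro.net'; MessageSubject = 'Email to the internet!'
        Recipients = @('exchangeserverpro@gmail.com', 'David.Gower@exchangeserverpro.net') }
    New-Object PSObject -Property @{ Timestamp = [datetime]'2012-10-01 09:05'; EventId = 'SEND'
        Sender = 'Alan.Reid@exchangeserverpro.net'; MessageSubject = 'Constructed look-alike'
        Recipients = @('user@gmail.com.example.test') }
)

# The look-alike address in the second entry does not satisfy the anchored pattern.
$sample | Select-TrackingRecipient -Domain 'gmail.com'

# Against live logs in the Exchange Management Shell:
# Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -EventId SEND -ResultSize Unlimited |
#     Select-TrackingRecipient -Domain 'gmail.com' | Export-Csv C:\export.csv -NoTypeInformation
```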

Summary

As you can see, the -Sender and -Recipients parameters give us some flexibility when searching message tracking logs. However, in some cases we need to use the more powerful capabilities of Where-Object for wildcard and partial string matching.

Comments

  1. Kobus says

    I’m looking for a way to count the outgoing mails per user from “day-one” of our mailserver.

    $msgs = get-messagetrackinglog -Sender "username@domain.nl" -EventID "SEND" -Start "1-1-2000 0:00:00"
    $msgs | Group-Object -Property Sender | Select-Object name,count | sort >C:\NumberOutgoingMailsUsername.txt

    The number of mails I get in the output file (156x) is much lower than the number of messages in the user's Sent Items (8488 mails). What am I overseeing? Is this affected by the retention policy?

  2. John says

    I’m trying to export to CSV mails sent out from a specific email using the commands below:

    get-messagetrackinglog -Sender "email@domain.com" -EventID "SEND" -Start "4/5/2014 8:00:00 AM" -End "4/5/2014 12:00:00 PM" | Where-Object {$_.recipients -like "*gmail.com"} | Export-csv C:\export.csv

    However, the Recipients field is showing only System.String[]. How can I make it show the real recipients' email addresses?

  3. Naga Krishna says

    Hi Paul,

    Good Evening..!!

    I have a situation where the user (xyz@abc.com) was transitioned to an external organisation (xyz@efg.com). However, he is still continuing to receive emails from our internal users.

    We do not have objects for him either on Exchange or AD. Early assumptions are that a DL might be involved with an object for him.

    How do we track the emails from internal users to this invisible object in our environment? Thanks

  4. Vairamuthu says

    In Exchange 2007, we have created a transport rule: for whatever emails come to this mailbox, one copy is delivered to the respective mailbox and another copy is delivered to the SharePoint portal. Normal emails are delivered fine; however, emails with attachments are not delivered.

    Any advice or suggestion?

    Thanks

  5. Vairamuthu says

    I did message tracking. Will any attribute say whether attachments were delivered successfully or not? The user complains that PDF attachments are not being received.

    • says

      You need to be clearer in your problem statement. Is the problem that the emails with attachments aren’t being received by SharePoint, or by the mailbox? Or both? Or are the emails being delivered but without the attachments?

  6. Paul says

    Hi Paul,

    We have a client requirement to find all messages from a specific sender that have not been replied to within 24 hours. Basically our client wants to be sure the messages are being followed up.

    So one of my client's employees receives an email from person@contoso.com and my client wants to get a report showing that his employee replied to that email from person@contoso.com within 24 hours. If the employee didn’t reply, the owner wants a report showing all the emails that were not replied to in a timely fashion. He wants this for all his employees.

    Is there any way to track by conversation in PowerShell? Can I match replies to original emails from the tracking logs, or perhaps there is another way? Any help would be greatly appreciated!

    • says

      I think your client should invest in a system, perhaps a job ticketing system, where customer correspondence is logged automatically and that has the reporting capabilities he desires.

  7. Mir says

    Thanks Paul for all the informative posts.
    After having gone through these, I did try the same on my production Exchange 2010 server and found the output as below:

    [PS] C:\Windows\system32>Get-MessageTrackingLog -Start (Get-Date).AddHours(-50) -resultsize unlimited | Where-Object {$_.recipients -match "hotmail"}

    EventId Source Sender Recipients MessageSubject
    ------- ------ ------ ---------- --------------
    DSN DSN postmaster@mydomain.com.sa {muntader_2008@hotmail.com} Undeliverable: Electrical powe…
    FAIL SMTP postmaster@mydomain.com.sa {muntader_2008@hotmail.com} Undeliverable: Electrical powe…
    DSN DSN postmaster@mydomain.com.sa {esther_jimmy60@hotmail.com} Undeliverable: Possible Spam :…
    FAIL SMTP postmaster@mydomain.com.sa {esther_jimmy60@hotmail.com} Undeliverable: Possible Spam :…
    DSN DSN postmaster@mydomain.com.sa {abuali1444@hotmail.com} Undeliverable: It’s Talkif ica…
    FAIL SMTP postmaster@mydomain.com.sa {abuali1444@hotmail.com} Undeliverable: It’s Talkif ica…
    DSN DSN postmaster@mydomain.com.sa {mr-al-break@hotmail.com} Undeliverable: ??? ????? ???? CV
    FAIL SMTP postmaster@mydomain.com.sa {mr-al-break@hotmail.com} Undeliverable: ??? ????? ???? CV

    What I don’t understand here is that we don’t have any postmaster account enabled anywhere, but it still seems to be sending out mails automatically?
    What do the DSN and FAIL imply?
    Apart from these, I found other user mailboxes sending out emails to other users on the domain as well as out to the internet, but the users claim they never sent any such messages!
    Something is really fishy; could you advise where to start looking for trouble?
    After some research I found “MicrosoftExchangeRecipientReplyRecipient” is blank and also RecipientValidation is set to false. Would any of these help?

  8. Nicolai says

    Hi Paul

    Can you help with this?

    1)
    I don't get any output from “CC” or “BCC” with “Recipients”. It does not show.

    If I, e.g., use this script, and I know there is a mail sent from “hotmail.Com” to “Frank@myfirm.com” where I am “CC”, it will not show the message. It shows only output “sent to me”. If I change sender to “Frank@myfirm.com” it will show the message.

    What should i use instead ?

    Get-TransportServer |
    Get-MessageTrackingLog -Start (Get-Date).Addhours(-48) `
    -End (Get-Date) `
    -EventId send `
    -Sender "ME@myfirm.com" `
    | Select-Object Recipients,timestamp,eventid `
    | Where {($_.Recipients -match '@hotmail.com')}

    2) How do I use wildcards “@myfirm.com” for “sender”?

    Thanks!!

    Best Regards

    Nicolai

    • says

      1) Recipients will include CC and BCC recipients in the results.

      2) As I demonstrate in the article above you can’t use wildcards. I also demonstrated how to work around that.

  9. Sinchan says

    Hi Paul,

    I want to create a report as to when person ‘X’ received an email and when he replied to it. Using Exchange message tracking I can track it manually for a single mail, but I want to track it for all emails that were sent and replied to for a particular user. Kindly advise how to do it?

    Thanks!
    Sinchan
