Run a message trace in the classic EAC

Note

Message trace is available in the Microsoft 365 security center and in the modern Exchange admin center. For more information, see Message trace in the Security & Compliance Center and Message trace in the modern Exchange admin center.

As an administrator, you can find out what happened to an email message by running a message trace in the Exchange admin center (EAC). After running the message trace, you can view the results in a list, and then view the details about a specific message. Message trace data is available for the past 90 days. If a message is more than 7 days old, you can only view the results in a downloadable .CSV file.

For a video walkthrough of message trace and other mail flow troubleshooting tools, see Find and fix email delivery issues as a Microsoft 365 or Office 365 for business admin.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection. If you're a Microsoft 365 or Office 365 for business admin, see Contact support for business products - Admin Help.

Run a message trace

  1. In the EAC, go to Mail flow > message trace.

    Screenshot of the Exchange admin center showing message trace selected from the mail flow navigation menu.

  2. Depending on what you're searching for, you can enter values in the following fields. None of these fields are required for messages that are less than 7 days old. You can simply click Search to retrieve all message trace data over the default time period, which is the past 48 hours.

    1. Date range : Using the drop-down list, select to search for messages sent or received within the past 24 hours, 48 hours, or 7 days. You can also select a custom time frame that includes any range within the past 90 days. For custom searches you can also change the time zone, in Coordinated Universal Time (UTC).

    2. Delivery status : Using the drop-down list, select the status of the message you want to view information about. Leave the default value of All to cover all statuses. Other possible values are:

      • Delivered : The message was successfully delivered to the intended destination.

      • Failed : The message was not delivered. Either it was attempted and failed or it was not delivered as a result of actions taken by the filtering service. For example, if the message was determined to contain malware.

      • Pending*: Delivery of the message is being attempted or re-attempted.

      • Expanded : The message was sent to a distribution list and was expanded so the members of the list can be viewed individually.

      • Unknown*: The message delivery status is unknown at this time. When the results of the query are listed, the delivery details fields will not contain any information.

      *If you're searching for messages that are older than 7 days, you can't select Pending or Unknown.

    3. Message ID : This is the Internet message ID (also known as the Client ID) found in the message header in the Message-ID: header field. Users can provide you with this information in order to investigate specific messages.

      The form of this ID varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.

      This ID should be unique; however, not all sending mail systems behave the same way. As a result, there's a possibility that you may get results for multiple messages when querying upon a single Message ID.

      Note : Be sure to include the full Message ID string. This may include angle brackets (<>).

    4. Sender : You can narrow the search for specific senders by clicking the Add sender button next to the Sender field. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click Add. To add senders who aren't on the list, type their email addresses and click Check names. In this box, wildcards are supported for email addresses in the format: *@contoso.com. When specifying a wildcard, other addresses can't be used. When you're done with your selections, click OK.

    5. Recipient : You can narrow the search for specific recipients by clicking the Add recipient button next to the Recipient field. In the subsequent dialog box, select one or more recipients from your company from the user picker list and then click Add. To add recipients who aren't on the list, type their email addresses and click Check names. In this box, wildcards are supported for email addresses in the format: *@contoso.com. When specifying a wildcard, other addresses can't be used. When you're done with your selections, click OK.

  3. If you're searching for messages that are older than 7 days, configure the following settings (otherwise you can skip this step):

    1. Include message events and routing details with report : We recommend selecting this check box only if you're looking for a small number of messages. Otherwise, the results will take longer to return.

    2. Direction : Leave the default All or select Inbound for messages sent to your organization or Outbound for messages sent from your organization.

    3. Original client IP address : Specify the IP address of the sender's client.

    4. Report title : Specify the unique identifier for this report. This will also be used as the subject line text for the email notification. The default is "Message trace report <day of the week>, <current date> <current time>". For example, "Message trace report Thursday, October 17, 2018 7:21:09 AM".

    5. Notification email address : Specify the email address that you want to receive the notification when the message trace completes. This address must reside within your list of accepted domains.

  4. Click Search to run the message trace. You'll be warned if you're nearing the threshold of the number of traces you're allowed to run over a 24 hour period.

After running your message trace, proceed to one of the next sections to read about how to view your results.

Note : To search for a different message, you can click the Clear button and then specify new search criteria.

View message trace results for messages less than 7 days old

After you run a message trace in the EAC, the results will be listed, sorted by date, with the most recent message appearing first. You can sort on any of the listed fields by clicking their headers. Clicking a column header a second time will reverse the sort order. When viewing message trace results, the following information is provided about each message:

  • Date : The date and time at which the message was received by the service, using the configured UTC time zone.

  • Sender : The email address of the sender in the form alias@domain.

  • Recipient : The email address of the recipient or recipients. For messages sent to more than one recipient, there is one line per recipient. If the recipient is a distribution list, the distribution list will be the first recipient, and then each member of the distribution list will be included on a separate line so that you can check the status for all recipients.

  • Subject : The subject line text of the message. If necessary, this is truncated to the first 256 characters.

  • Status : This field specifies whether the message was Delivered to the recipient or the intended destination, Failed to be delivered to the recipient (either because it failed to reach its destination or because it was filtered), is Pending delivery (it is either in the process of being delivered or the delivery was deferred but is being re-attempted), was Expanded (there was no delivery because the message was sent to a distribution list (DL) that was expanded to the recipients of the DL), or has a status of None (there is no status of delivery for the message to the recipient because the message was either rejected or redirected to a different recipient).

Note

The message trace can display a maximum of 500 entries. By default, the user interface displays 50 entries per page, and you can navigate through the pages. You can also change the entry size of each page up to 500.

View details about a specific message less than 7 days old

After you review the list of items returned by running the message trace in the EAC, you can double-click an individual message to view the following additional details about the message:

  • Message size : The size of the message, including attachments, in kilobytes (KB), or, if the message size is greater than 999 KB, in megabytes (MB).

  • Message ID : This is the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID:" token. The form of this varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@contoso.com>.

    This ID should be unique; however, it is dependent on the sending mail system for generation and not all sending mail systems behave the same way. As a result, there is a possibility that you may get results for multiple messages when querying upon a single Message ID.

    This is given as output so that trace entries and the messages in question can be correlated.

  • To IP : The IP address or addresses to which the service attempted to deliver the message. If there are multiple recipients, these are displayed. For inbound messages sent to Exchange Online, this value is blank.

  • From IP : The IP address of the computer that sent the message. For outbound messages sent from Exchange Online, this value is blank.

In the events section, the following fields provide information about the events that occurred to the message as it passed through the messaging pipeline:

  • Date : The date and time that the event occurred.

  • Event : This field briefly informs you of what happened, for example if the message was received by the service, if it was delivered or failed to be delivered to the intended recipient, and so on. The following are examples of events that may be listed:

    • RECEIVE : The message was received by the service.

    • SEND : The message was sent by the service.

    • FAIL : The message failed to be delivered.

    • DELIVER : The message was delivered to a mailbox.

    • EXPAND : The message was sent to a distribution group that was expanded.

    • TRANSFER : Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.

    • DEFER : The message delivery was postponed and may be re-attempted later.

    • RESOLVED : The message was redirected to a new recipient address based on an Active Directory lookup. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.

    • DLP rule : The message matched a DLP rule or sensitivity label.

      Tip

      Additional events may appear. For more information about these events, see Event types in the message tracking log.

  • Action : This field shows the action that was performed if the message was filtered due to a malware or spam detection or a rule match. For example, it will let you know if the message was deleted or if it was sent to the quarantine.

  • Detail : This field provides detailed information that elaborates on what happened. For example, it may inform you which specific mail flow rule (also known as a transport rule) was matched, and what happened to the message as a result of that match. It can also inform you which specific malware was detected in which specific attachment, or why a message was detected as spam. If the message was successfully delivered, it can tell you the IP address to which it was delivered.

View message trace results for messages more than 7 days old

If you run a message trace for items that are older than 7 days, when you click Search a message should appear letting you know that the message was successfully submitted, and that an email notification will be sent to the supplied email address when the trace has completed. (If the message trace is processed and data that matches your search criteria is successfully retrieved, this notification message will include information about the trace and a link to the downloadable .CSV file. If no data was found that matched the search criteria you specified, you'll be asked to submit a new request with changed criteria in order to obtain valid results.)

In the EAC, you can click View pending or completed traces in order to view a list of traces that were run for items that are older than 7 days. In the resulting UI, the list of traces is sorted based on the date and time that they were submitted, with the most recent submissions appearing first. In addition to the report title, the date and time the trace was submitted, and the number of messages in the report, the following status values are listed:

  • Not started : The trace was submitted but is not yet running. At this point, you have the option to cancel the trace.

  • Cancelled : The trace was submitted but was cancelled.

  • In progress : The trace is running and you can't cancel the trace or download the results.

  • Completed : The trace has completed and you can click Download this report to retrieve the results in a .CSV file. Note that if your message trace results exceed 50000 messages for a summary report, it will be truncated to the first 50000 messages. If your message trace results exceed 1000 messages for a detailed report, it will be truncated to the first 1000 messages. If you do not see all the results that you need, we recommend that you break your search out into multiple queries.

When you select a specific message trace, additional information appears in the right pane. Depending on what search criteria you specified, this may include details such as the date range for which the trace was run, and the sender and intended recipients of the message.

Note

Message traces containing data that is more than 7 days old are automatically deleted in the EAC after 10 days. They can't be manually deleted.

View report details about a specific message more than 7 days old

When you download and view a message trace report, either from View pending or completed traces in the EAC or from a notification email, its contents depend on whether you have selected the Include message events and routing details with report option.

Important

In order to view the downloaded message trace report, you must have the "View-Only Recipients" RBAC role assigned to your role group. By default, the following role groups have this role assigned: Compliance Management, Help Desk, Hygiene Management, Organization Management, View-Only Organization Management.

Viewing a message trace report without routing details

If you didn't include routing details when running the message trace, the following information is included in the .CSV file, which you can open in an application such as Microsoft Excel:

  • origin_timestamp : The date and time at which the message was received by the service, using the configured UTC time zone.

  • sender_address : The email address of the sender in the form alias@domain.

  • Recipient_status : The status of the delivery of the message to the recipient. If the message was sent to multiple recipients, it will show all the recipients and the corresponding status against each, in the format: <email address>##<status>. For example, a status of:

    • ##Receive, Send : means that the message was received by the service and sent to the intended destination.

    • ##Receive, Fail : means that the message was received by the service but failed to be delivered to the intended destination.

    • ##Receive, Deliver : means that the message was received by the service and delivered to the recipient's mailbox.

  • message_subject : The subject line text of the message. If necessary, this is truncated to the first 256 characters.

  • total_bytes : The size of the message, including attachments, in bytes.

  • message_id : This is the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID:" token. The form of this varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.

    This ID should be unique; however, it is dependent on the sending mail system for generation and not all sending mail systems behave the same way. As a result, there is a possibility that you may get results for multiple messages when querying upon a single Message ID.

    This is given as output so that trace entries and the messages in question can be correlated.

  • network_message_id : This is a unique message ID value that persists across copies of the message that may be created due to bifurcation or distribution group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f.

  • original_client_ip : The IP address of the sender's client.

  • directionality : This field denotes whether the message was sent inbound (1) to your organization, or whether it was sent outbound (2) from your organization.

  • connector_id : The name of the source or destination Send connector or Receive connector. For example, ServerName\ConnectorName or ConnectorName.

  • delivery_priority : Denotes whether the message was sent with High, Low, or Normal priority.
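
As an added example (not part of the original documentation), the Python below reads a summary report, parses the Recipient_status format, lists recipients whose status includes Fail, and reports message_id values that map to more than one network_message_id. The CSV rows are constructed, the function names are illustrative, and the `;` separator between recipients is an assumption, since the text above does not state it.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are the ones listed above.
SAMPLE_CSV = """\
origin_timestamp,sender_address,Recipient_status,message_subject,total_bytes,message_id,network_message_id,original_client_ip,directionality,connector_id,delivery_priority
2018-10-17 07:21:09,news@example.net,"alice@contoso.com##Receive, Deliver",Weekly update,20480,<0001@mailer.example.net>,00000000000000000000000000000001,192.0.2.10,1,,Normal
2018-10-17 07:25:40,news@example.net,"bob@contoso.com##Receive, Fail",Weekly update,20512,<0001@mailer.example.net>,00000000000000000000000000000002,192.0.2.10,1,,Normal
2018-10-17 08:02:11,carol@contoso.com,"dan@example.org##Receive, Send;erin@example.org##Receive, Fail",Invoice,10240,<0002@contoso.com>,00000000000000000000000000000003,198.51.100.7,2,,Normal
"""

DIRECTION = {"1": "inbound", "2": "outbound"}  # values of the directionality field


def parse_recipient_status(value, sep=";"):
    """Turn '<email address>##<status>' items into {address: [events]}.

    sep (the separator between recipients) is an assumption of this example.
    """
    result = {}
    for item in value.split(sep):
        address, marker, status = item.strip().partition("##")
        if not marker:
            continue  # no '##', so not a recipient/status pair
        result[address] = [e.strip() for e in status.split(",") if e.strip()]
    return result


def load_report(text):
    """Read the CSV text into dicts with lower-cased column names."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        row["recipients"] = parse_recipient_status(row.get("recipient_status", ""))
        row["direction"] = DIRECTION.get(row.get("directionality"), "unknown")
        rows.append(row)
    return rows


def reused_message_ids(rows):
    """message_id values seen with more than one network_message_id.

    The sender generates message_id, so two different messages can share it;
    network_message_id is what stays constant across copies of one message.
    """
    seen = defaultdict(set)
    for row in rows:
        seen[row["message_id"]].add(row["network_message_id"])
    return {mid: sorted(ids) for mid, ids in seen.items() if len(ids) > 1}


def failed_deliveries(rows):
    """(network_message_id, direction, recipient) for each Fail status."""
    return [(row["network_message_id"], row["direction"], address)
            for row in rows
            for address, events in row["recipients"].items()
            if "fail" in (e.lower() for e in events)]


if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    print("Reused Message-IDs:", reused_message_ids(report))
    for failure in failed_deliveries(report):
        print("Failed:", failure)
```
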

View a message trace report with routing details

If you included routing details when running the message trace, all information from the message tracking logs is included in the .CSV file, which you can open in an application such as Microsoft Excel. Some of the values included in this report are described in the prior section, while other values that may be useful for investigative purposes are described in Fields in the message tracking log files.

The custom_data field

Additionally, the custom_data field may contain values that are specific to the filtering service. The custom_data field in an AGENTINFO event is used by a variety of different agents to log details from the agent's processing of the message. Some of the message data protection related agents are described below.

Spam Filter Agent (S:SFA)

A string beginning with S:SFA is an entry from the spam filter agent and provides the following key details:

Log Information : Description
SFV=NSPM : The message was marked as non-spam and was sent to the intended recipients.
SFV=SPM : The message was marked as spam by the content filter.
SFV=BLK : Filtering was skipped and the message was blocked because it originated from a blocked sender.
SFV=SKS : The message was marked as spam prior to being processed by the content filter. This includes messages where the message matched a mail flow rule to automatically mark it as spam and bypass all additional filtering.
SCL=<number> : For more information about the different SCL values and what they mean, see Spam Confidence Levels.
PCL=<number> : The Phishing Confidence Level (PCL) value of the message. These can be interpreted the same way as the SCL values documented in Spam Confidence Levels.
DI=SB : The sender of the message was blocked.
DI=SQ : The message was quarantined.
DI=SD : The message was deleted.
DI=SJ : The message was sent to the recipient's Junk Email folder.
DI=SN : The message was routed through the higher risk delivery pool. For more information, see High-risk delivery pool for outbound messages.
DI=SO : The message was routed through the normal outbound delivery pool.
SFS=[a] SFS=[b] : This denotes that spam rules were matched.
IPV=CAL : The message was allowed through the spam filters because the IP address was specified in an IP Allow list in the connection filter.
H=[helostring] : The HELO or EHLO string of the connecting mail server.
PTR=[ReverseDNS] : The PTR record of the sending IP address, also known as the reverse DNS address.

When a message is filtered for spam, a sample custom_data entry would look similar to the following:

S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|LAT=287|LAT=260|LAT=18;

Malware Filter Agent (S:AMA)

A string beginning with S:AMA is an entry from the anti-malware agent and provides the following key details:

Log Information : Description
AMA=SUM|v=1| or AMA=EV|v=1| : The message was determined to contain malware. SUM denotes that the malware could've been detected by any number of engines. EV denotes that the malware was detected by a specific engine. When malware is detected by an engine this triggers the subsequent actions.
Action=r : The message was replaced.
Action=p : The message was bypassed.
Action=d : The message was deferred.
Action=s : The message was deleted.
Action=st : The message was bypassed.
Action=sy : The message was bypassed.
Action=ni : The message was rejected.
Action=ne : The message was rejected.
Action=b : The message was blocked.
Name=<malware> : The name of the malware that was detected.
File=<filename> : The name of the file that contained the malware.

When a message contains malware, a sample custom_data entry would look similar to the following:

S:AMA=SUM|v=1|action=b|error=|atch=1;S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;S:AMA=EV|engine=A|v=1|sig=201307282038|name=Test_File|file=filename

Transport Rule Agent (S:TRA)

A string beginning with S:TRA is an entry from the Transport Rule agent and provides the following key details:

Log Information : Description
ETR|ruleId=[guid] : The rule ID that was matched.
St=[datetime] : The date and time (in UTC) when the rule match occurred.
Action=[ActionDefinition] : The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online.
Mode=Enforce : The mode of the rule. Possible values are:
  • Enforce : All actions on the rule will be enforced.
  • Test with Policy Tips : Any Policy Tip actions will be sent, but other enforcement actions will not be acted on.
  • Test without Policy Tips : Actions will be listed in a log file, but senders will not be notified in any way, and enforcement actions will not be acted on.

When a message matches a mail flow rule, a sample custom_data entry would look similar to the following:

S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2013 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce
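
The three custom_data samples above can be decoded with a small parser. The Python below is an added example, not Microsoft's code: it splits entries where `;` is followed by `S:`, keeps repeated keys such as SFS and LAT, and maps the SFV, DI and action codes using the tables on this page. The function names and output field names are illustrative.

```python
import re
from collections import defaultdict

# Code meanings copied from the tables on this page.
SFV = {"NSPM": "non-spam", "SPM": "spam (content filter)",
       "BLK": "blocked sender, filtering skipped",
       "SKS": "spam (marked before content filter)"}
DI = {"SB": "sender blocked", "SQ": "quarantined", "SD": "deleted",
      "SJ": "Junk Email folder", "SN": "higher risk delivery pool",
      "SO": "normal outbound delivery pool"}
AMA_ACTION = {"r": "replaced", "p": "bypassed", "d": "deferred",
              "s": "deleted", "st": "bypassed", "sy": "bypassed",
              "ni": "rejected", "ne": "rejected", "b": "blocked"}

# The three sample entries quoted on this page.
SFA_SAMPLE = ("S:SFA=SUM|SFV=SPM|IPV=CAL|SRV=BULK|SFS=470454002|SFS=349001|"
              "SCL=9|SCORE=-1|LIST=0|DI=SN|RD=ftmail.inc.com|H=ftmail.inc.com|"
              "CIP=98.129.140.74|SFP=1501|ASF=1|CTRY=US|CLTCTRY=|LANG=en|"
              "LAT=287|LAT=260|LAT=18;")
AMA_SAMPLE = ("S:AMA=SUM|v=1|action=b|error=|atch=1;"
              "S:AMA=EV|engine=M|v=1|sig=1.155.974.0|name=DOS/Test_File|file=filename;"
              "S:AMA=EV|engine=A|v=1|sig=201307282038|name=Test_File|file=filename")
TRA_SAMPLE = ("S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|"
              "st=7/17/2013 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce")


def parse_custom_data(raw):
    """Return one {"agent", "kind", "fields"} dict per S:<agent> entry."""
    entries = []
    # Split only where ';' is followed by 'S:' so that a ';' inside a value
    # (a file name, for instance) does not break an entry apart.
    for chunk in re.split(r";(?=S:)", raw.strip().rstrip(";")):
        if not chunk.startswith("S:"):
            continue
        head, *pairs = chunk[2:].split("|")
        agent, _, kind = head.partition("=")
        fields = defaultdict(list)  # SFS and LAT repeat, so keep every value
        for pair in pairs:
            if pair:  # "AMA=SUM|v=1|" ends with an empty segment
                key, _, value = pair.partition("=")
                fields[key.lower()].append(value)  # page mixes Action/action
        entries.append({"agent": agent, "kind": kind, "fields": dict(fields)})
    return entries


def _one(fields, key):
    """First value recorded for a key, or None when the key is absent."""
    return fields.get(key, [None])[0]


def describe(raw):
    """Summarise the SFA, AMA and TRA entries found in a custom_data string."""
    out = []
    for entry in parse_custom_data(raw):
        agent, kind, f = entry["agent"], entry["kind"], entry["fields"]
        if agent == "SFA":
            scl = _one(f, "scl")
            out.append({
                "agent": "spam filter",
                "verdict": SFV.get(_one(f, "sfv"), "not in table"),
                "scl": int(scl) if scl and scl.lstrip("-").isdigit() else None,
                "disposition": DI.get(_one(f, "di"), "not in table"),
                # IPV=CAL: let through because of an IP Allow list entry
                "ip_allow_listed": _one(f, "ipv") == "CAL",
                "spam_rules": f.get("sfs", []),
                "helo": _one(f, "h"),
            })
        elif agent == "AMA" and kind == "SUM":
            out.append({"agent": "malware filter",
                        "action": AMA_ACTION.get(_one(f, "action"), "not in table")})
        elif agent == "AMA" and kind == "EV":
            out.append({"agent": "malware engine", "engine": _one(f, "engine"),
                        "name": _one(f, "name"), "file": _one(f, "file")})
        elif agent == "TRA":
            out.append({"agent": "transport rule", "rule_id": _one(f, "ruleid"),
                        "matched_at": _one(f, "st"), "action": _one(f, "action"),
                        "mode": _one(f, "mode")})
    return out


if __name__ == "__main__":
    for sample in (SFA_SAMPLE, AMA_SAMPLE, TRA_SAMPLE):
        for finding in describe(sample):
            print(finding)
```

In the spam sample, the summary shows a spam verdict with SCL 9 alongside `ip_allow_listed`, which is the combination to look for when reviewing IP Allow list entries.
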

For more information

Message Trace FAQ presents messaging questions that a user may have, along with possible answers. It also describes how to use the message trace tool in order to get those answers and troubleshoot specific mail delivery issues.

Can I run a message trace via Exchange Online PowerShell or Exchange Online Protection PowerShell? What are the cmdlets to use? gives information about the PowerShell cmdlets that you can use to run a message trace.