Using Get-MessageTrace PowerShell command for viewing and exporting information on mail sent and received | Exchange Online | Part 2#2

The current article is the second article in our two-article series.

In this article, we review how to use the Get-MessageTrace PowerShell command for viewing and exporting information about incoming and outgoing mail transactions that are stored in the Exchange Online log files.

In the previous article, we reviewed in detail the concept of “time ranges” when using the Get-MessageTrace PowerShell command.
In the current article, we continue to explore the additional parameters that we can use together with the Get-MessageTrace PowerShell command.

The concept of sender and recipient when using the MessageTrace command

Before we start with Get-MessageTrace PowerShell command examples, I would like to briefly address the terms – sender and recipient.

In many scenarios, we “filter” or narrow the Get-MessageTrace PowerShell command result by adding filter parameters.

I have noticed that the filter parameters described as “sender” and “recipient” sometimes cause confusion, so it’s important to clarify the meaning of these terms.

  • The term “sender” relates to the originating entity that “writes the E-mail message.”
  • The term “recipient” relates to the “destination entity,” meaning the person or persons to whom the E-mail message was sent.

In the following diagram, we can see that when Bob sends an E-mail to Adele, Bob is defined as the Sender (SenderAddress) and Adele is defined as the Recipient (RecipientAddress).

The Get-MessageTrace command - the sender and the recipient Parameter

Working with the group by PowerShell parameter and Message Trace results

In some scenarios, the information that we want to get about the “mail flow” is not information about specific E-mail messages but instead a high-level view of the mail transactions that were performed by a specific sender or a specific recipient in a specific time range.

By using the PowerShell command “Group-Object” in addition to the Get-MessageTrace PowerShell command, we can get this “high-level view” of E-mail transactions.

The PowerShell command “Group-Object” helps us to “group” information by a specific “property” and, in addition, enables us to “count” the number of instances in each group.

Get information about the most “active” organization senders.

In the following example, we want to accomplish the following requirements:

  • We want to get information about each of the emails that were sent by all senders in the last 30 days.
  • We want to present the results grouped by each of the senders.
  • We want to count the number of E-mail messages that were sent by each sender.
  • We want to present the results in “descending” order. The purpose of using “descending” order is to easily see which users send the largest number of mail items.

To get the required information, we use the PowerShell command – Group-Object.
We ask the Group-Object command to perform three tasks for us:

  • Group the results by the property – SenderAddress
  • Count the results for each sender (the number of mail items that a specific sender sent).
  • Order the information presented in the “count” column in descending order.

The command syntax that we use is:

Group-Object -Property SenderAddress | Select name,count | Sort count -desc

Display information about the number of mail items that were accepted from specific senders | Group the result + Count the result

PowerShell command example

PowerShell console output example

Get information about the most “popular” organization recipients.

In the following example, we want to accomplish the following requirements:

  • We want to get information about each of the emails that were received by our users (sent to our users) in the last 30 days.
  • We want to present the results grouped by each of the recipients (RecipientAddress).
  • We want to count the number of E-mail messages that were sent to each recipient.
  • We want to present the results in “descending” order. The purpose of using “descending” order is to easily see which users receive the largest number of mail items, meaning the most “active” recipients.

To get the required information, we use the PowerShell command – Group-Object.
We ask the Group-Object command to perform three tasks for us:

  • Group the results by the property – RecipientAddress
  • Count the results for each recipient (the number of mail items that were sent to the specific recipient).
  • Order the information presented in the “count” column in descending order.

The command syntax that we use is:

Group-Object -Property RecipientAddress | Select name,count | Sort count -desc

Display information about the number of mail items that were received

PowerShell command example

PowerShell console output example
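
An added example, not the article's own script: the sender and recipient reports above as one function that also shows each address's share of the total. The name Get-TraceVolume and the sample records are constructed for illustration; in a tenant, pipe Get-MessageTrace output into the function instead.

```powershell
function Get-TraceVolume {
    # Hypothetical helper (not an Exchange cmdlet): counts message trace records
    # per sender or recipient and lists the busiest addresses first.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record,

        [ValidateSet('SenderAddress', 'RecipientAddress')]
        [string]$Property = 'SenderAddress',

        [ValidateRange(1, 1000)]
        [int]$Top = 10
    )
    begin   { $all = [System.Collections.Generic.List[psobject]]::new() }
    process { $all.Add($Record) }
    end {
        $total = $all.Count
        # Group-Object compares strings case-insensitively, so Bob@ and bob@
        # are counted as the same address.
        $all |
            Group-Object -Property $Property -NoElement |
            Sort-Object -Property Count -Descending |
            Select-Object -First $Top -Property Name, Count,
                @{ Name = 'PercentOfTotal'
                   Expression = { [math]::Round(100 * $_.Count / $total, 1) } }
    }
}

# Constructed sample records that use the Get-MessageTrace property names.
$sample = @(
    [pscustomobject]@{ SenderAddress = 'Bob@o365info.com';   RecipientAddress = 'Adele@o365info.com' }
    [pscustomobject]@{ SenderAddress = 'bob@o365info.com';   RecipientAddress = 'partner@example.com' }
    [pscustomobject]@{ SenderAddress = 'Bob@o365info.com';   RecipientAddress = 'Adele@o365info.com' }
    [pscustomobject]@{ SenderAddress = 'news@example.com';   RecipientAddress = 'Adele@o365info.com' }
    [pscustomobject]@{ SenderAddress = 'Adele@o365info.com'; RecipientAddress = 'Bob@o365info.com' }
)

$sample | Get-TraceVolume -Property SenderAddress
$sample | Get-TraceVolume -Property RecipientAddress

# In a connected Exchange Online session, with the article's 30-day window:
# Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | Get-TraceVolume
```

A sender whose share jumps far above its usual level is worth a closer look, since a sudden rise in outbound volume from one mailbox is a common sign of a compromised account.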


Get information about emails that were sent from a specific sender

The “SenderAddress” parameter enables us to get information about emails that were sent by a specific sender or senders.

The term “sender” can refer either to our organization’s recipients who send E-mails to “other recipients,” or to external senders who send E-mails to our organization’s users.

Get information about Emails sent by a specific sender | Basic PowerShell command syntax.

PowerShell command syntax

PowerShell command example

Get information about Emails sent by a specific sender in the last X days.

PowerShell command syntax

PowerShell command example

Get information about Emails sent by a specific sender in the last X days + count the number of E-mail messages.

In this scenario, we use the PowerShell cmdlet – Group-Object, for counting the number of E-mail messages that were sent by a specific sender.

PowerShell command example

Get information about Emails sent by a specific sender\s | Senders whose E-mail address includes a specific domain name, in the last X days.

PowerShell command syntax

In the following example, we want to get information about all the emails that were sent in the last 30 days by “senders” whose E-mail address includes the domain name – o365info.com.

PowerShell command example

Export information about emails sent from a specific sender to log file | Create a dedicated file for each sender.

In the following section, I would like to demonstrate a more advanced scenario, in which we need to get information about all the mail transactions that were performed by each of the “senders” that appear in the Exchange Online log files.

The information should include all the senders who sent E-mail in the last 30 days.

The requirements that we need to fulfill include the following parts:

  • The information that we get from the Get-MessageTrace command will be saved to a CSV (comma-separated values) file (exported to a CSV file).
  • The special requirement is that the “export process” will be implemented by creating a dedicated CSV file for each of the senders. For example, in case the sender is – Bob@o365info.com, the dedicated CSV file that will be created for “Bob” will include log information only for emails sent from Bob@o365info.com.

To be able to fulfill this requirement, we will use a PowerShell ForEach statement.

  • In the first phase, we use the ForEach statement for “looping” through the “array of records” in the Exchange Online log file.
  • In the second phase, we export the required information to a separate CSV file, based on the “sender identity.”

PowerShell command example

Note – at the bottom of the article, you can find additional information about exporting Get-MessageTrace output (information) to various file formats using PowerShell.


Get information about emails that were sent to specific recipients

The “RecipientAddress” parameter enables us to get information about emails that were sent to a specific recipient or recipients.

Most of the time, the term “recipient” refers to our organization’s recipients.

Get information about Emails sent to a specific recipient | Basic PowerShell command syntax.

PowerShell command syntax

PowerShell command example

Get information about Emails sent to a specific recipient in the last X days.

PowerShell command syntax

PowerShell command example

Get information about Emails sent to a specific recipient in the last X days + count the number of E-mail messages.

In this scenario, we use the PowerShell cmdlet – Group-Object, for counting the number of E-mail messages that were sent to a specific recipient.

PowerShell command example

Get information about Emails sent to specific recipients whose E-mail address includes a specific domain name, in the last X days.

PowerShell command syntax

In the following example, we want to get information about all the emails that were sent in the last 30 days to “recipients” whose E-mail address includes the domain name – o365info.com.

PowerShell command example


Get information about emails with a specific status

The Status parameter filters the results by the delivery status of the E-mail message. Valid values for this parameter are:

  • None: The message has no delivery status because it was rejected or redirected to a different recipient.
  • Failed: Message delivery was attempted, and it failed or the message was filtered as spam or malware, or by transport rules.
  • Pending: Message delivery is underway or was deferred and is being retried.
  • Delivered: The message was delivered to its destination.
  • Expanded: There was no message delivery because the message was addressed to a distribution group, and the membership of the distribution was expanded.

Get information about sent\received Emails with a specific status | Basic PowerShell command syntax

PowerShell command syntax

Get information about sent\received Emails with a specific status that was sent or received in the last X days

PowerShell command syntax

In the following example, we want to get information about all Emails that were sent or received in the last 30 days and whose status is – “Failed”.

PowerShell command example

Another optional syntax that we can use for getting information about E-mail messages with a specific status is:

PowerShell command example

Export information about Emails with a specific status to File | Create a separated file for each type of status

In the following section, I would like to demonstrate a more advanced scenario, in which we need to get information about the status of all the emails that were sent and received in the last 30 days.

The requirements that we need to fulfill, include the following parts:

  • The information that we get from the Get-MessageTrace command, will be saved to a CSV (comma separated value) file (exported to CSV file).
  • The special requirement is, that the “export process,” will be implemented by creating a dedicated CSV file, for each of the optional status such as – Failed, None,

To be able to fulfill this requirement, we will use a PowerShell “ForEach” statement.

In the first phase, the ForEach statement “loops” through the “array of records” in the Exchange Online log file.

In the second phase, we export the required information to a separate CSV file based on the specific mail transaction status.

PowerShell command example

Note – at the bottom of the article, you can find additional information about exporting Get-MessageTrace output (information) to various file formats using PowerShell.
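
An added example, not the article's own script, that covers both the per-sender export described earlier and the per-status export above: one function that writes a dedicated CSV file for each distinct value of a chosen property. The name Export-TraceByProperty, the default output folder and the sample records are constructed for illustration.

```powershell
function Export-TraceByProperty {
    # Hypothetical helper (not an Exchange cmdlet): writes one CSV file per
    # distinct value of $Property, e.g. one per sender or one per status.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [psobject[]]$Records,

        [ValidateSet('SenderAddress', 'RecipientAddress', 'Status')]
        [string]$Property = 'SenderAddress',

        [string]$Path = (Join-Path ([System.IO.Path]::GetTempPath()) 'MessageTrace')
    )

    # Export-Csv does not create a missing folder, so create it first.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }

    # Character class of everything the file system rejects in a file name.
    $invalid = [regex]::Escape(([System.IO.Path]::GetInvalidFileNameChars() -join ''))

    foreach ($group in ($Records | Group-Object -Property $Property)) {
        # Addresses come from mail headers and are not trusted input: replace
        # invalid characters so a value cannot point outside $Path.
        $label = if ($group.Name) { $group.Name } else { 'unknown' }
        $safe  = $label -replace "[$invalid]", '_'
        $file  = Join-Path $Path "$safe.csv"

        $group.Group | Export-Csv -LiteralPath $file -NoTypeInformation -Encoding UTF8
        [pscustomobject]@{ Value = $group.Name; Count = $group.Count; File = $file }
    }
}

# Constructed sample records that use the Get-MessageTrace property names.
$sample = @(
    [pscustomobject]@{ SenderAddress = 'Bob@o365info.com';    RecipientAddress = 'Adele@o365info.com'; Status = 'Delivered' }
    [pscustomobject]@{ SenderAddress = 'Bob@o365info.com';    RecipientAddress = 'sales@o365info.com'; Status = 'Expanded' }
    [pscustomobject]@{ SenderAddress = 'Adele@o365info.com';  RecipientAddress = 'Bob@o365info.com';   Status = 'Failed' }
    [pscustomobject]@{ SenderAddress = '..\..\x@example.com'; RecipientAddress = 'Bob@o365info.com';   Status = 'Failed' }
)

Export-TraceByProperty -Records $sample -Property SenderAddress
Export-TraceByProperty -Records $sample -Property Status

# In a connected Exchange Online session, with the article's 30-day window:
# $trace = Get-MessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
# Export-TraceByProperty -Records $trace -Property SenderAddress -Path C:\Temp
```

The last sample record carries path separators in the sender address to show that the separators are replaced, so the file is written inside the target folder.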

Display information about the number of mail items that were sent to Distribution Groups | Group the result + Count the result

In this example, we want to get information about E-mail messages that were sent to a Distribution Group.
The “trick” that we use for looking only for a Distribution Group is the specific status “Expanded”. When an E-mail message is sent to a Distribution Group, Exchange performs the “expand” operation.

PowerShell command example


Get information about emails with a specific subject

The Get-MessageTrace parameter “subject” enables us to get information about emails that include a specific subject or a specific “string” in the mail subject.

Get information about Emails sent\received with a specific recipient | Basic PowerShell command syntax.

PowerShell command syntax

PowerShell command example


Get information about emails | Filter information by source or destination IP address

The Get-MessageTrace parameters “ToIP” and “FromIP” enable us to get information about emails that were sent from a specific IP address or sent to a specific IP address.

Most of the time, when using the parameter “ToIP”, we refer to the IP address of the mail server that Exchange Online addresses.

ToIP | Get information about emails that were sent to a “destination mail server” with a specific IP address.

As mentioned, most of the time the “IP address” is the public IP address of the mail server that represents a specific domain name or a specific recipient.

Get information about Emails that were sent to a mail server with a specific IP address.

PowerShell command syntax

In the following example, we see the PowerShell command syntax that we use for getting information about mail items that were sent in the last 30 days to a destination mail server that has the IP address – 10.0.0.2.

PowerShell command example

The Get-MessageTrace command - ToIP parameter

FromIP | Get information about emails that were sent from a specific IP address

The Get-MessageTrace parameter “FromIP” enables us to get information about emails that were sent from a specific IP address.

Get information about Emails that were received from a mail server with a specific IP address.

PowerShell command syntax

In the following example, we use a PowerShell command syntax that gets information about mail items that were sent in the last 30 days by the mail server whose IP address is – 10.0.0.2.

PowerShell command example


Define the setting that relates to the maximum number of results

When using the PowerShell command “Get-MessageTrace” for displaying information in the PowerShell console, there is a built-in limitation on the number of “log events” (mail transactions) that will be displayed on the PowerShell console screen.

The “unit” that is used for defining the displayed result limitation is the “Page.”

By default, each page unit includes 1,000 rows (mail transactions).

By default, Get-MessageTrace will display only 1 page.

In other words, in case the search result includes more than 1,000 results, the Get-MessageTrace command will display a maximum of 1,000 results.

In case we perform a search that is expected to produce a large number of results, it is recommended to define a parameter that will help us to “override” the built-in defaults of the PowerShell command “Get-MessageTrace”.

Get-MessageTrace includes two parameters that relate to the subject of maximum displayed results:

  • Page – The Page parameter specifies the page number of the results you want to view. Valid input for this parameter is an integer between 1 and 1000. The default value is 1.
  • PageSize – The PageSize parameter specifies the maximum number of entries per page. Valid input for this parameter is an integer between 1 and 5000. The default value is 1000.

“Extend” the default page limitation to 5,000 results

PowerShell command syntax

PowerShell command example
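
An added example, not the article's own script: a wrapper that requests the maximum page size and keeps asking for the next page until a short page signals the end, so a report is not silently cut off at the first page. The name Get-AllMessageTrace is hypothetical, and the function assumes a connected Exchange Online PowerShell session that provides Get-MessageTrace.

```powershell
function Get-AllMessageTrace {
    # Hypothetical wrapper (not an Exchange cmdlet). Assumes a connected
    # Exchange Online PowerShell session that provides Get-MessageTrace.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime]$StartDate,
        [Parameter(Mandatory)] [datetime]$EndDate,

        [ValidateRange(1, 5000)] [int]$PageSize = 5000,   # documented maximum
        [ValidateRange(1, 1000)] [int]$MaxPages = 1000,   # documented maximum

        # Extra Get-MessageTrace filters, e.g. @{ Status = 'Failed' }
        [hashtable]$Filter = @{}
    )

    # Build one parameter set; the paging values always override the filter.
    $query = $Filter.Clone()
    $query['StartDate'] = $StartDate
    $query['EndDate']   = $EndDate
    $query['PageSize']  = $PageSize

    for ($page = 1; $page -le $MaxPages; $page++) {
        $query['Page'] = $page
        $rows = @(Get-MessageTrace @query -ErrorAction Stop)

        $rows    # stream this page to the pipeline
        Write-Verbose "Page $page returned $($rows.Count) rows"

        # A page that is not full (or is empty) is the last one.
        if ($rows.Count -lt $PageSize) { return }
    }

    Write-Warning "Stopped after $MaxPages pages; results may be incomplete. Narrow the date range or add a filter."
}

# Runs only where Get-MessageTrace is available (connected session).
if (Get-Command Get-MessageTrace -ErrorAction SilentlyContinue) {
    # The article's 30-day window; all pages, failed messages only.
    $failed = Get-AllMessageTrace -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Filter @{ Status = 'Failed' } -Verbose
    "Total failed messages: $(@($failed).Count)"
}
```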


Get more details on a specific mail transaction by using MessageTraceDetail

As mentioned at the beginning of the current article, the Get-MessageTrace command provides us with basic information about a specific mail transaction.

In case we want to get more detailed information about a specific mail transaction, we can use an additional PowerShell command named – MessageTraceDetail

We use the MessageTraceDetail command as an “addition” to the original Get-MessageTrace command.

For example:

Get message details for all sent and received emails in the last 30 days

PowerShell command example
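
An added example, not the article's own script: instead of pulling details for every message, it looks up the detail events only for messages whose status is Failed and joins them to the summary row. The name Get-FailedMessageDetail is hypothetical, and the function assumes a connected Exchange Online PowerShell session that provides Get-MessageTrace and Get-MessageTraceDetail.

```powershell
function Get-FailedMessageDetail {
    # Hypothetical helper (not an Exchange cmdlet). Assumes a connected
    # Exchange Online PowerShell session.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime]$StartDate,
        [Parameter(Mandatory)] [datetime]$EndDate
    )

    # Summary rows first: one row per message and recipient.
    $failed = Get-MessageTrace -StartDate $StartDate -EndDate $EndDate -Status Failed -ErrorAction Stop

    foreach ($msg in $failed) {
        # A detail lookup is keyed on the trace ID plus the recipient address.
        $detailQuery = @{
            MessageTraceId   = $msg.MessageTraceId
            RecipientAddress = $msg.RecipientAddress
            StartDate        = $StartDate
            EndDate          = $EndDate
        }
        $steps = Get-MessageTraceDetail @detailQuery

        # Emit one flat row per processing event, ready for Export-Csv.
        foreach ($step in $steps) {
            [pscustomobject]@{
                Received  = $msg.Received
                Sender    = $msg.SenderAddress
                Recipient = $msg.RecipientAddress
                Subject   = $msg.Subject
                EventDate = $step.Date
                Event     = $step.Event
                Action    = $step.Action
                Detail    = $step.Detail
            }
        }
    }
}

# Runs only where the Exchange Online cmdlets are available (connected session).
if (Get-Command Get-MessageTraceDetail -ErrorAction SilentlyContinue) {
    # The article's 30-day window.
    Get-FailedMessageDetail -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
        Sort-Object -Property Received, EventDate |
        Format-Table -AutoSize
}
```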


Export information from Get-MessageTrace results to a file

Exporting information to a file using PowerShell is one of the functions that we can implement when using PowerShell “Get” commands.

When using the PowerShell “Get” commands, the “output” (the result from the PowerShell command) can be displayed on the PowerShell console screen or – exported to a file.

Export to file using PowerShell and supported file formats.

PowerShell supports the option of exporting command output to the following file formats: Text, CSV, HTML, and XML.

When we want to export the command output to a File, we need to “tell” PowerShell what is the required file format that we want to use.

In addition to the PowerShell cmdlets that we use to define the specific file format, we can “add” specific parameters that relate to the specific file format.

For example, when we wish to export PowerShell command output to a CSV (Comma Separated Value) file format, we can add additional parameters such as:

  • -NoTypeInformation – this option prevents PowerShell from adding unnecessary information to the CSV file.
  • -Encoding UTF8 – in case the objects, such as users or mailboxes, include non-English characters, we can add this “format parameter” to enable PowerShell to export information that includes non-English characters.

The File name and the “path” parameter

A mandatory requirement when exporting command output to a file is the “File name.”
The additional part is the “Path.” The “path” parameter defines the specific location in which we want to save the file. For example – C:\Temp.

The “path” parameter is not a mandatory parameter. Most of the time, when we export information to a file, we will also provide the path. In case we don’t provide a specific path, PowerShell exports the file to the folder from which we run the PowerShell command.

It’s important to mention that when we provide the name of a specific path, such as C:\Temp, the PowerShell command “expects” that this path already exists.

In other words, by default, the PowerShell command will not “create for us” a specific folder that was specified in the path.

Example of PowerShell syntax for exporting information to various file types

The following section includes a demonstration of exporting PowerShell command output to three types of file formats.

The export command syntax is built from two parts:

  1. Part 1#2 – this is the “Get PowerShell cmdlet” part, which fetches specific information.
  2. Part 2#2 – this is the part in which we define the specific file format, the path, and the filename.

In the following section, we can see an example of the “export syntax” for three file formats – text, CSV, and HTML.

PowerShell command Example | Export information to Text File

PowerShell command example

PowerShell command Example | Export information to CSV File

PowerShell command example

PowerShell command Example | Export information to HTML File

PowerShell command example

The Get-MessageTrace command - export to file


For your convenience, I have “wrapped” all the PowerShell commands that were reviewed in the article in a “menu-based” PowerShell script.

You are welcome to download the PowerShell script and use it.
Download -o365info PowerShell Script

Eyal Doron