Please see this associated PowerPoint created by Jason Crawford.
For the purpose of this document, inbound email will be considered an email sent either internally or externally to the user or mailbox you’re supporting.
The first step to troubleshoot an inbound email is to determine if the sender was internal or external to the recipient. For instance, an email sent from jbean@evolveip.net to jdgutierrez@evolveip.net would be considered internal since both mailboxes live in the same Exchange environment. An example of an external email would be an email sent from jcrawford@gmail.com to jdgutierrez@evolveip.net, since the sender’s mailbox is a Gmail account and the recipient’s mailbox lives on the evolveip.net Exchange servers. Steps to troubleshoot internal and external email are contained below.
The majority of tickets sent to our helpdesk regarding inbound email involve email sent from an external mailbox, since internal email is less prone to fail. The first step is to verify the recipient domain’s MX record. For this example we will use astrotechcorp.com, but the steps are the same for any domain. From an nslookup prompt:
set type=mx
server 8.8.8.8
astrotechcorp.com
The MX record for astrotechcorp.com points to MXLogic (Spam Soap):
MX preference = 10, mail exchanger = astrotechcorp.com.inbound10.mxlogicmx.net
MX preference = 10, mail exchanger = astrotechcorp.com.inbound10.mxlogic.net
This means that the next hop after the email is sent is MXLogic’s servers, and this is where we must look next. McAfee has already provided excellent documentation on how to perform a Message Audit in the MXLogic portal, available here - http://www.mxlogic.com/pdf/message-audit-quick-start.pdf
If the email was blocked by MXLogic, it was due to either spam or a virus. Either action must be taken to allow that type of email through the MXLogic filters, or the sender must be instructed to adjust the aspect(s) of the email that caused it to be blocked (attachment, links in the body, keywords, etc.). If an MXLogic Message Audit shows a successful handoff to the recipient’s Exchange servers, the focus of our troubleshooting must now shift to Exchange.
The following process applies to Exchange 2007 – Exchange 2013.
Get-MessageTrackingLog -Sender xxx -Recipient xxx -Start xxx -End xxx | Sort-Object -Property Timestamp | fl | out-file track.txt;Invoke-Item track.txt
Get-MessageTrackingLog -Sender jcrawford@gmail.com -Recipient jdgutierrez@evolveip.net -Start 6/28/2015 -End 6/30/2015 | Sort-Object -Property Timestamp | fl | out-file track.txt;Invoke-Item track.txt
The output of this command will be written to the track.txt file, and that file will be displayed after running the command. If results were not found, the file will be blank. An example of a successful email delivery would include this:
RunspaceId : 7d051138-124c-4ceb-b9cc-2e8a6ff27bcd
Timestamp : 6/29/2015 9:24:19 AM
ClientIp :
ClientHostname : EC-EXCH02.futura.local
ServerIp :
ServerHostname : EC-EXCH01
SourceContext : 08D277BD477AB8B0;2015-06-29T13:24:19.030Z;ClientSubmitTime:
ConnectorId :
Source : STOREDRIVER
EventId : DELIVER
InternalMessageId : 1730871820369
MessageId : <fe6202a2202c4b42b461e62b053dc25c@eip-mbox-01.eip.local>
Recipients : {futuraservices@futuraservices.net}
RecipientStatus : {}
TotalBytes : 78557
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : Test
Sender : jcrawford@evolveip.net
ReturnPath : jcrawford@evolveip.net
Directionality : Incoming
TenantId :
OriginalClientIp : 208.65.144.247
The STOREDRIVER DELIVER event is what you want to see since it indicates the email was successfully delivered to the mailbox. However, troubleshooting doesn’t always stop here. The user you’re working with may still report they don’t see the email. Here are message tracking results for one such instance:
RunspaceId : 7d217b2d-754d-45a1-90fa-fa52b0dcb4b4
Timestamp : 6/24/2015 2:12:44 PM
ClientIp :
ClientHostname : eip-mbox-01.eip.local
ServerIp :
ServerHostname : eip-mbox-02
SourceContext : 08D25B37C05C85F8;2015-06-24T18:12:44.116Z;ClientSubmitTime:
ConnectorId :
Source : STOREDRIVER
EventId : DELIVER
InternalMessageId : 31026843747327
MessageId : <CAEsQqsqPy_RAoTL9vU+fML6bQQLrhA+-XmGwW0v=6gZFQAy-UA@mail.gmail.com>
Recipients : {anonymous@evolveip.net}
RecipientStatus : {Resumes}
TotalBytes : 141464
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : resume
Sender : anonymous@gmail.com
ReturnPath : anonymous@gmail.com
Directionality : Incoming
TenantId :
OriginalClientIp : 208.65.144.247
Here the DELIVER EventId shows the email was delivered to the mailbox; however, the RecipientStatus of {Resumes} shows the message was forwarded to the ‘Resumes’ folder through an Outlook rule. In this case the user was looking for the email in his/her Inbox.
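The check described above can be scripted so that each message in a tracking result is reduced to one line: delivered, delivered to a named folder, or never delivered. This is an added example, not part of the original article; Get-DeliverySummary and New-SampleEvent are hypothetical names, and the sample records are constructed from the two results shown above plus one invented message that has no DELIVER event.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 or later.
function Get-DeliverySummary {
    param([object[]]$Events)

    foreach ($group in ($Events | Group-Object -Property MessageId)) {
        $sorted  = @($group.Group | Sort-Object -Property Timestamp)
        $deliver = @($sorted | Where-Object {
            $_.Source -eq 'STOREDRIVER' -and $_.EventId -eq 'DELIVER'
        })

        if ($deliver.Count -eq 0) {
            # No STOREDRIVER DELIVER event: show how far the message got.
            $last   = $sorted[-1]
            $result = "Not delivered (last event: $($last.Source) $($last.EventId))"
        }
        else {
            $last   = $deliver[-1]
            # A non-empty RecipientStatus on DELIVER names the target folder,
            # as with {Resumes} above; empty means no folder is recorded.
            $folder = @($last.RecipientStatus | Where-Object { $_ })
            if ($folder.Count -gt 0) {
                $result = "Delivered to folder: $($folder -join ', ')"
            }
            else {
                $result = 'Delivered'
            }
        }

        New-Object PSObject -Property @{
            MessageId = $group.Name; Timestamp = $last.Timestamp; Result = $result
        } | Select-Object Timestamp, Result, MessageId
    }
}

# Hypothetical helper that builds a constructed record with only the fields used.
function New-SampleEvent($Time, $Source, $EventId, $MessageId, $Status) {
    New-Object PSObject -Property @{
        Timestamp = [datetime]$Time; Source = $Source; EventId = $EventId
        MessageId = $MessageId; RecipientStatus = $Status
    }
}

# Constructed sample: the two results above plus an invented message with no DELIVER.
$sample = @(
    New-SampleEvent '6/29/2015 9:24:19 AM' STOREDRIVER DELIVER '<fe6202a2202c4b42b461e62b053dc25c@eip-mbox-01.eip.local>' @()
    New-SampleEvent '6/24/2015 2:12:44 PM' STOREDRIVER DELIVER '<CAEsQqsqPy_RAoTL9vU+fML6bQQLrhA+-XmGwW0v=6gZFQAy-UA@mail.gmail.com>' @('Resumes')
    New-SampleEvent '6/30/2015 8:00:00 AM' SMTP RECEIVE '<constructed@example.com>' @()
)
Get-DeliverySummary -Events $sample | Format-List
```

Against a live server, pass the output of the Get-MessageTrackingLog command shown earlier as the -Events argument instead of $sample.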
From a troubleshooting perspective, the only difference for internal inbound email is the DNS server used by the sender. For internal email, depending on how DNS is configured, the sender may be using an internal DNS server instead of an external DNS server. In this case, the email will be delivered to whatever the MX record is for the domain according to the internal DNS server. To find this value, log in to the Exchange server being used and run nslookup without specifying a DNS server.