3 ways to find Email Header Information in Office 365

Problem Statement

Email message headers can be a valuable source of information when troubleshooting email delivery issues. For instance, I encountered a situation where emails sent by a partner company were marked as spam, while others were redirected to an internal email address. Analyzing the email message headers can help investigate these issues.

I investigated the issue by performing a message trace from the Exchange admin center. If you are an Exchange administrator or Global Administrator, you can perform a message trace by following the steps below:

To narrow your search, specify the sender and recipient email addresses or domain names. Select a time range, delivery status, and direction details, and click on Search. This will display the data on the dashboard, and you can click on each email to access more detailed information about the mail flow.

For instance, clicking on an email with the status FilteredAsSpam may provide further information, such as “The message was delivered to the Junk Email folder.” However, you cannot view message header information from this interface, which is needed for further analysis. Let’s explore how to access email header information.

Message Trace results on Exchange online admin center

Option 1: Retrieve Email Message Headers via Microsoft 365 Defender Portal

What if the recipient cannot send you the email as an attachment, so that route to the email header information is not available? In such cases, you can still view the email header information directly from the Microsoft 365 Defender portal.

To view email message header information, please follow these steps:

  1. Sign in to the Microsoft 365 Defender portal (https://security.microsoft.com).
  2. Go to Email & Collaboration > Explorer.
  3. Clicking Explorer opens the Threat Explorer page.
  4. Search for the email using the filters.

Please note that you will not see the “Explorer” option if you have a Microsoft Defender for Office 365 Plan 1 license. In that case, you will see the “Real-time detections” option instead. The differences between Microsoft Defender for Office 365 Plan 1 and Plan 2 are described in Microsoft's documentation.

Missing Explorer Option
  5. Click on the email for more details, then select View header.
  6. Under the Plain-text email header tab, click “Copy message header” to copy the email message header information for further investigation.

Option 2 – Retrieve Email Message Headers via Outlook Web Client (OWA)

You can obtain the email message header information if you have a copy of the email (saved, or sent to you as an attachment) or if you have access to the Outlook Web client where the email was delivered. Follow these steps to retrieve email header information from the Outlook Web Access client:

  • Sign in to Outlook on the web client (https://Outlook.office365.com/owa)
  • Find the email for which you need the email header information.
  • Right-click on the email and click on View > View message details.
  • You’ll find “Message details,” which contains the email message header information. Copy all the text from Message details for further investigation and analysis.

Option 3 – Retrieve Email Message Headers via Outlook Desktop Client

Please follow these steps to retrieve email header information from the Outlook Desktop client:

  1. Open the Outlook Desktop client.
  2. Search for the email for which you need the header.
  3. Double-click on the email to open it.
  4. Once the email is open, go to File > Properties.
  5. Look for “Internet headers” and copy all the text from this textbox to a notepad. This contains the email header information for that email.
  6. You can now use this email header information for further investigation and analysis to gather more details about the email flow.

How to analyze Email Headers?

We have obtained the email header information, but it may be challenging to interpret the raw internet header data. You can utilize various email header analysis tools to analyze email headers effectively. Here are some options:

1. Use Microsoft Message header analyzer

You can paste the email header into Microsoft Message Header Analyzer and click “Analyze headers” to assess the email header information.


2. Use MXtoolbox Email Header Analyzer

You can also paste the email header into MXToolbox Email Header Analyzer and click “Analyze header” to evaluate the email header information.

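To show what these analyzers pull out of a raw header, here is an added example (not part of the original post or of either tool) that parses a copied header with Python's standard library and extracts the authentication results, the Exchange Online anti-spam verdict, and the hop-by-hop delays. The sample header is constructed with placeholder hosts and documentation IP ranges; Authentication-Results and X-Forefront-Antispam-Report are the headers Exchange Online stamps on inbound mail.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (placeholder hosts, documentation IP ranges), shaped like
# the text copied from "View header" or the "Internet headers" box.
SAMPLE = """\
Received: from BN8PR01MB0001.example.outlook.com (2001:db8::1) by
 DM6PR01MB0002.example.outlook.com with HTTPS; Tue, 5 Mar 2024 10:15:09 +0000
Received: from mail.partner.example (203.0.113.25) by
 BN8NAM01FT001.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP
 Server; Tue, 5 Mar 2024 10:15:07 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=partner.example; dkim=none (message not signed)
 header.d=none; dmarc=fail action=quarantine header.from=partner.example;
 compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;CAT:SPM;DIR:INB;
From: Billing <billing@partner.example>
Subject: Invoice 1042

"""

# A few spam filter verdict (SFV) codes from Microsoft's anti-spam header docs.
SFV = {"NSPM": "not spam", "SPM": "spam", "SFE": "user's Safe Senders list",
       "BLK": "user's Blocked Senders list", "SKS": "marked spam by a mail flow rule"}

def unfold(value):  # join a folded (multi-line) header value into one line
    return re.sub(r"\s*\r?\n\s+", " ", value or "").strip()

def analyze(raw):
    msg = message_from_string(raw)
    auth = unfold(msg.get("Authentication-Results"))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", auth))
    report = unfold(msg.get("X-Forefront-Antispam-Report"))
    spam = dict(p.strip().split(":", 1) for p in report.split(";") if ":" in p)
    hops = []
    # Received headers are prepended by each server, so reverse for oldest first.
    for line in reversed(msg.get_all("Received", [])):
        m = re.match(r"from (\S+).*? by (\S+).*;\s*(.+)$", unfold(line))
        if m:
            hops.append((m.group(1), m.group(2), parsedate_to_datetime(m.group(3))))
    delays = [(b[2] - a[2]).total_seconds() for a, b in zip(hops, hops[1:])]
    return {"auth": verdicts, "spam": spam, "hops": hops, "delays": delays,
            "verdict": SFV.get(spam.get("SFV"), "other/unknown")}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, SPF and DMARC both fail and the filter verdict is SFV:SPM with SCL 5, which is the combination behind a FilteredAsSpam trace result and delivery to the Junk Email folder.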

Conclusion

In this blog post, we’ve explored various methods for obtaining email header information, which is crucial for analyzing email delivery issues. When dealing with email-related problems and opening a support ticket with Microsoft, you might be required to provide this information. Therefore, knowing how to retrieve it from the user and the Microsoft 365 Defender portal is essential.

Remember that if your users are assigned Microsoft Defender for Office 365 Plan 1 licenses, you won’t be able to obtain email header information from the Microsoft 365 Defender portal. In such cases, you’ll need either the email sent as an attachment or access to Outlook for the web or the Outlook desktop client where the email was delivered.
