A lot of the comments and questions I receive here relate to situations where an admin is trying to locate missing emails and needs some advice on where to look. Hunting for missing emails is a task that many Exchange admins are asked to do on a regular basis. In most of the operations roles I’ve held during my career I would deal with at least one of these cases every day.
In this series of articles I’ll provide you with information and troubleshooting tips that will make the task of finding missing emails much simpler.
Understanding your Scenario
There is no single approach to locating missing emails in an Exchange Server environment, because most cases are different in some way. For example, is the email missing because it was sent from Person A to Person B but never arrived? Or is it missing because Person B received it but now can’t find it? Each of those scenarios is the same from an end user impact perspective – Person B doesn’t have the email message they need – but they are different from a troubleshooting perspective. One is a potential email delivery problem, the other is a potential data recovery scenario. And each one has a wide variety of possible root causes.
So the first step for you will be to clearly define the scope of the problem. It’s rare to receive a support ticket from your help desk team, or a report from end users, that contains 100% of the information you need. So there may be some questions you need to ask, such as:
- Who sent the email?
- Do they work for the same company or are they an external sender?
- When was it sent?
- Who did they send it to?
- Did anyone else receive the email?
- Have you been able to receive emails from that person before?
- Are others around you still receiving emails?
- Are you still receiving emails from other people, or are you receiving no emails at all?
- Is this problem specific to one device, or are you not receiving emails anywhere (e.g. Outlook, OWA, mobile)?
- Did the sender receive any error message or non-delivery report? (Not an easy one to answer if the sender is an external party)
- If you had received the email and it has now disappeared, when did you notice it was gone? When was the last time you remember seeing it?
- Does anyone else have access to your mailbox or account details (e.g. a delegate or assistant)?
If the person who reported the problem is available to speak to then they will usually be able to answer at least some of the questions above. If they can’t answer them all (e.g. they’re unsure about the time the email was sent) then you’ll just need to broaden your search to account for different possibilities. But I usually find that enough information comes out of a short conversation to add much needed clarity to the situation.
Basic Elimination
Depending on the answers you get for the questions you ask you should go through a short process of elimination to rule out anything that the end user wasn’t able to confidently answer. For example, send them a test email from your own computer with a delivery receipt enabled, and make sure it is received in their Outlook as well as their mobile device. With that one simple test you’ve ruled out multiple possible causes of the problem.
By the way, the delivery receipt when you are testing internal emails is important. For one thing, it means you can do the test without the other person being available to confirm delivery. It also means that you’ll know that the email was delivered successfully even if the end user claims it wasn’t (e.g. they have an inbox rule or some other issue preventing it from appearing in their Outlook or mobile device).
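One way to confirm the result of that test from the server side, as an added example that is not from the original article: it searches the message tracking logs for the test message and, if it was delivered, lists the recipient's enabled inbox rules. It assumes Exchange 2013 or later (for Get-TransportService); the addresses and subject are placeholders.

```powershell
# Added example for the Exchange Management Shell (Exchange 2013 or later).
# The addresses and subject are hypothetical; use the values from your own test.
$Sender    = 'admin@example.com'
$Recipient = 'person.b@example.com'
$Subject   = 'Mail flow test 01'
$Since     = (Get-Date).AddHours(-1)

# Query every transport server so a message handled by another server is not missed.
$events = @(Get-TransportService |
    Get-MessageTrackingLog -Sender $Sender -Recipients $Recipient `
        -MessageSubject $Subject -Start $Since -ResultSize Unlimited |
    Sort-Object Timestamp)

$events | Format-Table Timestamp, EventId, Source, ServerHostname, RecipientStatus -AutoSize

$delivered = @($events | Where-Object { $_.EventId -eq 'DELIVER' })
$failed    = @($events | Where-Object { $_.EventId -eq 'FAIL' })

if ($delivered.Count -gt 0) {
    # Transport handed the message to the mailbox. If the user still cannot
    # see it, look at what happens after delivery, starting with inbox rules.
    Write-Host "Delivered to the mailbox at $($delivered[-1].Timestamp)."
    Get-InboxRule -Mailbox $Recipient |
        Where-Object { $_.Enabled } |
        Sort-Object Priority |
        Format-List Name, Priority, Description
}
elseif ($failed.Count -gt 0) {
    # Exchange accepted the message but could not deliver it.
    Write-Host 'Delivery failed inside Exchange:'
    $failed | Format-List Timestamp, Source, RecipientStatus
}
elseif ($events.Count -gt 0) {
    Write-Host 'Message is logged but has no DELIVER or FAIL event yet; check the queues (Get-Queue).'
}
else {
    Write-Host 'No tracking events found; the message never reached transport on these servers.'
}
```

A DELIVER event is still logged when an inbox rule later moves or deletes the message, which is why the rule listing follows it.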
The more you can rule out quickly the easier your troubleshooting will be. However, don’t assume that anything you’ve ruled out in the initial part of the investigation should be completely ignored. At this stage you’re only trying to identify the best place to start looking. You may need to come back later to things that you ruled out and investigate those as well.
You should also consider what has changed (perhaps by you or your team) recently that may have contributed to the problem. Often we can make changes to the environment which take several days to emerge as a user-impacting problem, so make sure you consider all recent changes, not just those that occurred in the last day or so.
Understanding the Environment
To troubleshoot email delivery you need to have an understanding of the environment you’re working in and what the mail flow path should look like for the scenario you’re dealing with. Having a Transport diagram of your environment printed out on your desk or easily accessible on your computer is a good start. It should include notations for all devices or services that could impact connectivity along the way, such as firewalls, load balancers, security appliances, external smart hosts, and so on. Not only will this guide your troubleshooting but it will also highlight whether any other support teams may need to be involved in the case.
If you’re dealing with a new customer and you don’t have a diagram like that already then spend a few minutes at the start of the call finding out what’s involved in their mail flow and sketch yourself a quick diagram. It might sound a bit basic but I do recommend it. My notebooks are full of drawings like that from previous support cases.
An Example
Let’s take a look at a simple scenario of an external sender emailing a person in the organization. This organization is very simple, with just a single Exchange server receiving email directly from the internet via the firewall.
In the simple scenario above a missing email case could be:
- A delivery problem with emails from one or more external senders, which could be caused by a wide variety of problems with DNS, firewalls, internet routing, spam filters, block lists, and more.
- An internal delivery problem within Exchange itself, which again has many possible root causes.
- An email that has been moved or deleted from the user’s mailbox, which needs to be found or recovered from backup, and may also involve an investigation into when and how it was removed, and who removed it.
So even though it is a very simple scenario, there are many possibilities for what has caused the email to go missing.
Over a series of upcoming articles I’ll explore a variety of troubleshooting scenarios and some tips that will help you with your investigations into any case of missing emails.
I communicate via protonmail with another protonmail user. We usually have no problem sending and receiving each other's emails. However, I recently sent this person two emails with a sensitive legal attachment. These emails never arrived at the recipient. They simply disappeared. Later in the day, I sent a test email to them. That went through fine. Is it possible someone intercepted or hacked my emails with the legal attachment?
We have two Exchange 2013 mail servers in a DAG. During an upgrade to CU23 for security issues, after a few days we discovered that some external e-mails did not arrive at the recipients. The question is why some external e-mails are arriving fine and others are not.
Hi Paul.
I trust you are well.
One of my clients has all his sent email from the Sent Items folder disappearing every 2nd month. This happens on both his Outlook client, as well as the Exchange Server.
I searched for his sent items on OWA, and there’s nothing there.
Setting for his sent items is set correctly to Save copies of messages in the sent items folder and Save Forwarded messages.
How can I find or trace where the sent emails disappeared to? Please help.
Thanks.
Maxwell.
Hi Paul,
I may not be an expert in the systems like you are, but I have a question for you, please. My company received an email from a customer that my employee saw, but later we could not see that email, as if it had disappeared, and we cannot find it in the deleted emails or in the server log. The customer resent an email with the forwarded email attached for confirmation.
Is there any scenario in which this may happen, even a rare one? The future of an employee depends on your answer.
I answered your question here:
https://www.practical365.com/tracking-mailbox-owner-deletes-using-mailbox-audit-logging/#comment-370522
Please don’t post the same question multiple times here.
This is exactly what I needed. Thank you so much man!
This is a useful article.
I’m waiting for the next articles.
Thanks for sharing with us.