Francisco asks:
I am investigating to see if there is a way you can see which transport rules are applying to a certain message. The delivery report does not show it and I have not found any cmdlet that helps nor TechNet information about it. I think it might be important in certain circumstances to know it. Do you have any idea how to do this?
I can think of a few cases where this might be useful. For example, if a transport rule modifies a message property, or rejects a message, or causes a message to go to junk, then it would be useful to quickly find which rule or rules were applied to the message. For customers with just a few transport rules, there’s no real challenge here. But if your organization has hundreds of transport rules, then it gets a bit harder.
Fortunately, we can see which transport rules were applied to a message by using message tracking logs. Here’s a very basic example. In this scenario, Alan has sent an email to Alannah.
When it arrives in Alannah’s mailbox, the subject line has been (rather clumsily) modified.
So, what can the message tracking logs tell us? First, I collect the message tracking log entries for the unique message ID. If you’re not sure how to do that step, I recommend reading my series on searching message tracking logs with PowerShell. Here’s the command I ran, if you’re curious.
[PS] C:\>$logs = Get-TransportServer | Get-MessageTrackingLog -MessageId "<a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>" -Start (Get-Date).AddDays(-1) -ResultSize Unlimited
Next, I sort the events by time stamp, and look at the EventId, Source, and MessageSubject fields (because we already know the message subject was modified).
[PS] C:\>$logs | Sort timestamp | Select eventid,source,messagesubject

EventId    Source      MessageSubject
-------    ------      --------------
RECEIVE    STOREDRIVER This is an email from Alan
HARECEIVE  SMTP        This is an email from Alan
HAREDIRECT SMTP        This is an email from Alan
RECEIVE    SMTP        This is an email from Alan
SUBMIT     STOREDRIVER This is an email from Alan
AGENTINFO  AGENT       Very Important MessageThis is an email from Alan
DELIVER    STOREDRIVER Very Important MessageThis is an email from Alan
SEND       SMTP        Very Important MessageThis is an email from Alan
HADISCARD  SMTP        This is an email from Alan

We can clearly see that the AGENTINFO event is where the message subject was modified. So, let’s take a closer look at that message tracking log entry.
[PS] C:\>$logs | where {$_.eventid -eq "AGENTINFO"} | fl

RunspaceId              : 328245b3-31a5-4c0c-ac83-4f225b3c7be7
Timestamp               : 2/1/2016 8:45:50 PM
ClientIp                :
ClientHostname          : EX2016SRV1
ServerIp                :
ServerHostname          :
SourceContext           : CatContentConversion
ConnectorId             :
Source                  : AGENT
EventId                 : AGENTINFO
InternalMessageId       : 9680856285253
MessageId               : <a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>
Recipients              : {Alannah.Shaw@exchangeserverpro.net}
RecipientStatus         : {}
TotalBytes              : 7755
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Very Important MessageThis is an email from Alan
Sender                  : Alan.Reid@exchangeserverpro.net
ReturnPath              : Alan.Reid@exchangeserverpro.net
Directionality          : Originating
TenantId                :
OriginalClientIp        : 192.168.0.110
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               : {[AMA, SUM|v=0|action=|error=|atch=0],
                          [AMA, EV|engine=M|v=0|sig=1.213.5104.0|name=|file=],
                          [AMA, DT|ST=14|PT=0|TT=21.2478],
                          [TRA, ETRI|MsgType=Undefined|Ex=|IsKnown=],
                          [TRA, ETR|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|st=2/1/2016 10:42:04 AM|action=PrependSubject|sev=1|mode=Enforce],
                          [TRA, ETRP|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|ExecW=38|ExecC=31],
                          [CompCost, |AMA=0|ETR=0],
                          [DeliveryPriority, Normal],
                          [AccountForest, exchangeserverpro.net]}
In the EventData field there are some interesting clues: an “action=PrependSubject” and a “ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a”. So which transport rule has that ID?
[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a

Name                 State   Mode    Priority Comments
----                 -----   ----    -------- --------
From Alan to Alannah Enabled Enforce 0        ...
Super simple. We can see more about that rule as well.
[PS] C:\>Get-TransportRule -Identity 1f56ba43-1cb9-4293-b24d-5e263a75fc8a | select description | fl

Description : If the message:
              Is sent to 'Alannah.Shaw@exchangeserverpro.net'
              and Is received from 'Alan.Reid@exchangeserverpro.net'
              Take the following actions:
              Prepend the subject with 'Very Important Message'
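The manual lookup above, scripted for messages that hit more than one rule: this added example (not part of the original article) turns the ETR entries in EventData into one object per rule hit. The function name Get-TransportRuleHit and the sample object are made up for illustration, and the code assumes each EventData entry casts to the bracketed string form shown in the output above.

```powershell
# Added example, not from the original article.
function Get-TransportRuleHit {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $LogEntry
    )
    process {
        foreach ($item in $LogEntry.EventData) {
            # Assumption: each entry casts to the string form shown in the
            # output above, e.g. "[TRA, ETR|ruleId=...|action=...|mode=...]".
            $text = [string]$item

            # "ETR\|" skips the related ETRI and ETRP entries.
            if ($text -notmatch '^\[TRA, ETR\|(?<fields>.+)\]$') { continue }

            # Break the pipe-separated key=value pairs into a lookup table.
            $fields = @{}
            foreach ($pair in ($Matches['fields'] -split '\|')) {
                $key, $value = $pair -split '=', 2
                $fields[$key] = $value
            }

            [pscustomobject]@{
                Timestamp = $LogEntry.Timestamp
                MessageId = $LogEntry.MessageId
                RuleId    = $fields['ruleId']
                Action    = $fields['action']
                Mode      = $fields['mode']
            }
        }
    }
}

# Constructed sample built from the AGENTINFO entry above; runs without Exchange.
$sample = [pscustomobject]@{
    Timestamp = '2/1/2016 8:45:50 PM'
    MessageId = '<a10d8434b47f4caea4afb3c9bc41b861@EX2013SRV1.exchangeserverpro.net>'
    EventData = @(
        '[TRA, ETRI|MsgType=Undefined|Ex=|IsKnown=]',
        '[TRA, ETR|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|st=2/1/2016 10:42:04 AM|action=PrependSubject|sev=1|mode=Enforce]',
        '[TRA, ETRP|ruleId=1f56ba43-1cb9-4293-b24d-5e263a75fc8a|ExecW=38|ExecC=31]'
    )
}
$sample | Get-TransportRuleHit

# Against live logs in the Exchange Management Shell:
# $logs | where {$_.EventId -eq 'AGENTINFO'} | Get-TransportRuleHit |
#     select *, @{n='RuleName'; e={(Get-TransportRule -Identity $_.RuleId).Name}}
```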
So, that’s one way to find a rule by using message tracking logs to determine which rule ID was applied to the message. Another way we could have approached this is to search the transport rules for those that match a criterion. In this case that criterion would be the action of “Prepend the subject”, or to make it easier, just the word “prepend”.
[PS] C:\>Get-TransportRule -Filter "Description -like '*prepend*'" | select name,description | fl

Name        : From Alan to Alannah
Description : If the message:
              Is sent to 'Alannah.Shaw@exchangeserverpro.net'
              and Is received from 'Alan.Reid@exchangeserverpro.net'
              Take the following actions:
              Prepend the subject with 'Very Important Message'

Obviously there are many more filters you could apply, such as "Description -like '*reject*'" or "Description -like '*alan.reid*'".
As you can see, there are a few different ways that you can look for which transport rule (or rules) has been applied to an email message.
This article How to Tell Which Transport Rule Was Applied to an Email Message is © 2016 ExchangeServerPro.com