Use this screen to track email messages that passed through Trend Micro Email Security, whether they were blocked or delivered. Trend Micro Email Security retains up to 90 days of mail tracking logs. A single mail tracking search covers a sliding window of 60 continuous days, which may cross calendar months.
Note
The sliding window for mail tracking log search is 30 days in the Trend Micro Email Security Standard license.
For details about different license versions, see Available License Versions.
The Mail Tracking screen provides the following search criteria:
  • Period: The time range for your query.
    • Last 1 hour
    • Last 24 hours
    • Last 7 days
    • Last 14 days
    • Last 30 days
    • Custom range
  • Direction: The direction of messages.
    • Incoming
    • Outgoing
  • Recipient: The envelope recipient address. Specify up to 10 email addresses.
  • Sender: The envelope sender address. Specify up to 10 email addresses.
  • Email Header (To): The recipient address in the message header. Specify up to 10 email addresses.
  • Email Header (From): The sender address in the message header. Specify up to 10 email addresses.
    Note
    Pay attention to the following when setting the preceding four address fields:
    • Specify an exact email address or use wildcards (*) to substitute any characters in a search. In the general format of an email address (local-part@domain), be aware that:
      • The local part must be a wildcard (*) or a character string that does not start with *, for example, *@example.com or test*@example.com.
      • The domain must be a wildcard (*) or a character string that does not end with *, for example, example@* or example@*.test.com.
      • If this field is left blank, *@* is used by default.
    • Use wildcards (*) strategically to expand or narrow your search results. For example, put a wildcard (*) in the domain part to search by a particular user account on all domains or in the local part to match all accounts on a particular domain.
  • Type: The type of email traffic that you want to query.
    • Accepted traffic: The messages that were allowed in by Trend Micro Email Security for further processing.
      If you select Accepted traffic as your search condition, a summary of email message traffic accepted by Trend Micro Email Security is displayed. For a message that has multiple recipients, the result will be organized as one recipient per entry.
    • Blocked traffic: The attempts to send messages that were stopped by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering.
      If you select Blocked traffic as your search condition, you can further select a block reason. See Blocked Message Details for details about the block reasons. A summary of email message traffic blocked by Trend Micro Email Security is displayed.
      Note
      Content-based filtering is not included in this category.
  • Action: The last action taken on the message.
    • All: All the actions will be matched for your search.
    • Bounced: Trend Micro Email Security bounced the message back to the sender because the message was rejected by the downstream MTA.
    • Temporary delivery error: Trend Micro Email Security attempted to deliver the message to the downstream MTA but failed due to unexpected errors. This is a transient state of the message, and a message should not remain in this state for an extended period of time.
    • Deleted: Trend Micro Email Security deleted the entire email message according to the matched policy.
    • Delivered: Trend Micro Email Security delivered the message to the downstream MTA.
    • Expired: Trend Micro Email Security bounced the message back to the sender because the message had not been delivered successfully for a long time.
    • Quarantined: Trend Micro Email Security held the message in quarantine awaiting actions because the message triggered a certain policy rule. Quarantined messages can be reviewed and manually deleted or delivered.
    • Redirected: Trend Micro Email Security redirected the message to a different recipient according to the matched policy.
    • Submitted to sandbox: Trend Micro Email Security submitted the message to Virtual Analyzer for further analysis. This is a transient state of the message, and the state will change once the Virtual Analyzer analysis result is returned or Virtual Analyzer scan exception is triggered.
    • Password analyzing: Trend Micro Email Security submitted the message to Password Analyzer for password analysis. This is a transient state of the message, and the state will change once the Password Analyzer returns a result.
  • Subject: The email message subject.
    The Subject field supports the following:
    • Fuzzy match
      Type one or multiple keywords for a fuzzy match. If you type more than one keyword, all keywords will be matched based on a logical AND, which means the matched subject must contain every keyword. Wildcards (*) will be automatically added before and after each keyword for a fuzzy match.
    • Exact keyword or phrase match
      Enclose a keyword or phrase in quotes for an exact match. Only records that contain the exact keyword or phrase will be matched.
    For example, there are three email subjects:
    • Subject1: Hello world
    • Subject2: Hello new world
    • Subject3: "Hello"
    If you type Hello world in the Subject field, this is a fuzzy match, and Subject1 and Subject2 will be matched (both contain the keywords Hello and world). If you type "Hello world", this is an exact match using quotes, and only Subject1 will be matched. To search for Subject3, note that the quote characters are part of the subject itself, so they must not be interpreted as exact-match delimiters. In this case, escape them with backslashes (\) and type \"Hello\" in the Subject field.
  • Message ID: The unique ID of an email message.
  • Sender IP: The IP address of the host where the message was sent from.
  • Delivered To: The IP address of the host where the message was delivered to.
    Note
    Type an IPv4 address or an IPv4 address prefix for the preceding two IP address fields.
  • Upstream TLS: The version of the TLS protocol used by the upstream server to connect to Trend Micro Email Security.
    • All
    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    • TLS 1.3
    • None
  • Downstream TLS: The version of the TLS protocol used by Trend Micro Email Security to connect to the downstream server.
    • All
    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    • TLS 1.3
    • None
  • Downstream DANE: Whether DANE authentication is applied to TLS connections between Trend Micro Email Security and the downstream server.
    • All
    • Yes
    • No
    Note
    This field appears only when you set Direction to Outgoing and Type to Accepted traffic.
  • Timestamp: The time a message was received.
    Choose the ascending or descending order of time to sort the search results.
  • Messages with attachments only: Query only messages that contain attachments.
    When this option is selected, you can further specify the following criteria:
    • Attachment SHA256 Hash: The SHA256 hash value of a message attachment. Specify a SHA256 hash value consisting of 64 hexadecimal characters or leave it blank.
    • Attachment Filename: The filename of the attachment. You can use wildcards (*) to represent any characters in the filename.
    • Attachment Status: The status of the attachment after it was processed by Trend Micro Email Security.
      • All: The attachment was in any status. This is the default option.
      • Deleted: The attachment was deleted.
      • Cleaned: The attachment was cleaned for malware.
      • Bypassed: The attachment was bypassed.
      • Sanitized: The attachment was sanitized.
    • Attachment Password Analysis: Whether the attachment was subjected to password analysis and decrypted successfully.
      • Not analyzed: The attachment was not subjected to password analysis because it was not password-protected, its file type was not supported, or File Password Analysis was not enabled.
      • Analyzed: The attachment was subjected to password analysis.
        • Decrypted: The attachment was decrypted.
        • Not decrypted: The attachment could not be decrypted.
  • Messages with end user feedback: Query messages that were reported by end users as spam, phishing, or not a risk through the Email Reporting add-in.
    Note
    • This field appears only when you set Direction to Incoming and Type to Accepted traffic.
    • This feature is not available at the Japan site.
    When this option is selected, you can further specify Reported Risk, namely All, Spam, Phishing, or Not a Risk.
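The address wildcard rules for the Recipient, Sender, Email Header (To) and Email Header (From) fields, and the Subject fuzzy/exact matching semantics, are shown below as an added Python example written for this page. It is illustration code, not Trend Micro's own search implementation. It assumes case-insensitive comparison and that a wildcard never spans the @ character (the page does not specify either), and it runs against constructed sample records whose field names (sender, recipient, subject) are the example's own.

```python
import re

# Constructed sample mail tracking records (not real data) used to exercise the filter.
SAMPLE_RECORDS = [
    {"id": 1, "sender": "alice@example.com",  "recipient": "bob@corp.test",     "subject": "Hello world"},
    {"id": 2, "sender": "alice@example.org",  "recipient": "bob@corp.test",     "subject": "Hello new world"},
    {"id": 3, "sender": "news@mailer.test",   "recipient": "carol@corp.test",   "subject": '"Hello"'},
    {"id": 4, "sender": "test01@example.com", "recipient": "bob@sub.corp.test", "subject": "Invoice attached"},
]


def validate_address_pattern(pattern):
    """Enforce the address-field rules from the page.

    A blank field means '*@*'.  The local part must be exactly '*' or a string
    that does not start with '*'; the domain must be exactly '*' or a string
    that does not end with '*'.  Returns the normalised pattern or raises.
    """
    if pattern == "":
        pattern = "*@*"
    if pattern.count("@") != 1:
        raise ValueError(f"pattern must contain exactly one '@': {pattern!r}")
    local, domain = pattern.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {pattern!r}")
    if local != "*" and local.startswith("*"):
        raise ValueError(f"local part may only start with '*' if it is exactly '*': {pattern!r}")
    if domain != "*" and domain.endswith("*"):
        raise ValueError(f"domain may only end with '*' if it is exactly '*': {pattern!r}")
    return pattern


def _wildcard_regex(fragment):
    # '*' substitutes any run of characters; everything else is matched literally.
    return re.compile("^" + ".*".join(re.escape(p) for p in fragment.split("*")) + "$",
                      re.IGNORECASE)


def address_matches(pattern, address):
    """True if `address` matches the wildcard `pattern` (blank pattern = '*@*').

    Local part and domain are matched separately, so a '*' never spans the '@'.
    Case-insensitive comparison is an assumption; the page does not specify it.
    """
    pattern = validate_address_pattern(pattern)
    pat_local, pat_domain = pattern.split("@")
    if address.count("@") != 1:
        return False
    addr_local, addr_domain = address.split("@")
    return (_wildcard_regex(pat_local).match(addr_local) is not None
            and _wildcard_regex(pat_domain).match(addr_domain) is not None)


def parse_subject_query(query):
    """Classify a Subject query as ('exact', phrase) or ('fuzzy', [keywords]).

    Surrounding double quotes request an exact phrase.  A backslash escapes a
    literal double quote, so the query \\"Hello\\" searches for the text "Hello"
    including its quote characters instead of treating them as delimiters.
    """
    q = query.strip()
    if len(q) >= 2 and q.startswith('"') and q.endswith('"') and not q.endswith('\\"'):
        return "exact", q[1:-1].replace('\\"', '"')
    keywords = [k.replace('\\"', '"') for k in q.split()]
    return "fuzzy", keywords


def subject_matches(query, subject):
    """Apply the page's Subject semantics; a blank query matches every subject."""
    if query.strip() == "":
        return True
    mode, value = parse_subject_query(query)
    haystack = subject.lower()
    if mode == "exact":
        return value.lower() in haystack
    # Fuzzy: an implicit '*' around every keyword, keywords combined with logical AND.
    return all(k.lower() in haystack for k in value)


def search(records, sender="", recipient="", subject=""):
    """Return the ids of records satisfying every supplied criterion (blank = any)."""
    return [r["id"] for r in records
            if address_matches(sender, r["sender"])
            and address_matches(recipient, r["recipient"])
            and subject_matches(subject, r["subject"])]


if __name__ == "__main__":
    print(search(SAMPLE_RECORDS, subject="Hello world"))       # [1, 2]
    print(search(SAMPLE_RECORDS, subject='"Hello world"'))     # [1]
    print(search(SAMPLE_RECORDS, subject='\\"Hello\\"'))       # [3]
    print(search(SAMPLE_RECORDS, sender="alice@*"))            # [1, 2]
    print(search(SAMPLE_RECORDS, recipient="*@corp.test"))     # [1, 2, 3]
    print(search(SAMPLE_RECORDS, recipient="*@*.corp.test"))   # [4]
```

Note that `*@corp.test` does not match `bob@sub.corp.test`: the wildcard replaces the local part only, and the domain is compared literally, so subdomains need an explicit `*.corp.test` pattern. The validator also rejects patterns such as `*alice@example.com` or `bob@corp.*`, which the page's rules do not allow.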
When you query mail tracking information, use the various criteria fields to restrict your searches. After a query is performed, Trend Micro Email Security provides a list of log records that satisfy the criteria. Select one or more records and click Export Selected to export them to a CSV file. Click Export All to export all the queried log records if needed. If the number of log records to export is large, the export task may take some time to complete; go to Logs > Log Export Query to check the export status. You can export up to 50,000 log records at a time, and Export All can be used at most 5 times per day, counted in the UTC+00:00 time zone.
The most efficient way to query mail tracking information is to provide both sender and recipient email addresses within a time range that you want to search. For an email message that has multiple recipients, the result will be organized as one recipient per entry.
If the message you are tracking cannot be located using this strategy, consider the following:
  • Expand the result set by omitting the recipient.
    If the sender was blocked by connection-based filtering, the corresponding Blocked traffic records may not carry the recipient you expect, so a query that includes the recipient will miss them. Provide only the sender and time range for a larger result set.
  • Look for other intended recipients of the same message.
    If the sender IP address has a bad reputation, mail tracking information will only be kept for the first recipient in a list of recipients. Therefore, the remaining message recipient addresses will not be listed when querying this sender.
  • Expand the result set by omitting the sender.
    If the sender IP address has a bad reputation, omit the sender and provide only the recipient. If only the recipient email address is provided, all the messages that pertain to the recipient will be listed.