This screen is designed for you to track email messages that passed through Trend Micro Email Security, including blocked or delivered messages. Trend Micro Email Security maintains up to 90 days of mail tracking logs. The sliding window for mail tracking log search is 60 continuous days that may cross calendar months.
The sliding window for mail tracking log search is 30 days in the Trend Micro Email Security Standard license.
For details about different license versions, see Available License Versions.
Period: The time range for your query.
Last 1 hour
Last 24 hours
Last 7 days
Last 14 days
Last 30 days
Direction: The direction of messages.
Recipient: The envelope recipient address. Specify up to 10 email addresses.
Sender: The envelope sender address. Specify up to 10 email addresses.
Email Header (To): The recipient address in the message header. Specify up to 10 email addresses.
Email Header (From): The sender address in the message header. Specify up to 10 email addresses.
Pay attention to the following when setting the preceding four address fields:
Specify an exact email address or use wildcards (*) to substitute any characters in a search. In the general format of an email address (local-part@domain), be aware that:
The local part must be a wildcard (*) or a character string that does not start with *, for example, *@example.com or email@example.com.
The domain must be a wildcard (*) or a character string that does not end with *, for example, example@* or example@*.test.com.
If this field is left blank, *@* is used by default.
Use wildcards (*) strategically to expand or narrow your search results. For example, put a wildcard (*) in the domain part to search by a particular user account on all domains or in the local part to match all accounts on a particular domain.
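The address-field rules above, written out as an added example (not Trend Micro code) that checks search patterns before you submit them and matches them against addresses in an exported log. The function names are hypothetical, and the case-insensitive comparison is an assumption the page does not state.

```python
import re

MAX_ADDRESSES = 10  # per-field limit stated on the page


def normalize_pattern(pattern: str) -> str:
    """Validate one address pattern; a blank field means *@*."""
    pattern = pattern.strip()
    if not pattern:
        return "*@*"
    if pattern.count("@") != 1:
        raise ValueError(f"expected local-part@domain: {pattern!r}")
    local, domain = pattern.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {pattern!r}")
    # Local part: a lone * or a string that does not start with *.
    if local != "*" and local.startswith("*"):
        raise ValueError(f"local part must not start with *: {pattern!r}")
    # Domain: a lone * or a string that does not end with *.
    if domain != "*" and domain.endswith("*"):
        raise ValueError(f"domain must not end with *: {pattern!r}")
    return pattern


def validate_field(patterns: list[str]) -> list[str]:
    """Validate one address field (Recipient, Sender, header To/From)."""
    if len(patterns) > MAX_ADDRESSES:
        raise ValueError(f"at most {MAX_ADDRESSES} addresses per field")
    return [normalize_pattern(p) for p in patterns] or ["*@*"]


def pattern_matches(pattern: str, address: str) -> bool:
    """Treat * as 'any characters'; everything else is literal."""
    parts = normalize_pattern(pattern).split("*")
    regex = ".*".join(re.escape(part) for part in parts)
    # Case-insensitive matching is an assumption of this sketch.
    return re.fullmatch(regex, address, re.IGNORECASE) is not None
```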
Type: The type of email traffic that you want to query.
Accepted traffic: The messages that were allowed in by Trend Micro Email Security for further processing.
If you select Accepted traffic as your search condition, a summary of email message traffic accepted by Trend Micro Email Security is displayed. For a message that has multiple recipients, the result will be organized as one recipient per entry.
Blocked traffic: The attempts to send messages that were stopped by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering.
If you select Blocked traffic as your search condition, you can further select a block reason. See Blocked Message Details for details about the block reasons. A summary of email message traffic blocked by Trend Micro Email Security is displayed.
Content-based filtering is not included in this category.
Action: The last action taken on the message.
All: All the actions will be matched for your search.
Bounced: Trend Micro Email Security bounced the message back to the sender because the message was rejected by the downstream MTA.
Temporary delivery error: Trend Micro Email Security attempted to deliver the message to the downstream MTA but failed due to unexpected errors. This is a transient state of the message, and a message should not remain in this state for an extended period of time.
Deleted: Trend Micro Email Security deleted the entire email message according to the matched policy.
Delivered: Trend Micro Email Security delivered the message to the downstream MTA.
Expired: Trend Micro Email Security bounced the message back to the sender because the message had not been delivered successfully for a long time.
Quarantined: Trend Micro Email Security held the message in quarantine awaiting actions because the message triggered a certain policy rule. Quarantined messages can be reviewed and manually deleted or delivered.
Redirected: Trend Micro Email Security redirected the message to a different recipient according to the matched policy.
Submitted to sandbox: Trend Micro Email Security submitted the message to Virtual Analyzer for further analysis. This is a transient state of the message, and the state will change once the Virtual Analyzer analysis result is returned or a Virtual Analyzer scan exception is triggered.
Password analyzing: Trend Micro Email Security submitted the message to Password Analyzer for password analysis. This is a transient state of the message, and the state will change once the Password Analyzer returns a result.
Subject: The email message subject.
The Subject field supports the following:
Type one or multiple keywords for a fuzzy match. If you type more than one keyword, all keywords will be matched based on a logical AND, which means the matched subject must contain every keyword. Wildcards (*) will be automatically added before and after each keyword for a fuzzy match.
Exact keyword or phrase match
Enclose a keyword or phrase in quotes for an exact match. Only records that contain the exact keyword or phrase will be matched.
For example, there are three email subjects:
Subject1: Hello world
Subject2: Hello new world
Subject3: "Hello"
If you type Hello world in the Subject field, this is a fuzzy match, and Subject1 and Subject2 will be matched. If you type "Hello world", this is an exact match using quotes, and only Subject1 will be matched. If you want to search for Subject3, be aware that quotes are contained by the subject itself. In this particular case, use backslashes (\) as the escape characters and type \"Hello\" for search.
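The Subject field semantics described above, modelled as an added example (not Trend Micro code) that you can run over subjects in an exported CSV to reproduce a console search offline. The function names are hypothetical, the third sample subject is constructed to represent a subject that itself contains quotes, and case-insensitive comparison is an assumption the page does not state.

```python
def parse_subject_query(query: str) -> list[tuple[str, str]]:
    """Split a Subject query into ("keyword", text) and ("phrase", text) terms."""
    terms, buf, in_quotes, i = [], [], False, 0

    def flush(kind: str) -> None:
        if buf:
            terms.append((kind, "".join(buf)))
            buf.clear()

    while i < len(query):
        ch = query[i]
        if ch == "\\" and query[i + 1:i + 2] == '"':
            buf.append('"')          # \" is a literal quote in the subject
            i += 2
            continue
        if ch == '"':                # unescaped quote opens or closes a phrase
            flush("phrase" if in_quotes else "keyword")
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            flush("keyword")         # whitespace separates fuzzy keywords
        else:
            buf.append(ch)
        i += 1
    flush("phrase" if in_quotes else "keyword")
    return terms


def subject_matches(query: str, subject: str) -> bool:
    """Every term must appear in the subject (logical AND).

    A keyword is wrapped in wildcards, so it matches as a substring; a quoted
    phrase must appear contiguously. Case-insensitivity is an assumption.
    """
    haystack = subject.casefold()
    return all(text.casefold() in haystack
               for _, text in parse_subject_query(query))


# Sample subjects: the first two are the page's; the third is constructed.
SUBJECTS = ["Hello world", "Hello new world", '"Hello"']


def search(query: str) -> list[str]:
    return [s for s in SUBJECTS if subject_matches(query, s)]
```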
Message ID: The unique ID of an email message.
Sender IP: The IP address of the host where the message was sent from.
Delivered To: The IP address of the host where the message was delivered to.
Type an IPv4 address or an IPv4 address prefix for the preceding two IP address fields.
Upstream TLS: The version of the TLS protocol used by the upstream server to connect to Trend Micro Email Security.
Downstream TLS: The version of the TLS protocol used by Trend Micro Email Security to connect to the downstream server.
This field appears only when you set Direction to Outgoing and Type to Accepted traffic.
Attachment SHA256 Hash: The SHA256 hash value of a message attachment. Specify a SHA256 hash value consisting of 64 hexadecimal characters or leave it blank.
When a valid SHA256 hash value is specified, the Attachment Status field displays with the following options:
All: Query all messages containing the specified attachment. This is the default option.
Deleted: Query the messages with the specified attachment deleted.
Cleaned: Query the messages with the specified attachment cleaned for malware.
Bypassed: Query the messages with the specified attachment bypassed.
Sanitized: Query the messages with the specified attachment sanitized.
Timestamp: The time a message was received.
Choose the ascending or descending order of time to sort the search results.
When you query mail tracking information, use the various criteria fields to restrict your searches. After a query is performed, Trend Micro Email Security provides a list of log records that satisfy the criteria. Select one or more records and click Export Selected to export them to a CSV file. Click Export All to export all the queried log records if needed. If the number of log records to export is large, the export task takes time to complete. Go to Logs > Log Export Query to check the export status. Note that you can export up to 50,000 log records at a time, and you can export all the queried log records at most 5 times per day, counted in the UTC+00:00 time zone.
The most efficient way to query mail tracking information is to provide both sender and recipient email addresses within a time range that you want to search. For an email message that has multiple recipients, the result will be organized as one recipient per entry.
If the message you are tracking cannot be located using this strategy, consider the following:
Expand the result set by omitting the recipient.
If the sender is actually blocked by connection-based filtering, the Blocked traffic results that do not match the intended recipient might indicate this. Provide only the sender and time range for a larger result set.
If the sender IP address has a "bad" reputation, mail tracking information will only be kept for the first recipient in a list of recipients. Therefore, the remaining message recipient addresses will not be listed when querying this sender.
Expand the result set by omitting the sender.
If the sender IP address has a "bad" reputation, omit the sender and provide only the recipient. If only the recipient email address is provided, all the messages that pertain to the recipient will be listed.