Jaa


Understanding Journal Reports

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Journal reports contain important message content and metadata. Understanding the structure of journal reports allows you to interpret the information in these reports.

Looking for management tasks related to managing journaling? See Managing Journaling.

Contents

Journal Reports

Journal Report Fields

Journal Report Headers

Examples of Journal Reports

Journal Reports

A journal report is the message generated by the Journaling agent on a Hub Transport server and delivered to the journaling mailbox. The original message is included unaltered as an attachment to the journal report. This type of journal report is called an envelope journal report.

Note

Microsoft Exchange Server 2010 supports envelope journaling only.

When using standard journaling, journal reports are generated for all messages sent or received by mailboxes on a mailbox database enabled for journaling. When using premium journaling, journal reports are generated for messages that match a journal rule.

For more information about journaling, see Understanding Journaling.

The information contained in a journal report is organized so that every value in each header field has its own line. This enables you to easily parse journal reports manually or by using an automated process, depending on your requirements.

When the Journaling agent journals a message, it tries to capture as much detail as possible about the original message. This information is very important in determining the intent of the message, its recipients, and its senders. For example, whether the recipients that are identified in the message are directly addressed in the To field, the Cc field or are included as part of a distribution list may determine the nature and extent of their involvement in the e-mail communication.

Depending on the situation, Exchange 2010 may generate more than one journal report for a single message. Whether a single message generates one journal report or multiple journal reports depends on several factors, such as message bifurcation or distribution group expansion.

Journal reports can potentially contain very sensitive information and must be protected so that they can't be viewed by unauthorized individuals. For more information about how you can protect journal reports, see Protecting Journal Reports.

For more information about managing journal reports, see Understanding How to Manage Journal Reports.

Return to top

Journal Report Fields

The following sections describe each field contained within journal reports generated by Exchange 2010. These fields are separated into basic and extended fields, as shown in the following table.

Basic and extended journal report fields

Basic journal report fields Extended journal report fields

Sender

To

Subject

Cc

Message-ID

Bcc

Recipient

On-Behalf-Of

Whether extended journal report fields are populated depends on whether recipient addressing can be determined. This happens in the following circumstances:

  • MAPI submission to a Client Access server   Recipient addressing can be determined when a message is submitted to a Client Access server using a MAPI client such as Microsoft Outlook 2010.

  • Authenticated SMTP submission to a Hub Transport server   Recipient addressing can also be determined when a message is submitted to a Hub Transport server in an authenticated SMTP session. The authenticated sender must not have the ms-Exch-Smtp-Accept-Any-Sender permission because this generally indicates that the sender was an Exchange server.

If recipient addressing can be determined for a particular recipient, the recipient e-mail address is inserted into the appropriate extended To, Cc, or Bcc fields described in the "Extended journal report fields" table later in this topic. The recipient e-mail address isn't inserted into the basic Recipient field described in the "Basic journal report fields" table later in this topic.

If a message is submitted to a Hub Transport server by using any other method, such as anonymous submission from an Edge Transport server or submission from a server running Exchange Server 2003, Exchange can't verify that the recipient addressing hasn't been tampered with. If recipient addressing can't be verified, the recipient e-mail address is inserted in the basic Recipient field and not into an extended To, Cc, or Bcc field.

For each recipient addressed on a message, one recipient journal report field is added. No recipient field contains more than one recipient e-mail address, except as follows:

  • Recipient fields that contain recipients that have been expanded from a distribution group

  • Recipient fields that contain recipients that have received a message forwarded from another mailbox

For expanded or forwarded messages, the e-mail address of the recipient that received final delivery of the message and the e-mail address of the distribution group or mailbox that was originally addressed are included.

Basic Journal Report Fields

Basic fields in Exchange 2010 journal reports include the sender, subject, and Message-ID of the original message. All journal reports include this information if it's present in the original message.

The fourth basic field is the Recipient field. Exchange 2010 only classifies information that it knows is correct. If Exchange can't determine whether a recipient was included in the To, Cc, or Bcc recipient fields, the recipient is added to the Recipient field in the journal report.

The following table lists the basic fields that are included in the body of journal reports.

Basic journal report fields

Field name Description

Sender

The Sender field displays the SMTP address of the sender specified in the From header. If the message is sent on behalf of another sender, the field displays the address specified in the Sender header.

Subject

The Subject field displays the subject header value.

Message-ID

The Message-ID field displays the SMTP Message-ID.

Recipient

The Recipient field displays the SMTP address of a recipient included in an e-mail message when Exchange can't determine the recipient addressing of that message. This includes messages from the Internet or unauthenticated senders and messages that originated from legacy Exchange servers. Recipients added by transport rules or other transport agents are also listed in the Recipient field.

Extended Journal Report Fields

Extended fields in Exchange 2010 journal reports provide more recipient details, if available. The To, Cc, and Bcc fields in the journal report let you view how recipients are addressed in the original message.

The On-Behalf-Of field is populated if the SMTP headers of a message contain both the From and Sender header fields, regardless of whether the message was submitted directly to a Hub Transport server. The SMTP address contained in the From header field is populated in the On-Behalf-Of field.

The following table lists the extended fields that may be included in the body of journal reports.

Extended journal report fields

Field name Description

On-Behalf-Of

The On-Behalf-Of field displays the SMTP address of the mailbox from which the message appears if the Send On Behalf Of feature is specified by the sender.

To

The To field displays the SMTP address of a recipient included in the message envelope and in the To header field of the message.

The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the To field may also contain one Expanded field or one Forwarded field, separated with commas. For more information about these fields, see the "Expanded and Forwarded fields" table later in this topic.

Cc

The Cc field displays the SMTP address of a recipient included in the message envelope and in the Cc header field of the message.

The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the Cc field may also contain one Expanded field or one Forwarded field, separated with commas. For more information about these fields, see the "Expanded and Forwarded fields" table later in this topic.

Bcc

The Bcc field displays the SMTP address of a recipient included in the message envelope and in the Bcc header field of the message.

The recipient address can be included either directly by the sender, or indirectly through distribution list expansion or if the message was forwarded to the recipient by another mailbox. To indicate whether the message went through distribution list expansion or was forwarded, the Bcc field may also contain one Expanded field or one Forwarded field, separated with commas. For more information about these fields, see the "Expanded and Forwarded fields" table later in this topic.

Expanded and Forwarded Fields

The Expanded and Forwarded fields are included as fields on Recipient, To, Cc, or Bcc fields when that recipient has either been expanded from a distribution group or has had the message forwarded from another mailbox. The following table describes the Expanded and Forwarded fields.

Expanded and Forwarded fields

Field Description

Expanded

The Expanded field is displayed as a field of the To, Cc, and Bcc fields that are described earlier in this topic. The Expanded field is preceded by a comma. The SMTP address displayed in the Expanded field is the address of the distribution group that contains either the recipient specified in the To, Cc, or Bcc field or the nested distribution lists that contain the specified recipient.

The address displayed in this field is always the first distribution list to be expanded, regardless of how many nested distribution lists may be between the original parent distribution list and the expanded final recipient specified in the To, Cc, or Bcc field.

Forwarded

The Forwarded field is displayed as a field of the To, Cc, and Bcc fields that are described earlier in this topic. The Forwarded field is preceded by a comma. Usually, the Forwarded field displays the e-mail address of a mailbox configured to forward e-mail messages to the account specified in the To, Cc, or Bcc field.

If a chain of forwarding mailboxes is configured, where each mailbox forwards messages to the next one, the first forwarding mailbox is displayed in this field and the SMTP address of the final, non-forwarding mailbox in the chain is displayed in the To, Cc, or Bcc field.

The Journaling agent generates a journal report if a journaling recipient (the recipient specified in a journal rule) is detected in one of the following scenarios:

  • The journaling recipient is the sender or a recipient specified in the To, Cc, or Bcc fields.

  • The journaling recipient is a member of a distribution group that's specified in the To, Cc, or Bcc fields.

  • A message is automatically forwarded to a journaling recipient.

In the following cases, information about some recipients who aren't journaling recipients may not be included in the journal report.

  • Message chipping occurs   When a Hub Transport server handles a message that's sent to more than 1,000 recipients, either through distribution group expansion or if more than 1,000 recipients are specified in the To, Cc or Bcc fields, the server generates a separate or copy of the message for every 1,000 recipients. This is performed to reduce system resources used during message expansion. By default, each copy contains a maximum of 1,000 recipients. This is known as message chipping. Each instance of the message is known as a chipped message.

    The Journaling agent processes each chipped message to determine if there are any journaling recipients included in the recipient list. For example, if a message is sent to a distribution group that contains 5,000 members, the Hub Transport server generates five chipped messages, each containing 1,000 recipients. The Journaling agent generates a single journal report for each chipped message that contains a journaling recipient. The journal report contains details of only the 1,000 recipients included in the recipient list of the chipped message. If the distribution group membership contains only one journaling recipient, the Journaling agent generates a single journal report. That report lists only the 1,000 members that were expanded as a result of message chipping.

  • Distribution group expansion servers are specified   When a Hub Transport server receives a message sent to an individual recipient or a distribution group marked for journaling, and a distribution group which has another Hub Transport server specified as the expansion server, the journal report lists the distribution groups as To, Cc, or Bcc recipients, but the Expanded field doesn't include members of the distribution group that wasn't expanded on that server.

    For example, consider a message sent to two distribution groups (DL-Journaled, DL-NotJournaled) and a mailbox user (UserA). The DL-Journaled distribution contains journal recipients. The DL-NotJournaled distribution group has the Hub Transport server HT2 specified as an expansion server. In this example, the following steps are taken:

    1. The message is first processed by Hub Transport server HT1. HT1 expands DL-Journaled and detects journaling recipients. HT1 generates a journal report that contains the following noteworthy fields:

      To/Cc/Bcc   This field includes DL-Journaled, DL-NotJournaled, and UserA.

      Expanded   This field includes members of DL-Journaled. If DL-Journaled contains more than 1,000 members, message chipping may occur, which would generate more than one chipped message. It may also include membership of any other distribution groups expanded on HT1 for this particular chipped message (for example, a distribution group that's a member of DL-Journaled).

    2. HT1 delivers the journal report to the journaling mailbox.

    3. HT1 marks the message as journaled by inserting the x-header X-MS-Exchange-Organization-Processed-By-Journaling.

    4. HT1 bifurcates the message and sends it to HT2, the expansion server specified for DL-NotJournaled.

    5. HT1 delivers the message to the next hop for the recipients expanded from DL-Journaled (which could include further bifurcation) and UserA.

    6. HT2 receives the message. It inspects the message headers and determines that the message has been journaled.

    7. HT2 expands the DL-NotJournaled distribution group. None of the expanded recipients are journaling recipients. Therefore, no additional journal reports are generated.

    8. HT2 delivers the message to the next hop for the recipients expanded from DL-NotJournaled (which could include further bifurcation).

Return to top

Journal Report Headers

In Exchange 2003, the journaling of messages and the identification of journal reports are controlled by using the X-EXCH50 binary large object (BLOB). In Exchange 2010, the X-EXCH50 BLOB is deprecated and replaced with SMTP headers. The organization SMTP headers can be accessed only by the Exchange 2010 transport components, and they're removed by the header firewall before a message is delivered to a mailbox or to an SMTP server outside the Exchange 2010 organization.

The following headers are used by the journaling agent:

  • X-MS-Exchange-Organization-Journal-Report   This SMTP header identifies an Exchange 2010 journal report. This allows the message to act as a system message, allowing it to bypass message size and mailbox recipient restrictions. The header is removed when the journal report is delivered to a journal mailbox.

  • X-MS-Journal-Report   This SMTP header is added to a journal report when it's delivered to a journal mailbox, to indicate the message is a journal report. This header lets you differentiate a journal report from a regular message, but it isn't used by any Exchange 2010 transport components.

  • X-MS-Exchange-Organization-Processed-By-Journaling   This SMTP header identifies messages that have been processed by the Exchange 2010 Journaling agent. If the header is included in a message, Exchange 2010 recognizes that the message has already been processed by the Journaling agent on a previous Hub Transport server, and it doesn't journal the message again. This header is removed before the message is delivered to recipients.

These SMTP headers don't contain values. As previously described, the existence of these headers in a message determines whether the message is a journal report or has been processed by the Journaling agent.

For more information, see the following topics:

Return to top

Examples of Journal Reports

The first figure in this section shows an example of a journal report that was generated when a message was sent from an Exchange 2010 mailbox to a Hub Transport server. The message was sent by mailbox user Jennifer Kim to the following recipients:

  • To: SalesGroup distribution group, Anna Lidman

  • Cc: Christine Hughes

    Note

    Christine's mailbox is configured to automatically forward messages to the mailbox for Katie Jordan, and also keep a copy.

  • Bcc: Blaine Dockter

A single journal report was created when the original message was sent. The journal report shown in the following figure lists all the recipients addressed in the To field, including recipients expanded from the SalesGroup distribution group, the Cc field, including recipients to whom the message was forwarded automatically, and the Bcc field recipient.

Journal report that displays extended recipient fields

Journal report with extended recipient fields

The following figure shows an example of a journal report that was generated when a message that originated from the Internet was processed by a Hub Transport server. The recipients addressed in this example are the same as the recipients in the previous example. However, in the journal report in this figure, all recipients are included in the Recipient field because the original message was sent from the Internet, and Exchange can't verify that the recipient addressing hasn't been tampered with. As with the first example, a single journal report is created.

Journal report that displays basic recipient fields

Journal report with basic recipient fields

Return to top

 © 2010 Microsoft Corporation. All rights reserved.