Mail Traffic Statistics Test

Where Exchange Online handles heavy mail traffic, administrators cannot manually track each email that passes through it and determine whether it was successfully delivered to the intended recipients. In such environments, administrators can instead run the Mail Traffic Statistics test periodically to obtain deep-dive insights into the flow of mail through Exchange Online and to determine the delivery status of emails accurately.

This test tracks the mails going in and out of the Exchange Online organization, reports the count of inbound and outbound mails, and thus reveals the level of mail traffic on Exchange Online. The test further reveals the nature of the mail traffic by reporting the count of internal and external mails. The total size of mails is also reported, with detailed diagnostics shedding light on mail activity that is suspect owing to its abnormal size. Most importantly, the test reports the count of mails in different states, thus promptly alerting administrators to delivery failures and slowness. Detailed diagnostics point administrators to the exact mails that are pending delivery and the ones that could not be delivered. Because the test also counts mails filtered as spam or quarantined, as well as the number of unique sender IPs, it doubles as an early indicator of a spam flood or of a mailbox that has suddenly begun sending an unusual volume of external mail (a common sign of abuse or compromise).

Target of the test : Exchange Online

Agent deploying the test : A remote agent

Outputs of the test : One set of results for the monitored Office 365 tenant

Configurable parameters for the test

Parameter | Description

Test period

How often should the test be executed

Host

The host for which the test is to be configured. By default, this is portal.office.com

Tenant Name

This parameter applies only if you want the eG agent to use Azure AD Certificate-based Authentication for accessing and monitoring an O365 tenant and its resources.

Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. When monitoring highly secure Office 365 environments, you can configure the eG agent to identify itself to a tenant using a valid X.509 certificate, so that it is allowed secure access to the tenant and its resources.

By default, the value of this parameter is none, meaning that the eG agent does not use certificate-based authentication to connect to an O365 tenant.

Certificate-based authentication is the preferred option: the agent then holds no user password for the tenant, and it continues to work in tenants where Microsoft has turned off Basic Authentication for Exchange Online. If you want the eG agent to use this modern authentication technique to securely access a tenant's resources, do the following:

  1. Enable Azure AD Certificate-based authentication for the target O365 tenant; this can be achieved manually, via the Office 365 portal, or automatically, using PowerShell scripts we provide. For the manual procedure, refer to Manually Enabling Certificate-based Authentication For an Office 365 Tenant under Microsoft Office 365. For the automatic procedure, refer to Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environment under Microsoft Office 365.

    When enabling certificate-based authentication, an X.509 certificate will be generated for the target tenant.

  2. Configure the Tenant Name parameter with the name of the tenant for which certificate-based authentication is enabled. Using the tenant name, the eG agent will be able to read the details of the X.509 certificate that is generated for that tenant, and use that certificate to access that tenant's resources. To determine the tenant name, do the following:

    • Log in to the Microsoft 365 Admin Center as an administrator.

    • Under Setup, click on Domains.

    • Find a domain that ends with .onmicrosoft.com - this is your Microsoft O365 tenant name.

O365 User Name, O365 Password, and Confirm Password

These parameters need to be configured only if the Tenant Name parameter is set to none. On the other hand, if a valid Tenant Name is configured, then you should set these parameters to none.

For execution, this test requires the privileges of an O365 user who is vested with the View-Only Audit Logs, View-Only Recipients, Mail Recipients, and Mailbox Import Export permissions. Configure the credentials of such a user against O365 User Name and O365 Password text boxes. Confirm the password by retyping it in the Confirm Password text box.

While you can use the credentials of any existing O365 user with the afore-said privileges, it is recommended that you create a dedicated user for monitoring purposes using the Office 365 portal and use the credentials of that user here; grant that user only the roles listed above. To know how to create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portal under Microsoft Office 365. You can also use eG's proprietary PowerShell script to automatically create a new user, or assign the required privileges to an existing user. To know how to use this script, refer to the Automatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environment topic.

Domain, Domain User Name, Domain Password, and Confirm Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, in the Domain text box, specify the name of the Windows domain to which the eG agent host belongs. In the Domain User Name text box, mention the name of a valid domain user with login rights to the eG agent host. Provide the password of that user in the Domain Password text box and confirm that password by retyping it in the Confirm Password text box.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of these parameters. By default, these parameters are set to none.

Proxy Host, Proxy Port, Proxy User Name, and Proxy Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, provide the IP/host name and port number of the Proxy server that the eG agent should use in the Proxy Host and Proxy Port parameters, respectively.

If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the Proxy User Name and Proxy Password text boxes. Confirm that password by retyping it in the Confirm Password text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time the test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Measurement | Description | Measurement Unit | Interpretation

Unique senders

Indicates the number of unique senders of emails.

Number

Unique receivers

Indicates the number of unique receivers of emails.

Number

Unique sender IPs

Indicates the number of unique IPs from which emails were sent.

Number

Inbound mail items

Indicates the number of emails coming into all domains in the mo

Number

Use the detailed diagnosis of this measure to view the top-10 recipients, in terms of the number of mails they received. This will point administrators to those recipients who have been receiving an abnormally large number of emails and are contributing to the heavy mail traffic on Exchange Online.

Inbound mail size

Indicates the total size of emails received by the domains in the monitored tenant.

GB

Use the detailed diagnosis of this measure to view the top-10 recipients, in terms of the total size of emails they received.

Outbound mail items

Indicates the number of emails flowing out of the domains in the monitored tenant.

Number

Use the detailed diagnosis of this measure to view the top-10 senders, in terms of the number of mails they sent. This will point administrators to those senders who have been sending an abnormally large number of emails and are contributing to the heavy mail traffic on Exchange Online.

Outbound mail size

Indicates the total size of emails sent by the domains in the monitored tenant.

GB

Use the detailed diagnosis of this measure to view the top-10 senders, in terms of the total size of emails they sent.

Total mail items

Indicates the total number of emails sent/received by domains in the monitored tenant.

Number

This measure is the sum of the values of the Inbound mail items and Outbound mail items measures.

This is a good indicator of the total mail traffic on Exchange Online. If the value of this measure is abnormally high, you can check the values of the Inbound mail items and Outbound mail items measures to know what is causing the abnormal traffic - a high volume of incoming mails? or a high volume of outgoing mails? Based on the result, you can use the detailed diagnosis of the corresponding measure to know which exact sender/receiver (as the case may be) is responsible for the abnormal email traffic.

Total mails size

Indicates the total size of emails sent/received by domains in the monitored tenant.

GB

This measure is the sum of the values of the Inbound mail size and Outbound mail size measures.

If the value of this measure is abnormally high, check the values of the Inbound mail size and Outbound mail size measures to determine whether incoming or outgoing mail accounts for most of the volume. If Inbound mail size is abnormally high, determine which type of incoming mail is of abnormal size by comparing the Size of internal emails received and Size of external emails received measures. Likewise, if Outbound mail size is very high, compare the Size of internal emails sent and Size of external emails sent measures to find out whether internal or external outbound mail activity is suspect owing to its size. Based on the result, use the detailed diagnosis of the corresponding measure to identify the sender/receiver (as the case may be) whose mail size is much higher than the rest. That sender's/receiver's mail activity may warrant investigation.

Internal emails sent

Indicates the number of emails sent to receivers who are in the same domain as the senders.

Number

If the Total mail items and Outbound mail items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal outbound email traffic is owing to too many internal mails being sent. Use the detailed diagnosis of this measure to identify who sent the maximum number of internal mails.

Size of internal emails sent

Indicates the total size of emails sent to receivers who are in the same domain as the senders.

GB

If the Total mails size and Outbound mail size measures report abnormally high values, then take a look at this measure to figure out whether any internal outbound email activity is suspicious owing to its abnormal size. Use the detailed diagnosis of the Internal emails sent measure to identify who sent internal emails of an abnormal size. The mail activity of such senders can then be investigated.

Internal emails received

Indicates the number of emails received by recipients who are in the same domain as the senders.

Number

If the Total mail items and Inbound mail items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal inbound email traffic is owing to too many internal mails being received. Use the detailed diagnosis of this measure to identify who received the maximum number of internal mails.

Size of internal emails received

Indicates the total size of emails received by recipients who are in the same domain as the senders.

GB

If the Total mails size and Inbound mail size measures report abnormally high values, then take a look at this measure to figure out whether any internal inbound email activity is suspicious owing to its abnormal size. Use the detailed diagnosis of the Internal emails received measure to identify who received internal emails of an abnormal size. The mail activity of such recipients can then be investigated.

External emails sent

Indicates the number of emails sent to receivers who are in a domain different from that of the senders.

Number

If the Total mail items and Outbound mail items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal outbound email traffic is owing to too many external mails being sent. Use the detailed diagnosis of this measure to identify who sent the maximum number of external mails.

Size of external emails sent

Indicates the total size of emails sent to receivers who are in a domain different from that of the senders.

GB

If the Total mails size and Outbound mail size measures report abnormally high values, then take a look at this measure to figure out whether any external outbound email activity is suspicious owing to its abnormal size. Use the detailed diagnosis of the External emails sent measure to identify who sent external emails of an abnormal size. The mail activity of such senders can then be investigated.

External emails received

Indicates the number of emails received by recipients who are in a domain different from that of the senders.

Number

If the Total mail items and Inbound mail items measures report an abnormally high value, then take a look at this measure to figure out if the abnormal inbound email traffic is owing to too many external mails being received. Use the detailed diagnosis of this measure to identify who received the maximum number of external mails.

Size of external emails received

Indicates the total size of emails received by recipients who are in a domain different from that of the senders.

GB

If the Total mails size and Inbound mail size measures report abnormally high values, then take a look at this measure to figure out whether any external inbound email activity is suspicious owing to its abnormal size. Use the detailed diagnosis of the External emails received measure to identify who received external emails of an abnormal size. The mail activity of such recipients can then be investigated.

Rejected or redirected

Indicates the number of emails that were rejected or redirected.

Number

If this measure reports a non-zero value, then use the detailed diagnosis of the measure to know which messages were rejected/redirected. Using this information, you can figure out if your message flow rules need to be tweaked.

Failed

Indicates the number of messages that could not be delivered.

Number

Ideally, the value of this measure should be 0. If this measure reports a non-zero value, it means that one/more messages could not be delivered. In this case, use the detailed diagnosis of this measure to identify the emails for which delivery failed.

An email's delivery is considered to have failed if delivery was attempted and did not succeed, or if the message was not delivered as a result of action taken by the filtering service (e.g., the message was determined to contain malware).

Pending

Indicates the number of messages that are waiting to be delivered.

Number

Typically, an email's status will be Pending if its delivery is being attempted or re-attempted.

If the value of this measure increases consistently, it could hint at a processing bottleneck on Exchange Online. This may warrant further investigation. In this case, use the detailed diagnosis of this measure to identify the emails that are yet to be delivered.

Getting status

Indicates the number of emails that are in the Getting status presently.

Number

If an email is in the Getting status, it means that the email was recently received by Office 365, but no other status data is yet available. You may have to check back in a few minutes.

Delivered

Indicates the number of emails that were successfully delivered.

Number

A high value is desired for this measure.

Resolved

Indicates the number of emails that are in the RESOLVED status currently.

Number

A RESOLVED event is triggered if a message was redirected to a new recipient address based on an Active Directory look up. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.

Filtered as spam

Indicates the number of emails that were filtered as spam.

Number

If this measure reports a non-zero value, one or more mails were identified as spam and were rejected or blocked (not quarantined).

Expanded

Indicates the number of emails in the Expanded state currently.

Number

The delivery status of a message is set as Expanded, if the message was sent to a distribution group that was expanded.

Quarantined

Indicates the number of emails that have been quarantined.

Number

You can set up quarantine for incoming email messages in Office 365 where messages that have been filtered as spam, bulk mail, phishing mail, mail that contains malware, and mail that matched a specified mail flow rule can be kept for later review.

As an Office 365 user, you can manage messages that were sent to quarantine instead of sent to you in one of two ways: by responding to spam notifications sent to you directly (if your admin has set this up), or by using the Security & Compliance Center.

Unknown

Indicates the number of emails for which the delivery status is Unknown presently.

Number

Ideally, the value of this measure should be 0.

Unique outbound domains

Indicates the number of unique domains that received emails from the domains configured for the monitored Office 365 tenant account.

Number

Use the detailed diagnosis of this measure to know the outbound domains.

Unique inbound domains

Indicates the number of unique domains that sent emails to the domains configured for the monitored tenant.

Number

Use the detailed diagnosis of this measure to know the inbound domains.

The detailed diagnosis of the Internal emails sent measure reveals the top-10 senders of internal emails, in terms of the number of emails they sent. In the event of abnormally high internal email traffic on Exchange Online, you can use these detailed metrics to quickly identify the sender responsible for such traffic. The number of internal emails received by each sender and the total size of outbound and inbound emails per sender are also reported as part of detailed metrics.

Figure 1 : The detailed diagnosis of the Internal emails sent measure

The detailed diagnosis of the Internal emails received measure reveals the top-10 recipients of internal emails, in terms of the number of emails they received. In the event of abnormally high internal email traffic on Exchange Online, you can use these detailed metrics to quickly identify the receiver responsible for such traffic. The number of internal emails sent by each receiver and the total size of outbound and inbound emails per receiver are also reported as part of detailed metrics.

Figure 2 : The detailed diagnosis of the Internal emails received measure

The detailed diagnosis of the External emails sent measure reveals the top-10 senders of external emails, in terms of the number of emails they sent. In the event of abnormally high external email traffic on Exchange Online, you can use these detailed metrics to quickly identify the sender responsible for such traffic. The number of external emails received by each sender and the total size of outbound and inbound emails per sender are also reported as part of detailed metrics.

Figure 3 : The detailed diagnosis of the External emails sent measure

The detailed diagnosis of the External emails received measure reveals the top-10 recipients of external emails, in terms of the number of emails they received. In the event of abnormally high external email traffic on Exchange Online, you can use these detailed metrics to quickly identify the receiver responsible for such traffic. The number of external emails sent by each receiver and the total size of outbound and inbound emails per receiver are also reported as part of detailed metrics.

Figure 4 : The detailed diagnosis of the External emails received measure

The detailed diagnosis of the Inbound mail items measure reveals the top-10 receivers of emails, in terms of the number of emails they received. This will point administrators to that receiver who has received the maximum number of messages. In the event of abnormal mail traffic on Exchange Online, this information will help administrators identify the recipient who is probably contributing to the heavy traffic. The count of emails sent by each receiver and the total size of inbound and outbound mails per receiver are also displayed as part of detailed diagnostics.

Figure 5 : The detailed diagnosis of the Inbound mail items measure

The detailed diagnosis of the Inbound mail size measure lists the top-10 email recipients, in terms of the total size of emails they received. If the total size of mails appears to be unusually high, administrators can use these detailed metrics to accurately pinpoint the recipient who has received mails of large sizes. The number of mails received and sent by each recipient and the outbound mail size are also displayed as part of the detailed statistics.

Figure 6 : The detailed diagnosis of the Inbound mail size measure

The detailed diagnosis of the Outbound mail items measure reveals the top-10 senders of emails, in terms of the number of emails they sent. This will point administrators to that sender who has sent the maximum number of messages. In the event of abnormal mail traffic on Exchange Online, this information will help administrators identify the sender who is probably contributing to the heavy traffic by sending too many messages. The count of emails received by each sender and the total size of inbound and outbound mails per sender are also displayed as part of detailed diagnostics.

Figure 7 : The detailed diagnosis of the Outbound mail items measure

The detailed diagnosis of the Outbound mail size measure lists the top-10 email senders, in terms of the total size of emails they sent. If the total size of mails appears to be unusually high, administrators can use these detailed metrics to accurately pinpoint the sender who has sent mails of large sizes. The number of mails received and sent by each sender and the inbound mail size are also displayed as part of the detailed statistics.

Figure 8 : The detailed diagnosis of the Outbound mail size measure

The detailed diagnosis of the Failed measure provides complete details of the messages that could not be delivered. The sender, the recipient and the subject of each such message are reported, so as to ease the troubleshooting of delivery failures.

Figure 9 : The detailed diagnosis of the Failed measure

The detailed diagnosis of the Pending measure provides the complete details of the email messages that have been attempted/re-attempted, and are awaiting delivery. The sender, receiver, and subject of such messages are reported, along with the date on which such messages were sent. This greatly aids administrators troubleshoot delivery delays.

Figure 10 : The detailed diagnosis of the Pending measure

The detailed diagnosis of the Unique outbound domains measure lists the top-10 destination domains, in terms of the number of emails sent to them from the monitored tenant. In the event of abnormal outbound email traffic, administrators can use this information to isolate the domain that received the most emails from the tenant and contributed to the traffic.

Figure 11 : The detailed diagnosis of the Unique outbound domains measure

The detailed diagnosis of the Unique inbound domains measure lists the top-10 source domains, in terms of the number of emails they sent to the monitored tenant. In the event of abnormal inbound email traffic, administrators can use this information to isolate the domain that sent the most emails to the tenant and contributed to the traffic.

Figure 12 : The detailed diagnosis of the Unique inbound domains measure
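As an added example (not eG Enterprise code, and not the test's own implementation), the following Python re-creates the arithmetic behind the measures table above and the top-10 detailed diagnosis described in this section from message-trace rows. It assumes rows shaped like the output of Exchange Online's Get-MessageTrace cmdlet (SenderAddress, RecipientAddress, FromIP, Size, Status, Received, Subject), an assumed list of tenant domains, and a constructed sample trace; the Status strings are the message-trace status values the measures above describe.

```python
"""Re-computing the Mail Traffic Statistics measures from message-trace rows.

Added example, not eG Enterprise code. It reproduces the arithmetic behind the
test's measures and its top-10 detailed diagnosis from rows shaped like
Get-MessageTrace output (one row per recipient). The field names, the tenant
domain list and the sample rows are assumptions constructed for this page.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

TENANT_DOMAINS = frozenset({"contoso.com", "contoso.onmicrosoft.com"})  # assumed tenant
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)                  # assumed run time


def _row(sender, recipient, ip, size, status, minutes_ago, subject):
    return {"SenderAddress": sender, "RecipientAddress": recipient, "FromIP": ip,
            "Size": size, "Status": status, "Subject": subject,
            "Received": NOW - timedelta(minutes=minutes_ago)}

# Constructed sample trace: Size in bytes, Status as message trace reports it.
TRACE = [
    _row("alice@contoso.com", "bob@contoso.com", "40.1.1.1", 20_000, "Delivered", 50, "Q2 plan"),
    _row("alice@contoso.com", "eve@partner.example", "40.1.1.1", 5_000_000, "Delivered", 40, "Export"),
    _row("alice@contoso.com", "eve@partner.example", "40.1.1.1", 6_000_000, "Delivered", 30, "Export 2"),
    _row("news@vendor.example", "bob@contoso.com", "203.0.113.7", 30_000, "FilteredAsSpam", 25, "Offer"),
    _row("news@vendor.example", "carol@contoso.com", "203.0.113.7", 30_000, "Quarantined", 25, "Offer"),
    _row("hr@partner.example", "carol@contoso.com", "198.51.100.9", 1_000_000, "Pending", 10, "Contract"),
    _row("bob@contoso.com", "nobody@missing.example", "40.1.1.2", 4_000, "Failed", 5, "Ping"),
    _row("bob@contoso.com", "all-staff@contoso.com", "40.1.1.2", 8_000, "Expanded", 2, "Notice"),
]


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def bytes_to_gb(n):
    """The test reports sizes in GB; the functions below keep bytes for exactness."""
    return round(n / 1024 ** 3, 6)


def compute_measures(trace, tenant=TENANT_DOMAINS):
    """Aggregate measures. A row is outbound when its sender is in a tenant domain
    and inbound when its recipient is, so an internal message counts once on each
    side and Total mail items = Inbound + Outbound, as the page states.
    Internal/external is decided by comparing the sender and recipient domains."""
    m, seen = Counter(), defaultdict(set)
    for r in trace:
        s, d, size = domain(r["SenderAddress"]), domain(r["RecipientAddress"]), r["Size"]
        kind = "Internal" if s == d else "External"
        seen["senders"].add(r["SenderAddress"].lower())
        seen["receivers"].add(r["RecipientAddress"].lower())
        seen["ips"].add(r["FromIP"])
        if s in tenant:
            m["Outbound mail items"] += 1
            m["Outbound mail size"] += size
            m[f"{kind} emails sent"] += 1
            m[f"Size of {kind.lower()} emails sent"] += size
            seen["outbound domains"].add(d)
        if d in tenant:
            m["Inbound mail items"] += 1
            m["Inbound mail size"] += size
            m[f"{kind} emails received"] += 1
            m[f"Size of {kind.lower()} emails received"] += size
            seen["inbound domains"].add(s)
        m["status:" + r["Status"]] += 1   # status:Pending, status:Failed, ...
    m["Total mail items"] = m["Inbound mail items"] + m["Outbound mail items"]
    m["Total mails size"] = m["Inbound mail size"] + m["Outbound mail size"]
    m["Unique senders"] = len(seen["senders"])
    m["Unique receivers"] = len(seen["receivers"])
    m["Unique sender IPs"] = len(seen["ips"])
    m["Unique outbound domains"] = len(seen["outbound domains"])
    m["Unique inbound domains"] = len(seen["inbound domains"])
    return dict(m)


def mailbox_stats(trace, tenant=TENANT_DOMAINS, only=None):
    """Per-mailbox counters behind the detailed diagnosis: mails and bytes sent and
    received by each tenant mailbox. only="internal"/"external" filters the rows."""
    stats = defaultdict(Counter)
    for r in trace:
        s, d = domain(r["SenderAddress"]), domain(r["RecipientAddress"])
        if only and only != ("internal" if s == d else "external"):
            continue
        if s in tenant:
            stats[r["SenderAddress"].lower()].update(sent=1, sent_bytes=r["Size"])
        if d in tenant:
            stats[r["RecipientAddress"].lower()].update(received=1, received_bytes=r["Size"])
    return stats


def top_n(stats, field, n=10):
    """Top-n mailboxes by one counter (e.g. "received_bytes"); ties keep insertion order."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1][field], reverse=True)
    return [(addr, dict(c)) for addr, c in ranked[:n]]


def messages_with_status(trace, status, now=NOW):
    """Rows behind the Failed/Pending detailed diagnosis, oldest first, with age."""
    rows = [{"sender": r["SenderAddress"], "recipient": r["RecipientAddress"],
             "subject": r["Subject"], "received": r["Received"],
             "age_minutes": int((now - r["Received"]).total_seconds() // 60)}
            for r in trace if r["Status"] == status]
    return sorted(rows, key=lambda x: x["received"])
```

Run against the constructed trace, compute_measures reports 5 inbound and 5 outbound rows (10 total, because the two internal messages are counted once on each side), 2 internal and 3 external emails in each direction, and one row each in the Pending, Failed, FilteredAsSpam, Quarantined and Expanded states; top_n(mailbox_stats(TRACE), "received_bytes") puts carol@contoso.com first, and messages_with_status(TRACE, "Pending") lists the ten-minute-old message to her with its sender and subject. Recomputing a short window this way from a message trace export is a quick way to sanity-check the values the test reports before acting on an alert.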