Email Track and Trace
Track and Trace Administration Guide
Documentation version: 1.0
Legal Notice
Copyright © 2013 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
Symantec Corporation 350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Clients are advised to seek specialist advice to ensure that they use the Symantec services in accordance with relevant legislation and regulations. Depending on jurisdiction, this may include (but is not limited to) data protection law, privacy law, telecommunications regulations, and employment law. In many jurisdictions, it is a requirement that users of the service are informed of or required to give consent to their email being monitored or intercepted for the purpose of receiving the security services that are offered by Symantec. Due to local legislation, some features that are described in this documentation are not available in some countries. Configuration of the Services remains your responsibility and entirely in your control. In certain countries it may be necessary to obtain the consent of individual personnel. Symantec advises you to always check local legislation prior to deploying a Symantec service. You should understand your company’s requirements around electronic messaging policy and any regulatory obligations applicable to your industry and jurisdiction. Symantec can accept no liability for any civil or criminal liability that may be incurred by you as a result of the operation of the Service or the implementation of any advice that is provided hereto.
The documentation is provided "as is" and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, are disclaimed, except to the extent that such disclaimers are held to be legally invalid. Symantec Corporation shall not be liable for incidental or consequential damages in connection with the furnishing, performance, or use of this documentation. The information that is contained in this documentation is subject to change without notice.
Technical support
If you need help on an aspect of the security services that is not covered by the online Help or administrator guides, contact your IT administrator or Support team. To find your Support team's contact details in the portal, click Support > Contact
Email Track and Trace
This document includes the following topics:
■ About Email Track and Trace
■ Searching for an email with Email Track and Trace
■ Searching by message ID in Email Track and Trace
■ Viewing Email Track and Trace search results
■ Viewing email delivery details in Email Track and Trace
■ Requesting Email Track and Trace results by email
■ Enabling a user for Email Track and Trace
About Email Track and Trace
The Email Track and Trace tool lets you trace a specific email and determine if and when it was processed and the action taken. You can search for an email that was processed within the last 30 days. Typically, an email is searchable within 15 minutes of entering the Email Services infrastructure. The Email Services infrastructure does not store copies of any emails that pass through it. Rather, it logs key information about each email at the time of processing.
When an email is found, the following details are displayed:
■ Whether and when an email was accepted or not into the Email Services infrastructure.
■ Whether and when the email was delivered to the recipient's network. Or, in the event of an unsuccessful first delivery attempt, whether retry attempts are in progress.
■ Which of the Email Services intercepted the email and the action that was taken on it.
The Email Track and Trace tool enforces a security policy that ensures you can only search for the emails that you have permission to view. The security policy is based on the following criteria:
■ The organization you work for.
■ The access privileges that are associated with your portal login ID.
Access rights for Email Track and Trace are applied across all of the domains that are provisioned for your account.
■ The user role.
An administrator with the Edit Configuration permission can access Email Track and Trace. An administrator can grant an Email Track And Trace user role for other portal users.
You can find Email Track and Trace in the portal under the Tools tab.
See “Searching for an email with Email Track and Trace”.
See “Searching by message ID in Email Track and Trace”.
See “Requesting Email Track and Trace results by email”.
See “Viewing Email Track and Trace search results”.
See “Viewing email delivery details in Email Track and Trace”.
See “Enabling a user for Email Track and Trace”.
Searching for an email with Email Track and Trace
To perform a search, you must specify at least one of the following criteria:
■ Recipient
■ Sender
■ Subject line
To identify a specific email, we recommend that you provide as much information as possible when defining your search criteria.
You can view your results on screen or have them emailed to you.
To search for an email
1. Select Tools > Email Track and Trace.
2. In the Search tab, enter your search criteria. To display additional search options, select Show All. The following search options are available:

Search options – Description
■ Recipient – Search for the recipient's email address. The email address must conform to valid email address format, including an @ symbol and a period. An asterisk (*) can be used as a wildcard to represent one or more characters, for example *@domain.* The maximum field length is 255 characters.
■ Sender – Search for the sender's email address. The email address must conform to valid email address format, including an @ symbol and a period. An asterisk (*) can be used as a wildcard to represent one or more characters, for example *@domain.* The maximum field length is 255 characters.
■ Date range – Specify the time range for your search. You can search for any emails that were processed within the last 30 days. An email is typically searchable within 15 minutes of it entering the infrastructure. You can select from a preset range of hours or days, or you can select a specific time range. The timezone defaults to the one that is defined in your Profile. You can change the timezone for a search as required.
■ Subject line – Search by subject line. If you only know part of the subject line, select one of the options in the drop-down menu: "Contains", "Begins with", or "Ends with". Then, enter the characters to search for. An asterisk character (*) cannot be used as wildcard in this search box. If you search with an asterisk, the Email Track and Trace tool searches for any emails that contain an asterisk within the subject line.
■ Attachment filename – Search for the name of the attachment file. The maximum field length is 255 characters.
■ Receiving server external IP – Search for emails that have been delivered to a specific IP address. Wildcards are not supported.
■ Sending server external IP – Search for the IP address of the sending mail server. Wildcards are not supported. Note: You cannot search for the sending host name details.
■ Service – If you suspect that one of the Email Services intercepted an email, you can search by the service name, for example "Content Control".
■ Helo – You can use the Helo string as one of your search parameters (part of the SMTP receiving server identification process). Asterisk wildcards are not supported.
■ Attachment MD5 checksum – Search for an email attachment's unique MD5 checksum string. The search box must contain an MD5 checksum string in valid format (32 alphanumeric characters).
■ Email size – Search for emails within a preset size range.

3. Select whether to receive your results on screen or by email.
4. Click Search.
See “About Email Track and Trace”.
See “Viewing Email Track and Trace search results”.
See “Searching by message ID in Email Track and Trace”.
Searching by message ID in Email Track and Trace
Mail servers generate a unique message ID for each email that is sent out. An Email Track and Trace search by message ID pinpoints an individual email.
To search for an email by message ID
1. Select Tools > Email Track and Trace.
2. Select the Search by ID tab.
3. Enter the message ID in the Message ID box.
4. Select whether to receive your results on screen or by email.
5. Click Search.
See “Searching for an email with Email Track and Trace”.
See “About Email Track and Trace”.
See “Viewing Email Track and Trace search results”.
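Added example, not part of the original guide or of any Symantec tooling: when a user reports a message, the values for the search fields above (message ID, sender, recipient, subject, attachment filename and attachment MD5 checksum) can be read from a saved copy of it. The function names and the sample message are constructed for illustration, and whether the portal expects the message ID with its angle brackets is not stated in this guide.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import getaddresses

MAX_FIELD_LEN = 255  # limit the guide gives for address and filename fields

# Constructed sample message for illustration, not real traffic.
SAMPLE_EML = (
    b"From: Billing <billing@example.net>\r\n"
    b"To: alice@example.com, Bob <bob@example.com>\r\n"
    b"Subject: Invoice 4417 overdue\r\n"
    b"Message-ID: <20130611.4417@mail.example.net>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Please see the attached invoice.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"aGVsbG8=\r\n"
    b"--b1--\r\n"
)

def addresses(msg, *headers):
    """Return the bare addr-specs found in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(values) if addr]

def search_criteria(raw):
    """Map one raw RFC 5322 message onto the guide's search fields."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decoded attachment bytes
        attachments.append({
            "filename": part.get_filename() or "",
            # MD5 is used here only because it is the tool's lookup key.
            "md5": hashlib.md5(data).hexdigest(),
        })
    return {
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "sender": addresses(msg, "From"),
        "recipient": addresses(msg, "To", "Cc"),
        "subject": str(msg.get("Subject", "")),
        "attachments": attachments,
    }

def over_limit(criteria):
    """List address and filename values longer than the 255-character limit."""
    values = criteria["sender"] + criteria["recipient"]
    values += [a["filename"] for a in criteria["attachments"]]
    return [v for v in values if len(v) > MAX_FIELD_LEN]
```

The checksum is computed over the decoded attachment bytes, not the base64 text in the message source.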
Viewing Email Track and Trace search results
When you submit your search, a progress bar is displayed while the search runs. When the search completes, the page displays a list of entries that match your search criteria. You can sort the results once all of the results are returned by clicking on a column heading of your choice. The results list remains available in the portal for 24 hours or until you submit a new search. Your search criteria also remain on screen when your results are displayed so that you can refine your search if necessary.
The Email Track and Trace tool searches across multiple datacenters and can display up to 1,000 results from each datacenter. However, if more than 1,000 results are found, we recommend that you refine your search criteria.
As well as viewing your search results on screen, you can also send them in CSV format to an email address.
Note: If an email was sent to multiple recipients, each instance of the email is shown in the search results list.
The following table shows the information that is displayed in the results list.

Table 1-1 Email Track and Trace results list

Column heading – Description
■ Message direction – The icon to the left of the subject field shows whether the email is inbound to your domain or outbound from your domain.
■ Subject – The subject line of the email.
■ Recipient – The email address of the intended recipient.
■ Sender – The email address of the sender.
■ Accepted – If the email was accepted into the infrastructure, this column displays a check mark icon and the date and time that the email was received. Any email that is not accepted into the infrastructure is listed as rejected because the address is not registered. The infrastructure rejects all emails that are sent to addresses that are not on your organization's valid address list. Therefore, to avoid an email being rejected, ensure that your Address Registration address list is always up to date.
■ Delivered – If the email was delivered to the recipient's network, the date and time of delivery are displayed along with a check mark icon.
  Note: In some circumstances, the email appears as delivered to the recipient's network, but may not have reached the intended recipient. Typically, the recipient organization's email security policies for inbound email are the reason for an email not reaching an intended recipient.
  If the email was not delivered to the recipient's network, it could be for one of the following reasons:
  ■ Not delivered – The email was not delivered into the recipient’s network. One of the Email Services may have intercepted it, or the email was not accepted into the Email Services infrastructure in the first place.
  ■ Pending information – The complete log for the email is not available yet. Typically, an email is searchable within 15 minutes of entering the infrastructure. Try your search again in a short while.
  ■ Retrying delivery – The email is in the process of being sent. An email enters a retry schedule if it cannot be delivered immediately.
  ■ Delivery failed – We tried to deliver the email, but were unsuccessful. The delivery failure may be due to a connection problem between our infrastructure and the recipient's network.
  Note: When malware is detected in an outgoing email and that email is blocked and not sent, a Track and Trace log record is not created because the recipient never receives the blocked message. The recipient's email administrator may be notified, depending on the policies of the recipient network.
  Because no log entry is created, Track and Trace searches will not find blocked messages, nor will the messages be included in Track and Trace reports. This can cause a discrepancy between the total number of messages sent and the number of messages found by Track and Trace, which can give the appearance that messages are missing.
■ Service – The Email Services that the email triggered during processing.

See “Searching for an email with Email Track and Trace”.
See “Viewing email delivery details in Email Track and Trace”.
Viewing email delivery details in Email Track and Trace
When you submit an Email Track and Trace search, a list of results is displayed on screen. To view detailed information about a specific email, click on the associated item in the results list.
To view full delivery information
1. Select Tools > Email Track and Trace. Enter your search criteria and submit your search.
2. When you have received your search results, click on the required entry in the results list. A pop-up window displays the delivery details in the Summary tab.

One of the following main delivery status messages is displayed at the top of the page:
■ Delivered to recipient network – The email was delivered to the recipient's network.
  Note: In some circumstances, the email appears as delivered to the recipient's network, but may not have reached the intended recipient. Typically, the recipient organization's email security policies for inbound email are the reason for an email not reaching an intended recipient.
■ Not delivered – The email was not delivered to the recipient’s network. One of the Email Services may have intercepted it, or the email was not accepted into the Email Services infrastructure in the first place.
■ Pending information – The complete log for the email is not available yet. Typically, an email is searchable within 15 minutes of entering the infrastructure. Try your search again in a short while.
■ Retrying delivery – The email is in the process of being sent. An email enters a retry schedule if it cannot be delivered immediately.
■ Delivery failed – We tried to deliver the email, but were unsuccessful. The delivery failure may be due to a connection problem between our infrastructure and the recipient's network.

The following information is provided in the Summary page:

Detail – Description
■ Sender – The email address of the sender.
■ Recipient – The email address of the recipient.
■ Subject – The subject line of the email.
■ Message Size – The total size of the email message, including any attachments.
■ Message ID – The message ID, as shown in the header of most emails.
■ Message Reference – The message reference number.
■ Connection – If the email was accepted into the infrastructure for scanning, a check mark icon and the Accepted label are displayed. If the email was rejected, an "X" icon and the Email rejected label are displayed. The infrastructure rejects all emails that are not on your organization's valid address list. To avoid an email being rejected, ensure that your Address Registration address list is always up to date.
■ Sending Server – The IP address of the sending mail server.
■ Sending Server Helo – The Helo string that identifies the sending SMTP server.
■ Connection Started – The date and time in GMT that the sending server has connected to our infrastructure.
■ Connection Finished – The date and time in GMT that the sending server has disconnected from our infrastructure.
■ Status – If the delivery status is Retrying delivery, this field provides detailed information about the delivery retries.
■ Security Scan – If one or more of your Email Services intercepted the email, the service that applied the most severe action is provided.
■ Delivery result – The main delivery status of the email message.
■ Delivery Attempts – The number of delivery attempts.
■ Latest Attempt – The date and time in GMT of the most recent delivery attempt.
■ Recipient Server – The IP address of the recipient server.
■ View advanced delivery information – Clicking this link opens the Log View tab, which displays detailed connection information in chronological order according to dates and times in GMT.

3. Click on the Attachments tab for information about any email attachment. You cannot open the Attachments tab if the email did not have an attachment. If the email has an associated attachment, the attachment's name is displayed along with its MD5 checksum value.
4. Click on the Log View tab for detailed connection information. Detailed connection information is displayed in chronological order according to dates and times in GMT.
See “Viewing Email Track and Trace search results”.
See “About Email Track and Trace”.
Requesting Email Track and Trace results by email
You can have the results of an Email Track and Trace search sent to you or to another recipient in an email. The results are sent as a CSV file attachment. The CSV file is password protected.
To request search results by email
1. Select Tools > Email Track and Trace. The Search tab opens.
2. Define your search criteria.
3. At the bottom of the Search page, select Email the results as a CSV file when the search is complete.
4. Enter a valid email address.
5. Create a password for the CSV file and enter it in the Password for results file box.
6. Click Search.
See “About Email Track and Trace”.
See “Searching for an email with Email Track and Trace”.
See “Viewing Email Track and Trace search results”.
Enabling a user for Email Track and Trace
An administrator with the Edit Configuration user role can access Email Track and Trace. An administrator can assign the Email Track And Trace user role to other portal users who are within the administrator's organization.
To enable a user for Email Track and Trace