Skip to main content
Contact Us
My preferencesSign out
Proofpoint, Inc.

Missing messages in Email Archive

  1. Last updated
  2. Save as PDF
Situation Searching for specific messages in the Proofpoint New Archive does not find the messages.
Solution This article provides information on tracing messages in O365 (and similar in Exchange) to confirm message archives.

 

This article can be used when it appears that there are many messages during the desired time frame for many users, but specific messages are not showing up. It is not for addressing current issues where no mail is being is being archived at all or there are missing periods of no mail in the archive.

Archive Dependencies:

Archiving is a blend of features by both Microsoft and Proofpoint.  Microsoft's journaling feature creates a copy of any message that is sent or received internally or externally and stores that message in either a local journal mailbox or sends it to be stored offline in an external repository.  Proofpoint provides a central cloud storage solution that can store messages via either method.  If journaling is set to copy to a local journal mailbox, Proofpoint can pull that mail into it's external cloud storage (via periodic IMAP access) or Proofpoint can simply accept copies of messages sent directly in real time to it's cloud storage (via immediate SMTP).

What to do if a specific message(S) cannot be found

  1. First confirm that you have the proper Discovery rights for the mailbox where the message should be found. 
    1. Under the Users list in archive, an Administrator can edit the profile for the person performing archive searches to insure they have been granted Discovery Rights for All Mailbox's or for the specific mailbox being searched for messages. 

      If you simply grant All Mailbox's and do a general search for the message without limiting the search to a specific mailbox it will often show up.

  2. Attempt a general search with specific text that will insure a unique result on the searched for message.  This eliminates unforeseen restrictions that may be excluding the message from the results
  3. Confirm that other messages for other users during the expected time frame are showing up in the archive. This will confirm there was not an issue with archiving in general for the organization during the expected time frame.  It is common for a connector to stop working and messages to not get archived during that time.
  4. Messages that are sent to Proofpoint and rejected for any reason will be stored in the mail systems Undeliverable Mailbox.  This mailbox is designated within the journaling rule of the mail system.  Confirm what is configured there and then check for the specific message within that mailbox.

    If there is a lot of mail in the undeliverable mailbox, we can help get all that mail into the Proofpoint Archives later via an IMAP connection.

If Issue Persists after doing the above

It is likely the message was never ingested into the Proofpont Archive. We need to determine if the message was ever sent to the Archives.  You can do this by doing a message trace to see each event that occurred with that message and determine if some other policy prevented archiving or if the proper journal policy did not execute. Here are some guidelines for O365 but Exchange will be similar in the approach.

  1. In the online Exchange Admin console go to Mail Flow.
  2. Choose Message Trace from the mail flow menu.
  3. Use the available fields to narrow down the search, i.e. To:  or From: and specific time frame.  Ideally, you would have the Message ID but not possible in many cases.
  4. Click Search.
  5. Review the results for the specific message in question.
  6. You should look for two events specifically.  
    • An event confirming the journaling policy was triggered
    • An event confirming the message was successfully delivered to Proofpoint via the dedicated Archive Connector for this.

If you can confirm the message was delivered to Proofoint for archiving.  Provide the message trace logs to Essentials support in a ticket and we will investigate on our end.