Understanding Email Logs
Posted by Richard Kennedy on 10/03/16 14:55
This article aims to give a brief guide on how to understand the information in the Proofpoint Essentials logs. Below are some common examples of the various states email logs can display on Proofpoint Essentials, and some explanations for the information shown in each.
In this example, we see several fields on the left. These are:
Recipient: Who the email is for.
Classification: This field shows what type of email Proofpoint Essentials considers the email to be. These may be Spam, Clean or Filtered. In this example, a filter is in place to always allow emails from this particular sender, so we see ‘Filtered: Allow’.
Triggering Filter: If a filter has been triggered, as in this example, you will see the filter rule which has been triggered.
Delivery: This field shows us delivery information for this email. As we can see, the Delivery Status is ‘Delivered’. Note the ‘Last delivery response’ at the end of this field. Of particular importance is the response code 250 (highlighted) from the receiving server, whose IP address is displayed in square brackets to the left. This indicates it has accepted the email from the Essentials platform.
At this point, if you have not received an email that you believe you should have and see this status in the email log, it indicates that the issue causing non-delivery lies with the recipient server and should be investigated at that point – Proofpoint Essentials has successfully delivered the email to the specified receiving server.
Released: Whether or not this email has been released from a Quarantine.
Reported: Whether or not this email has been reported as spam by the recipient.
As we can see, Proofpoint Essentials has determined that the email is Spam (Classification: Spam). We can also see that the Delivery status is 'Quarantined' and that the email has not yet been released (Released: No). At the bottom of the log we can see some other useful information, in this case, the IP address of the sending server and which geographic region it has come from. This information can be useful when creating filters – if your organisation is receiving spam from, for example, Nigeria, you can choose to quarantine all emails from that country in the future by creating a filter.
In this example we can see that for this email, the Delivery Status is Deferred. Proofpoint Essentials will reattempt delivery of deferred mail for up to 14 days. The ‘Last delivery response’ gives us some useful information as to why delivery has been deferred. In this example, the receiving server does not have a verified security certificate, and delivery will continue to be deferred until this is resolved, or the email expires after 14 days of failed delivery attempts. If an email is expired after 14 days of delivery attempts, a Non-Delivery Report will be sent to the sender of the email to notify them that delivery of that message failed permanently. Mail can be deferred for a variety of different reasons, which will be detailed in the 'last delivery response'.
Other common reasons for mail being deferred are:
- Delivery of mail being blocked by a firewall at the recipient destination
*If emails are deferred at the Proofpoint Essentials end, they will be automatically retried once every 5 min, 15 min, 30 min and 1 hour after that for the next 14 days.
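The three log states described above (Delivered, Quarantined, Deferred) can be turned into a small triage routine. The Python below is an added example, not Proofpoint code or output: the field names, dictionary layout and sample entries are constructed, and the 'Last delivery response' layout (server IP in square brackets followed by the SMTP reply) is assumed from the description above.

```python
import re

# Assumed layout of 'Last delivery response', based on the description above:
# receiving server IP in square brackets, then that server's SMTP reply.
RESPONSE_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\].*?\b(?P<code>[245]\d\d)(?=[ -]|$)")

def parse_last_response(text):
    """Return (server_ip, smtp_code), or (None, None) if the text does not match."""
    m = RESPONSE_RE.search(text or "")
    return (m.group("ip"), int(m.group("code"))) if m else (None, None)

def triage(entry):
    """Map one log entry (dict of the fields described above) to a next step."""
    status = entry.get("delivery_status", "").lower()
    ip, code = parse_last_response(entry.get("last_delivery_response", ""))
    if status == "delivered":
        if code == 250:
            # The receiving server accepted the message from the platform.
            return f"accepted by {ip}: investigate on the recipient server"
        return "marked delivered but no 250 found: re-check the log entry"
    if status == "quarantined":
        if entry.get("released", "No").lower() == "yes":
            return "released from quarantine: check the delivery response after release"
        kind = entry.get("classification", "unknown")
        return f"held in quarantine as {kind}: release or add a filter"
    if status == "deferred":
        reason = entry.get("last_delivery_response", "").strip() or "no response recorded"
        return f"retrying for up to 14 days, then NDR to sender; reason: {reason}"
    return "unrecognised delivery status"

# Constructed sample entries (hypothetical field names, documentation IP ranges).
SAMPLES = [
    {"classification": "Filtered: Allow", "delivery_status": "Delivered", "released": "No",
     "last_delivery_response": "[192.0.2.25] 250 2.0.0 OK queued"},
    {"classification": "Spam", "delivery_status": "Quarantined", "released": "No",
     "last_delivery_response": ""},
    {"classification": "Clean", "delivery_status": "Deferred", "released": "No",
     "last_delivery_response": "certificate verification failed for 198.51.100.7"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["delivery_status"], "->", triage(sample))
```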