The feature is available for McAfee Email Protection Advanced Plan (and higher).

Message Audit provides basic message audit capability that lets you track incoming messages and research message disposition information. It shows the email status and the action McAfee has taken on the message (e.g. delivery, quarantine, denial).

Note: outgoing message tracking is available on McAfee Email Data Loss Protection and Email Continuity plans only.

Message Audit includes:

  1. Message Search
  2. Perimeter Block Search
  3. Search History 

Message Search

Search allows you to find email by Message Details, Message ID or Message Headers. To start a search, navigate to Email Protection > Message Audit > Message Search.

Search by Message Details. Use the message details option to view message disposition information based on specific parts of the message (e.g. sender, recipient, subject line, etc.).

Note: search supports wildcards. When looking for emails from a particular sender, we recommend placing an asterisk before the sender's email address (e.g. *test@domain.com), because a PRVS tag is added to some email addresses.

Search by Message ID. Use search to find message disposition information based on the unique message ID of an email message.

Search by Headers. Use search to find message disposition information based on the message header of an email message.

Note: headers search does not allow wildcards.

Search Results and Audit Details Preview

The output of your search appears in the Search Results section, which lists all emails that satisfy your search criteria. Clicking an email shows detailed information in the Audit Details Preview section. This section includes the following information:

  • From: the sender's email address.
  • To: the recipient's email address.
  • Subject: the subject line.
  • Size: the file size of the email.
  • Message ID: the unique message ID.
  • Tracking ID: the unique tracking ID.
  • Sender IP: the IP address of the sender.
  • Direction: specifies whether the email was sent (outbound) or received (inbound).
  • Spam Score: the likelihood that the email is spam.
  • Timestamp: the date and time of the event.
  • Event: provides details on each event, including:
    • Frontend/backend Transport Layer Security (TLS): yes/no.
    • Backend IP: the IP address of the destination server to which delivery was attempted.
    • Policy Set: the policy set the email triggered.
    • User Name: the user who released the email from quarantine.

Use the Download option to save your search results to a CSV file.

Message Audit Events

The Events section shows the actions McAfee has taken on the email. The description of each code is listed below.

Each entry gives the event, then its definition and suggested actions.

250 Backend; Mode: normal

Message was accepted for delivery

250 Backend; (Mode: exempt)

Recipient is exempt from filtering.

To remove the exemption, navigate to Account Management > Users > double-click the user in question > Email Protection > uncheck the Exempt user box.

250 Deferred; (Mode: normal)

The sender of the message receives a successfully delivered confirmation, but a copy or notification of the message is sent to a designated recipient due to a policy violation.

250 OK

Successfully delivered. The name of the user who released the email from quarantine may be listed in the Audit Details window.

250 OK silent discard for recipient shield

Due to the recipient shield, the message was silently discarded, but the recipient received an OK message.

To manage Recipient Shield settings, navigate to Email Protection > Policies > double-click on the policy in question > Allow/Deny > Recipient Shield.

521 outbound.logi.com must use TLS (Mode: normal)

Enforced TLS is enabled but the server denies the email.

To manage Enforced TLS settings navigate to Email Protection > Policies > double-click on the policy in question > Email Authentication > Enforced TLS.

551 Sender is on domain's block list (Mode: normal)

The policy settings determine that the message has a permanent failure and will not be retried.

To manage the Block list, navigate to Email Protection > Policies > double-click on the policy in question > Allow/Deny > Sender Deny.

551 Mailhost is on a global block list

The mail host is sending a high percentage of spam.

Try again in 2 hours. If it fails again, it means the IP address is continuing to send spam. 

551 Mailhost is on our global block list 

Due to prior abuse, the sender or recipient is being blocked.

551 Sender is on domain's block list

This sender is not allowed to send messages per policy settings.

To manage the Block list, navigate to Email Protection > Policies > double-click on the policy in question > Allow/Deny > Sender Deny.

552 Message size exceeds fixed maximum

This sender has sent a message which exceeds a policy setting maximum.

553 Invalid recipient (Mode: normal)

The message was rejected because user creation was set to deny.

553 Mailbox is restricted

The message was sent to an address that is rejected by a recipient shield.

To manage Recipient Shield settings navigate to Email Protection > Policies > double-click on the policy in question > Allow/Deny > Recipient Shield.

553 Sender is on user deny list

User has added the sender to his/her deny list.

To manage the user's block list, navigate to Account Management > Users > double-click on user > Sender Deny.

554 Denied IPR

The sending IP address has recently seen a high percentage of spam.

Try again in 2 hours. If it fails again, it means the IP address is continuing to send spam.

554 Denied Spamhaus

Spamhaus is a 3rd party block listing service.

Contact www.spamhaus.org to check the block list, or navigate to Email Protection > Policies > select the policy in question > Spam > uncheck Enable Real-time Blackhole List.

592 Recipient does not accept mail 

Recipient's email address is questionable.

250 Delivered Replied

Successful Delivery

250 Failsafe

Message has been accepted and is stored in failsafe.

250 Queued

Message is in the queue. Each message is handled differently due to policy. The queue information may be listed in the Audit Details window.

250 OK qa

Message was quarantined because it contained an attachment that is rejected by your policy.

To manage Attachment policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Attachments.

250 OK qh

Message was quarantined for ClickProtect.

To manage ClickProtect settings, navigate to Email Protection > Policies > double-click on the policy in question > ClickProtect.

250 OK qk

Message was quarantined because it contained a keyword that is rejected by your policy.

To manage Content policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Content.

250 OK qs

Message contained spam.

To manage Spam policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Spam.

250 OK qv

Message might contain a virus and is being quarantined.

To manage Virus policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Virus.

250 OK, Silent Deny

Sender believes delivery to be successful but message was dropped by policy.

250 encrypted

Message was delivered via the encryption inbox.

451 No Recipients

Message is received but the system is unable to verify if recipients can receive mail. The system will retry sending the message, but if this is unsuccessful, it will stop trying to send the message after a specified amount of time (typically 5 days).

521 Could not deliver message over TLS for domain

Enforced TLS is enabled but the server denies the email.

To manage Enforced TLS settings navigate to Email Protection > Policies > double-click on the policy in question > Email Authentication > Enforced TLS.

551 Denied IVF

There is a high risk of viruses and worms so this type of message is automatically denied.

To manage Virus policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Virus.

551 Denied SPAM

This type of message is automatically denied due to spam content.

To manage Spam Content Group policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Spam > Content Groups.

551 Message contains an encrypted ZIP File

This policy denies attachments that cannot be scanned.

To manage Attachment policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Attachments.

552 message size exceeds fixed maximum message size of {X} (Mode: normal) 

Sender believes delivery to be successful but the message exceeded maximum policy size and was discarded.

To manage Policy Settings, navigate to Email Protection > Policies > Attachments > Additional Policies > set Deny messages where the total size exceeds: to the desired value.

554 Denied

This policy does not allow a specific keyword.

To manage Content/Spam policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Content/Spam.

554 Denied SPAM

This policy determined this type of message to be spam.

To manage Spam policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Spam.

554 Content filter will not allow this message 

This policy contains a spam content group that blocked this message.

To manage Spam Content Group policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Spam > Content Groups.

554 This message contains a virus 

This policy denies an attachment containing this virus or this virus cannot be cleaned.

To manage Virus policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Virus.

554 Message Denied: Restricted attachment 

The policy setting denies these attachments due to type or size.

To manage Attachment policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Attachments.

554 Denied, restricted attachment (contains two restricted attachments) 

The policy setting denies these attachments due to type or size.

To manage Attachment policy settings, navigate to Email Protection > Policies > double-click on the policy in question > Attachments.

554 must use TLS (Mode normal)

TLS is not enforced.

To manage Enforced TLS settings navigate to Email Protection > Policies > double-click on the policy in question > Email Authentication > Enforced TLS.

554 Error: SPF validation failed because no SPF records available

Denied due to an enforced SPF policy violation.

To manage Enforced TLS settings navigate to Email Protection > Policies > double-click on the policy in question > Email Authentication > Enforced SPF.
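
The event strings above can be triaged in bulk from a downloaded CSV. The following is an added example, not McAfee code: it classifies each event from the table and lists senders who received a 250 response for mail that was quarantined or silently dropped. The column names `From` and `Event`, the sample rows, and the `prvs=<tag>=` address layout are assumptions.

```python
import csv, io, re
from collections import Counter

# Suffixes of the "250 OK q?" quarantine events listed in the table above.
QUARANTINE = {"qa": "attachment", "qh": "ClickProtect", "qk": "keyword",
              "qs": "spam", "qv": "virus"}

def strip_prvs(addr):
    """Remove an assumed 'prvs=<tag>=' prefix so tagged senders group together."""
    return re.sub(r"^prvs=[^=@]+=", "", addr.strip(), flags=re.I).lower()

def classify(event):
    """Return (disposition, detail) for an event string from the table."""
    m = re.match(r"\s*(\d{3})\s*(.*)", event)
    if not m:
        return ("unknown", event)
    code, text = m.group(1), m.group(2).strip()
    low = text.lower()
    if code == "250":
        q = re.match(r"ok (q[ahksv])\b", low)
        if q:
            return ("quarantined", QUARANTINE[q.group(1)])
        if "silent" in low:
            return ("silently_dropped", text)
        if low.startswith(("deferred", "failsafe", "queued")):
            return ("diverted_or_held", text)
        return ("delivered", text)
    kind = {"4": "retrying", "5": "denied"}.get(code[0], "unknown")
    return (kind, text)

# Constructed sample export; the column names are assumptions.
SAMPLE_CSV = '''From,To,Event
prvs=0123456789=alice@example.com,bob@example.org,250 OK qv
alice@example.com,bob@example.org,"250 OK, Silent Deny"
carol@example.net,bob@example.org,250 Backend; Mode: normal
dave@example.net,bob@example.org,551 Denied SPAM
erin@example.net,bob@example.org,451 No Recipients
'''

def summarize(csv_text):
    """Count dispositions; list senders who got a 250 for undelivered mail."""
    counts, hidden = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        disposition, _ = classify(row["Event"])
        counts[disposition] += 1
        if disposition in ("quarantined", "silently_dropped"):
            hidden[strip_prvs(row["From"])] += 1
    return dict(counts), dict(hidden)
```

Senders in the second result are the ones most likely to report "it was delivered" while the recipient never saw the message, so they are a useful starting point when reviewing quarantine and silent-deny policy settings.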

Perimeter Block Search

The Perimeter Block Search form allows you to search for and review IPs that have been blocked based on the history of the sender IP. To start a search, navigate to Email Protection > Message Audit > Perimeter Block Search > specify criteria and run the Search.

Note: this search does not allow wildcards.

In Search results you will see the following information:

  • Timestamp: the time and date that the IP address was blocked or allowed.
  • Sender IP: the IP address being reviewed.
  • Status: indicates whether that IP address was blocked or allowed.

Use the Download option to save your search results to a CSV file.

Search History

The search history tool allows you to view the history of users who have searched in message audit during the previous 14 days. Navigate to Email Protection > Message Audit > Search History > specify criteria and run the search.

In Search Results you will see the following information:

  • Timestamp: the time and date the search was performed.
  • User: the user who performed the search.
  • Search Type: the type of search (Message details or Perimeter block).
  • Search Criteria: the fields and search criteria used in the search.
  • Results Count: number of returned results.

Use the Download option to save your search results to a CSV file.

Note: some email traffic does not show up in the McAfee Message Audit details by default. This includes:

  • 551 Mailhost is on our global blacklist rejections. The current IP address state and history of McAfee firewall exceptions can be pulled under Message Audit > Perimeter Block Search. Domain policies are not applied to these rejections since the connection is dropped on the firewall.
  • IPR rejections: rolling block list rejections. IP address reputation cannot be checked and no domain-level policies are applied. Read the Knowledge Base article on 554 Denied [IPR] Bounce Back Message for more information.

Contact Support if you need more details about such rejections.