
Journaling in Exchange Server can help your organization respond to legal, regulatory, and organizational compliance requirements by recording all or targeted email messages. Journaling in Exchange Server is basically unchanged from Exchange Server 2010.

Exchange provides the following journaling options:

  • Standard journaling: Journal all messages that are sent to and received by mailboxes on a specific mailbox database. To journal all messages in your organization, you need to configure journaling on all mailbox databases on all Exchange servers.

  • Premium journaling: Use journal rules to journal messages based on recipients (all recipients or specified recipients), and scope (internal messages, external messages, or all messages). Premium journaling requires Exchange Enterprise client access licenses (CALs). For more information about CALs, see Exchange licensing FAQs.

In a hybrid deployment, where some mailboxes are on on-premises Exchange Server and some are in Office 365 Exchange Online, you must set up a journaling rule on both the on-premises Exchange Server and Office 365 to capture inbound, outbound, and internal mail.

To configure journaling, see Journaling procedures in Exchange Server.

When you plan for messaging retention and compliance, it's important to understand journaling, and how journaling fits in your organization's compliance policies.

Why journaling is important

First, it's important to understand the difference between journaling and archiving when it comes to email messages:

  • Journaling refers to recording email communications as part of the organization's email retention strategy.

  • Archiving refers to removing email messages from their native location (for example, a user's mailbox), and storing them elsewhere.

Many organizations need to maintain records of the email communication that occurs as employees perform their daily business tasks. You can use Exchange journaling as a tool in your email retention or archival strategy.

Although a regulation may not specifically require journaling, Exchange journaling can help your organization achieve compliance with the regulation. For example, corporate officers in some financial sectors can be held liable for claims that are made by their employees to customers. Designated compliance managers can use journaling to collect and regularly review the email messages that are sent by employees to customers as part of their greater employee-to-customer communications review. The compliance managers can report their approval to the corporate officer, and the corporate officer can then report compliance to the regulating body.

The following list shows some of the more well-known U.S. and international regulations where Exchange journaling may help form part of your compliance strategies:

  • Sarbanes-Oxley Act of 2002 (SOX)

  • Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4)

  • National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)

  • Gramm-Leach-Bliley Act (Financial Modernization Act)

  • Financial Institution Privacy Protection Act of 2001

  • Financial Institution Privacy Protection Act of 2003

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)

  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)

  • European Union Data Protection Directive (EUDPD)

  • Japan's Personal Information Protection Act

Journaling agent

The Journaling agent is the built-in Exchange transport agent that processes messages as they flow through the Transport service on Mailbox servers. The journaling configuration settings are stored in Active Directory, and are read by the Journaling agent. The Journaling agent is registered on the OnSubmittedMessage and OnRoutedMessage categorizer events in the transport pipeline. For more information about the transport pipeline, see Mail flow and the transport pipeline.

Note that built-in transport agents like the Journaling agent are invisible and unmanageable by the transport agent management cmdlets (*-TransportAgent).

Journal reports

A journal report is the message that's recorded by journaling. The journal report contains the original message as an unaltered file attachment. The body of the journal report contains summary information from the original message (for example, the sender's email address, message subject, Message-ID, and recipient email addresses). This type of journaling is known as envelope journaling, and is the only journaling method that's supported by Exchange.

Journal reports and IRM-protected messages

You need to consider the effects of IRM-protected messages on journal reports. Third-party archiving systems that don't have built-in RMS support can't decrypt the IRM-protected messages in journal reports, which negatively affects the search and discovery of content in journaled messages. In Exchange, you can configure journal report decryption to save a clear-text copy of the message in the journal report. For more information, see Enable journal report decryption.

Journal rules

The basic components of a journal rule are:

  • Journal recipient: Who you want to journal.

  • Journal rule scope: What you want to journal.

  • Journaling mailbox: Where you want to store the journaled messages.

Journal recipient

The journal recipient specifies who you want to journal. Messages that are sent to or received by the journal recipient are journaled (the direction doesn't matter). You can configure a journal rule to journal messages for all senders and recipients in the Exchange organization, or you can limit a journal rule to an Exchange mailbox, group, mail user, or mail contact. If you specify a distribution group, you enable journaling for the members of the distribution group (not for the group itself).

By targeting specific recipients or groups of recipients, you can configure a journaling environment that helps you meet your organization's regulatory and legal requirements, while minimizing the storage and other costs that are associated with retaining large amounts of data.

Journal recipients that are enabled for Unified Messaging in Exchange 2016

By default, if your Exchange 2016 organization uses Unified Messaging (UM) to consolidate the email, voice mail, and fax infrastructure, Exchange is configured to journal voice mail notification and missed call notification messages. You can disable journaling for these types of messages, but messages that contain UM-generated faxes are always journaled.

To disable journaling for voice mail and missed call notifications, see Enable or disable journaling for voice mail and missed call notifications.

Note

Unified Messaging is not available in Exchange 2019.


Journal rule scope

After you define who you want to journal, you need to define the scope of the messages to journal. The available scopes are:

  • Internal messages only: The source or destination of the message is inside your Exchange organization.

  • External messages only: The source or destination of the message is outside your Exchange organization.

  • All messages: The source or destination of the message doesn't matter. Note that a journal rule with this scope could potentially journal messages that were already journaled by other rules with internal only or external only scopes.

Journaling mailbox

The journaling mailbox is where the journaled messages are delivered. How you configure the journaling mailbox depends on your organization's policies, regulatory requirements, and legal requirements. For example, you may be able to configure one journaling mailbox for all journal rules in your organization, or you may be required to use different journaling mailboxes for different journal rules.


Notes:

  • Journaling mailboxes contain sensitive information, so you need to secure access to them. Messages in the journaling mailbox may be part of legal proceedings or subject to regulatory requirements. We recommend that you create and enforce clearly-defined policies that indicate who has access to a journaling mailbox. Speak with your legal representatives to verify that your journaling solution complies with all the laws and regulations that apply to your organization.

  • A Microsoft 365 or Office 365 mailbox can't be used as a journaling mailbox. If you're running a hybrid deployment between on-premises Exchange and Microsoft 365 or Office 365, you can designate on-premises journaling mailboxes for your Microsoft 365 or Office 365 and on-premises organizations. You can also deliver journaled messages to an on-premises email archiving system or a third-party email archiving service.

  • Journaling mailboxes need to accept messages that are at least as large as the maximum message size that's available in your organization. Be sure to account for any custom maximum message sizes that you've configured on individual mailboxes. For more information, see Configure message size limits for a mailbox.

  • We recommend that you configure the journaling mailbox to only accept messages from the Microsoft Exchange recipient (the only sender of journal reports). Note that you can only do this in the Exchange Management Shell. For more information, see Configure message delivery restrictions for a mailbox.

  • We recommend that you disable the storage quota limits for the journaling mailbox. For more information, see Configure storage quotas for a mailbox.

Alternate journaling mailbox

Like other messages, undeliverable journal reports are queued, and delivery is periodically retried until the message expires (the default value is two days, and is configured by the MessageExpirationTimeout parameter on the Set-TransportService cmdlet). Unlike other messages, expired journal reports can't be returned to the sender in a non-delivery report (also known as an NDR or bounce message), because the sender is the Microsoft Exchange recipient. Expired journal reports can't be recovered.

If you don't want undeliverable journal reports to queue and eventually expire, you can specify an alternate journaling mailbox that accepts the NDRs for all undeliverable journal reports when any journaling mailbox is unavailable (one alternate journaling mailbox for all journaling mailboxes in your organization). The original journal report is an attachment in the NDR. When the journaling mailbox becomes available again, you can use the Resend this message feature in Outlook on the NDRs in the alternate journaling mailbox to send the unaltered delivery reports to the journaling mailbox.

Before you configure an alternate journaling mailbox, contact your legal representatives. Laws or regulations that apply to your organization may prohibit all journaled messages from being stored in the same mailbox.

When you configure an alternate journaling mailbox, you should use the same criteria that you used when you configured the journaling mailbox.

Notes:

  • If the alternate journaling mailbox also becomes unavailable and rejects the NDRs for undeliverable journal reports, the original journal reports are lost and can't be recovered.

  • You should treat the alternate journaling mailbox as a special dedicated mailbox. Journal rules, Inbox rules, and mail flow rules (also known as transport rules) that involve the alternate journaling mailbox are ignored.
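The journaling mailbox notes above (restricted senders, no storage quota, adequate message size limit, controlled access) and the requirement that the alternate journaling mailbox meet the same criteria can be checked with a read-only audit. This is an added example, not Microsoft's code; it uses only standard Exchange Management Shell cmdlets and assumes it is run on-premises with rights to read mailbox and transport configuration.

```powershell
# Added example, not Microsoft's code. Read-only; run in the Exchange Management Shell.
$transport = Get-TransportConfig

# Journaling mailboxes referenced by enabled journal rules.
$targets = @(Get-JournalRule | Where-Object { $_.Enabled } |
    ForEach-Object { "$($_.JournalEmailAddress)" })

# The alternate journaling mailbox should meet the same criteria, so audit it too.
$alternate = "$($transport.JournalingReportNdrTo)"
if ($alternate -and $alternate -ne '<>') { $targets += $alternate }

foreach ($address in ($targets | Sort-Object -Unique)) {
    $mbx = Get-Mailbox -Identity $address -ErrorAction SilentlyContinue
    if (-not $mbx) {
        # For example a mail contact that points at an external archiving service.
        [pscustomobject]@{ Target = $address; AllowedSenders = $null; FullAccess = $null
                           Findings = 'Not a mailbox in this organization; review at the destination' }
        continue
    }

    $findings = @()

    # Only the Microsoft Exchange recipient sends journal reports, so an empty
    # allow list means any sender can deliver mail into the evidence store.
    $senders = @($mbx.AcceptMessagesOnlyFromSendersOrMembers)
    if ($senders.Count -eq 0) { $findings += 'No sender restriction configured' }

    # Storage quotas should be disabled so reports are never rejected for space.
    if ($mbx.UseDatabaseQuotaDefaults) { $findings += 'Inherits database quota defaults' }
    foreach ($quota in 'IssueWarningQuota', 'ProhibitSendQuota', 'ProhibitSendReceiveQuota') {
        if ("$($mbx.$quota)" -ne 'Unlimited') { $findings += "$quota = $($mbx.$quota)" }
    }

    # A per-mailbox receive limit must be at least the largest message size in use.
    if ("$($mbx.MaxReceiveSize)" -ne 'Unlimited') {
        $findings += "MaxReceiveSize = $($mbx.MaxReceiveSize); organization limit = $($transport.MaxReceiveSize)"
    }

    # Explicit (non-inherited) FullAccess grants, for review against your access policy.
    $fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'FullAccess' -and
                       "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { "$($_.User)" }

    [pscustomobject]@{
        Target         = $address
        AllowedSenders = ($senders -join '; ')
        FullAccess     = ($fullAccess -join '; ')
        Findings       = ($findings -join ' | ')
    }
}
```

An empty `Findings` value means the mailbox matches the notes; `AllowedSenders` and `FullAccess` still need a manual comparison against your access policy.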

Journal rule replication

Because journal rules are stored in Active Directory, they're read and applied by the Transport service on all Mailbox servers in the organization. When you create, modify, or remove a journal rule, the change is replicated between the domain controllers in your organization. This allows Exchange to provide a consistent set of journal rules across the organization.

Notes:

  • Replication between domain controllers depends on factors that aren't controlled by Exchange (for example, the number of Active Directory sites, and the speed of network links). Therefore, you need to consider replication delays when you implement journal rules in your organization. For more information about Active Directory replication, see Introduction to Active Directory Replication and Topology Management Using Windows PowerShell.

  • Each Mailbox server caches expanded distribution groups to avoid repeated Active Directory queries to determine a group's membership. By default, entries in the expanded groups cache expire every four hours. Therefore, changes to the group's membership can't be applied to journal rules until the expanded groups cache is updated. To force an immediate update of the cache on a Mailbox server, restart the Microsoft Exchange Transport service. You need to restart the service on each Mailbox server where you want to forcibly update the cache.

Troubleshooting

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server. If you're having trouble with the alternate journaling mailbox, see KB2829319.


Important

Please refer to the Microsoft 365 security center and the Microsoft 365 compliance center for Exchange security and compliance features. They are no longer available in the new Exchange Admin Center.

Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. When planning for messaging retention and compliance, it's important to understand journaling, how it fits in your organization's compliance policies, and how Exchange Online helps you secure journaled messages.

Why journaling is important

First, it's important to understand the difference between journaling and a data archiving strategy:

  • Journaling is the ability to record all communications, including email communications, in an organization for use in the organization's email retention or archival strategy. To meet an increasing number of regulatory and compliance requirements, many organizations must maintain records of communications that occur when employees perform daily business tasks.

  • Data archiving refers to backing up the data, removing it from its native environment, and storing it elsewhere, therefore reducing the strain of data storage. You can use Exchange journaling as a tool in your email retention or archival strategy.

Although journaling may not be required by a specific regulation, compliance may be achieved through journaling under certain regulations. For example, corporate officers in some financial sectors may be held liable for the claims made by their employees to their customers. To verify that the claims are accurate, a corporate officer may set up a system where managers review some part of employee-to-client communications regularly. Every quarter, the managers verify compliance and approve their employees' conduct. After all managers report approval to the corporate officer, the corporate officer reports compliance, on behalf of the company, to the regulating body. In this example, email messages might be one type of the employee-to-client communications that managers must review; therefore, journaling can be used to collect all email messages sent by client-facing employees. Other client communication mechanisms may include faxes and telephone conversations, which may also be subject to regulation. The ability to journal all classes of data in an enterprise is a valuable functionality of the IT architecture.

The following list shows some of the more well-known U.S. and international regulations where journaling may help form part of your compliance strategies:

  • Sarbanes-Oxley Act of 2002 (SOX)

  • Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4)

  • National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)

  • Gramm-Leach-Bliley Act (Financial Modernization Act)

  • Financial Institution Privacy Protection Act of 2001

  • Financial Institution Privacy Protection Act of 2003

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)

  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)

  • European Union Data Protection Directive (EUDPD)

  • Japan's Personal Information Protection Act


Journal rules

The following are key aspects of journal rules:

  • Journal rule scope: Defines which messages are journaled by the Journaling agent.

  • Journal recipient: Specifies the SMTP address of the recipient you want to journal.

  • Journaling mailbox: Specifies one or more mailboxes used for collecting journal reports.

In Exchange Online, there's a limit to the number of journal rules that you can create. For details, see Journal, Transport, and Inbox rule limits.

Journal rule scope

You can use a journal rule to journal only internal messages, only external messages, or both. The following list describes these scopes:

  • Internal messages only: Journal rules with the scope set to journal internal messages sent between the recipients inside your Exchange organization.

  • External messages only: Journal rules with the scope set to journal external messages sent to recipients or received from senders outside your Exchange organization.

  • All messages: Journal rules with the scope set to journal all messages that pass through your organization regardless of origin or destination. These include messages that may have already been processed by journal rules in the Internal and External scopes.

Journal recipient

You can implement targeted journaling rules by specifying the SMTP address of the recipient you want to journal. The recipient can be a mailbox, distribution group, mail user, or contact. These recipients may be subject to regulatory requirements, or they may be involved in legal proceedings where email messages or other communications are collected as evidence. By targeting specific recipients or groups of recipients, you can easily configure a journaling environment that matches your organization's processes and meets regulatory and legal requirements. Targeting only the specific recipients that need to be journaled also minimizes storage and other costs associated with retention of large amounts of data.

All messages sent to or from the journaling recipients you specify in a journaling rule are journaled. If you specify a distribution group as the journaling recipient, all messages sent to or from members of the distribution group are journaled. If you don't specify a journaling recipient, all messages sent to or from recipients that match the journal rule scope are journaled.

Note


The SMTP address specified for the journaling recipient cannot contain a wildcard character. For example, the SMTP address cannot be listed as *@contoso.com.

Journaling mailbox

The journaling mailbox is used to collect journal reports. How you configure the journaling mailbox depends on your organization's policies, regulatory requirements, and legal requirements. You can specify one journaling mailbox to collect messages for all the journal rules configured in the organization, or you can use different journaling mailboxes for different journal rules or sets of journal rules.

You can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an on-premises archiving system or a third-party archiving service. If you're running an Exchange hybrid deployment with your mailboxes split between on-premises servers and Exchange Online, you can designate an on-premises mailbox as the journaling mailbox for your Exchange Online and on-premises mailboxes.

Journaling mailboxes contain sensitive information. You must secure journaling mailboxes because they collect messages that are sent to and from recipients in your organization. These messages may be part of legal proceedings or may be subject to regulatory requirements. Various laws require that messages remain tamper-free before they're submitted to an investigatory authority. We recommend that you create policies that govern who can access the journaling mailboxes in your organization, limiting access to only those individuals who have a direct need to access them. Speak with your legal representatives to make sure that your journaling solution complies with all the laws and regulations that apply to your organization.

Important

If you've configured a journaling rule to send the journal reports to a journaling mailbox that doesn't exist or is an invalid destination, the journal report remains in the transport queue on Microsoft datacenter servers. If this happens, Microsoft datacenter personnel will attempt to contact your organization and ask you to fix the problem so that the journal reports can be successfully delivered to a journaling mailbox. If you haven't resolved the issue after two days of being contacted, Microsoft will disable the problematic journaling rule.

Alternate journaling mailbox

When the journaling mailbox is unavailable, you may not want the undeliverable journal reports to collect in mail queues on Mailbox servers. Instead, you can configure an alternate journaling mailbox to store those journal reports. The alternate journaling mailbox receives the journal reports as attachments in the non-delivery reports (also known as NDRs or bounce messages) generated when the journaling mailbox or the server on which it's located refuses delivery of the journal report or becomes unavailable.

When the journaling mailbox becomes available again, you can use the Send Again feature of Office Outlook to submit journal reports for delivery to the journaling mailbox.

When you configure an alternate journaling mailbox, all the journal reports that are rejected or can't be delivered across your entire Exchange organization are delivered to the alternate journaling mailbox. Therefore, it's important to make sure that the alternate journaling mailbox and the Mailbox server where it's located can support many journal reports.

Caution

If you configure an alternate journaling mailbox, you must monitor the mailbox to make sure that it doesn't become unavailable at the same time as the journal mailboxes. If the alternate journaling mailbox also becomes unavailable or rejects journal reports at the same time, the rejected journal reports are lost and can't be retrieved.

Because the alternate journaling mailbox collects all the rejected journal reports for the entire Exchange Online organization, you must make sure that this doesn't violate any laws or regulations that apply to your organization. If laws or regulations prohibit your organization from allowing journal reports sent to different journaling mailboxes from being stored in the same alternate journaling mailbox, you may be unable to configure an alternate journaling mailbox. Discuss this with your legal representatives to determine whether you can use an alternate journaling mailbox.

When you configure an alternate journaling mailbox, you should use the same criteria that you used when you configured the journaling mailbox.

Important


The alternate journaling mailbox should be treated as a special dedicated mailbox. Any messages addressed directly to the alternate journaling mailbox aren't journaled.

Journal reports

A journal report is the message that the Journaling agent generates when a message matches a journal rule and is to be submitted to the journaling mailbox. The original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains information from the original message such as the sender email address, message subject, message-ID, and recipient email addresses. This is also referred to as envelope journaling, and is the only journaling method supported by Microsoft 365 and Office 365.

Journal reports and IRM-protected messages

When implementing journaling, you must consider journaling reports and IRM-protected messages. IRM-protected messages will affect the search and discovery capabilities of third-party archiving systems that don't have RMS support built-in. In Microsoft 365 or Office 365, you can configure Journal Report Decryption to save a clear-text copy of the message in a journal report.

Important

The Journal Report Decryption feature currently does not support the explicit use of OME templates. If you use a mail flow rule (also known as a transport rule) to apply an OME template, the journal report will not contain a decrypted copy of the message. Currently, journal report decryption only works with the default OME template that's implicitly applied by Exchange Online (on OME messages).

Troubleshooting

When a message matches the scope of multiple journal rules, all matching rules will be triggered.

  • If the matching rules are configured with different journal mailboxes, a journal report will be sent to each journal mailbox.

  • If the matching rules are all configured with the same journal mailbox, only one journal report is sent to the journal mailbox.

Journaling always identifies messages as internal if the email address in the SMTP MAIL FROM command is in a domain that's configured as an accepted domain in Exchange Online. This includes spoofed messages from external sources (messages where the X-MS-Exchange-Organization-AuthAs header value is also Anonymous). Therefore, journal rules that are scoped to external messages won't be triggered by spoofed messages with SMTP MAIL FROM email addresses in accepted domains.
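The two behaviours above (one report per distinct journal mailbox, and spoofed accepted-domain senders being treated as internal) can be seen together in a small model. This is an added example in plain PowerShell, not Exchange code: the accepted domain, rules, mailboxes and messages are constructed sample data, and treating a message as internal only when every recipient is also in an accepted domain is a simplifying assumption.

```powershell
# Added example: simplified model of the behaviour described above, not Exchange code.
# Constructed sample data: contoso.com is assumed to be the only accepted domain.
$AcceptedDomains = @('contoso.com')

function Test-AcceptedDomain([string]$Address) {
    $AcceptedDomains -contains $Address.Split('@')[-1].ToLower()
}

function Get-JournalScope($Message) {
    # Internal when MAIL FROM and (assumption) every recipient are in accepted domains.
    # The AuthAs value is deliberately not consulted: that is the gap the text describes.
    $outside = @($Message.Recipients | Where-Object { -not (Test-AcceptedDomain $_) })
    if ((Test-AcceptedDomain $Message.MailFrom) -and $outside.Count -eq 0) { 'Internal' }
    else { 'External' }
}

function Get-JournalReportTarget($Message, $Rules) {
    # Every matching rule fires, but each distinct journal mailbox gets one report.
    $scope = Get-JournalScope $Message
    $Rules | Where-Object { $_.Scope -eq 'Global' -or $_.Scope -eq $scope } |
        ForEach-Object { $_.JournalMailbox } | Sort-Object -Unique
}

# 'Global' is the New-JournalRule scope value for "All messages".
$rules = @(
    [pscustomobject]@{ Name = 'All-A';      Scope = 'Global';   JournalMailbox = 'journal-a@archive.example' }
    [pscustomobject]@{ Name = 'External-A'; Scope = 'External'; JournalMailbox = 'journal-a@archive.example' }
    [pscustomobject]@{ Name = 'External-B'; Scope = 'External'; JournalMailbox = 'journal-b@archive.example' }
)

$messages = @(
    [pscustomobject]@{ Subject = 'Genuine external'; MailFrom = 'partner@fabrikam.example'
                       AuthAs = 'Anonymous'; Recipients = @('alice@contoso.com') }
    [pscustomobject]@{ Subject = 'Spoofed sender';   MailFrom = 'ceo@contoso.com'
                       AuthAs = 'Anonymous'; Recipients = @('alice@contoso.com') }
    [pscustomobject]@{ Subject = 'Genuine internal'; MailFrom = 'bob@contoso.com'
                       AuthAs = 'Internal';  Recipients = @('alice@contoso.com') }
)

foreach ($m in $messages) {
    $scope = Get-JournalScope $m
    [pscustomobject]@{
        Subject   = $m.Subject
        Scope     = $scope
        Reports   = (Get-JournalReportTarget $m $rules) -join ', '
        # Unauthenticated mail classified as internal is what External-scoped rules miss.
        MissedByExternalRules = ($scope -eq 'Internal' -and $m.AuthAs -eq 'Anonymous')
    }
}
```

In this model the genuine external message produces one report each for journal-a and journal-b, while the spoofed message reaches only journal-a through the all-messages rule, so a compliance design that relies on External-scoped rules alone does not capture it.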

Duplicate journal report scenarios in a hybrid Exchange environment

In a hybrid Exchange environment, the following scenarios are known to result in duplicate journal reports, and this behavior is considered by design:

  1. Cloud to cloud: Any situation where email is forked leads to duplicate journaling, such as:

     • Transport chipping (too many recipients on the message).

     • Internal and external recipients exist on the same message – two forks are created for spam/phishing purposes (one in which internal recipients exist, and one in which external recipients exist).

     • Any future needs where the cloud needs to fork the message.

  2. On-premises to cloud: The message is journaled once on-premises and once in the cloud. This can be prevented by implementing the PreventDupJournaling flight in a tenant.

  3. Cloud to on-premises: After the cloud has journaled, on-premises journals. We cannot prevent this scenario.

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

If you're having trouble with the JournalingReportNdrTo mailbox, see Transport and Mailbox Rules in Exchange Online don't work as expected.