Email Track and Trace Best Practices

Article ID: 178851

Updated On:

Products

Email Security.cloud

Issue/Introduction

 

Resolution

Email Track & Trace is a powerful tool for tracing specific emails and determining whether and when they were processed and whether the Symantec services took any action on them. The following best practices will help you optimize your searches.

Limiting the time window and refining your search criteria will yield the best results.

  • If you know the specific time window of the email you are attempting to locate, restrict the search to the shortest time period (days or hours) for a quicker search response.
  • Using one or more of our indexed fields in your search criteria will significantly improve search performance. 
    • Indexed fields:
      • Subject
      • Service
      • Sender IP
      • Sender Address
      • Recipient Address
      • Time stamp
      • Date
  • Always use the fields under "Select more search options" where available; adding Service, Hello string, Sending server external IP, etc. significantly increases the chances of a successful search.

 

When do I ask for results in the UI versus asking for a CSV to email results?

  • The UI will return results for up to 1,000 rows
  • If you expect more than 1,000 rows of results, always request a CSV to be emailed; the CSV file will deliver up to 10,000 rows

 

How long should a report take?

  • Results should return in the UI within seconds or minutes, but will time out if the search is too complex and/or takes over 30 minutes to complete. 
  • Results requested via emailed CSV can arrive within minutes, but during peak periods they may take a few hours, depending on the query load.

 

What causes timeouts and failed searches?

  • Using any non-indexed fields (indexed fields are listed above) for searches, especially multiple non-indexed fields, will greatly increase the chances of a failed search. We have recently surveyed the most frequently used non-indexed fields and we are working to add them to our next release. If non-indexed fields are essential in the search then adding one or multiple indexed fields in addition will improve the chances of success.
  • When searching on a subject field based on a word, use all the characters you have. For example: Don't use the letters "Ref" when searching for the word "Referral", as widening the search parameters significantly increases the chances of a failed search. Additionally, using "subject starts with" or "subject ends with" provides faster results than "subject contains".
  • Avoid using *@*.* in sender & recipient fields when combining with other search parameters.