When investigating delivery issues, false positives, or false negatives, you may first need to verify whether the email actually passed through the Symantec Email Security.cloud (ESS) infrastructure.

If an email bypasses ESS, Symantec cannot apply filtering policies, log the message, or provide tracking data. Use the two methods below to confirm if a message was routed through the service.

Method 1: Search Track and Trace in ClientNet

The most definitive way to check if a message processed through the service is to look for its logs in the management portal.

1. Log in to the Symantec ClientNet portal.

2. Navigate to Dashboard > Tools > Track and Trace.

3. Search for the message using the sender, recipient, or message ID within the relevant timeframe.

Note: If the message appears in Track and Trace, it was successfully received and processed by ESS. If it does not appear, proceed to Method 2 to verify via the email headers.

Method 2: Review the Message Headers

If you have access to the email sample (e.g., an .eml or .msg file), you can examine its internet headers for Symantec-specific metadata.

Open the message headers and look for the following unique identifiers added by ESS:

• X-Brightmail-Tracker: This header is injected by the Symantec Antispam engine and is the most common indicator of ESS processing.

• Received Headers: Look for hops containing messagelabs.com (e.g., clusterX.us.messagelabs.com), which indicates the email passed through Symantec’s mail transfer agents (MTAs).

Conclusion

If the message cannot be found in Track and Trace and the message headers do not contain any Symantec/Brightmail identifiers, the message did not route through the Email Security.cloud infrastructure.

In this scenario, the email was delivered via an alternate path (such as direct internal delivery or a different mail gateway), and you will need to review your organization's routing configurations or MX records.