Skip to content

Message History Report

The Message History report details the messages processed by Sophos Email Security for your protected mailboxes.

This option is only available if your license includes Sophos Email.

Go to Logs & Reports > Message History.

If you have domains connected with Sophos Gateway and Sophos Mailflow, click Category to select whether to see one type, or all.

You can select the period for which you want to view the message processing history. By default, the report displays the messages processed during the current day. If you change the date range, click the refresh icon to update the report.

Report Details

Each row in the report shows one message that has passed through the gateway. If a message is sent to more than one recipient, there's only one row for that message.

For each message, the report shows:

  • Direction: click the arrows

    Click the subject go to Message Details for that message.

  • DATE shows the most recent activity for the message.

  • CATEGORY shows the result of our analysis.

    If a message is suspicious, you can hover over the CATEGORY entry to see why it was quarantined or deleted.


Whether a message is quarantined or deleted depends on the spam protection settings you've chosen, see Email Security policy.

Advanced Search

If you have Advanced Search, it is the default in Message History.

Click the Advanced Search input box. You can filter messages by the following:

  • From: Sender. Supports partial strings. Not case sensitive.
  • To: Recipient. Supports partial strings. Not case sensitive.
  • Subject: Supports partial strings. Not case sensitive.
  • Message size: Greater than or less than a number of MB. This uses the MIME size of an email, which may be greater than the raw file size. See Calculating email attachment file sizes.
  • Attachment: Type of attachment. Supports partial strings.
  • DSN code: Select a delivery status notification (DSN) code.

    You can enter a whole DSN code, or select one of the following wildcards:

    • 2.*.*: Successful delivery
    • 4.*.*: Transient failure
    • 5.*.*: Permanent failure


    When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.

You can combine different search terms. They are applied with the AND condition.

You can filter messages by Direction, Status, or Reason.

If you change the date range or filter the messages, you need to click the refresh icon to update the search results.

Click the subject of a message to see its details. See Message Details.

Search results

In your search results the parameters you selected appear in the search box. You can refine your search by clicking individual parameters to remove them. Your search results are updated immediately.

You can click the direction arrow to limit your search to inbound or outbound messages. The down arrow is for inbound messages, the up arrow for outbound messages. If you click a direction arrow your search results are updated immediately.

Message Details

To view Message Details, click a message's Subject.

The URLs tab is part of Advanced Search, which might not be available to all users yet.

You can click the following tabs for more information about the message.

  • Details shows general information about the message and a history of events for the message. Event history is grouped by Recipients.
  • Raw Header shows the header details.
  • Attachments shows the name and size of attachments.
  • URLs shows any URLs in the message.

    We calculate attachment size using the email's MIME-encoding. We don't use the size of the raw files. This means attachment file sizes are often reported as larger than the actual file. See Calculating email attachment file sizes.

Depending on our message analysis you see either Report as Spam or Report as Not Spam. Click this to send the message to SophosLabs to help improve our spam detection.


In Message History you can click Block Sender or Block Domain to add the sender's email address or the domain to you block list.

You can select Block IP Address to add the IP address to the Inbound Allow/Block list. You can also add email addresses and domains to the blocklist.


Be careful if you block an IP address. You can accidentally block a whole service. For example if you block the IP address used by Microsoft 365, you won't receive messages from any Microsoft 365 users.

For more information see Inbound Allow/Block.

Multiple recipients

If a message is sent to multiple recipients, in Details you can do the following:

  • Scroll through the SMTP recipients and Header Recipients.
  • You can see a list of recipients with their latest delivery status. You can also search events by recipient email address or domain. You can expand a message to see all the events associated with it.
  • Filter the messages by clicking the links under Status Summary.