Details

The Details tab shows general information about the message and a history of events associated with it. The event history is grouped by recipient so you can see how the message was processed and delivered for each recipient.

Message information

At the top of the Details tab, you can see key information about the message.

The section includes the following information:

  • Subject: The subject line of the email message.
  • Direction: Whether the message is Inbound or Outbound.
  • Email Date: The date and time when the message was sent.
  • SMTP From: The envelope sender address used during SMTP transmission.

    You can click Block to block the sender email address or domain.

  • SMTP Recipients: The recipients specified in the SMTP envelope.

Additional message attributes appear on the right side:

  • Category: The classification assigned to the message, for example Spam.
  • Sub Category: Additional classification details, for example Confirmed.
  • IP Address: The IP address of the sending mail server.

    You can click Block IP Address to add it to your block list.

  • Header From: The sender address shown in the email header.

  • Header Recipients: The recipients listed in the email header.

Event history

The lower section of the Details tab shows the message event history for each recipient.

The table includes the following information:

  • Recipients: The recipient email address.
  • Date: The time when each event occurred.
  • Status: The processing stage of the message, for example Accepted, Processing, or Returned to M365.

    Note

    Hover over the ellipsis (three dots) to see additional SMTP details for the event. You can see whether the connection is secured with TLS, the TLS version, the cipher used, and the hostname of the mail server that processed the message.

  • Reason: The reason associated with the message status, such as spam detection results.

  • Additional Details: Technical information about the event.

You can expand a recipient entry to see all events related to that recipient. This helps you understand how the message was processed and delivered.
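The SMTP details exposed per event (whether the hop used TLS, the TLS version, the cipher and the processing hostname) are worth reviewing systematically when a delivery looks suspicious. The following Python script is an added example and is not Sophos code: it audits a set of constructed event records shaped like the fields the Details tab shows and flags hops that were not secured, used an outdated TLS version, or negotiated a weak or non-forward-secret cipher. The record field names and the sample values are assumptions made for this example.

```python
"""Audit per-recipient SMTP event details for weak transport security.

The SmtpEvent fields mirror what the Details tab shows when you hover over the
ellipsis for an event. The field names are assumptions for this example, not a
Sophos schema, and the sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SmtpEvent:
    recipient: str
    status: str                 # e.g. "Accepted", "Processing", "Returned to M365"
    tls: bool                   # whether the connection was secured with TLS
    tls_version: Optional[str]  # e.g. "TLSv1.2"; None when the hop was not secured
    cipher: Optional[str]       # negotiated cipher suite name; None when no TLS
    hostname: str               # mail server that processed the message


# Versions considered acceptable today; anything else is flagged as outdated.
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}
# Substrings that identify ciphers a practitioner would not want on a mail hop.
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "DES-", "NULL", "EXPORT", "MD5")


def audit_event(ev: SmtpEvent) -> list:
    """Return findings for one event; an empty list means the hop looks fine."""
    findings = []
    if not ev.tls:
        findings.append("connection not secured with TLS")
        return findings
    if ev.tls_version not in ACCEPTABLE_TLS:
        findings.append("outdated TLS version %s" % ev.tls_version)
    cipher = (ev.cipher or "").upper()
    if any(tok in cipher for tok in WEAK_CIPHER_TOKENS):
        findings.append("weak cipher %s" % ev.cipher)
    # TLS 1.3 suites (TLS_*) and (EC)DHE suites provide forward secrecy;
    # static RSA key exchange suites such as AES128-SHA do not.
    elif not cipher.startswith(("ECDHE", "DHE", "TLS_")):
        findings.append("cipher without forward secrecy %s" % ev.cipher)
    return findings


def audit_history(events) -> dict:
    """Group findings by recipient, keeping only recipients with at least one."""
    report = {}
    for ev in events:
        findings = audit_event(ev)
        if findings:
            report.setdefault(ev.recipient, []).extend(findings)
    return report


# Constructed sample event history for one message with three recipients.
SAMPLE_EVENTS = [
    SmtpEvent("alice@example.com", "Accepted", True, "TLSv1.3",
              "TLS_AES_256_GCM_SHA384", "mx1.example.net"),
    SmtpEvent("bob@example.com", "Accepted", True, "TLSv1.0",
              "AES128-SHA", "mx-old.example.net"),
    SmtpEvent("carol@example.com", "Returned to M365", False, None, None,
              "smtp.example.org"),
]

if __name__ == "__main__":
    for recipient, findings in audit_history(SAMPLE_EVENTS).items():
        print(recipient, "->", "; ".join(findings))
```

The check reports only recipients whose hop had a problem, so a clean message produces an empty report; the thresholds (accepted versions, weak-cipher tokens) are the places to adjust for your own policy.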

Blocking

In Message History, you can click the subject of a message you want to block and then view its message details. Next, click Block under SMTP From and select either Block sender or Block sender domain to add the sender's email address or the domain to your block list.

You can also click Block IP Address under IP Address to add the IP address to your block list. Alternatively, you can add email addresses and domains from the Inbound Allow/Block list.

Warning

Be careful when you block an IP address. You can accidentally block a whole service. For example, if you block the IP address used by Microsoft 365, you won't receive messages from any Microsoft 365 users.

You can add descriptions when blocking a sender's email address, domain, or IP address to specify the reason for each block entry. For example, a description might be "blocked due to spam". You can view and edit these descriptions later on the Inbound Allow/Block list.

For more information, see Email.

Recover deleted messages

You must be a Super Admin to use this feature.

Outbound messages flagged as spam are deleted because receiving servers downgrade the reputation of Sophos Email delivery IP addresses when they receive spam from Sophos Email. A Super Admin who wants to check whether deleted messages were false positives can recover them to quarantine for further inspection. This applies to inbound and outbound messages.

You can recover and send the deleted messages to quarantine in Message History. The only deleted messages you can recover and send back to quarantine are as follows:

  • Inbound messages flagged as malware:

    • Virus
    • Intelix threat (unscannable)
    • Intelix threat (malicious)
  • Outbound messages flagged as spam

Click the subject of a message to see its details, then click Deleted to start message recovery. You can select Recover for all recipients to recover the message for all recipients, then click Recover.

Note

Messages recovered to quarantine must undergo a thorough evaluation before they're released so that the security of the recipient isn't compromised.

It may take a few minutes to recover the message to quarantine. When it's recovered to quarantine, you must thoroughly assess the message by using techniques such as submitting the message to Intelix for scanning. You can download the attachments to inspect them for malicious content. You can read the message content to determine whether it's spam. See Quarantined Messages.

Releasing outbound spam harms the reputation of the Sophos Email delivery IP addresses. A compromised reputation may result in delays or rejection of messages for all customers. For this reason, an hourly rate limit is applied to the recovery of deleted outbound spam. In an hour, you can recover a maximum of five messages, each of which may have been addressed to one or more recipients.
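The recovery rules above (which deleted messages are eligible, and the hourly limit on outbound spam recoveries) are easy to misread, so the following Python model, added here as an example and not Sophos's implementation, puts both in code: an eligibility check over the detection labels the page lists, and a sliding one-hour window that allows at most five outbound spam recoveries, counting each message once regardless of how many recipients it had. The request records and their field names are constructed for this example.

```python
"""Model of the deleted-message recovery rules described on this page.

This is an illustrative model, not Sophos code. Detection labels are taken
from the page's list; the request record layout is an assumption.
"""
from collections import deque
from datetime import datetime, timedelta

# Inbound messages can be recovered only when flagged with one of these.
RECOVERABLE_INBOUND_FLAGS = {
    "Virus",
    "Intelix threat (unscannable)",
    "Intelix threat (malicious)",
}
MAX_OUTBOUND_SPAM_RECOVERIES_PER_HOUR = 5


def is_recoverable(direction: str, flag: str) -> bool:
    """Eligibility: inbound malware (listed flags) or outbound spam only."""
    if direction == "Inbound":
        return flag in RECOVERABLE_INBOUND_FLAGS
    if direction == "Outbound":
        return flag == "Spam"
    return False


class OutboundSpamRecoveryLimiter:
    """Sliding-window limiter: at most `limit` recoveries per `window`."""

    def __init__(self, limit=MAX_OUTBOUND_SPAM_RECOVERIES_PER_HOUR,
                 window=timedelta(hours=1)):
        self.limit = limit
        self.window = window
        self._times = deque()  # timestamps of recoveries inside the window

    def try_recover(self, now: datetime) -> bool:
        # Drop recoveries that have aged out of the window.
        while self._times and now - self._times[0] >= self.window:
            self._times.popleft()
        if len(self._times) >= self.limit:
            return False
        self._times.append(now)
        return True


def process_recovery_requests(requests, limiter=None) -> list:
    """Return one outcome per request: 'recovered', 'not recoverable' or
    'rate limited'. Each request is (direction, flag, timestamp, recipients);
    the recipient count does not affect the limit, per the page."""
    limiter = limiter or OutboundSpamRecoveryLimiter()
    outcomes = []
    for direction, flag, when, _recipients in requests:
        if not is_recoverable(direction, flag):
            outcomes.append("not recoverable")
        elif direction == "Outbound" and not limiter.try_recover(when):
            outcomes.append("rate limited")
        else:
            outcomes.append("recovered")
    return outcomes


# Constructed sample: seven outbound spam recoveries plus two inbound cases.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_REQUESTS = (
    [("Outbound", "Spam", T0 + timedelta(minutes=i), 3) for i in range(6)]
    + [("Outbound", "Spam", T0 + timedelta(minutes=61), 1),
       ("Inbound", "Virus", T0 + timedelta(minutes=5), 1),
       ("Inbound", "Spam", T0 + timedelta(minutes=6), 1)]
)

if __name__ == "__main__":
    for req, outcome in zip(SAMPLE_REQUESTS, process_recovery_requests(SAMPLE_REQUESTS)):
        print(req[0], req[1], req[2].time(), "->", outcome)
```

The sixth outbound request inside the same hour is refused, the seventh succeeds once the first recovery has aged out of the window, and the inbound requests are never counted against the limit.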

The following video shows you how to recover deleted messages to quarantine and configure your users' quarantine as read-only.

Suspected spam messages

Inbound messages are scanned for spam, and then messages are categorized based on scan results. When Sophos Central identifies a suspicious message, it marks it as "Suspected" and adds its spam level.

Sophos Central categorizes the suspected spam messages based on their level. For example, a message corresponding to an L3 spam level will be marked as "Suspected L3" in Message History.

The action depends on the catch rate slider setting. For example, suppose you set the slider to L3 and the action to Quarantine. In that case, suspected spam messages from L1 to L3 are quarantined, and those from L4 to L5 are delivered to the recipient.

You can filter the messages by suspected spam level. You can also click the subject of a message to view more details and its suspected spam level. The suspected spam level you configured using the catch rate slider is shown in Reason, and the suspected spam level Sophos Central validated is shown in Sub Category.

You can watch the following video for a step-by-step guide on how to view the suspected spam messages and their corresponding spam levels in Message History.

Multiple recipients

If a message is sent to multiple recipients, in the Details tab, you can do the following actions:

  • Scroll through SMTP Recipients and Header Recipients.
  • See a list of recipients with their latest delivery status, search events by recipient email address or domain, and expand a message to view all associated events.
  • Filter messages by clicking the links under Status Summary.

Internal forwards

In the Details tab, you can also claw back messages that were forwarded or replied to internally.

Click Load internal forwards to get messages forwarded or replied to internally.

Internal forwards are supported only for Microsoft 365 mailboxes and are retrieved dynamically. This can take several seconds, depending on the number of forwarded messages.

If no internal forwards are found, a message appears stating that none were found.

If the message wasn't delivered to a Microsoft 365 mailbox in a domain connected for post-delivery protection, the Load internal forwards button is unavailable.

Make sure the post-delivery protection features are turned on for the domain. See Post-Delivery Protection.

You can also include messages forwarded or replied to internally when performing an on-demand clawback. For example, if a message is forwarded internally to a distribution list, you can claw back both the original message and any associated messages.

For more information about on-demand clawback and how to include these messages, see the following documentation:

On-demand clawback

You can manually claw back messages from recipients' mailboxes and move them to post-delivery quarantine.

When you claw back a message from its Message Details page, you can also claw back copies that were forwarded or replied to internally. Internally forwarded messages can only be clawed back if they were successfully delivered to Microsoft 365 mailboxes in domains connected for post-delivery protection (PDP).

This feature applies to individual recipients, email aliases, and distribution lists. After a successful clawback attempt, the clawback status for distribution lists remains "Clawback Initiated".

You can report a message to SophosLabs and claw it back at the same time. Clawback starts after you submit the message to SophosLabs, as long as it was successfully delivered to a supported mailbox.

A detection is sent to MDR if you select a reason during clawback. The reason appears as a suffix in the Detection Rule column on the Detections page in the Threat Analysis Center.

After a successful clawback, the messages are quarantined. You can check the messages in the post-delivery quarantine list and release them if they're non-malicious or legitimate. See Quarantined Messages.

You can view detailed clawback status information in the Additional Details column in Message Details.

You can also claw back messages from a recipient's inbox using the clawback API. For more information, see Email Management API.

Requirements and limitations

Before you perform a clawback, note the following points:

  • You can claw back a message only if it's delivered to a mailbox whose domain is connected for post-delivery protection.
  • It may take up to 10 minutes to claw back a message. Delays can occur during mailbox provider processing.
  • When a message is clawed back, all messages forwarded or replied to internally are also clawed back.
  • If you select only specific recipients during manual clawback, only messages forwarded or replied to internally for those recipients are clawed back.
  • A message and any messages forwarded or replied to internally can only be clawed back once. If they're released from post-delivery quarantine, they can't be clawed back again.
  • Messages sent to external mailboxes may appear in the results. However, you can only perform clawback and other post-delivery actions on mailboxes within domains connected to Sophos Central.
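The requirements above determine, recipient by recipient, what a clawback can actually act on. The following Python function is an added example, not Sophos code: it applies those rules to constructed delivery records (delivery status, whether the mailbox domain is connected for post-delivery protection, whether the message was already clawed back, and any internally forwarded or replied copies) and returns which recipients are eligible, why the others are skipped, and which internal forwards are pulled in for the selected recipients only. The record layout and sample addresses are assumptions for this example.

```python
"""Apply the clawback eligibility rules from this page to delivery records.

Illustrative model only; the Delivery layout is an assumption for the example
and the sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Delivery:
    recipient: str
    status: str                 # only "Delivered" messages can be clawed back
    pdp_connected: bool         # mailbox domain connected for post-delivery protection
    already_clawed_back: bool   # a message can be clawed back only once
    internal_forwards: List[str] = field(default_factory=list)


def ineligibility_reason(d: Delivery) -> Optional[str]:
    """Return why this recipient cannot be clawed back, or None if eligible."""
    if d.status != "Delivered":
        return "not delivered successfully (status %s)" % d.status
    if not d.pdp_connected:
        return "mailbox domain not connected for post-delivery protection"
    if d.already_clawed_back:
        return "already clawed back once; cannot be clawed back again"
    return None


def plan_clawback(deliveries, selected=None) -> dict:
    """Build the clawback plan for a message.

    `selected` limits the plan to specific recipients (as in Message Details);
    internal forwards are included only for recipients in the plan.
    """
    chosen = set(selected) if selected is not None else {d.recipient for d in deliveries}
    plan = {"eligible": [], "skipped": {}, "internal_forwards": []}
    for d in deliveries:
        if d.recipient not in chosen:
            continue
        reason = ineligibility_reason(d)
        if reason:
            plan["skipped"][d.recipient] = reason
        else:
            plan["eligible"].append(d.recipient)
            plan["internal_forwards"].extend(d.internal_forwards)
    return plan


# Constructed sample: one message delivered to four recipients.
SAMPLE_DELIVERIES = [
    Delivery("alice@example.com", "Delivered", True, False,
             internal_forwards=["dl-team@example.com", "erin@example.com"]),
    Delivery("bob@partner.example.org", "Delivered", False, False),  # external
    Delivery("carol@example.com", "Delivered", True, True),          # released earlier
    Delivery("dave@example.com", "Quarantined", True, False),
]

if __name__ == "__main__":
    print(plan_clawback(SAMPLE_DELIVERIES))
    print(plan_clawback(SAMPLE_DELIVERIES, selected=["bob@partner.example.org"]))
```

Running it on the sample shows only alice eligible (with her two internal forwards included), bob skipped as an external mailbox, carol skipped because the message was already clawed back and released, and dave skipped because the message was never delivered.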

You can perform on-demand clawback in two ways:

Claw back messages in Message History

You can claw back messages directly from Message History.

To do this, do as follows:

  1. In Sophos Central, go to Reports > Email Security Logs > Message History.
  2. Select the messages you want to claw back. You can select up to 100 messages at once.

    Any messages forwarded or replied to internally are included in the same clawback action.

    Tip

    • You can use Advanced Search to narrow down your message selection.
    • You can use the checkbox next to the up/down arrow icon to select all messages on the current page. Make sure you're viewing only inbound messages, as only those can be clawed back.
    • You can filter for delivered messages because only messages delivered successfully can be clawed back.
  3. Click Initiate clawback.

    The Clawback messages dialog appears.

  4. (Optional) Select a reason for clawing back the selected messages from the following options:

    • Spam emails
    • Malware emails
    • Phishing emails
    • Unwanted emails
  5. (Optional) If you selected Spam emails, Malware emails, or Phishing emails, you can select Report the emails to SophosLabs to report the messages to SophosLabs.

    This helps us improve our threat detection.

  6. Click Confirm to claw back the selected messages.

You can view detailed clawback status information in the Additional details column in Message Details.

Claw back messages in Message Details

You can claw back messages from their message details page.

To do this, do as follows:

  1. In Sophos Central, go to Reports > Email Security Logs > Message History.
  2. Click the subject of a message you want to claw back to view its message details.
  3. Select the recipients from whom you want to claw back the delivered message.

    If the message has messages forwarded or replied to internally, you can select recipients in the Internal forwards table to claw back those messages along with the original message. See Internal forwards.

  4. Click Initiate clawback.

  5. Select a reason for clawing back the selected message from the following options:

    • Spam emails
    • Malware emails
    • Phishing emails
    • Unwanted emails
  6. (Optional) If you selected Spam emails, Malware emails, or Phishing emails, you can select Report the emails to SophosLabs to report the message to SophosLabs.

    This helps us improve our threat detection.

  7. (Optional) Click View Report to view the post-delivery summary report for the messages clawed back. See Post-Delivery Summary Report.

  8. Click Clawback to claw back the message from the selected recipients.

You can view detailed clawback status information in the Additional details column in Message Details.