Exchange Team Blog

Journaling in Hybrid Scenarios

May 15, 2023

Journaling in Exchange Server or Exchange Online can help your organization respond to legal, regulatory, and organizational compliance requirements by recording all or targeted email messages. 

To learn more about configuring and managing journaling in Exchange Online, see Journaling in Exchange Online. For more information about journaling in Exchange Server, see Journaling in Exchange Server.

What about hybrid?

In Exchange hybrid, we often see mixed configurations where journaling is enabled on Exchange Server or in Exchange Online, or both. Our recommendation is to create the journaling rule in both Exchange Online and Exchange Server and point them to the same journal recipient. This may cause duplicate journaling under some circumstances. On the other hand, if journaling rules are not created in both places, there is a chance of some emails not being journaled.

Let’s walk through various scenarios and understand how to make sure all intended emails are journaled correctly without causing any duplicates.

It is important to note that you can't designate an Exchange Online mailbox as a journaling mailbox. You can deliver journal reports to an on-premises archiving system or a third-party archiving service.

We can split this subject into 3 routing scenarios for easy understanding:

  • Journaling of inbound emails
  • Journaling of outbound emails
  • Journaling of internal emails (messages within a single organization, including cross-premises emails)

Journaling of inbound emails

In a hybrid configuration, when you have both on-premises and cloud mailboxes, you can route inbound emails through Exchange Online or your Exchange servers. This can be done by pointing your MX record to either your Exchange servers or to Exchange Online Protection in Microsoft 365. For more information about available routing options for inbound email, see Inbound Messages from Internet.

Scenario 1: MX record points to on-premises

  • When email is processed by on-premises first, a header called X-MS-Exchange-Organization-Processed-By-Journaling is added to indicate that the journaling agent touched the message (this is an internal header and won't be visible to the recipient). Regardless of whether any on-premises journaling rule exists, the journaling agent will always touch a message on-premises, and the header will be added. It is not possible to disable the on-premises journaling agent. This header will be promoted on the email to Exchange Online, and once in Exchange Online, the service won’t journal the email again to prevent duplicate journaling.
  • Although we just mentioned that Exchange Online should not journal the message again, the Journaling agent in Exchange Online does check to see if any changes happened to the email from the ingress point. If there are changes, the journaling agent processes the message again to capture the change, even if the header is already present. When an email is sent from on-premises to Exchange Online, it will be sent to the remote routing address (e.g., contoso.mail.onmicrosoft.com) and then in Exchange Online, the categorizer resolves the address to the primary address which is contoso.com. Because of this change, journaling happens again in Exchange Online.

If you have any journaling rules on-premises and this behavior is causing duplicate journaling in Exchange Online, you can use PreventDupJournaling as described here. To enable this, please open a support ticket with Microsoft.

What happens when Send From Aliases is enabled?
When this feature is enabled, the Exchange Online address resolution from contoso.mail.onmicrosoft.com to contoso.com does not happen (to preserve the alias) and there will be no change in the email address. So, with the Send From Alias feature enabled, journaling by Exchange Online does not happen when email originated from or was routed through on-premises.

My MX is pointed to on-premises, and I have a journaling rule enabled only in Exchange Online. Some of the emails originated or routed from on-premises are not getting journaled. How can we solve this?
You can solve this by implementing any one of the following:

  • Consider pointing your MX record to Office 365, and Exchange Online journaling will start working.
  • If you are not actively using Send From Alias in Exchange Online, consider disabling it.
  • Configure journaling on-premises pointing to the same journal recipient(s) and add PreventDupJournaling in Exchange Online.

Scenario 2: MX record points to Exchange Online

When an MX record points to Exchange Online, the Exchange Online journaling agent will process the email first. In this case, centralized mail routing plays an important role in how journaling works on inbound emails.

Centralized mail transport (CMT) is recommended only for organizations with specific compliance-related transport needs. Our recommendation for most Exchange organizations is not to enable CMT.

When Centralized mail routing is enabled: 

  • Inbound emails are routed to on-premises first regardless of where the recipient is located. However, before that, the Exchange Online journaling agent will add the header X-MS-Exchange-Organization-Processed-By-Journaling. The header will be promoted on the email to on-premises. Regardless of any journaling rule in Exchange Online, the agent will always touch a message and the header will be added. Like Exchange Server, it is not possible to disable this agent in Exchange Online.
  • Exchange Server will initially skip journaling for on-premises recipients because of the presence of the header.
  • However, for Exchange Online recipients, the Exchange Server categorizer resolves the address contoso.com to the target address, which is contoso.mail.onmicrosoft.com. Because of this change, journaling does happen in Exchange Server for Exchange Online recipients if there is a matching journaling rule on-premises.
  • Similarly, when email gets routed back to Office 365, journaling happens in Exchange Online a second time, as the categorizer resolves contoso.mail.onmicrosoft.com to the primary domain contoso.com for Exchange Online recipients.

If you have journaling rules both in Exchange Online and Exchange Server and this is causing duplicate journaling in Exchange Online, this can be prevented by using PreventDupJournaling as mentioned here. To enable this, open a support ticket with Microsoft. Also, on-premises journaling for Exchange Online recipients can be prevented by scoping your on-premises journaling rule only for “Internal messages only.”

What happens when Send From Alias is enabled?
When Send From Alias is enabled, the address resolution from contoso.mail.onmicrosoft.com to contoso.com does not happen in Exchange Online (to preserve the alias) and there will be no change in the email address. So, Exchange Online journaling does not happen a second time, which is good because duplicate journaling is prevented.

When Centralized Mail routing is disabled:

  • Exchange Online journaling will journal the email for both Exchange Online and Exchange Server recipients and will add the header X-MS-Exchange-Organization-Processed-By-Journaling.
  • Exchange Server will skip journaling even if there is a matching rule present.

Journaling of outbound emails

Based on your requirements, you can choose how outbound messages are routed from Exchange Online users. When you run the Hybrid Configuration Wizard (HCW), you can select one of two options:

  • Don't enable CMT (this is recommended; route emails directly from Exchange Online to the Internet)
  • Enable CMT (to route outbound emails to the Internet via Exchange Server)

For more information about transport routing options available for outbound emails, see Outbound messages to the internet.

Scenario 1: When routing emails directly to the Internet (CMT disabled):

  • Exchange Online journaling rule must process emails from Exchange Online to the Internet.
  • Exchange Server journaling rule must process the email from on-premises to the Internet.

Scenario 2: When routing emails via on-premises to the Internet (CMT enabled):

  • Exchange Online journaling rule will process the email from Exchange Online to the Internet and add the header X-MS-Exchange-Organization-Processed-By-Journaling. When the mail leaves Exchange Online, it matches the default remote domain (*), where the TrustedMailOutboundEnabled parameter is $false (the correct setting). As a result, the header X-MS-Exchange-Organization-Processed-By-Journaling is filtered by content filtering before leaving EXO. Therefore, when the message reaches on-premises, it is journaled again by on-premises if there is a matching rule.
  • Exchange Server journaling rule must process the email from on-premises to the Internet.
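
The gap and duplicate conditions described above for inbound mail with the MX record on-premises and for outbound mail with CMT can be checked against a configuration snapshot. This is an added example, not code from the Exchange team: the function name, the snapshot field names and the sample values are hypothetical, and PreventDupJournaling is assumed to be a flag the admin records once Microsoft support has enabled it.

```powershell
# Added example. Snapshot field names are hypothetical; fill them from your own
# environment (journal rules as returned by Get-JournalRule in each organization).
function Test-HybridJournaling {
    param([Parameter(Mandatory)] $Config)

    $onPrem   = @($Config.OnPremRules | Where-Object { $_.Enabled })
    $online   = @($Config.OnlineRules | Where-Object { $_.Enabled })
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Config.MxPointsTo -eq 'OnPremises' -and $online.Count -gt 0) {
        if ($onPrem.Count -eq 0 -and $Config.SendFromAliasEnabled) {
            # Header is set on-premises and no address resolution happens in EXO.
            $findings.Add('GAP: mail originated from or routed through on-premises is not journaled by Exchange Online')
        }
        if ($onPrem.Count -gt 0 -and -not $Config.SendFromAliasEnabled -and
            -not $Config.PreventDupJournaling) {
            # Remote routing address is resolved to the primary address in EXO.
            $findings.Add('DUPLICATE: Exchange Online journals again for cloud recipients after on-premises')
        }
    }
    if ($Config.CmtEnabled -and $online.Count -gt 0 -and $onPrem.Count -gt 0 -and
        -not $Config.TrustedMailOutboundEnabled) {
        # Header is filtered when the message leaves EXO via the default remote domain.
        $findings.Add('DUPLICATE: outbound mail from Exchange Online is journaled again on-premises')
    }
    if ($online.Count -gt 0 -and $onPrem.Count -gt 0 -and
        (Compare-Object @($onPrem.JournalEmailAddress) @($online.JournalEmailAddress))) {
        $findings.Add('MISMATCH: rules do not point to the same journal recipient')
    }
    return $findings
}

# Constructed snapshot (not real data): MX on-premises, rule only in Exchange Online.
$sample = [pscustomobject]@{
    MxPointsTo                 = 'OnPremises'
    CmtEnabled                 = $false
    SendFromAliasEnabled       = $true    # recorded by the admin from the tenant's configuration
    PreventDupJournaling       = $false   # $true only if Microsoft support enabled it
    TrustedMailOutboundEnabled = $false   # value on the default remote domain (*)
    OnPremRules                = @()
    OnlineRules                = @([pscustomobject]@{
        Name = 'Journal all'; JournalEmailAddress = 'journal@archive.example'; Enabled = $true })
}
Test-HybridJournaling -Config $sample
```

The CMT finding is informational: the article treats $false as the correct TrustedMailOutboundEnabled setting, so that duplicate is a known consequence rather than a misconfiguration.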

A common requirement of many customers is to leverage CMT but use a different route for journaled messages from Exchange Online to the external journal recipient. This can be achieved by having “Double CMT” in Exchange Online. Refer to the section “Journaling and CMT” in Journaling and CMT.

Journaling internal emails within the tenant (including cross-premises emails)

Cloud to cloud:

This can be taken care of by a journaling rule in Exchange Online. Any situation where email is forked (bifurcated) will lead to duplicate journaling, which is expected and by design:

  • Transport chipping (too many recipients on the message).
  • Internal and external recipients exist on the same message – two forks are created for spam/phishing purposes (one for internal recipients, and one for external recipients).
  • Any future scenarios where the service might need to fork the message.

On-premises to cloud:

  • The first journaling will happen when the Exchange Server journaling agent processes the message. Exchange Online will journal again as the categorizer resolves the target domain ‘contoso.onmicrosoft.com’ to the primary domain ‘contoso.com’.
  • This will have the same behavior and remediations as mentioned in the above Scenario 1: MX record points to on-premises.

Cloud to on-premises:

  • Exchange Online journaling rule will process the email sent from Exchange Online to on-premises and add the header X-MS-Exchange-Organization-Processed-By-Journaling. So, Exchange Server will skip journaling for the second time as there won’t be any further changes to the email messages.

We hope that this article provides you with enough information about setting up journaling in an Exchange hybrid environment. I also want to take a moment and thank Arindam Thokder for his contribution. Please use the comment section to ask questions or provide suggestions!

Mithun Rathinam

Updated Aug 22, 2023
Version 2.0
  • Sektorsync
    Brass Contributor

    Hello techresolve!

     

    We currently use dynamic distribution groups (DDGs) as base for JournalingRules.

     

    The DDGs members are collected based on recipient filter which is based on AD-attributes (native or extensionattributes possible).

     

    Furthermore, in Hybrid scenarios the DDG should be configured so that it only contains UserMailboxes (not MailUsers/RemoteMailboxes), in each System (ExchangeOnpremises and ExchangeOnline).

    This would also avoid duplicate journaling.


    Example DDG:

    Get-DynamicDistributionGroup <Name of DDG> | fl recipientfilter,name,prim*

    RecipientFilter : ((((CustomAttributeXX -eq 'XXXXX') -and (RecipientType -eq 'UserMailbox')))
    PrimarySmtpAddress : <MailAddress of DDG>

     


    Example JournalingRule:

    PS C:\> Get-JournalRule <Name of the JournalingRule>

    Name : <Name of the JournalingRule>
    Recipient : <MailAddress of DDG>
    JournalEmailAddress : <Journaling Mailbox>
    Scope : External
    Enabled : True

     

     

  • Hi ShaneD347, to prevent duplicate journaling for external recipients in Scenario 2, the only option is to change the default settings of the default remote domain "*" by setting the TrustedMailOutboundEnabled parameter to $True. This ensures that outbound messages to recipients in the remote domain are considered safe and will bypass content filtering and recipient filtering. We recommend using this value in cross-forest deployments.

  • Techresolve
    Copper Contributor

    Hi Mithun,

    How can an admin exclude certain users from journaling in a multi-geo tenant, where emails of certain users are not to be journaled based on their geo location? Secondly, do we have any future plans to include dynamic DL membership for the EXO journaling rule? I believe currently only regular DLs are supported.

  • Hi Techresolve, the exclusion is not possible based on geo location; it can be done manually. The journal recipient can be a mailbox, distribution group, DDG, mail user, or contact. Yes, DDG is supported (correction made).

  • MichaelRuebel
    Copper Contributor

    Question: You write in scenario 2 (cmt enabled): "As a result, the header X-MS-Exchange-Organization-Processed-By-Journaling is filtered by content filtering before leaving EXO. Therefore, when it reaches On-Premises, the message is journaled again by On-premises if there is a matching rule." 

     

    For my understanding: this would lead to double journaling. Is this correct?

     

    Further question: Internal mail (from cloud to onprem) scenario: There you write "Exchange Online journaling rule will process the email sent from Exchange Online to on-premises and add the header X-MS-Exchange-Organization-Processed-By-Journaling. So, Exchange Server will skip journaling for the second time as there won’t be any further changes to the email messages." Doesn't this contradict the text above?

  • MichaelRuebel 

    1) Yes, it leads to duplicate journaling, and it affects email sent to external recipients which gets routed via on-premises (not the on-premises recipients).

    2) Regarding the internal email, i.e. EXO to on-premises, content filtering won't get applied as we preserve the headers. Hence, duplicate journaling will not happen there.

  • MichaelRuebel, yes, but the default remote domain setting is the key here for processing external recipients and applying content filtering. The same will not be applied for internal on-premises recipients.

  • ShaneD347
    Copper Contributor

    Mithun_Rathinam Question: You write in scenario 2 (cmt enabled): "As a result, the header X-MS-Exchange-Organization-Processed-By-Journaling is filtered by content filtering before leaving EXO. Therefore, when it reaches On-Premises, the message is journaled again by On-premises if there is a matching rule." 

    So this leads to duplication for emails sent to external recipients. Is there a workaround to avoid this duplication?