Finding messages with email log search
This article explains how to find messages that are sent to or from an organization using the email log search feature. See the email log search overview for additional guidelines. We recommend to wait one hour for the message to display, select an acceptable date and time range, and enter only one sender or recipient.
To use email log search:
- Sign in to the Google Admin console. You must sign in as a super administrator.
- Click Reports.
- Click Audit > Email Log Search.
- Select a date range using the drop-down list, or specify the range using the calendar. The range is limited to the last 30 days.
To view all messages sent and received during a selected date range, skip to step 7.
- If you specify a date range and also want to specify a time range, click the displayed time to enter a different start and end time for the range of messages to search.
Note: The time zone is displayed adjacent to the date selection. The times shown represent the time zone of the computer used to sign in to the Admin console.
- Enter search criteria in one or more of the following fields:
- Sender—Enter the email address of the sender, either the complete address or a partial match.
- Recipient—Enter the email address of the recipient, either the complete address or a partial match.
- Sender IP—Enter the IP address of the message sender. Important: Make sure you carefully insert the correct IP address. If you enter a malformed IP address, the request will fail
- Recipient IP—Enter the IP address of the message recipient. Important: Make sure you carefully insert the correct IP address. If you enter a malformed IP address, the request will fail
- Message ID—Enter the unique message identifier located in the message header, such as: CAMrEYLjgm15=0+tp4JpwMV5J=JnR=qjQekfna3ZCZMwjwHfirstname.lastname@example.org
See Message headers for instructions on finding message headers of particular mail providers.Note: If you both enter a message ID and specify a time range (as described in step 5), email log search overrides the time range and returns the entire day’s (or date range’s) details for that message ID.
- Click Search. A counter appears showing how long the query is taking. It can take up to one hour for a message to be logged.
A list of messages matching your search parameters appears.Note: If the search returns more than 1,000 messages or 10,000 log entries, an alert appears. See Understanding incomplete email log search results to acknowledge the alert and tailor your search to see more accurate results.
- Perform any of the following tasks on the search results list:
- Click the arrows in the upper-right corner to navigate through the pages of the list.
- Click a subject (or message ID) to see the message’s details. See Viewing message details with email log search for a description of the information shown.
- To export or download your search results, click in the upper-right corner of the screen, and then click either Export to Google Sheets or Download as CSV file.
The button appears only if the search results return exportable data. Selecting either of these options initiates a new query, so it may take some time before the file is ready to open. If you download the search results, you can view them in a spreadsheet editor of your choice.Note: This process exports/downloads up to 1,000 messages or 10,000 log entries. A given email message may contain many log entries, depending on the number of message recipients. The query continues to download for several minutes before timing out. If the query time exceeds a few minutes, or if the download exceeds the maximum number of log entries, the end of the CSV displays an error message. If this happens, narrow the search time window to return fewer items. See Understanding incomplete email log search results to acknowledge the alert and tailor your search to see more accurate results.