Finding messages with email log search

This article explains how to find messages that are sent to or from an organization using the email log search feature. See the email log search overview for additional guidelines. We recommend to wait one hour for the message to display, select an acceptable date and time range, and enter only one sender or recipient.

Note: Only super administrators can perform an email log search. The email log search feature isn't available to Free and Nonprofits Google Apps editions. Resellers also don't have access to the email log search feature for a resold domain when accessing its Admin console via the reseller console. The subject line is not visible to government edition customers, or other customers who have data location restrictions in place.

To use email log search:

  1. Sign in to the Google Admin console.  You must sign in as a super administrator.
  2. Click Reports.
  3. Click Audit > Email Log Search.
  4. Select a date range using the drop-down list, or specify the range using the calendar. The range is limited to the last 30 days.

    To view all messages sent and received during a selected date range, skip to step 7.

  5. If you specify a date range and also want to specify a time range, click the displayed time to enter a different start and end time for the range of messages to search.
    Note: The time zone is displayed adjacent to the date selection. The times shown represent the time zone of the computer used to sign in to the Admin console.
  6. Enter search criteria in one or more of the following fields:
    • SenderEnter the email address of the sender, either the complete address or a partial match. 
    • RecipientEnter the email address of the recipient, either the complete address or a partial match.
    • Sender IPEnter the IP address of the message sender. Important: Make sure you carefully insert the correct IP address. If you enter a malformed IP address, the request will fail
    • Recipient IPEnter the IP address of the message recipient. Important: Make sure you carefully insert the correct IP address. If you enter a malformed IP address, the request will fail
    • Message IDEnter the unique message identifier located in the message header, such as:

      See Message headers for instructions on finding message headers of particular mail providers.

      Note: If you both enter a message ID and specify a time range (as described in step 5), email log search overrides the time range and returns the entire day’s (or date range’s) details for that message ID.
  7. Click Search. A counter appears showing how long the query is taking. It can take up to one hour for a message to be logged.

    A list of messages matching your search parameters appears.

    Email log search results

    Note: If the search return more than 10,000 results, an alert appears. Some messages may display the message ID only, with N/A in the other fields. To view details for one of these messages, click the message ID in the list. This makes it appear in the Message ID search field, and you can then run a search on just this message.
  8. Perform any of the following tasks on the search results list:
    • Click the arrows in the upper-right corner to navigate through the pages of the list.
    • Click a subject (or message ID) to see the message’s details. See Viewing message details with email log search for a description of the information shown.
    • To export or download your search results, click Download-export icon in the upper-right corner of the screen, and then click either Export to Google Sheets or Download as CSV file.

      The button appears only if the search results return exportable data. Selecting either of these options initiates a new query, so it may take some time before the file is ready to open. If you download the search results, you can view them in a spreadsheet editor of your choice.

      Export or download

      Note: This process exports/downloads up to 1,000 messages or 10,000 log entries. A given email message may contain many log entries, depending on the number of message recipients. The query continues to download for several minutes before timing out. If the query time exceeds a few minutes, or if the download exceeds the maximum number of log entries, the end of the CSV displays an error message. If this happens, narrow the search time window to return fewer items.
Was this article helpful?
Sign in to your account

Get account-specific help by signing in with your Apps for Work account email address, or learn how to get started with Apps for Work.