Overview
Archiver is built for resilience and does not lose emails unless an Archiver UI setting explicitly drops/deletes emails, or an environmental factor occurs. This article provides a comprehensive overview of the causes of missing emails.
Initial checks
Before assuming an email is missing, two facts should be confirmed to ensure the email is indeed missing:
- Can a user with a Full Access role see the email?
- If the answer is yes, this is an ownership issue
- To fix ownership issues
- Review the affected user's profile in the Directory Service
- Ensure the email address is properly assigned to the user
- Run the RestoreOwners Tool
- References:
- Are the search results correct?
- Missing emails are a common result of indexing issues
- If an administrator cannot see the email, you should ensure the indices are healthy
- You can confirm that the indices are healthy by checking the search index state for the Archive Store you are trying to search
- If you notice that the relevant Archive Store is not healthy, you should rebuild its index
- Reference: Archiver Search Returns Zero or Incorrect Results
- Missing emails are a common result of indexing issues
If a user with a Full Access role cannot see the email and the index states are healthy, the email was likely not archived, and the next steps in the article should be reviewed.
Information
Below is a comprehensive list of scenarios on why emails might not be archived. Please note that there are different resolutions depending on recoverability. If you are facing one of these scenarios, submit a support ticket for a Technician to overview, confirm scenario, and provide possible workarounds or recommendations.
Here is a comprehensive list of scenarios on why emails might not be archived:
Environmental Causes
The Journal Mailbox Never Received a Copy of the Email
This can happen due to an Exchange fault or setting, such as when the journal mailbox was not set for all Exchange databases. You can verify this by going to the Exchange console > Organization config > Mailbox, selecting the properties for each of the databases and then going to Maintenance, enabling Journal and then adding the GFI Archiver journal user.
A particular example of this scenario involves an Exchange hybrid deployment, which has local Exchange mailboxes as well as Microsoft 365 (previously known as Microsoft Office 365) mailboxes. When accessing the ECP\Exchange Admin Center, under Recipients > Mailboxes, we should see what mailboxes are for Microsoft 365. If we have a journaling mailbox set for the local Exchange database only, any emails that do not contain a local Exchange mailbox would not have a copy saved to the local Exchange journaling mailbox.
Leftover Items
This is where journaled items that were not pulled from the journaling box are placed in the inbox.
Failed Email Download
When the email fails to be downloaded, Archiver moves the email from the inbox to a new folder called gfifailedmail (in this case, log in to OWA, and you should be able to see if such a folder exists).
Backup Solution Interference
An AV or backup solution interfered with the process and quarantined the items before they were processed. This can happen as follows:
- Items in the Pickup folder that are quarantined with no leftover files except for unusable temp files under Core | MAIS directory. Only the logs, which get overwritten in a few days, could tell if this happened.
- Items in the Queue folder that are quarantined. Since we "envelope" an email into multiple parts; we should have a very high chance of finding leftover files.
SQL Connectivity
Emails failed to be archived to the SQL database. In this case, you would see pending archival of files in the Pickup and/or Queue folders under:
- For automatic archiving:
...\GFI\Archiver\Core\
- For manual archiving:
...\GFI\Archiver\MAIS\
Quarantined Items
An Anti-Spam or Malware solution quarantined the item when a copy was sent to the journal. An example of this with GFI MailEssentials would be when the email is whitelisted, but the copy to the journal is not.
Multiple Domain Controllers
There are multiple domain controllers (DC) for the domain that Archiver is connected to. Sometimes, due to network issues, different DCs can return different results and if archiving restrictions are in place, the intended recipient might become "excluded", meaning that the email is dropped/deleted before archiving.
UI Settings
Archive Restrictions
Archive Restrictions were enabled, and the email was not archived, because the respective users/owners were excluded as a licensed user. Please refer to Understanding Archive Restrictions Options in GFI Archiver for more information.
Delete Immediately
Retention policy set to delete immediately: No record is left behind, except for the logs.
Delete After X Days
Retention policy set to delete an email after X days. When an email is archived, then removed by a retention rule, the SQL database will show it in the arc_delete
record.
Hard/Soft Delete
From the Configuration, email deletion was enabled as Hard Delete. A user/admin can manually remove an email. If Soft Delete was enabled, then only the ownership is removed, but the email remains in the database (searchable by admins with full access).
NOTE: The last two causes under "UI Settings" can be checked on the Auditing Reports tab, only if auditing was enabled during that time.