Configure SecureStore Journaling with Exchange 2013/2016


SecureStore will archive email messages that pass through the Mailprotector perimeter. (Outbound connectors must be configured to relay email through Mailprotector's smart host.) However, internal messages on an Exchange server will not be routed outside the Exchange environment. Therefore, creating a journaling rule in the Exchange server is necessary to journal messages between intra-domain users.

Applies To:

SecureStore archiving, Exchange Server 2013 or 2016

IMPORTANT: The screenshots provided in this article are from the legacy Office 365. The Exchange Admin Centers of Exchange 2013 and 2016 are very similar.

Please go to Configure SecureStore Journaling with Microsoft Office 365 for domains hosted on Exchange Online.


This article assumes you have already enabled SecureStore in the Mailprotector Console for the intended domain. If you have not enabled SecureStore in the Console, you will not have the journaling address needed to complete the journal rule configuration steps.

We recommend having both the Mailprotector Console and the Exchange Admin Center open to complete the required configuration steps.

Summary of Required Information

  • Unique journaling address from the Mailprotector Console.
  • An alternate email address for journaling non-delivery reports. This address should be something your support team monitors for problems.
  • Access to the Exchange Admin Center for your client's domain.

1. Obtain the Journaling Address

1a. How to Find the Address in the Mailprotector Console

  1. Navigate to the Mailprotector Console at
  2. Navigate to the domain you are working on in the Console
  3. Select the "Archiving" tab
  4. The Journaling Address will be at the bottom of the page for you to utilize

The SMTP Collector/Journaling Address is the unique mailbox assigned to the domain to capture messages for archiving. The address will be required later to configure the Exchange server's journal rule.

2. Configure the Journal Rule

2a. Journal Rules Tool in the Exchange Admin Center

The following steps are performed at the Exchange Admin Center (EAC). If you are not sure how to access the EAC on the server, please contact your team's Exchange expert.

Once on the Exchange Admin Center page, navigate to the Journal Rules tool. You may click on the Journal Rules link from the main page area to go directly to the tool or use the Compliance Management menu option from the left-hand navigation, as shown in Figure 3.

Fig. 3

You should be on the Compliance Management menu and be looking at the Journal Rules tool, as shown in Figure 4.

Fig. 4

2b. Specify Alternate Journal Address for Undeliverable Reports

If the unique journaling address doesn't exist or is an invalid destination, the journal report remains in the transport queue on Exchange or O365 datacenter servers, and delivery of queued items is periodically retried.

IMPORTANT for OFFICE 365: If this happens, O365 datacenter personnel will attempt to contact your team and ask you to fix the problem so that the journal reports can be successfully delivered to the journaling mailbox. If you have not resolved the issue after two days of being contacted, O365 will disable the problematic journaling rule.

Undeliverable journal reports can't be returned to the sender in a non-delivery report (also known as an NDR or bounce message) because the sender is the Exchange server or O365 service. To handle the NDRs for undelivered journal reports, you have to specify an alternate journaling mailbox that accepts the NDRs for all undeliverable journal reports.

BEST PRACTICE: Choose an alternate email address that is an Exchange mailbox that can be connected to via Outlook. The original journal report is an attachment to the NDR. When the journaling mailbox for an undelivered journal report becomes available again, you can use the Resend this message feature in Outlook on the NDRs in the alternate journaling email address to send the unaltered delivery report to the unique journaling mailbox.

Click on the link next to Send undeliverable journal reports to: and enter or change the email address for undeliverable notices. Please do not use the email address shown in Figure 5.

Fig. 5

2c. Add the New Journal Rule for SecureStore

After having an alternate journal address configured and ready for any potential problems, it is time to add the journal rule. Click on the plus icon in the Journal Rule tool to a new rule. That will open the New Journal Rule dialog box as shown in Figure 6.

Fig. 6

Focused on the New Journal Rule dialog box, you will enter the following information into the journal rule fields:

  • Send journal reports to: the unique journaling address from the Mailprotector Console
  • Name: A descriptive name for the rule, such as Journaling to SecureStore Archive
  • If the message is sent to or received from...: [Apply to all messages]
  • Journal the following messages...: [Internal messages only]

The last field instructs the rule to journal messages between internal users. External senders and recipients will already be archived as they pass through Mailprotector's perimeter servers, so we only to capture the messages of intra-domain communication.

The New Journal Rule dialog box should look similar to Figure 7.

Fig. 7

Click the Save button to complete the rule creation. You will receive a Warning dialog box asking if you want this rule to apply to all future messages, as shown in Figure 8. Click the Yes button to continue.

Fig. 8

That completes the creation of the rule, and you will see the rule listed in the Journal Rules tool as shown in Figure 9.

Fig. 9

3. (Optional) Prevent winmail.dat Type Messages from Being Archived

Unfortunately, email encoding can cause winmail.dat files to be attached to emails despite an administrator's best efforts to configure the server and clients to use HTML or plain text messaging. Configuring a mail flow rule for the remote domain to the SecureStore archive can prevent the archiving of winmail.dat type attachments.

BEST PRACTICE: We recommend configuring this mail flow rule to prevent the winmail.dat file, especially with messages that are sent from your client's organization and include both an internal and external recipient. That type of message is the most likely to create winmail.dat type messages.

If still in the Exchange Admin Center (EAC), navigate to the Mail Flow -> Remote Domains page, as shown in Figure 10.

Fig. 10

On the Remote Domains page, click the plus icon to add a new configuration. A New Remote Domain dialog box will open as shown in Figure 11.

Fig. 11

In the New Remote Domain dialog, configure the following:

  • Name: Enter a configuration name such as SecureStore Archiving
  • Remote Domain:
  • Out of Office automatic reply types: None
  • Use rich-text format: Never

The completed dialog box should look similar to Figure 12, and you will click the Save button to continue.

Fig. 12

This completes the configuration of journaling to SecureStore from your Exchange or Office 365 tenant server.

NOTE: Propagation of the new settings could take an hour or more to filter through Office 365 services. Exact timeframes are unknown to Mailprotector.

If you have more questions about configuring the journaling rule in Exchange or Office 365, or find errors with this knowledge base article, please contact the Partner Success team.

IMPORTANT: If using Mailprotector's outbound relay for non-journaling mail flow, a connector will also be needed to route journaling directly to SecureStore's smarthost. This can be created using the connector creation steps under the "SecureStore" section of


Have more questions? Submit a request