Overview

GFI Archiver is built for resilience and does not lose emails unless an Archiver UI setting explicitly drops/deletes emails, or an environmental factor occurs. This article provides a comprehensive overview of the causes of missing emails.

Information

Below is a comprehensive list of scenarios on why emails might not be archived. Please note that there are different resolutions depending on recoverability. If you are facing one of these scenarios, submit a support ticket for a GFI Technician to overview, confirm scenario, and provide possible workarounds or recommendations.

Here is a comprehensive list of scenarios on why emails might not be archived:

Environmental Causes

The Journal Mailbox Never Received a Copy of the Email

This can happen due to an Exchange fault or setting, such as when the journal mailbox was not set for all Exchange databases. You can verify this by going to the Exchange console > Organization config > Mailbox, selecting the properties for each of the databases and then going to Maintenance, enabling Journal and then adding the GFI Archiver journal user.

A particular example of this scenario involves an Exchange hybrid deployment, which has local Exchange mailboxes as well as Office 365 mailboxes. When accessing the ECP\Exchange Admin Center, under Recipients > Mailboxes, we should see what mailboxes are for Office365. If we have a journaling mailbox set for the local Exchange database only, any emails that do not contain a local Exchange mailbox would not have a copy saved to the local Exchange journaling mailbox.

Leftover Items

This is where journaled items that were not pulled from the journaling box are placed in the inbox.

Failed Email Download

When the email fails to be downloaded, Archiver moves the email from the inbox to a new folder called gfifailedmail (in this case, log in to OWA, and you should be able to see if such a folder exists).

Backup Solution Interference

An AV or backup solution interfered with the process and quarantined the items before they were processed. This can happen as follows:

• Items in the Pickup folder that are quarantined with no leftover files except for unusable temp files under Core | MAIS directory. Only the logs, which get overwritten in a few days, could tell if this happened.
• Items in the Queue folder that are quarantined. Since we "envelope" an email into multiple parts; we should have a very high chance of finding leftover files.

SQL Connectivity

Emails failed to be archived to the SQL database. In this case, you would see pending archival of files in the Pickup and/or Queue folders under:

• For automatic archiving: ...\GFI\Archiver\Core\
• For manual archiving: ...\GFI\Archiver\MAIS\

Quarantined Items

An Anti-Spam or Malware solution quarantined the item when a copy was sent to the journal. An example of this with GFI MailEssentials would be when the email is whitelisted, but the copy to the journal is not.

Multiple Domain Controllers

There are multiple domain controllers (DC) for the domain that Archiver is connected to. Sometimes, due to network issues, different DCs can return different results and if archiving restrictions are in place, the intended recipient might become "excluded", meaning that the email is dropped/deleted before archiving.

 

UI Settings

Archive Restrictions

Archive Restrictions were enabled, and the email was not archived, because the respective users/owners were excluded as a licensed user. Please refer to Understanding Archive Restrictions Options in GFI Archiver for more information.

Delete Immediately

Retention policy set to delete immediately: No record is left behind, except for the logs.

Delete After X Days

Retention policy set to delete an email after X days. When an email is archived, then removed by a retention rule, the SQL database will show it in the arc_delete record.

Hard/Soft Delete

From the Configuration, email deletion was enabled as Hard Delete. A user/admin can manually remove an email. If Soft Delete was enabled, then only the ownership is removed, but the email remains in the database (searchable by admins with full access).

NOTE: The last two causes under "UI Settings" can be checked on the Auditing Reports tab, only if auditing was enabled during that time.