View Email DLP Logs

Review Email DLP logs to understand email forwarding activity and Enterprise Data Loss Prevention (E-DLP) inspection status.
Where Can I Use This?
  • Data Security
What Do I Need?
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
Use Email DLP logs to gain granular visibility into your email processing pipeline and maintain the uninterrupted flow of business communications. By capturing detailed records of all emails received by the smart host, these logs help you efficiently troubleshoot delayed messages and optimize system performance.
You can use Email DLP logs to:
  • Track Email Processing Phases—Monitor exact delivery statuses to determine if an email is currently undergoing analysis or queued for delivery.
  • Monitor Scan Durations—Review precise timestamps for when the system captured and released an email to understand the total processing time.
  • Identify Message Characteristics—View exact email sizes and attachment details to resolve potential issues without inspecting sensitive email content directly.
  • Perform Historical Reviews—Filter logs by specific users, delivery states, retry counts, and time frames for comprehensive analysis.
  • Verify Routing Information—Track specific senders, recipients, globally unique message IDs, and subject lines.
  • Monitor Security Outcomes—View scan results and policy decisions to determine if an email matched a data profile or bypassed scanning.
  • Review Delivery Statuses—Determine if Enterprise DLP successfully delivered an email, left it pending, or sent a Non-Delivery Report (NDR) or Delivery Status Notification (DSN).
  1. Log in to Strata Cloud Manager.
  2. Select Configuration > SaaS Security > Data Security > Logs > Email DLP Logs and View Logs.
  3. (Best Practices) Refresh the list of Email DLP logs to ensure SaaS Security displays the latest logs.
  4. Filter the logs as needed.
    • Enter an email in the search bar to filter the logs by user email.
    • Specify the time frame Duration you want to investigate. You can select Past 24 Hours, Past 7 Days, Past 30 Days, Past 90 Days, or Past 1 Year.
    • Filter the Email DLP logs based on the Event you want to investigate. The common Email DLP events are Create, Update, Delete, and Download.
  5. Review your Email DLP logs.
    In the Resources column, SaaS Security prefixes all Email DLP events with Email. For example, Email Policy, Email Content, and Email Evidence Storage.
    • Log Field Descriptions
      • Time Captured—Date and time Enterprise DLP received the forwarded email. Format is DD Month YYYY H:MM <AM or PM>.
      • Time Released—Date and time Enterprise DLP returned the forwarded email back to the next hop after successful inspection completion. Format is DD Month YYYY H:MM <AM or PM>.
      • Scan Duration—Represents the total inspection time. This period begins at Time Captured and concludes once Enterprise DLP renders a Policy Decision.
      • Message ID—Globally unique identifier for the email defined by RFC 5322 extracted from the email header.
      • Sender User—Email of the user who sent the email that was forwarded to Enterprise DLP.
      • Subject—Subject line of the email forwarded to Enterprise DLP.
      • Recipients—List of the target email recipients.
      • Scan Result—Displays the scan result for the forwarded email.
        • Not scanned for sensitive data—Enterprise DLP hasn't yet inspected the email.
        • Sensitive data found—Email was inspected and it contained sensitive data.
        • No Sensitive data found—Email was inspected and contained no sensitive data.
      • Policy Decision—Outcome of the Enterprise DLP inspection.
        • Email matched with a DLP Data Profile in a policy and evaluation was completed—Email contained sensitive data and the action configured in the matching Email DLP policy rule was taken.
        • Email did not match with an email DLP policy—Email contained no sensitive data and can continue to the target recipient.
        • Email DLP policy evaluation timed out—Inspection skipped and the Action on Max Timeout taken because the inspection time exceeded the Max Timeout setting in the Email DLP data filtering settings.
        • Internal mail scan was disabled—Enterprise DLP didn't inspect the forwarded email because the Recipient is internal. This occurs when Enterprise DLP identifies the email as an internal email because the Sender and Recipient are registered within your onboarded Microsoft Exchange or Gmail email domains.
        • Data Loss Prevention service temporary disabled—Email inspection failed due to Enterprise DLP being unavailable at the time the email was forwarded.
        • Cloud Identity Engine service temporary disabled—Email inspection failed due to the Cloud Identity Engine being unavailable at the time the email was forwarded.
        • DLP scan was skipped because maximum message size was exceeded—Inspection skipped and the Action on Oversized Message taken because the email exceeded the Maximum Size to Scan setting in the Email DLP data filtering settings.
      • Message Size—Total size of the forwarded email.
      • Attachment—Displays Yes if the forwarded email included one or more attachments. Displays No if the email didn't include an attachment.
      • Delivery Status—Current status of the forwarded email. Can display Scan Pending, Delivery Pending, Delivered, or NDR Sent.
        • Scan Pending—Email successfully forwarded to Enterprise DLP and is pending inspection.
        • Delivery Pending—Email successfully inspected and is pending return back to the email host or quarantine inbox for review by an email administrator.
        • Delivered—Email successfully delivered to the next hop.
        • NDR Sent—Non-Delivery Report (NDR) sent to email Sender because Enterprise DLP couldn't deliver the email back to the next hop after two days of re-attempts.
      • Last Updated—Date and time the Email DLP log was updated to reflect its most current status. Format is DD Month YYYY H:MM <AM or PM>.
      • Action—Inspection result verdict as defined in the matching Email DLP policy rule.
      • DSN Sent—Displays Yes if Enterprise DLP sent a Delivery Status Notification (DSN) to the email Sender when email delivery to the next hop is delayed. Displays No if the email was delivered to the next hop on the first attempt.
      • Retries—Number of retries attempted by Enterprise DLP to deliver the email to the next hop.
  6. (Optional) Download the currently displayed list of Email DLP logs in CSV format to your local device if needed. The downloaded file reflects all the currently applied filters.
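
The downloaded CSV can be triaged offline for emails that Enterprise DLP did not inspect or could not deliver. The following is an added example, not Palo Alto Networks code: it assumes the CSV column names match the log field names described above, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Policy Decision values (as listed in the field descriptions) where the
# email was not inspected by Enterprise DLP.
UNINSPECTED = {
    "Email DLP policy evaluation timed out",
    "Internal mail scan was disabled",
    "Data Loss Prevention service temporary disabled",
    "Cloud Identity Engine service temporary disabled",
    "DLP scan was skipped because maximum message size was exceeded",
}
TS_FORMAT = "%d %B %Y %I:%M %p"  # "DD Month YYYY H:MM <AM or PM>"

# Constructed sample export; column names are assumed to match the UI fields.
SAMPLE_CSV = """Time Captured,Time Released,Message ID,Sender User,Policy Decision,Attachment,Delivery Status,Retries
12 March 2025 9:05 AM,12 March 2025 9:06 AM,<a1@example.com>,alice@example.com,Email did not match with an email DLP policy,No,Delivered,0
12 March 2025 9:10 AM,12 March 2025 9:15 AM,<b2@example.com>,bob@example.com,Email DLP policy evaluation timed out,Yes,Delivered,0
12 March 2025 9:20 AM,,<c3@example.com>,carol@example.com,DLP scan was skipped because maximum message size was exceeded,Yes,Delivery Pending,3
10 March 2025 4:00 PM,,<d4@example.com>,dave@example.com,Email matched with a DLP Data Profile in a policy and evaluation was completed,No,NDR Sent,12
"""

def parse_ts(value):
    """Parse a log timestamp; empty fields (not yet released) give None."""
    return datetime.strptime(value.strip(), TS_FORMAT) if value.strip() else None

def triage(csv_text):
    """Return rows needing review: uninspected mail and delivery problems."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["Policy Decision"] in UNINSPECTED:
            reasons.append("not inspected: " + row["Policy Decision"])
        if row["Delivery Status"] == "NDR Sent":
            reasons.append("delivery failed (NDR sent)")
        elif row["Delivery Status"] != "Delivered" and int(row["Retries"] or 0) > 0:
            reasons.append("delivery retrying")
        # Time held (captured to released); this is not the Scan Duration field.
        captured, released = parse_ts(row["Time Captured"]), parse_ts(row["Time Released"])
        held = (released - captured).total_seconds() if captured and released else None
        if reasons:
            findings.append({"message_id": row["Message ID"], "sender": row["Sender User"],
                             "attachment": row["Attachment"] == "Yes",
                             "held_seconds": held, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```

Rows flagged as not inspected and already Delivered are the ones to review first, since they left the smart host without a DLP verdict.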