The Zscaler service provides real-time log consolidation across the globe, so you can view every email transaction to or from your organization. Email Insights provides three types of logs for tracking email traffic:

  • Logs lists the transaction logs associated with each email message.
  • The Messages log lists all messages within the specified period, including quarantined messages.
  • The Quarantine log lists only those messages that are in quarantine. You can view and manage the quarantined messages from the Quarantine log.

To view these logs, go to Analytics > Email Insights or click View Logs from a dashboard or report.

The Email Insights window displays the logs or messages on the right pane. It lists up to 100 logs or messages at a time. Scroll down to the bottom of the window and click LOAD MORE to view the next group of up to 100 transactions.

To learn more about the email logs, expand a topic below.

Filtering and Finding Transactions

You can narrow down the list of transactions by doing the following on the left pane:

  • Choose a predefined time frame or use the calendar and time menus to define your own time frame. Note that you can set the time by hour, minutes, and seconds, if you need a more granular time frame.
  • Apply filters to narrow down the data or to search for specific messages or logs. See Using Email Log Filters.

After you set a filter, click Apply Filters to list the filtered transactions

Exporting to CSV

Click Export to CSV to export the data to a CSV file immediately. The service exports only the columns that are visible. It exports up to 100,000 lines of data at a time. You can continue to use the service while the export is in progress.

Customizing the Logs

You can customize the logs as follows:

  • Click to list the available fields for display. Tick a box to add a column or clear it to remove a column. Alternatively, click Select all or Deselect all to display or remove all columns.
  • Drag a column to another location.
  • Resize a column by positioning the cursor on its border and dragging it to the desired width.

The settings are stored as a web cookie on your computer. They are retained as long as the cookie is not deleted.

Viewing Message History

You can track email through its various delivery stages.

  • Click  beside a message to view more information about and to track a message's history. See Viewing Email Details for more information.

Dropping/Releasing Messages

  • Click beside a message to drop it from quarantine or click beside a message to release it.

Transaction Details

The following table lists the fields that you can display in the Transactions, Messages, and Quarantine log.

Untitled Document




Describes the action that the service took on the email. This field is available in the Logs view only.

Attachments (Clip icon)

Indicates if the message had an attachment.


List of file names and types of attachments, if any.

Client Trans Time (ms)

Time taken for the sending MTA to receive message acceptance response from the ZEN. This will typically include - (a) time it took to receive the message by us, (b) time to process (AV/SPAM scanning, policy application etc) and (c) the time it took for the ZEN to deliver the message to all recipients (delivery is attempted in parallel, so it would be the SMTP transaction that took the max time). This field is available in the Logs view only.

Destination IP

The IP address of the recipient email server.


Specifies whether the email was inbound or outbound.

DLP Dictionaries

List of DLP dictionaries that were matched, if applicable

DLP Engine

DLP engines that were matched, if any.

Message ID

The unique identifier of the message that the mail server adds to the header when the message is first created.

Message Size

The email size, in bytes.


The email addresses of the recipients.


Indicates if the service retried to send the email.


The email address of the sender.

Server Response Code

The 3-digit number at the beginning of an SMTP response. This field is available in the Logs view only.

Server Response String

The SMTP response code and description. This field is available in the Logs view only.

Server Trans Time (ms)

Time, in milliseconds, taken to complete an SMTP transaction with a receiving MTA (from ZEN to the MTA). This field is available in the Logs view only.

Source IP

The IP address from which the email was sent.

Spam Algorithms

Spam algorithms detected, if any.

Spam Score

The spam score (1-100) that the service assigned the email.

SSL Deliver

Indicates if the email was sent over SSL. This field is available in the Logs view only.

SSL Receive

Indicates if the email was received over SSL. This field is available in the Logs view only.


Indicates if the message was delivered, dropped or quarantined. If the message has multiple recipients, it also indicates the number of recipients with the same status. For example, if the status is Delivered (2), then this means that the message was delivered to two recipients. If there were more recipients, then you'll know that the message was not delivered to all recipients, and you can view the email's status for all recipients in the Recipient's tab. This field is available in the Messages and Quarantine logs only.


The subject of the email.

Threat Category

Specifies the virus, spyware or malware type that was detected, if any.

Threat Super Category

Indicates if the service detected a virus, spyware or other malware in the email. Otherwise, it displays Clean Transaction to indicate no malware was detected in the transaction.

Threat Name

The name of the threat that was detected, if any.


The date and time of the transaction.

Transaction ID

The unique identifier that the service assigned to the email message. All transactions associated with a message have the same transaction ID.