Email discovery is a critical component of compliance, legal investigations, and information governance. Microsoft Purview eDiscovery offers powerful capabilities for searching through organizational communications, but effectively targeting domain-specific emails requires understanding the correct syntax and search parameters.
Searching for Emails Sent TO a Specific Domain
When you need to identify all communications sent to recipients at a particular domain, use this query structure:
(Date=YYYY-MM-DD..YYYY-MM-DD) AND
(Recipients:"@domain.com*")
For example, to find all emails sent to anyone at pokebearswithsticks.com between October 15-29, 2024:
(Date=2024-10-15..2024-10-29) AND
(Recipients:"@pokebearswithsticks.com*")
- The @ symbol is necessary in the domain specification
- Place the wildcard (*) after the domain to capture all variations
- No wildcard should precede the @ symbol
- Quotation marks ensure proper handling of special characters
Searching for Emails FROM Specific Senders TO a Domain
When you need to find emails sent by specific individuals to recipients at a particular domain:
(Date=2024-10-15..2024-10-29) AND
(From:"Koala.Bear@pokebearswithsticks.com" OR From:"Brown.Bear@pokebearswithsticks.com") AND
(Recipients:"@croucher.cloud*")
This query would find all emails from these two specific senders to any recipient at croucher.cloud.
Searching Across Multiple Criteria
For more complex scenarios, you can combine various search parameters:
(Date=2024-10-15..2024-10-29) AND
((Participants:"Grizzly.Bear@pokebearswithsticks.com" OR
Participants:"Polar.Bear@pokebearswithsticks.com" OR Participants:"Panda.Bear@pokebearswithsticks.com") AND
(Participants:"@croucher.cloud*"))
Common Syntax Errors to Avoid
- Incorrect Wildcard Placement: Wildcards (*) should only be used as suffixes at the end of words/phrases, not as prefixes.
  - Incorrect: *@domain.com
  - Correct: "@domain.com*"
- Incorrect Property Names: Use the proper property names for sender and recipient information.
  - Use From: for sender email addresses
  - Use Recipients: for recipient email addresses
  - Use Participants: when you want to include both senders and recipients
- Missing Quotation Marks: Always use quotation marks around email addresses, especially when they contain special characters like apostrophes.
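The checks above can be applied to a query before it is pasted into the console. The following is an added example, not part of the original article or of any Microsoft tooling: a small Python linter whose function name, problem labels and sample queries are constructed for illustration. It assumes every From, Recipients or Participants value is an email address or a domain, so display-name searches would be flagged.

```python
import re

# Address properties covered on this page; this linter compares them case-insensitively.
ADDRESS_PROPS = {"from", "recipients", "participants"}
# property:value or property=value; the value is "quoted" or a bare token.
TERM_RE = re.compile(r'(\w+)\s*[:=]\s*("[^"]*"|[^\s()]+)')

def lint_query(query):
    """Return (term, problem) pairs for the address-term mistakes listed above."""
    findings = []
    for match in TERM_RE.finditer(query):
        term, prop, value = match.group(0), match.group(1), match.group(2)
        if prop.lower() not in ADDRESS_PROPS:
            continue  # Date and other properties are outside this check
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        inner = value[1:-1] if quoted else value
        if not quoted:
            findings.append((term, "missing-quotes"))
        if inner.startswith("*"):
            findings.append((term, "prefix-wildcard"))
        if "@" not in inner:
            # Assumption: the value is meant to be an address or a domain.
            findings.append((term, "missing-at-sign"))
        elif inner.lstrip("*").startswith("@") and not inner.endswith("*"):
            findings.append((term, "domain-without-trailing-wildcard"))
    return findings

if __name__ == "__main__":
    # Constructed sample queries: the first follows the article, the second breaks its rules.
    samples = [
        '(Date=2024-10-15..2024-10-29) AND (Recipients:"@croucher.cloud*")',
        '(Date=2024-10-15..2024-10-29) AND (Recipients:*@croucher.cloud)',
    ]
    for sample in samples:
        print(sample, "->", lint_query(sample) or "ok")
```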
Controlling Search Scope
Remember that your query scope is affected by:
- Location Selection: Before running your search, select the appropriate mailboxes or locations in the eDiscovery console
- Case Configuration: The mailboxes you've added to your case will limit the scope of your search
- Content Sources: For organization-wide searches, ensure you've selected "All locations" where appropriate
By using these techniques, you can efficiently target the exact email communications you need while minimizing false positives and reducing processing time.