Journaling tool is showing duplicate emails after INKY was installed

Explainer: how Microsoft 365 journaling interacts with INKY's mail flow.

Written By Nathan McCurley

Last updated 3 days ago

The short version

If your organization uses Microsoft 365 journaling to archive email for compliance, you may notice that some messages appear twice in your archive β€” once without an INKY banner, and once with the banner attached. This is expected behavior, not a misconfiguration in INKY or in your tenant. Below is what's happening and what (if anything) to do about it.

What journaling does

Microsoft 365 journaling is a compliance feature that automatically saves a copy of every email entering or leaving your tenant to a designated archive mailbox (called the journaling mailbox). Think of it like a security camera at your office door β€” every time the door opens, a recording is made.

A journal rule has three parts:

  • Scope β€” which messages to capture (internal only, external only, or all)

  • Recipient β€” whose mail to capture (everyone, or specific users/groups)

  • Journaling mailbox β€” where the captured copies are sent

When a message matches a journal rule, Microsoft generates what's called a journal report β€” a system-generated email that contains the original message as an unaltered attachment, plus envelope metadata like the sender, all recipients, BCC list, and any distribution-list expansions.

How INKY fits into the mail flow

INKY adds its banners (the neutral, caution, and danger bars) by being inserted into your mail flow as a stop along the way along with rewriting links. When an email arrives at your Microsoft 365 tenant, Microsoft routes it out to INKY's cloud service for analysis. INKY checks the message, adds the appropriate banner, and sends it back into your tenant for final delivery to the recipient.

That round trip is what causes the duplicate journal entries.

Why a single email triggers the journal rule twice

Here's the sequence for an inbound message:

  1. The email arrives at Microsoft 365 from the internet. Microsoft's Journaling agent evaluates the message against your journal rules, matches, and sends Copy #1 to your archive. This is the pre-INKY version with no banner.

  2. Microsoft routes the message out to INKY via the inbound connector configured during your INKY install.

  3. INKY analyzes the message and adds the banner, then sends it back to your Microsoft 365 tenant through INKY's outbound connector.

  4. The message re-enters Microsoft 365's mail transport pipeline. From Microsoft's perspective, this is a brand-new message arriving at the tenant β€” it has no memory of having processed this email before.

  5. The Journaling agent evaluates again, matches the same rule, and sends Copy #2 to your archive. This is the post-INKY version with the banner.

  6. The message is delivered to the recipient's inbox.

The recipient only ever sees one email. The duplicates exist only in the journal archive.

Why Microsoft can't just skip the second one

This is the question support gets asked most often, and the answer is that Microsoft built journaling this way intentionally. From Microsoft's own documentation:

When a message matches the scope of multiple journal rules, all matching rules are triggered.

And specifically for scenarios where mail leaves the tenant and comes back:

Any situations where email is forked will lead to duplicate journaling.

Microsoft has publicly confirmed that any third-party service that pulls mail out of the tenant for processing and returns it (INKY, Mimecast, Proofpoint, Exclaimer, and others) will trigger journaling on both legs. There is no way to configure a journal rule to recognize "this is the same email I already saw" β€” Microsoft does not track that, by design, because under-recording is a worse compliance failure than over-recording.

It's also worth noting that journal reports themselves are exempt from mail flow rules. That means you can't write a transport rule that suppresses journaling on INKY's return traffic β€” Microsoft does not allow journal traffic to be filtered by admin-defined rules.

What this means in practice

  • The duplicates appear only in your journal archive, not in any user's mailbox

  • The recipient receives exactly one email in their inbox, with the INKY banner attached as expected

  • The two journal copies are slightly different β€” Copy #1 is the message as it arrived from the sender, Copy #2 is the same message with INKY's banner and any rewritten links applied

  • This affects both inbound mail (if you have INKY's inbound protection enabled) and outbound mail (if you have INKY's outbound protection enabled)

What you can do about it

Most modern archive platforms can deduplicate automatically. A few common approaches:

Deduplicate by Internet Message-ID. Every email carries a unique Message-ID header that INKY preserves across the round trip. Most archive systems (Smarsh, Global Relay, Mimecast Archive, Microsoft Purview, etc.) can be configured to treat two journal reports with the same Message-ID as duplicates and keep only one.

Filter on INKY's headers. INKY adds several X-Inky-* headers to messages it processes. If your archive supports header-based ingestion rules, you can configure it to only accept journal reports where an X-Inky-* header is present (keeping only the post-INKY copy) or where it is absent (keeping only the pre-INKY copy). Which version you keep depends on your compliance team's preference β€” most organizations prefer the pre-INKY version since it represents the message as the sender actually wrote it.

Check your hybrid configuration. If your organization uses a hybrid Exchange deployment (some mailboxes on-premises, some in Microsoft 365), Microsoft documents an additional source of duplicate journaling unrelated to INKY: the cloud journals once and the on-premises server journals once. Stacking this on top of the INKY round trip can produce more than two copies. Audit your hybrid journal rule configuration if you're seeing three or four copies per message.

How to explain this to leadership

When INKY scans an email, it briefly hands the message out of our Microsoft 365 tenant and back in again so it can add the protective banner. Microsoft's journaling system sees that as two trips through our mail flow, so it saves two copies to our compliance archive. This is by Microsoft's design, not a bug in INKY, and our archive platform can be configured to keep only one copy if duplicates are a concern.

When to contact support

Contact INKY Support if:

  • You're seeing more than two journal copies per message (this usually indicates a hybrid deployment issue or a misconfigured journal rule, not an INKY issue)

  • The post-INKY copy in your archive is missing the INKY banner (this could indicate a header preservation issue)

  • Your archive platform is unable to deduplicate based on Message-ID and you need help identifying which INKY headers to filter on

Contact your archive vendor if:

  • You need help configuring deduplication rules in your archive platform

  • You're unsure which version (pre-INKY or post-INKY) your compliance team should retain

Questions? Contact INKY Support with the team name.