Q: What is the Outlook saved mail (.msg) file format and what security problems come with its use?

You can save Microsoft Outlook items such as email messages to the file system, but be aware there are few methods of controlling such files.

William Lefkovics

December 22, 2011

3 Min Read
ITPro Today logo in a gray background | ITPro Today

A:Whether you use an Internet mail account (i.e., POP3, IMAP4) or a Microsoft Exchange Server mailbox, content of your account, such as messages,appointments, and contacts, is stored in a database. Exchange mailbox data is either the proprietary Extensible Storage Engine (ESE) database with fileextension .edb on an Exchange Server or a personal folder store (.pst) on a local workstation. Many older messaging solutions, and some current ones,use individual files in a file system for mailbox item storage. In most cases, these are simple file system files, often text files, but these itemscan still be indexed for efficient retrieval and storage.

Microsoft offers a file format, .msg, for storing individual Outlook items in the file system; however, it's not a simple text file that you can viewwith a text editor such as WordPad or Notepad. These .msg files are based on Compound File Binary Format and require a MAPI-aware application to fullyview the storages and streams. Microsoft sometimes refers to the .msg files as "Outlook saved mail." Some alternative messaging solutions havedeveloped methods to import Microsoft's .msg-formatted files into their database structures, such as by using an Outlook connector tool or otherutility. Third-party .msg file-manipulation tools include MSG 2 PST and MsgViewer Pro.

To create an .msg file from an Outlook item, such as an email message, you can drag-and-drop the item from an Outlook folder to a folder in WindowsExplorer, as Figure 1 shows. You can also select the Save As menu option from an Outlook item, then choose a location to save the item. Either way,Outlook performs a simple export to the .msg file format during this effort.


Figure 1: Creating an .msg file from an Outlook item by dragging and dropping the item from an Outlook folder to a folder in Windows Explorer (click image for larger view)

During the export, almost 100 message and attachment properties are included in the new .msg file. (For information about the specific properties, seethe MSDN article "2.2.1 Message Object Properties.") The message subject is used asthe file name, with the extension .msg added. The files are saved to the file system using the current date and time when you save them, but theOutlook item within retains its date properties. You can easily drag and drop the .msg files back into Outlook folders as well, essentially stripping.msg file formatting and returning the content to Outlook. These .msg files can be indexed and searched with Windows Desktop Search with the add-in forOutlook saved mail indexing, which you can download from the Microsoft Download Center.

The Outlook item file format (.msg) provides a reasonable archive mechanism for Outlook content. However, using .msg files might not be a good thingfor your company situation and policies. Users can copy content to .msg files in the file system, removing them from centrally managed storagecontrols. Wayward .msg files can provide cause for security concerns because content is easily copied. There's no account security on .msg files and noway to prevent users from dragging and dropping Outlook content to Windows Explorer.

There are some deterrents to the process of saving content as .msg files, but none are slam dunks in terms of prevention. You can implement filescreening on Windows servers (Windows Server 2003 R2 and later) to prevent users from saving .msg files on server shares. You can also use the OfficeCustomization Tool to set a policy removing the Save As option from the menu system when viewing items in Outlook. This option doesn't prevent a manualdrag and drop, however. I've seen companies run scripts, either at logon or at intervals, that search for and remove any .msg files on the users'workstations.

If your company uses Microsoft Information Rights Management (IRM) to secure and control attachments, it should be noted that .msg files arenot affected by IRM. That is, .msg files aren't a file type that IRM can manage.

For extensive technical documentation on the .msg file format, see the MSDN article "Outlook Item (.msg) File Format."

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like