Somewhere in your mail system right now are messages that are, legally speaking, business records: the email approving a price change, the thread negotiating a contract, the attachment with the signed W-9, the complaint from the employee who later filed suit. When a court, a regulator, or an auditor asks for them, "we couldn't find it" lands somewhere between expensive and catastrophic — and "we delete everything after ninety days, including that" can be worse. An email retention policy is the unglamorous document that decides, in advance and defensibly, what your business keeps, for how long, and how you'd produce it on demand. Here's what the rules actually require and how to implement them without drowning in storage.

Email Is Records — the Law Doesn't Care About the Medium

No single statute says "keep all email for N years." Instead, dozens of record-keeping requirements apply to the content of messages, whatever medium carries them. The practical baselines most businesses inherit:

  • Tax records — the IRS expects records supporting returns to be kept, generally three to seven years depending on the situation. Invoices, expense approvals, and payroll discussions living in email are inside that expectation.
  • Employment records — federal employment law imposes one-to-multi-year retention on hiring, discipline, and termination records; personnel matters conducted over email qualify.
  • Industry rules — HIPAA-covered entities keep required documentation six years; SEC/FINRA-regulated firms live under some of the strictest regimes (SEC Rule 17a-4's multi-year, tamper-evident communications retention); government contractors inherit contract-specified retention.
  • Litigation holds — the moment litigation is reasonably anticipated, relevant messages must be preserved, overriding every deletion schedule. Courts have sanctioned businesses heavily for email that auto-deleted after the duty to preserve attached.

The pattern: your retention obligations are the union of the rules that touch your industry, your contracts, and your disputes — which is why the policy has to be written for your business, not copied from a template and forgotten.

Archiving Is Not Backup

The two get conflated constantly, and the difference decides whether you can actually comply:

  • Backup answers "can we get the system back after a failure?" It's a point-in-time copy, kept briefly, restored in bulk.
  • Archiving answers "can we find and produce every message that matches this request, years later, and show it wasn't altered?" It's a continuous, indexed, searchable, tamper-evident record — journaled at delivery, so a user deleting a message from their mailbox doesn't delete it from the record.

A backup of your mail server does not satisfy a records request in any reasonable timeframe — restoring years of nightly snapshots to hunt for a thread is the horror-story version of e-discovery. And an archive doesn't restore a crashed server. Mature setups have both, doing different jobs.

Keeping Everything Forever Is Also a Mistake

The tempting shortcut — storage is cheap, keep it all — creates its own problems. Everything you hold is discoverable: in litigation, decade-old offhand remarks become exhibits. Everything you hold is breachable: retained email is a growing pile of sensitive data a future incident can expose, a lesson written into every breach disclosure that includes "emails dating back to 2011." And privacy expectations increasingly cut the other way — holding personal data longer than a stated purpose justifies is itself becoming a liability. Defensible retention means keeping what rules and business need require, then deleting on schedule — consistently, so no one can claim the deletion was selective.

Implementing It in the Platform You Already Own

For businesses on Microsoft 365 or Google Workspace, the machinery is largely included at business/enterprise tiers:

  • Microsoft 365: retention policies and labels enforce keep-and-delete schedules across mail (and Teams); litigation hold preserves mailboxes immutably; content search and eDiscovery handle production. Retention here is compliance tooling — distinct from the backup question, which stays yours.
  • Google Workspace: Vault provides journaled retention, holds, and search at the comparable tiers.
  • Third-party archivers earn their fee where regimes demand provable immutability (17a-4-style), where mail spans platforms, or where retention must survive tenant-admin compromise.

Whichever tooling: journal at delivery, index for search, restrict who can place and lift holds, and log it all.

Don't forget departed employees — the classic gap. When someone leaves, their mailbox still contains business records under the same retention obligations, but nobody wants to pay for the license forever. Both platforms have an answer: Microsoft 365's inactive mailboxes preserve a held mailbox after the license is removed, and Google Vault retains a departed user's mail per policy. Fold the mailbox decision into your offboarding checklist so it happens by procedure, not by memory — the request for a former employee's email always arrives after the easy window has closed.

The Policy That Makes It Defensible

Technology enforces; the written policy defends. A workable one fits in a few pages: the record categories you keep and their periods (mapped to the rules above), the deletion schedule, who can invoke a litigation hold and how it's executed, and who owns the annual review. Get counsel's eyes on the periods — the overlap with FTC Safeguards, HIPAA, or your industry's regime is legal judgment, not IT judgment. Then train the habit that matters most: business records belong in business systems, because the policy can't retain what walked off into personal accounts.

The Bottom Line

Email retention is one of those controls that costs almost nothing right up until it's the whole ballgame — an audit, a dispute, a records request. Map the rules that touch your business, implement keep-and-delete schedules in the platform you already pay for, journal so deletion can't beat the record, and write the policy down. If you'd like retention configured properly across your tenant — and the policy drafted to match — our managed IT team sets this up alongside the rest of your compliance posture. Get in touch before someone asks for the messages.