Email Retention Policy Best Practices for This Year

February 01, 2021 by Jatheon

Having an email retention policy is important for a number of reasons – the two major ones being the need to save space on your email server and the need to stay in line with federal and industry record-keeping regulations.

Defining how long your company will keep email communication can prove more challenging than you initially expect. The first stumbling block is that different departments will advocate for different retention windows.

How long should your retention policy really be?

There are both positive and negative aspects to a longer retention policy. The main pros are business continuity and the fact that executives rely on old email chains to recall past decisions. The main con is that the longer the policy, the greater the risk that sensitive information will be exposed through unauthorized access or a security breach.

Short retention policies, on the other hand, might violate regulations that require organizations in certain industries to retain email and other electronic information for a number of years. Their major advantages are that they are cheaper to implement and that they reduce the chance of being caught up in a legal investigation that focuses on information captured in emails. That’s why your legal department will generally support shorter retention periods that reflect the regulatory minimum.

Email retention policy best practices

1. Analyze relevant regulations

The process of designing an email retention policy should begin by listing all relevant regulations and the retention requirements outlined in each law that applies to your organization. These recommended retention periods may vary significantly based on your industry and the location of your business. Here’s a list of major US laws and prescribed retention periods:

| Industry | Regulation/Regulatory Body | Retention Period |
| --- | --- | --- |
| All | Internal Revenue Service (IRS) | 7 years |
| All (Government + Education) | Freedom of Information Act (FOIA) | 3 years |
| All public companies | Sarbanes-Oxley (SOX) | 7 years |
| Education | FERPA | 5 years |
| Financial | Gramm-Leach-Bliley Act (GLBA) | 7 years |
| Financial (Banking) | FDIC | 5 years |
| Financial (Brokers, dealers, investment bankers, securities firms) | FINRA, SEC 17a-4, SEC 17a-3 | 7 years |
| DOD contractors | DOD 5015.2 | 3 years |
| Credit card companies | PCI DSS | 1 year |
| Healthcare | HIPAA | 7 years |
| Pharmaceutical | FDA | 2 years |
| Telecommunications | FCC | 2 years |

If no retention period is specified for your industry or for a particular type of data, it’s recommended to stick to the minimum IRS recommendation of 7 years.

It’s important to start from these regulatory minimums and to involve both your IT and legal departments in the creation of the policy. Legal will not only be able to provide counsel based on the above regulations, but also suggest how to segment your data for retention.

As we saw in the introduction, some C-level executives will expect to have access to their historical email for longer time periods, so you might need to specify multiple policies based on different criteria like email type, the sender, the recipient, the topic or the department.

For instance, your policy can be designed in such a way that spam messages are never retained, your general correspondence is retained for 5 years, administrative and HR correspondence for 7 years, and CEO correspondence, invoices and sales records for 10 years or forever.

It’s important to note that retaining unstructured data like social media, content from chat apps, text messages and calls is also regulated nowadays. Read more about these evolving regulations:

10 Quick Facts About Text Messaging and FOIA

Importance of Text Message Archiving in 2021

Email and Social Media in Employee Investigation & Ediscovery

Social Media Archiving in Regulated Industries: Why It Matters in 2021

Finally, your policy needs to contain strict guidelines regarding document deletion. It’s best to automate this process, which leads us to our number two best practice.

2. Get an email archiving solution

Implementing proper email retention policies lets you track outbound, inbound and internal communication to ensure compliance. Without a comprehensive, company-wide approach to email management, you won’t know whether the policies are being adhered to, especially if you leave their implementation to the judgment of department managers or end users. The majority of breaches and leaks of sensitive information happen because of the human factor – all it takes is one rogue or careless employee.


To prevent that, automate the process. One of the main benefits of data archiving technology is precisely its ability to help you ensure email compliance.

Email archiving solutions let you define email retention policies based on various criteria (type of data, regulations, department preferences), retain email for as long as necessary and then purge it only after the retention period expires, so that the data does not become an unnecessary liability. For instance, if a policy is set to 7 years, the delete functionality will make sure that all matching emails are automatically deleted as soon as the retention period expires.

Your email archiving software will automatically retain emails that match a policy and keep them for as long as you specified in its parameters. The only thing you need to do periodically after setting up a new policy or rule is to update it so that it reflects new laws, regulations and best practices.
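To make the mechanism concrete, here is an added example (written for this article, not Jatheon's code or any archiver's real schema) that encodes the tiered policy sketched above: spam is never retained, general correspondence is kept for 5 years, admin and HR for 7, invoices and sales for 10, and CEO correspondence indefinitely. Rules are checked in order with the first match winning, and a purge pass reports which messages have passed their expiry date. The message fields, rule names, the CEO address and the sample mailbox are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

# Hypothetical message record; the field names are assumptions for this example,
# not an archiver's real schema.
@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: tuple          # addresses the message was delivered to
    department: str            # department of the mailbox owner
    category: str              # classifier output: "spam", "general", "invoice", "sales", ...
    received: date


@dataclass
class RetentionRule:
    name: str
    matches: Callable[[Message], bool]
    retention_years: Optional[int]   # None = keep indefinitely, 0 = never retain


CEO_ADDRESS = "ceo@example.com"      # constructed value

# Rules are evaluated top-down and the first match wins, so the most specific
# rules come first and the catch-all "general" rule last. Spam sits at the top
# so that a junk message is never kept just because it was sent to the CEO.
RULES = [
    RetentionRule("spam", lambda m: m.category == "spam", 0),
    RetentionRule("ceo-correspondence",
                  lambda m: CEO_ADDRESS in (m.sender,) + tuple(m.recipients), None),
    RetentionRule("invoices-and-sales", lambda m: m.category in {"invoice", "sales"}, 10),
    RetentionRule("admin-and-hr", lambda m: m.department in {"admin", "hr"}, 7),
    RetentionRule("general", lambda m: True, 5),
]


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def assign_rule(msg: Message, rules=RULES) -> RetentionRule:
    for rule in rules:
        if rule.matches(msg):
            return rule
    raise LookupError(f"no retention rule matched message {msg.msg_id}")


def expiry_date(msg: Message, rules=RULES) -> Optional[date]:
    """Date from which the message may be purged; None means it is kept indefinitely."""
    rule = assign_rule(msg, rules)
    if rule.retention_years is None:
        return None
    return add_years(msg.received, rule.retention_years)


def is_purgeable(msg: Message, today: date, rules=RULES) -> bool:
    expiry = expiry_date(msg, rules)
    return expiry is not None and expiry <= today


def purge_candidates(messages, today: date, rules=RULES) -> list:
    """IDs of messages whose retention window has closed as of `today`."""
    return [m.msg_id for m in messages if is_purgeable(m, today, rules)]


TODAY = date(2021, 2, 1)   # evaluation date (constructed)

# Constructed sample mailbox.
SAMPLE = [
    Message("spam-1", "promo@example.net", ("alice@example.com",), "sales", "spam", date(2021, 1, 30)),
    Message("gen-1", "bob@example.com", ("alice@example.com",), "marketing", "general", date(2015, 6, 1)),
    Message("hr-1", "carol@example.com", ("dave@example.com",), "hr", "general", date(2015, 6, 1)),
    Message("inv-1", "vendor@example.net", ("ap@example.com",), "finance", "invoice", date(2012, 3, 1)),
    Message("ceo-1", "ceo@example.com", ("alice@example.com",), "marketing", "general", date(2010, 1, 1)),
    # HR mailbox, but an invoice: the earlier invoices rule (10 years) wins over admin-and-hr (7 years).
    Message("inv-2", "vendor@example.net", ("hr@example.com",), "hr", "invoice", date(2012, 3, 1)),
    Message("gen-2", "erin@example.com", ("alice@example.com",), "marketing", "general", date(2020, 2, 29)),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.msg_id:7} rule={assign_rule(m).name:20} expires={expiry_date(m)}")
    print("purge today:", purge_candidates(SAMPLE, TODAY))
```

The ordering of the rule list is the policy decision that matters most: a message that satisfies several criteria (an invoice landing in an HR mailbox, say) gets the retention window of whichever rule is listed first, so the longer-lived, more specific rules belong at the top and the generic default at the bottom. Purging is a separate pass over the archive that compares each message's computed expiry date with the current date, which is what lets the deletion step be automated rather than left to individual users.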

3. Use it to proactively monitor communications

Your email archiving software can also help your compliance and HR teams track employee misbehavior or prevent the sharing of sensitive business information that might cause legal issues.

Let’s say you want to track the use of foul language in your staff’s digital communication. In Jatheon’s cloud email archiving software (Jatheon Cloud), this is done as follows:

[Screenshot: Keyword Lists screen]

  • Once you’ve created the keyword list, go on to create a retention policy or a rule. On Jatheon Cloud, this is done through retention tags, where you’ll be able to define the tag name (Profanity), the time when the emails can be deleted (here it’s set to indefinitely, which means that they will remain in the archive forever), and specify the date range.

[Screenshot: New Retention Tag creation]

  • If you’re scanning for curse words in the entire email (subjects, message body, and attachments), you can choose the Message criterion under Retention Search Term, and then choose the keyword list you’ve created. Confirm by clicking the Save button.

[Screenshot: New Retention Tag creation 2]

  • You’ll then be able to see the list of all retention tags you have created so far, including Profanity.

[Screenshot: Retention tags list]

Your email archiving solution will then automatically retain emails that match the policy, scan all outgoing, incoming and internal messages for these keywords, and notify admins or compliance officers whenever a rule is triggered.

Other practical examples of proactive monitoring through retention policies include scanning electronic communication for credit card or Social Security numbers.
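As an added example of the scanning logic behind such a retention tag (written for this article, not Jatheon Cloud's implementation), the block below runs a whole-word keyword list plus credit card and US Social Security number detectors over a few constructed messages. Any hit marks the message for indefinite retention and routes a notification; card candidates are confirmed with a Luhn check so that an ordinary 16-digit order reference is not flagged, and the recorded evidence is masked so the scanner itself never stores the full card or SSN value. The keyword words, the notification routing, the sample messages and the card number (the widely published 4111 test number) are all constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str        # which retention tag / keyword list fired
    evidence: str    # masked excerpt; the full card or SSN value is never stored


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding areas 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def keyword_list(words) -> "re.Pattern":
    """Compile a keyword list into a case-insensitive whole-word matcher."""
    return re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b", re.IGNORECASE)


def scan_text(text: str, keyword_lists: dict) -> list:
    """Return every rule hit in `text`; keyword_lists maps list name -> compiled pattern."""
    findings = []
    for name, pattern in keyword_lists.items():
        for m in pattern.finditer(text):
            findings.append(Finding(name, m.group(0).lower()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("credit-card", "****" + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group(0)[-4:]))
    return findings


# Who gets notified when a rule fires (assumed routing for this example, not a product feature);
# keyword-list hits default to HR.
NOTIFY = {"credit-card": "compliance", "ssn": "compliance"}


def apply_monitoring_tags(msg_id: str, text: str, keyword_lists: dict) -> dict:
    """Tagging decision for one message: any hit is retained indefinitely and routed."""
    findings = scan_text(text, keyword_lists)
    tags = sorted({f.rule for f in findings})
    return {
        "msg_id": msg_id,
        "tags": tags,
        "retain_indefinitely": bool(tags),
        "notify": sorted({NOTIFY.get(t, "hr") for t in tags}),
        "evidence": [f.evidence for f in findings],
    }


# Constructed keyword list (mild stand-ins for a real profanity list) and sample messages.
KEYWORD_LISTS = {"profanity": keyword_list(["darn", "heck"])}
SAMPLES = {
    "m1": "Reminder: team lunch on Friday. Order ref 1234567890123456.",
    "m2": "Card for the booking: 4111 1111 1111 1111, exp 12/24.",
    "m3": "New hire paperwork attached, SSN 123-45-6789.",
    "m4": "Well, heck, the build is broken again.",
    "m5": "Phone 555-123-4567, ticket 000-12-3456, hecklers welcome.",
}

if __name__ == "__main__":
    for msg_id, text in SAMPLES.items():
        print(apply_monitoring_tags(msg_id, text, KEYWORD_LISTS))
```

Messages m1 and m5 produce no findings: the order reference fails the Luhn check, the phone number has the wrong shape for an SSN, the 000 area is excluded, and "hecklers" does not match "heck" because the keyword matcher requires word boundaries. Those three checks are what keep a monitoring rule from burying compliance officers in false alerts, and masking the evidence keeps the alert queue from becoming a second copy of the sensitive data the rule exists to protect.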

Jatheon is a global leader in data archiving, compliance and ediscovery with 17 years of experience with on-premise archiving and a new, latest-generation cloud email archiving solution. If you’re looking to retain all vital business records under one roof, see how our cloud archiver can help manage enterprise records compliantly.
