Get started with Email Retention and Compliance policies

By Niraj

What most users ask of their Email system is merely that it work seamlessly in the background, providing quick and easy access to colleagues, clients, and vendors. However, as an administrator, you need to think beyond the obvious technical requirements to actually create a smooth-functioning Email system.




There are three main reasons why any business should have a formalized Email retention policy in place:

  • Regulatory requirements: Your business might need to abide by certain government rules and regulations. Laws often vary by nation, state, and even industry.
  • Litigation: Your business might be involved in legal action that could require Email correspondence be submitted as evidence.
  • Knowledge management: Email is used for most of our business communication and it might be of use – in future projects, for example – that old communications be easily searched for and retrieved.


An Email retention policy might include:

  • Types of messages that will be archived
  • Length of time – by type of message or user
  • Offsite backup policies
  • Document and attachment retention
  • Specific rules for certain departments or employee roles


While many of us tend to think of Email as an informal means of communication, the legal and IT departments have to go beyond this and look at Email as a critical resource. While it’s often up to a business to decide what kind of mail and other communication it wants to archive and make discoverable, some businesses are tightly bound by governmental rules. In most countries, including the US, any Email sent (or received) from a government mailbox is a part of the public record and must be archived. Strict rules also apply to the financial services industry, publicly listed organizations, and those in the medical and healthcare sectors.

Apart from these, many sectors or industries have their own best practices, which, though not enshrined in law, might be a good place to start. Some laws and bodies that lay down requirements for data and Email security, privacy, and retention include:

Keep in mind that local and state governments might also add specific requirements. Companies operating in other regions – especially the UK and EU – should also be aware that local laws might often differ from, and be more stringent than, those found in the US.

Looking at the United Kingdom as an example, companies falling under the jurisdiction of British law have to meet requirements set by:

  • Data Protection Act 1998
  • Civil Procedure Rules

This tangled web of rules and regulations can make it difficult for IT admins to pinpoint the terms they need to comply with – it is recommended that any entity take legal advice in drawing up its Email and data retention/compliance policies.

Also, while legal requirements governing data retention might be the driver for an Email and data retention policy, it might also be in your self-interest to save certain kinds of records for a while: some organizations archive the CVs (and other communications) of all job applicants – this can often be useful if a discrimination lawsuit is ever brought against the company.


Some pointers to keep in mind when designing your Email retention policy:

  • Involve your company’s legal department in this exercise
  • Ensure that you meet the requirements set forth in any jurisdiction your company falls under
  • Identify specific departments or roles that might need to abide by more stringent guidelines
  • Draw up an Email policy (including any content and attachment rules)
  • Educate all employees and obtain any necessary signatures
  • Ensure that the policy is formalized and documented
  • Ensure that privacy and data protection laws are complied with
  • Include an offsite backup in your planning
  • Make sure that archiving validation is included in your system


Email admins have a wide selection of archival solutions to choose from. Apart from these software solutions, there are also hardware ‘appliances’ that offer easy-to-configure Email archival for businesses hosting their own mail. Here’s a look at some of the options out there:

Using Google Vault for email archiving and retention

Organizations using Google Apps for Email hosting can turn to Google Vault for a comprehensive Email storage solution. Some features Vault offers include:

  • Domain-wide Email searches
  • Domain-wide Email retention policies
  • Per-user Litigation hold feature allowing for full Email backups
  • IM/chat backup
  • Email export


Perhaps the best-known Email security and archival solution, Postini services are slowly being transferred to Google Apps (Google acquired Postini back in 2007). Organizations that haven’t made the move yet can use Postini’s in-built archiving, search, and logging features. Head over to for a comprehensive look at what all’s possible.


Proofpoint offers cloud-based archival solutions that work with platforms such as Microsoft’s Office 365. Some of the features on offer include Email and document archival, SEC/FINRA compliance, Exchange integration, and more. Get more information at

Using Hardware appliances for Email retention

Orgs running their own Email hosting can also turn to hardware solutions. These Email archiving appliances usually work with leading platforms like Exchange, Notes, and Groupwise and may meet government-issued compliance laws. Here’s a short list of such appliances:

About the author

Niraj is the Founder of Hiver. Hiver turns Gmail into a powerful collaboration tool by letting you manage Shared Inboxes right from your inbox. Niraj can be reached on Twitter at nirajr.