Hey everyone! I'm gearing up for a discussion with my professor, who has two decades of experience in the field, about his approach to email retention policies. As we are about to set our own policies for retention using Microsoft tools, I would love to hear how others have structured theirs.
1. What's your current retention policy regarding deletion, archiving, or freezing emails in the cloud?
2. What would be your ideal retention policy, especially for smaller to mid-sized companies?
6 Answers
We apply litigation holds on all mailboxes through CIPP. This way, if emails are deleted by mistake or if a mailbox is wiped and we need to recover emails later on, they can still be retrieved through compliance and eDiscovery searches.
At my previous job, we had a harsh policy of deleting emails older than 30 days. The only exception was a specific folder that could keep emails for 90 days, but to save emails for a year, the CEO’s approval was needed. We didn’t allow PSTs, which caused a lot of friction when that was put into place. The idea was to limit the data available during a discovery process.
For Outlook, we keep emails in the main mailbox for three years. As for the archived emails, the retention is a bit longer, but I’m not sure how long exactly. What about you—how long do you keep archived emails before deleting them?
In my current role in Higher Ed, we use a default seven-year deletion policy and delete items from the 'Deleted Items' folder after 90 days. However, users in regulated areas can apply for exceptions to keep data longer.
In my small business with around 100 staff, our CEO doesn't want anyone's emails deleted. So, we rarely tell employees to tidy up their inboxes. We reached the 50 GB limit on mailboxes and enabled archiving, which gave us another 50 GB. Whenever someone left the company, we converted their mailbox to a shared one and stored it for a year for review—though that rarely happened. Eventually, when we switched away from Microsoft, the unlicensed mailboxes weren’t migrated, resulting in a spring cleaning of old emails.
How long does it take for these policies to kick in? We’re just starting and I have a policy that deletes items from the 'Deleted Items' folder after 30 days, but I still see 2023 emails lingering in there!
30 days seems really short! Did you roll out that policy through MS Purview?