Email Retention Policy — Complete Guide
What it is, what the law requires, how to write one, and how to enforce it in Microsoft 365.
An email retention policy defines which business emails an organization must keep, for how long, where they must be stored, and when they can be deleted. It is required for compliance with regulations including SOX, HIPAA, FINRA, and GDPR, and is essential for litigation defense and audit readiness in Microsoft 365.
What Is an Email Retention Policy?
An email retention policy is a formal document that specifies:
- Which emails must be kept — by type, sender, recipient, project, or subject matter
- How long they must be kept — based on legal, regulatory, or business requirements
- Where they must be stored — in a system that is secure, searchable, and auditable
- When they can be deleted — and how deletion is authorized and documented
Email retention policies exist at the intersection of legal compliance, records management, and IT governance. They apply to all business email, not just correspondence marked “important.”
Why Email Retention Policies Matter
Legal Compliance
Regulations across industries and jurisdictions require organizations to retain email records for defined periods. Failure to comply can result in fines, sanctions, or loss of operating licenses.
Litigation Readiness
hen legal disputes arise, email is often the primary evidence. Organizations without a retention policy — or with inconsistent enforcement — risk sanctions for spoliation (destruction of evidence).
Audit Defense
Regulators and auditors expect to see documented, consistently-applied retention practices. Ad hoc storage in personal inboxes is not defensible.
Operational Continuity
Retained emails preserve institutional knowledge. When staff leave, projects close, or disputes arise, the record is there.
Email Retention Laws by Regulation
Different regulations impose different retention periods. The table below covers the most common requirements for organizations operating in the US and EU.
Regulation
Who It Applies To
Required Retention Period
Key Email Requirement
EU/EEA organizations
No fixed term — data minimization applies
Personal data in email must not be kept beyond its stated purpose
UK organizations
No fixed term — data minimization applies
UK equivalent of GDPR post-Brexit; personal data must not be kept longer than necessary
Important: Industry requirements are minimums. Many organizations retain emails longer for operational or litigation reasons. Legal counsel should define your specific retention schedule.
Government & Federal Email Retention
Federal agencies in the US are governed by the Federal Records Act and NARA guidelines, which require permanent or long-term retention of records documenting agency activities. The general rule for federal email: if it documents a government decision or action, it’s a federal record and must be retained accordingly.
State and municipal governments follow equivalent state-level records laws — retention periods vary significantly by jurisdiction.
What to Include in an Email Retention Policy
A complete email retention policy should address the following:
1
Scope
Which employees, systems, and email types are covered (include shared mailboxes, distribution lists, and service accounts)
2
Retention schedule
A table mapping email categories to retention periods (see template below)
3
Storage location
Where retained emails must be stored (e.g., SharePoint, dedicated archive, Exchange Online archive)
4
Metadata requirements
What information must be captured alongside the email (sender, recipient, date, subject, project/matter reference)
5
Legal hold procedures
How emails are preserved when litigation or investigation is anticipated, and who has authority to issue a hold
6
Deletion procedures
How and when emails are deleted after their retention period expires, and who approves deletion
7
Access controls
Who can access retained emails and under what circumstances
8
Employee responsibilities
What employees must do (and not do) to comply
9
Enforcement and monitoring
How compliance is tracked and what happens when the policy is violated
10
Review cycle
How often the policy is reviewed and updated (recommended: every 2 years, or when regulations change)
Email Retention Periods by Email Type
Use this as a starting point for your retention schedule. Adapt periods to your regulatory requirements and legal counsel’s guidance.
harmon.ie supports organizations across both Outlook environments.
Email Category
Examples
Suggested Retention Period
Financial records
Invoices, expense approvals, budget sign-offs
7 years
Legal correspondence
Contracts, settlements, regulatory notices
7–10 years
HR and employment
Hiring, disciplinary, termination records
Duration of employment + 7 years
Client communications
Project correspondence, proposals, approvals
Duration of relationship + 3–5 years
Regulatory filings
Compliance reports, audit responses
7 years (or as required by regulator)
General business
Internal decisions, operational updates
3 years
Transitory / non-record
Internal announcements, meeting logistics
90 days – 1 year
Spam / junk
No business value
Delete immediately or within 30 days
Email Retention Policy Template
Download this template and use this structure as a starting point.
Replace bracketed content with your organization’s specifics.
Email Retention Policy Best Practices
There is no single timeline for migrating to Outlook for Windows (the new Outlook). Microsoft is rolling out the new client gradually, and Outlook for Windows (classic) will remain supported for several years. This gives organizations time to plan and test their transition.
Organizations should consider moving to the new Outlook when:
1
Involve the right stakeholders from the start
Retention policy decisions affect legal, compliance, IT, HR, and records management. Building the policy in isolation — usually in IT or legal alone — leads to gaps. Bring all stakeholders into the initial scope discussion.
2
Classify before you schedule
Retention periods only make sense if you’ve classified what you’re retaining. Define your email categories first (financial, legal, client, HR, operational, transitory), then assign periods to each.
3
Apply retention at the point of save, not retrospectively
Retroactive classification of thousands of emails is expensive and error-prone. Build the policy so that emails are categorized and moved to the right location when they’re sent or received — not during an audit.
4
Store in a shared, searchable system — not personal inboxes
Emails in personal mailboxes are invisible to the organization, unprotected by backup, and inaccessible when the employee leaves. Retained emails belong in SharePoint, Teams, or a dedicated compliance archive.
5
Automate metadata capture
Human beings will not consistently fill in metadata fields. Any retention system that depends on manual tagging will fail at scale. Require a tool that extracts metadata automatically from email headers.
6
Document your legal hold process before you need it
A legal hold freezes relevant emails outside the normal deletion schedule. You need a clear, documented process for issuing holds, notifying custodians, and tracking compliance — before litigation arises, not during it.
7
Train employees on the why, not just the what
Policy compliance improves when employees understand the business reason. “We retain these emails because regulators can fine us £17.5 million for non-compliance” is more motivating than a policy manual.
8
Review the policy every two years
Regulations change. Business activities change. A policy that was adequate three years ago may have gaps today. Schedule a formal review.
Email Retention in Microsoft 365
Microsoft 365 includes built-in retention capabilities through Microsoft Purview (formerly Compliance Center): retention labels, retention policies, and eDiscovery. These tools let IT administrators apply retention rules at the tenant level without relying on user behavior.
However, Microsoft Purview manages retention at the platform level — it doesn’t solve the upstream problem of where emails are stored. Emails that stay in personal mailboxes are technically subject to Purview policies, but they’re not organized, searchable, or accessible to the teams that need them.
For a broader overview of organizing and finding email in Microsoft 365, see our Email Management in Microsoft 365
guide.
guide.
The Microsoft 365 email retention stack in practice:
Layer
Tool
What It Does
Platform retention
Microsoft Purview
Applies retention labels and deletion schedules across the tenant
Email storage
SharePoint / Teams
Stores emails as records with metadata in shared, searchable libraries
User-level filing
harmon.ie
Files emails from Outlook to the right SharePoint or Teams location with metadata at the moment of save
Search & retrieval
harmon.ie
Finds retained emails across all Microsoft 365 locations
The gap most organizations face is the middle two layers — emails don’t automatically move from inboxes to SharePoint, and metadata doesn’t appear without a tool that extracts it.
harmon.ie files Outlook emails to SharePoint and Teams
with metadata captured at save, no manual
tagging required
How harmon.ie Supports Email Retention
harmon.ie is an Outlook add-in that bridges the gap between Microsoft 365’s retention infrastructure and the people responsible for filing emails. When a user saves an email to SharePoint or Teams through harmon.ie, the email headers (To, From, Subject, Date) are automatically written into SharePoint metadata columns — without manual tagging. This makes retained emails immediately searchable and filterable by anyone with access to the library, and ensures they’re stored in a location where your Microsoft 365 governance policies apply.
For organizations using harmon.ie Classic, drop folders can automate filing entirely: link an Outlook folder to a SharePoint or Teams location, and any email placed there — manually or through Outlook rules — is saved with metadata automatically. For New harmon.ie users, Save & Send ensures outgoing emails are captured at the moment of sending.
- Drop folders can automate filing entirely: link an Outlook folder to a SharePoint or Teams location, and any email placed there — manually or through Outlook rules — is saved with metadata automatically (harmon.ie Classic)
- Save & Send ensures outgoing emails are captured at the moment of sending.
- COMING SOON: Automatic email saving identifies which emails should be saved and where
See how harmon.ie handles email retention in Microsoft 365.
Key Takeaways
The transition from Outlook for Windows (classic) to Outlook for Windows is a major platform shift.
However:
1
An email retention policy must define what to keep, how long, where, and when to delete — and must be enforced consistently, not just documented.
2
Retention requirements vary by regulation and industry — the same organization may have different schedules for financial, HR, legal, and operational email.
3
Storing retained emails in personal inboxes is not defensible. They belong in a shared, searchable, governed system.
4
Metadata is what makes retained emails findable later — and it needs to be captured at the moment of save, not retroactively.
5
Microsoft 365 provides the retention infrastructure. The missing piece for most organizations is getting emails out of inboxes and into SharePoint or Teams with the right metadata.
FAQ: Email Retention Policy
What is an email retention policy?
An email retention policy is a formal document that defines which emails an organization must keep, for how long, where they must be stored, and when they can be deleted. It exists to meet legal and regulatory requirements, support litigation readiness, and maintain consistent records management across the organization.
How long should emails be retained?
It depends on the email type and applicable regulations. Financial and legal emails typically require 7 years under regulations like SOX. HIPAA requires 6 years for healthcare-related records. HR records are often retained for the duration of employment plus 7 years. Transitory emails with no business value can be deleted within 90 days to 1 year. A formal retention schedule, reviewed by legal counsel, should define the periods for your specific organization.
Is an email retention policy legally required?
Not universally — but many industries are subject to regulations that effectively require one. Financial services (SOX, SEC, FINRA), healthcare (HIPAA), and publicly listed companies all face mandatory retention requirements. Even where no specific regulation applies, having a documented and enforced policy is considered a baseline of reasonable compliance and is essential for litigation defense.
What is the difference between email retention and email archiving?
Retention refers to the rules governing how long emails must be kept and when they can be deleted. Archiving is a storage method — moving emails to a compressed, separate store to reduce mailbox size. Archiving without a retention policy is just hoarding. A retention policy without proper storage (archiving or SharePoint/Teams) is unenforceable.
What is a legal hold and when does it apply?
A legal hold (or litigation hold) suspends normal deletion for emails relevant to anticipated or active litigation, regulatory investigation, or audit. Once a hold is issued, employees must preserve all potentially relevant emails regardless of the normal retention schedule. Failing to comply with a legal hold can result in sanctions for spoliation.
How do I set up an email retention policy in Microsoft 365?
Microsoft 365 includes Microsoft Purview (formerly Compliance Center), which lets administrators create tenant-wide retention policies and labels. These can be applied to Exchange mailboxes, SharePoint libraries, and Teams channels. However, Purview manages retention at the platform level — it doesn’t automatically move emails from inboxes to organized, searchable SharePoint libraries. Most organizations use a combination of Purview for enforcement and a tool like harmon.ie for user-level filing and metadata capture.
What is an email deletion policy?
An email deletion policy defines when and how emails are deleted after their retention period expires. It is typically part of the broader retention policy. Emails should only be deleted through an authorized, documented process — not by individual employees on an ad hoc basis. Emails subject to a legal hold must never be deleted regardless of age.
How should employees be trained on email retention?
Focus on the why, not just the what. Employees are more likely to comply when they understand the business and legal reasons. Training should cover: what types of email must be saved, where they must be saved, how to use the tools provided (e.g., harmon.ie), and what to do if they receive a legal hold notice. Annual refreshers and clear escalation paths for questions help sustain compliance.
What metadata should be captured for retained emails?
At minimum: sender, recipient(s), date sent, subject line, and whether attachments are present. For regulated industries, you may also need project number, matter reference, client name, or regulatory category. The most reliable approach is to use a tool that automatically extracts email header data at the moment of saving — not to rely on employees to fill in fields manually.
What happens if we don't have an email retention policy?
Without a policy, you risk: regulatory fines for non-compliance, sanctions in litigation for failing to produce required records, inability to defend against claims due to missing documentation, and operational disruption when institutional knowledge walks out the door with departing employees.
Related Resources
To deepen your understanding of effective email management:
Get Started Today!
See how harmon.ie simplifies document and email management – all from Outlook
