Drafting up an email retention policy for our MS Exchange 2003 system. Curious as to what other people have as a policy -- how many days to keep online, delete, etc. Thanks!

Matt Rogish
    I'm tempted to give this a "SFINAL" tag... as in "Server Fault Is Not A Lawyer". – Evan Anderson Jul 20 '09 at 21:04
  • Yep, this would all be run through the legal team, but their hourly rate >> my hourly rate, so I gotta get as much down on paper first for them to tweak slightly, rather than write it all themselves – Matt Rogish Jul 20 '09 at 21:07

3 Answers


Legal issues aside, I am in favor of keeping emails as long as I possibly can. My own email database goes back about a dozen years, and it is quite useful at times to have access to that information. Disk space is cheap, and getting cheaper, and machines are getting faster and cheaper as well.


It should be part of your overall document retention policy, not just a policy for your Exchange server. Our document retention policy (drafted by Legal) states that emails older than 90 days must be deleted. If the information in the email is required past 90 days of receipt then it is to be saved to disk (NOT a .pst file) as a file (rtf, doc, pdf, whatever) at which point it is under the governance of our document retention policy. Automated archiving mechanisms are not permitted.

EDIT: in response to Evan's comment:
Yeah, good question. It is draconian to be sure. However, much time (ugh) is spent here forcing this policy down the organization and policing (i.e. auditing), so it is working. The first attempt at it met with such a rebellion as you describe, then it was reworked again and recently redeployed. I do agree that email should be included in the overall retention policy and not left to an autonomous policy. There is still much wailing and gnashing of teeth about not being able to utilize Outlook features to manage email here. More so the fact that dept heads must annually audit to the retention policy and sign off on their dept's compliance, accountable to internal controls.

There are arguable benefits to your storage solution using such a policy, even when mailbox quotas are implemented. There are still a lot of questions related to the "useless" that are being met with statements like "do it".

    I did a contract gig at a public company with a policy like that, and users ignored it. I don't want you to "rat out" work, per se, but I'm curious if such draconian policies actually work. The "rebellion" against the policy that I saw directly related to the "useless" that was created when email was moved out of a tool designed to manage email (Outlook) and placed into a container (the filesystem) that was profoundly useless at helping to manage email. I saw a _lot_ of printing and filing of email at this particular company... I believe that trees hate them. – Evan Anderson Jul 20 '09 at 21:06
  • Thanks for the edit. Is the basis for the policy coming from the legal department, or from IT management, out of curiosity? (I've seen this kind of thing come from legal departments and I've never been in a position to ask one of the lawyers why such policies should apply to email but not, say, to all other types of files, both electronic or otherwise. I'd love to do that sometime... Perhaps we need Jeff and Joel to start, like, an "Affidavit Explosion" site... >smile<) – Evan Anderson Jul 21 '09 at 03:55
  • The basis is coming from legal. I think most of it is that they don't want the emails to show up in a court room. This policy applies to EVERYTHING at our place, paper or electronic. The annual audit I mentioned covers mail, network shares, local drives, file cabinets, desk drawers, you name it. Then I have to cross-audit it as a member of the data security organization. – squillman Jul 21 '09 at 11:15

I agree with squillman in terms of addressing legality obstacles. I would talk to the legal department first and foremost to avoid any headaches later on, and for possible compliance issues (HIPAA/SOX/PCI). Seems to me that industry usually dictates compliance in tandem with legal more than anything else.

From then on I would focus on common metrics within IT such as the total number of users, avg. growth rate per hour/day/week/month, etc. etc. to determine how many days to keep online storage (if legal hasn't mandated anything). From my experience, always leave a little slack too in terms of storage for YOU, not the users. Often users will take as much email storage as they're given (especially Outlook/Exchange shops), so if money is tight and storage is at a premium, lower the retention policy a little to alleviate future financial/technical headaches.
