Business Email Retention Policies: What to Keep, What to Delete, and How Long

Most businesses have email retention policies in the same way they have emergency procedures: written down somewhere, last reviewed years ago, and nobody quite sure what the current policy actually says. That's a problem — not because auditors are lurking, but because retention decisions have real consequences for storage costs, legal exposure, and your ability to recover when something goes wrong.
A business email retention policy doesn't have to be complicated. But it does have to be deliberate.
Why Retention Policies Matter
Email is evidence. In a dispute, a regulatory inquiry, or an employment matter, email records become critical. Without a documented retention policy, you face two opposite risks: keeping mail too long (privacy exposure, GDPR liability, storage costs) or deleting it too soon (destroying evidence, failing audits, missing legal holds).
Regulators in most industries have specific retention requirements. Healthcare organizations in the US generally require six years under HIPAA. The SEC mandates seven years for broker-dealers. FINRA has its own schedule. EU businesses must align with GDPR's data minimization principle, which generally means not keeping personal data longer than necessary for its stated purpose.
Getting this wrong isn't just a compliance fine. Courts have sanctioned companies for "spoliation" — destroying evidence — when employees deleted mail that was subject to a legal hold. A thoughtful policy protects you both ways.
Retention vs Archiving: They're Not the Same
Retention is a policy: how long you keep email before deleting it. Archiving is a mechanism: a read-only, tamper-evident copy of email stored separately from the live mailbox system.
You can have retention without archiving (keeping mail in live mailboxes and purging on a schedule), but you can't have effective archiving without a retention policy — or you end up archiving everything forever, which creates its own problems.
For most businesses, the right approach is both: an email archive that captures all mail automatically, with a retention policy that determines when archived records are permanently deleted.
The email archiving best practices guide covers the archiving side in depth — this article focuses on the policy layer.
How Long Should You Keep Email?
The answer depends on your industry, jurisdiction, and the type of email. That said, a reasonable general framework for businesses not subject to specific regulations:
- Standard operational email: 2–3 years
- Contracts, agreements, and deal-related correspondence: 7 years after the relationship ends
- HR-related email (hiring, performance, termination): 5–7 years depending on jurisdiction
- Finance-related email: 7 years (aligns with typical tax audit windows)
- Executive communications: 7 years minimum, often longer
If you operate across jurisdictions, use the longest applicable requirement as your baseline for each email category.
Legal Holds and Why They Override Everything
A legal hold (also called a litigation hold) is a directive to preserve all potentially relevant records when litigation is anticipated or underway. When a legal hold is in place, it overrides your normal retention policy. Email that would ordinarily be deleted on schedule must be preserved until the hold is lifted.
Your retention policy needs to explicitly account for this. The process should be:
- Legal team identifies that a hold may be needed
- Hold is applied to relevant mailboxes immediately
- Normal deletion processes are suspended for those mailboxes
- Hold is documented and tracked
- When resolved, hold is formally lifted and normal retention resumes
Without a documented process for this, legal holds slip through the cracks — particularly when IT and legal teams aren't communicating clearly.
Implementing Retention in Practice
Retention enforcement happens at the email platform level, not in individual mailboxes. This is important: relying on users to delete their own mail on a schedule is not a retention policy. Users keep things they think they'll need, delete things they shouldn't, and ignore schedules entirely.
Effective enforcement means your mail platform automatically purges messages from archives after the policy period expires — and does so in a way that can be audited.
What to configure:
- Retention rules by email category or folder (if your archive supports tagging)
- Automatic deletion from the archive after the policy period
- Legal hold workflow that suspends deletion for flagged mailboxes
- Audit logs showing when deletions occurred and why
The GDPR Dimension
Under GDPR, personal data shouldn't be kept longer than necessary for its stated purpose. Email is full of personal data — names, contact details, private communications. A retention policy that keeps everything indefinitely is likely incompatible with GDPR's data minimization requirements.
This creates a real tension for businesses that want to keep email "just in case" but are subject to GDPR. The resolution is usually a documented policy with specific, justified retention periods for each category of email — not open-ended retention.
The compliance guide covering GDPR, CAN-SPAM, and CASL is worth reviewing alongside your retention policy work. For MailDog's own data handling commitments, see the privacy policy.
Making the Policy Stick
A retention policy that exists only on paper isn't a policy — it's a liability. The policy needs to be:
- Written, approved, and version-controlled
- Technically enforced (not just reliant on user behavior)
- Communicated to employees
- Reviewed annually or when regulations change
- Integrated with onboarding and offboarding processes (particularly for departing employee mailboxes)
The MailDog mail service supports configurable storage and archiving settings. For questions about how to structure retention for your specific situation, the documentation is a good starting point.


