Email Security

    How to Manage Microsoft 365 Email Retention Policies

    A comprehensive Microsoft 365 email retention policy can reduce compliance and cybersecurity risks — and simplify email management.

    by Samuel Greengard

    Key Points

    • The default email retention settings in Microsoft 365 aren’t adequate for most organizations’ regulatory, legal and security requirements.
    • Setting automated email retention policies with Microsoft 365 tools can help ensure that emails are properly archived and deleted.
    • Enhancing Microsoft 365 archiving with third-party email management services can further boost compliance, e-discovery and business continuity.


    Email remains the primary way businesses communicate and interact with the world. As a result, it’s critical to adopt strict policies for email retention and apply them to Microsoft 365. By default, the widely used platform keeps emails until they are manually deleted, which can present compliance and cybersecurity risks. It also uses valuable server space.

    The problem is further complicated by accidental deletion and data loss, as folders holding messages go missing through inadvertent clicks or malicious activity. The huge number of messages contained in typical business environments only magnifies the risk.

    Consequently, businesses should review their current Microsoft 365 email retention policy and understand how to update and change settings in the platform to better suit the business’s needs. Another question is whether to use a third-party email security and archive services provider to further boost retention and archiving capabilities beyond what Microsoft offers.

    The Importance of Email Retention Policies

    Today, email acts as an organization’s central nervous system. It contains trade secrets, customer data and other proprietary information, and it increasingly intersects with regulatory and legal requirements, cybersecurity needs and data privacy rules.

    The first step toward formulating a more effective email retention strategy is to review what email data exists, what needs to be protected, and what messages can and should be purged from a system. According to Microsoft, there are three key factors at the center of an email retention strategy:[1]

    • Complying with industry regulations and internal policies: These include mandates like the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) for data privacy, the Health Insurance Portability and Accountability Act (HIPAA) covering personal health information, the Sarbanes-Oxley Act for accounting and financial disclosures, and your company’s own standards for proper procedures and employee behavior. Many of these regulations attach specific time periods to email retention or deletion. Different industries are subject to different requirements, and even within an organization, departmental obligations may differ.
    • Reducing risks associated with a security breach and/or litigation: Email retention and deletion policies can expose far less of your sensitive data to cybersecurity risks. They can also preserve information you could someday need for a legal defense.
    • Optimizing performance: Not only does the right framework reduce the need for storage, but it also ensures that workers see only what’s relevant to them.

    Introduction to Microsoft 365 Retention Policies

    Data classification provides the foundation for email retention policies. It isn’t a task to take lightly.[2] It can require input from different leaders and teams across the organization. But once an organization has a clear idea of how, when and where to retain and delete messages and the associated data, it’s possible to set policies that match specific roles and responsibilities.

    Within Microsoft 365, administrators can establish an archiving and deletion policy that automatically moves items to a desired location. An administrator starts by creating a retention policy in the platform using sensitivity labels and retention tags.[3] A rule can be assigned to specific mailboxes and programmed to move items to an archive and then delete them based on age and other parameters.

    Here’s an illustrative example of how an organization could set an email retention policy and use the tools just described to implement it: An administrator may create an archive mailbox for everyone in the organization or for different groups of employees. The administrator may tag certain groups of messages to automatically archive after three years in order to free up space in a user’s primary mailbox. At five years, items in the “deleted items” folder are sent to a hidden deleted items folder, where they can still be recovered, if necessary. Finally, at seven years, the system purges messages in both the archive and hidden folders.

    How to Set Up Retention Policies for Microsoft 365

    Microsoft recommends a four-step approach to setting up a retention framework:[4]

    1. Enable archive mailboxes: The Microsoft 365 platform offers bulk editing tools for setting up groups of mailboxes. It also enables individualized treatment of specific employees.
    2. Create new retention tags for the archive and deletion policies: This includes adding a name, retention action and retention period. It also includes a custom deletion default policy tag and a custom retention policy tag for the deleted items folder.
    3. Create a new retention policy: Using custom tags, it’s possible to assign specific policies based on the different criteria.
    4. Assign the new retention policy to user mailboxes: Any time an administrator creates a new mailbox, its retention policy is automatically set to “default MRM.” Microsoft limits each mailbox to one retention policy, so it’s important to replace the default policy with the new retention policy created in the previous step.
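    The four steps above, as an added Exchange Online PowerShell example that is not from the article or from Microsoft’s documentation, using the three-, five- and seven-year schedule from the illustrative example earlier in the article. It assumes the ExchangeOnlineManagement module is installed and that the admin account, tag names and policy name are placeholders to be replaced with your own.

```powershell
# Added example: implement the article's four-step retention setup in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed, Exchange administrator role,
# and placeholder names (admin account, tag names, policy name) replaced before use.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin

# Step 1: enable an archive mailbox for every user mailbox that does not have one yet.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne 'Active' } |
    ForEach-Object { Enable-Mailbox -Identity $_.UserPrincipalName -Archive }

# Step 2: create the retention tags. Age limits are in days (3, 5 and 7 years).
# Default policy tag (Type All): move items to the archive after three years.
New-RetentionPolicyTag -Name 'Archive after 3 years' -Type All `
    -AgeLimitForRetention 1095 -RetentionAction MoveToArchive

# Retention policy tag for the Deleted Items folder: after five years, move items
# to Recoverable Items (the hidden deleted items folder), where they can still be restored.
New-RetentionPolicyTag -Name 'Deleted Items 5 years' -Type DeletedItems `
    -AgeLimitForRetention 1825 -RetentionAction DeleteAndAllowRecovery

# Deletion default policy tag: permanently delete items left in mailbox folders after seven years.
New-RetentionPolicyTag -Name 'Purge after 7 years' -Type All `
    -AgeLimitForRetention 2555 -RetentionAction PermanentlyDelete

# Step 3: bundle the three tags into a single retention policy.
New-RetentionPolicy -Name 'Corp 3-5-7 Retention' `
    -RetentionPolicyTagLinks 'Archive after 3 years','Deleted Items 5 years','Purge after 7 years'

# Step 4: replace the default MRM policy on every user mailbox with the new policy.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetentionPolicy 'Corp 3-5-7 Retention'

# Verification: list any mailbox that is still not on the new policy (should return nothing).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RetentionPolicy -ne 'Corp 3-5-7 Retention' } |
    Select-Object UserPrincipalName, RetentionPolicy

# Optional: run the Managed Folder Assistant now instead of waiting for its scheduled pass.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Start-ManagedFolderAssistant -Identity $_.UserPrincipalName }
```

    Re-run the verification query after any bulk mailbox creation, since new mailboxes receive the default policy until an administrator reassigns them.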

    Deleted emails can be held in the Microsoft 365 platform nearly indefinitely by reconfiguring the default Messaging Records Management (MRM) deleted item retention period from 30 to 24,855 days.[5]

    Managing Retention Policies and Audit Logs

    Managing your email retention policy is not a “one and done” activity; it must be periodically reviewed and revised. As one legal advisor put it: “Shifts in state and federal law, regulatory refinements, and advancing technology are just a few of the external influences that require regular oversight to remain in compliance.”[6]

    Another ongoing consideration involves keeping audit logs as daily detailed records that can provide evidence if a malicious actor launches a cyberattack or an employee engages in unauthorized activity.[7]

    Third-party email service providers like Mimecast offer enhancements to Microsoft 365 email retention capabilities, with web-based consoles and granular management features enabling administrators to set, maintain and enforce policies, track and audit activities and integrate related tools for such requirements as e-discovery. 

    The Bottom Line

    Running Microsoft 365 email retention on its default settings is not a recipe for good regulatory compliance, cybersecurity and operational efficiency. An organization must classify data, formulate an email retention policy specific to its needs and set up controls to ensure that employees adhere to its policies and rules. Many of these activities can be handled on the Microsoft 365 platform, while more robust functionality is available from third-party email service providers like Mimecast.

    [1] “Learn about retention policies and retention labels,” Microsoft

    [2] “Know your data — data classification overview,” Microsoft

    [3] “Learn about sensitivity labels,” Microsoft

    [4] “Set up an archive and deletion policy for mailboxes in your organization,” Microsoft

    [5] “Configure Deleted Item Retention and Recoverable Items Quotas,” Microsoft

    [6] “7 Factors to Consider Before Creating an Email Retention Policy,” Special Counsel

    [7] “Search the Audit Log to Investigate Common Support Issues,” Microsoft
