Establishing an Email Retention Policy: The IT Perspective

At most companies, end users only speak with the IT department when they have a problem. At Windows IT Pro, we're fortunate to have an IT department that we can draw on to bring you real-world stories about migrations, upgrades, and policies—such as the recently implemented document-retention policy that all of Penton Media, Windows IT Pro's parent company, is now subject to.

Under this policy, any email message older than six months will be automatically deleted—unless users move the message to one of a set of managed folders set up in Microsoft Office Outlook 2007 by the company's IT department. Each folder has a set time limit for retention, and only documents with specific legal or business requirements are allowed in those folders.

I previously shared my interview with Elise Zealand, vice president and corporate counsel for Penton, who had a lot to say about the legal need for a comprehensive document-retention policy. She also spoke very highly of Penton's IT department and the collaborative environment that let the legal department and IT work together to set up and troubleshoot this new policy.

Now it's time to hear about things from the IT perspective. I spoke with Ken Savoy, Penton's infrastructure services director, and Ben Vargas, a senior systems engineer. Ken has been managing in IT for 17 years and he worked closely with Elise to develop the retention policy. Ben, with 21 years of IT field experience, has worked in recent years primarily in administering Microsoft Exchange Server. Ben was responsible for the technical implementation of the policy on Exchange Server 2007 and Outlook 2007.

Q: Prior to the new policy, what was the company doing for document retention, if anything?

KS: We've got quotas in place specifically around email. We allow PSTs, so that kind of gets around any online quota. We try not to encourage the use of PSTs, but you can almost store an unlimited amount of email using your PST files. Now, online, within the Exchange sever itself, we limited everybody to a 2 gig file. That was an attempt to not overrun the system and to have people monitor what they've got in their email boxes.

BV: Basically, we have not had a policy in place to deal with record retention as far as Outlook and Exchange Server are concerned.

Q: But you did have the 2GB limit?

KS: That wasn't a policy as much as that was a requirement to maintain the system. If we didn't have that quota out there, we would not be able to provide the users with enough space to keep the thing running. So that was just a practical limit based on the amount of hardware we have. In past experience, no matter how much disk space we put out there, it would be overrun within a few months without quotas. Anybody that's been here any period of time—a year—usually by then, people are having to manage their email just a little bit to stay underneath that limit.

Q: Would you talk about your role in the development of the new policy and your interaction with the legal department?

KS: Well, legal wanted, just from a liability standpoint, to have a policy in place. Any more, it's not appropriate not to have a policy. So we took a look at what was reasonable from a policy standpoint, talked about some different numbers, had other conversations within the company. The six-month timeframe—it's not all that short. Six months for your email really is a lot. The vast majority of people don't look at email past two or three weeks old, let alone six months old.

Now, there is a certain need for legal documents for accounting, for records pertaining to your projects, your customers. So there were the exceptions folders created just for those. But just the casual email, the vast majority of it, there's no reason not to have a policy in place to clean them up.

A lot of it just comes down to how much time is appropriate to the average person to spend on cleaning up their email versus doing the rest of the job. So you put a policy in place, and it really does make it far easier for the employees. Granted, employees could put a policy in place themselves by using Outlook Rules and just delete everything after six months, but there's always that concern about, well, do I need it? When you put a policy in place, that helps that process. You know, it's company policy that I don't keep stuff older than six months, and you go on from there.

Legal's been very good to work with. They're headed up by a very intelligent, very well-thought-of individual. She's not asking for anything difficult here. She's been very easy to work with, to tell you the truth. She's trying to take into account all the considerations, the pros and cons, of this policy.

Q: Describe the technical implementation of the new policy—how are you setting up the exceptions folders and the policy in general?

BV: It's called managed custom folders, and it's within Exchange 2007. Basically, what we do from an organizational perspective is we create what we call exception folders. We have six of these exception folders, each with a different retention time period for emails that are moved to these folders. We have one set up for 18 months, one for 3 years, 5 years, 7 years, 8 years, and permanent. The legal department has outlined the uses for each one of these exceptions folders.

Along with each one of these managed custom folders, we also have managed content settings. And these content settings allow us to specify exactly how long we are going to retain email items in these folders, and also what we're going to do after the retention period. For example, for 18 months, for that exception folder, we have a retention policy that's exactly 18 months. For email items users put into that folder, when that time period has expired, we will delete the email out of that folder. Same thing for 3 years, 5 years, 7 years, 8 years. The only exception is the permanent exception folder—that will not have content settings associated with it as far as record retention.

Once we create the managed custom folders, we then create a managed folder mailbox policy, again at the organizational level. We then assign the managed custom folders that are going to be managed with this policy. In addition to the exception folders, we also include managed content settings for the Entire Mailbox managed default folder. The Entire Mailbox managed default folder pertains to all other folders in the mailbox except managed custom folders and managed default folders that are part of the managed folder mailbox policy. Our managed content settings only include email items. We do not apply managed content settings to any other type of mailbox item such as calendar items or contacts.

Once we create the managed folder mailbox policy, we then assign that policy on an individual mailbox basis. Since this is going to be the default policy for all mailboxes, we assign it to each mailbox that we have. However, if we needed, say, a mailbox for a service account or something like that, we could exclude those individual mailboxes from this managed folder mailbox policy.

Q: We've published articles about managed custom folders on, so if readers want more detailed information about the process, they should check out "Meet Email-Retention Needs with Exchange 2007." Did you find that establishing these folders and policies was difficult?

BV: Technically difficult to implement? No. I mean, we do have some situations where it isn't as clean as I would like. For example, we have quite a few Entourage clients. Entourage clients cannot recover deleted items. An Entourage user who needs to recover an email item that was deleted by our managed content settings can only do so by using Outlook or Outlook Web Access via a Windows computer. While we are able to implement managed custom folders for Entourage clients, it's just not as clean when it comes to recovering a deleted email item as it is for Outlook 2007 clients. Technically, we're able to do the same thing, so it's not that big of a deal.

But I think what it comes down to as far as why custom folders may not catch on—it's just something that's new. And with anything new, especially something that's automated like this, when you're dealing with, in our situation, eventually deleting emails automatically—just the idea of that can be somewhat scary.

KS: Also, I think you've got to have executive buy-in. You've got to have an executive sponsor to manage email globally. Without an executive sponsor, I don't think an IS department has any chance of implementing something like this.

Q: Where does the responsibility lie for ongoing maintenance and oversight of the policy?

BV: Well, that defaults within our group. If any changes need to be made to the policy or, like I said before, maybe we have mailboxes that need to be excluded from the policy, we can do that. However, once it's set up, there really isn't much management that needs to be done on an ongoing basis.

Q: Do you find there are benefits strictly from an IT perspective of implementing a policy such as this?

KS: I suppose we've got less email to manage. I'm going to save some disk space. It'll shrink the online data stores, maybe make them a little bit quicker.

BV: Really, that's it. What it comes down to is just managing the information stores themselves. While we do implement a 2 gig limit, a storage quota for all mailboxes, this policy is going to help us to reduce the size of our stores simply because it's automatically going to delete those messages that are maybe ignored by a user and really don't need to be stored any longer.

Q: Are you doing anything for email archiving other than this policy? For instance, are you using a third-party email archiving product?

KS: Well, we've talked about it. But, you know, there's no reason. Honestly, if we're going to limit email retention to six months, it actually is kind of counter to the policy to archive something.

Q: Have you been involved in e-discovery requests?

KS: I have not been involved in retrieving email off of old tapes, but it would be a real problem. We no longer have the hardware to read some of the really old tapes.

Q: Any last words for IT pros on what they should be doing with records retention?

KS: I say talk to the legal department. Talk to executives to get an executive sponsor. I think, technically, like Ben says, this isn't a technical challenge. This is an organizational challenge.

BV: And I would second that. While it is fairly easy to do this technically, it's really much easier to implement once you do have executive-level buy-in.

Related Reading:

For additional articles "from the trenches" with Penton Media's IT team:

For articles about email retention with Microsoft Exchange Server 2007:

For articles about email archiving and e-discovery:

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.