Outlook 365 keeps your emails forever by default unless you, an administrator, or a retention policy deletes them. The length of time a specific message survives depends on which folder it sits in, whether a Microsoft Purview retention policy applies, whether the mailbox is on Litigation Hold, and whether the account is active, inactive, or closed.
The rules that create this problem are scattered across Microsoft’s service description, the Federal Rules of Civil Procedure, SEC Rule 17a-4, FINRA Rule 4511, HIPAA §164.316, and Section 802 of the Sarbanes-Oxley Act. When you misread these defaults, you risk sanctions, spoliation findings, regulator fines, and data you thought was “safely deleted” reappearing in discovery.
According to the Radicati Group’s 2024 Email Statistics Report, the average business user sends and receives over 120 emails per day, which means a mid-size firm generates tens of millions of records a year that all fall under these retention rules.
Here is what you will learn in this guide:
- 📬 How long Outlook 365 keeps emails in each folder, including Inbox, Deleted Items, Junk, and Recoverable Items
- ⚖️ How U.S. laws like FRCP, SEC 17a-4, FINRA 4511, HIPAA, and SOX §802 change the default timelines
- 🛠️ How admins configure Microsoft Purview retention policies and labels to keep or purge email
- 🔒 How Litigation Hold and In-Place Hold freeze deletion rules
- 🧾 How inactive mailboxes preserve data after an employee leaves or a license is removed
The Default Retention Timeline in Outlook 365
Outlook 365, which runs on Exchange Online, stores mail in a set of system folders. Each folder has its own default retention window. If no admin policy overrides these windows, the clock starts the moment a message lands in the folder. Most users never change these defaults, which is why “I deleted it” rarely means the email is gone.
Inbox, Sent Items, and Custom Folders
Messages in your Inbox, Sent Items, Drafts, Archive, and any custom folder stay in place until someone deletes them or a retention policy removes them. Microsoft does not apply a built-in expiration to these folders. The plain-English rule is simple: if you do not delete it and your admin has no policy, it stays forever.
The consequence of trusting this default is that old mail can surface in discovery years later. A single unreviewed folder can hold a decade of sensitive records. A common misconception is that mail “ages out” on its own, but it does not.
For example, David, a marketing manager, kept every client email in a subfolder called “Deals.” Five years later, his company faced a contract lawsuit and opposing counsel requested every message in that folder. Because no policy had purged it, the full archive was produced.
Deleted Items Folder
When you press Delete, the message moves to the Deleted Items folder. By default, Exchange Online keeps it there indefinitely, but admins can set a retention tag to purge it after 30, 60, or any chosen number of days. In many tenants the Managed Folder Assistant (MFA) retention tag for Deleted Items is set to 30 days.
The consequence of emptying this folder is that the message moves into Recoverable Items, not true oblivion. A common misconception is that pressing Shift+Delete “permanently” erases mail, but Exchange still holds it in a hidden folder.
Consider Jenna, an HR director, who dragged a sensitive complaint email into Deleted Items thinking it was gone. Her company’s tag purged the folder in 14 days, but the message stayed recoverable for another 14 days in the Recoverable Items folder behind the scenes.
Junk Email Folder
Junk email has a default retention of 30 days in Exchange Online. After 30 days, the message moves to Deleted Items and then follows that folder’s deletion path. Users can move a mistakenly flagged email back to the Inbox at any time during those 30 days.
The consequence of ignoring Junk is that legitimate business mail can vanish silently. A common misconception is that Junk mail is deleted instantly, but it survives a full month. Admins can alter this window using a default policy tag, though most tenants leave the 30-day setting untouched.
Recoverable Items Folder (the “Dumpster”)
The Recoverable Items folder, often called the “dumpster,” is the last safety net for end users. By default, it holds deleted messages for 14 days, but administrators can extend this to a maximum of 30 days using the Set-Mailbox cmdlet with the -RetainDeletedItemsFor parameter. During that window, users can restore messages through Outlook’s “Recover Deleted Items” feature.
The consequence of not extending this window is that a terminated employee’s mail can vanish in two weeks. A common misconception is that IT can always “pull the email back,” but once the dumpster purges, only a backup or hold can save it.
For example, Marcus, an IT admin at a 200-person firm, set every mailbox to 30 days after a close call where a CFO needed a message recovered on day 16. The extra two weeks now protect his entire tenant.
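What Marcus did, as an added Exchange Online PowerShell example (not code from the article): raise every mailbox from the 14-day default to the 30-day maximum, fix the mailbox plans so new mailboxes do not start back at 14 days, and report any mailbox still below the target. It assumes the ExchangeOnlineManagement module and an Exchange administrator account.

```powershell
# Added example: extend the Recoverable Items window tenant-wide.
# Assumes ExchangeOnlineManagement is installed and the account holds
# an Exchange administrator role.
Connect-ExchangeOnline -ShowBanner:$false

$targetDays = 30   # 30 is the ceiling for RetainDeletedItemsFor; beyond that only a hold keeps mail

# 1. Existing mailboxes. RetainDeletedItemsFor is a time span, so compare on .Days.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { $_.RetainDeletedItemsFor.Days -lt $targetDays } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -RetainDeletedItemsFor $targetDays
        Write-Host "Extended $($_.PrimarySmtpAddress) to $targetDays days"
    }

# 2. Future mailboxes inherit settings from their mailbox plan, so raise the
#    plans too; otherwise every new hire is created with the 14-day default.
Get-MailboxPlan | ForEach-Object {
    Set-MailboxPlan -Identity $_.Identity -RetainDeletedItemsFor $targetDays
}

# 3. Verification. Any mailbox still under the target is a gap to explain,
#    unless it is on a hold (a hold supersedes this window entirely).
function Get-ShortDumpsterReport {
    param([int] $MinimumDays = 30)
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RetainDeletedItemsFor.Days -lt $MinimumDays } |
        Select-Object PrimarySmtpAddress, RetainDeletedItemsFor, LitigationHoldEnabled
}

$short = Get-ShortDumpsterReport -MinimumDays $targetDays
if ($short) { $short | Format-Table -AutoSize } else { "All mailboxes at $targetDays days" }
```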
Purges Subfolder and Holds
Within Recoverable Items sit three hidden subfolders: Deletions, Purges, and Versions. When a mailbox is on Litigation Hold or covered by a retention policy, items “purged” by the user move to the Purges subfolder and stay there for the full hold duration, invisible to the user but visible to eDiscovery searches.
The consequence is that no user action can truly destroy mail on a hold. A common misconception is that a hold stops users from deleting; it does not. It only stops the delete from being permanent. A hold can last indefinitely until an admin releases it.
How U.S. Laws Override Outlook 365 Defaults
Federal and state laws frequently require retention periods far longer than Microsoft’s defaults. The moment a law or regulator applies to your business, Microsoft’s defaults are irrelevant and you must configure retention to match the statute. Courts have repeatedly sanctioned companies that leaned on out-of-the-box settings instead of documented, defensible retention.
Federal Rules of Civil Procedure (FRCP)
The Federal Rules of Civil Procedure require preservation of electronically stored information (ESI) once litigation is “reasonably anticipated.” Rule 37(e) lets courts issue sanctions, including adverse inference instructions, when a party fails to take reasonable steps to preserve ESI.
The consequence of failing to preserve is severe. In Zubulake v. UBS Warburg, Judge Shira Scheindlin approved an adverse inference when UBS failed to preserve relevant emails. A common misconception is that a preservation duty only starts when a complaint is filed, but it starts the moment litigation is reasonably foreseeable.
For example, Lena, a general counsel at a SaaS company, placed eight custodians on Litigation Hold the same day a demand letter arrived, locking their Outlook 365 mailboxes against deletion regardless of any retention tag.
SEC Rule 17a-4 and FINRA Rule 4511
Broker-dealers must preserve electronic communications for at least three years, with the first two years in an easily accessible place, under SEC Rule 17a-4(b)(4). FINRA Rule 4511 incorporates the same three-year floor. The 2022 amendments allow an “audit-trail alternative” in place of the older WORM requirement.
The consequence of violating 17a-4 is substantial. In 2022, the SEC and CFTC levied over $1.8 billion in fines against 16 Wall Street firms for off-channel communications, largely because of retention failures. A common misconception is that Microsoft 365 is “automatically 17a-4 compliant,” but firms must configure Purview with regulatory records management to meet the rule.
HIPAA and Sarbanes-Oxley
HIPAA §164.316(b)(2) requires covered entities to retain documentation, including email containing protected health information, for six years from creation or last effective date. Sarbanes-Oxley §802 imposes criminal penalties for altering or destroying records during a federal investigation, with up to 20 years in prison.
The consequence of a HIPAA retention failure can include Office for Civil Rights fines up to $1.9 million per violation category per year. A common misconception is that SOX applies only to public companies’ finance teams, but any employee who destroys records in a federal probe faces §1519 liability.
For example, Dr. Patel, a practice owner, set a seven-year Purview retention policy on her entire tenant to cover HIPAA’s six-year floor plus a one-year buffer for state medical-records laws.
IRS and GLBA
The Internal Revenue Service recommends keeping tax-related records for three to seven years depending on the filing. The Gramm-Leach-Bliley Act and its Safeguards Rule require financial institutions to preserve documentation sufficient to prove ongoing compliance, which typically drives a five-to-seven-year retention for customer emails.
The consequence of short retention is the inability to defend an audit. A common misconception is that “tax email” means only W-2s, but any communication supporting a deduction qualifies.
State Privacy Laws (CCPA/CPRA)
The California Consumer Privacy Act and CPRA require businesses to keep records of consumer requests for at least 24 months. At the same time, CPRA’s data minimization principle discourages keeping personal data longer than necessary, which creates a tension that retention policies must resolve with precise scoping.
The consequence of mismatched retention is either a minimization violation or an inability to prove compliance with a deletion request. A common misconception is that privacy law only reduces retention, but it also sets minimums for request logs.
Microsoft Purview Retention Policies and Labels
Microsoft Purview is the admin tool that overrides every default above. Purview offers two main instruments: retention policies (applied to locations like Exchange mailboxes) and retention labels (applied to individual items, often automatically by content). Either can force mail to be retained, deleted, or both.
How Retention Policies Work
A retention policy can apply to all mailboxes or a subset. The admin chooses a duration (days, months, or years) and an action: retain only, delete only, or retain then delete. When a user deletes an email under a retain-only policy, the message moves to the Recoverable Items Purges folder and stays until the policy period ends.
The consequence of a misconfigured policy is either overretention (privacy risk) or underretention (regulatory risk). A common misconception is that a Purview policy deletes mail the moment the duration ends, but the Managed Folder Assistant runs on a rolling cycle that can take up to seven days.
Retention Labels and Auto-Labeling
A retention label can be applied by users or applied automatically based on keywords, sensitive information types, or trainable classifiers. When a label and a policy conflict, the outcome is decided by the principles of retention described below.
For example, Ahmed, a compliance officer at a bank, built an auto-label that tags any email containing a credit-card number with a seven-year retention label, satisfying PCI DSS and FINRA requirements at once.
Principles of Retention
When policies and labels conflict, Microsoft applies four ordered principles: retention wins over deletion, the longest retention wins, explicit inclusion wins over implicit inclusion, and the shortest deletion loses. The consequence is that you cannot accidentally shorten retention by layering a weaker label on top. A common misconception is that the “newest” policy wins, but order of application does not matter.
Litigation Hold, In-Place Hold, and eDiscovery Holds
Holds are the nuclear option. When a mailbox is placed on hold, every message is preserved, including items purged by the user, until the hold is released.
Litigation Hold
Litigation Hold is a mailbox-level switch set with the Set-Mailbox -LitigationHoldEnabled $true cmdlet. It preserves all content indefinitely unless a duration is specified. The hold survives password resets, license changes, and user deletions as long as the mailbox is converted to inactive.
The consequence of forgetting to release a hold is unbounded storage growth and potential privacy violations. A common misconception is that a hold requires extra licensing in every plan, but it is included in Exchange Online Plan 2, E3, and E5.
In-Place Hold (Legacy)
In-Place Hold was retired for new holds in July 2020 but existing holds still function. It allowed granular, query-based preservation. Microsoft now steers admins to eDiscovery holds associated with a case.
The consequence of relying on In-Place Hold for new matters is that you cannot create new ones. A common misconception is that In-Place Hold still works for new scopes, but only legacy holds survive.
eDiscovery (Standard and Premium) Case Holds
An eDiscovery case hold preserves content tied to a specific matter. eDiscovery Premium adds custodian management, legal hold notifications, analytics, and review sets. Holds can be query-based, limiting preservation to specific keywords or date ranges.
For example, Lena the general counsel built an eDiscovery Premium case that held 14 custodians, issued legal-hold notices through Purview, and produced a defensible audit trail the court accepted.
Inactive Mailboxes and Deleted Accounts
What happens to mail when an employee leaves is where most tenants break down.
Inactive Mailboxes
When an admin removes a license or deletes a user in Entra ID, the mailbox is soft-deleted for 30 days, during which it can be restored. If the mailbox was on Litigation Hold or a Purview retention policy before deletion, it becomes an inactive mailbox and preserves data for the hold duration without consuming a license.
The consequence of deleting a user before applying a hold is permanent data loss after 30 days. A common misconception is that the mailbox automatically becomes inactive, but it only does if a hold or policy existed at the time of deletion.
For example, Marcus the IT admin built a checklist that places every departing employee on Litigation Hold before the license is removed, guaranteeing an inactive mailbox the company can search for years.
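The Litigation Hold switch from the earlier section and Marcus's offboarding checklist, as one added PowerShell example (not the article's or Microsoft's own script). It places the departing user's mailbox on hold, reads the hold back before anyone touches the license, confirms afterwards that an inactive mailbox exists, and lists standing holds by age so that forgotten holds can be reviewed. The function names and the sample address are constructed; it assumes the ExchangeOnlineManagement module and an account with the Legal Hold role.

```powershell
# Added example: hold-before-offboarding checklist in Exchange Online PowerShell.
# Assumes ExchangeOnlineManagement and an account that can set legal holds.
Connect-ExchangeOnline -ShowBanner:$false

function Set-OffboardingHold {
    param(
        [Parameter(Mandatory)] [string] $User,      # UPN or primary SMTP address
        [string] $Duration = 'Unlimited',           # or a number of days, e.g. 2555 for 7 years
        [string] $Reason   = 'Offboarding hold'
    )
    # Enable the hold. 'Unlimited' preserves everything until an admin releases it.
    Set-Mailbox -Identity $User -LitigationHoldEnabled $true `
        -LitigationHoldDuration $Duration -RetentionComment $Reason

    # Read the setting back. LitigationHoldDate is stamped when the hold is
    # accepted; the license must not be removed until SafeToRemoveLicense is $true.
    $mbx = Get-Mailbox -Identity $User
    [pscustomobject]@{
        Mailbox             = $mbx.PrimarySmtpAddress
        HoldEnabled         = $mbx.LitigationHoldEnabled
        HoldDate            = $mbx.LitigationHoldDate
        HoldDuration        = $mbx.LitigationHoldDuration
        SafeToRemoveLicense = [bool]($mbx.LitigationHoldEnabled -and $null -ne $mbx.LitigationHoldDate)
    }
}

function Test-InactiveMailbox {
    # Run after the license is removed or the user is deleted in Entra ID.
    # A mailbox that was on hold at deletion shows up as inactive; one that was
    # not is merely soft-deleted and will be purged when the 30 days run out.
    param([Parameter(Mandatory)] [string] $User)
    $inactive = Get-Mailbox -InactiveMailboxOnly -Identity $User -ErrorAction SilentlyContinue
    if ($inactive) {
        "Inactive mailbox present; preserved by hold (soft-deleted $($inactive.WhenSoftDeleted))"
    } else {
        "No inactive mailbox: no hold was in place at deletion, 30-day purge clock applies"
    }
}

function Get-HoldReport {
    # Every mailbox on Litigation Hold with its owner and age in days, so that
    # holds for closed matters can be found and released deliberately.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.LitigationHoldEnabled } |
        Select-Object PrimarySmtpAddress, LitigationHoldOwner, LitigationHoldDate,
            @{ n = 'HoldAgeDays'; e = { [int]((Get-Date) - $_.LitigationHoldDate).TotalDays } } |
        Sort-Object HoldAgeDays -Descending
}

# Usage with a constructed address:
# Set-OffboardingHold -User 'departing.user@example.com'   # must show SafeToRemoveLicense True
# ...remove the license in the admin portal or Entra ID...
# Test-InactiveMailbox -User 'departing.user@example.com'
# Get-HoldReport | Where-Object HoldAgeDays -gt 365
```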
Deleted Accounts Without a Hold
If no hold or policy was in place, the mailbox is purged after 30 days. OneDrive data and Teams chats follow separate rules; without a policy, each is typically retained for 30 days.
The consequence is that a rushed termination can erase evidence. A common misconception is that Microsoft keeps backups forever, but Microsoft does not offer traditional backups of individual mailboxes.
Three Real-World Retention Scenarios
| Scenario | Retention Outcome |
|---|---|
| A user presses Shift+Delete on a sensitive email in a tenant with no Purview policy and no hold | The email moves to Recoverable Items for 14 days, then is purged permanently |
| A broker-dealer configures a 7-year Purview retain-and-delete policy on all mailboxes | Every email is preserved for 7 years regardless of user deletion, satisfying SEC 17a-4 and FINRA 4511 |
| An employee is terminated on a mailbox already under Litigation Hold, then the license is removed | The mailbox becomes inactive and preserves all email indefinitely without a license fee |
Three Named Examples
| Person and Role | Retention Setup |
|---|---|
| Maria, a solo attorney in Texas | Uses Microsoft 365 Business Standard with a 7-year Purview retention policy to meet the Texas Disciplinary Rules’ 5-year record floor plus a 2-year buffer |
| David, a marketing manager in Illinois | Uses default Outlook 365 settings with no custom policy, leaving years of client email exposed to discovery |
| Dr. Patel, a HIPAA-covered physician in California | Uses a 7-year retention label auto-applied to mail containing patient identifiers, meeting HIPAA §164.316 and California medical-records law |
Mistakes to Avoid
Avoid these specific errors because each triggers a concrete negative outcome.
- Assuming default settings are compliant, which leads directly to SEC or HIPAA fines when audited
- Deleting a user before applying a Litigation Hold, which causes the mailbox to be purged in 30 days
- Relying on Outlook’s local PST files for archiving, which Microsoft discourages and which break chain of custody
- Setting retention shorter than the longest applicable law, which exposes you to spoliation sanctions under FRCP 37(e)
- Setting retention longer than needed on personal data, which creates CCPA data-minimization violations
- Using In-Place Hold for new matters, which is impossible because Microsoft retired it for new scopes in July 2020
- Forgetting to release Litigation Holds after a matter closes, which causes unbounded inactive-mailbox growth
- Believing Microsoft takes point-in-time backups, which is false and leaves you without restore options outside the 14–30 day window
- Skipping legal hold notifications to custodians, which undermines defensibility under Zubulake
- Mixing regulated and unregulated mailboxes under one policy, which makes FINRA and HIPAA audits far harder
Do’s and Don’ts
Do the following because each protects your organization.
- Do configure Purview retention policies that match the longest applicable law, because defaults do not meet SEC, FINRA, or HIPAA
- Do extend Recoverable Items to 30 days tenant-wide, because the default 14 days is too short for most HR timelines
- Do document your retention schedule in a written policy, because courts expect a defensible, written rationale
- Do test restores quarterly, because an untested process fails at the worst moment
- Do use Audit Log retention alongside mailbox retention, because user activity logs have separate rules
- Do train users on hold notifications, because compliance depends on user action
Don’t do the following because each creates specific risk.
- Don’t rely on users to “just not delete” regulated email, because human error is inevitable
- Don’t remove licenses before confirming a hold, because the 30-day window is unforgiving
- Don’t layer contradictory labels, because the principles of retention will surprise you
- Don’t keep personal data longer than needed, because CPRA and GDPR penalize overretention
- Don’t delete a Purview policy to shorten retention, because the preservation lock may prevent it
- Don’t assume Teams and SharePoint follow the same rules, because each workload has its own retention engine
Pros and Cons of Outlook 365 Retention
Pros of Microsoft’s retention model:
- Native integration means no third-party archive license, which reduces cost
- Purview labels scale from one to hundreds of thousands of mailboxes, which suits growth
- Litigation Hold includes inactive mailboxes without extra license fees on E3/E5
- Auto-labeling uses sensitive information types that cover PII, PHI, and PCI out of the box
- Audit trail integrates with Microsoft Purview Audit, supporting defensibility
Cons of Microsoft’s retention model:
- Configuration is complex, with policies, labels, and holds interacting in non-obvious ways
- True backup is absent, so a ransomware event on your tenant is not covered by Microsoft’s retention
- Regulatory records management (17a-4 mode) requires E5 Compliance or add-on licensing
- Default windows are dangerously short for most regulated industries
- Changes to policies can take up to seven days to apply via the Managed Folder Assistant
- PST exports remain a weak link for chain of custody, because users can tamper with local files
Configuring Retention Step by Step
Admins configure retention in the Purview compliance portal. The process has consistent steps that every retention plan follows.
Step 1: Map Your Obligations
List every law, contract, and internal policy that touches your email. The consequence of skipping this step is choosing an arbitrary duration that satisfies none of your obligations. A common misconception is that one number fits all; in practice, a large firm may need 3, 5, 6, 7, and 10-year buckets.
Step 2: Create Retention Labels
In the Purview portal, go to Solutions → Records Management → File Plan and create a label per obligation. Each label specifies a retention period, a trigger (creation date or event-based), and a disposition (delete, review, or retain forever).
The consequence of event-based retention without events is that nothing ever deletes. A common misconception is that event-based triggers fire automatically, but they require an event to be created manually or via API.
Step 3: Publish or Auto-Apply
Publish the label to users, or auto-apply it based on content, senders, or classifiers. The consequence of publishing too many labels is user confusion; most practitioners limit user-visible labels to under ten.
Step 4: Layer a Baseline Policy
Apply a tenant-wide retention policy as a safety net, typically with a retain-only duration equal to the shortest mandatory minimum. The consequence of skipping the baseline is gaps where unlabeled content escapes retention. A common misconception is that labels cover everything, but unlabeled items rely on the baseline policy.
Step 5: Monitor and Report
Use the Purview content explorer and activity explorer to verify coverage. The consequence of skipping monitoring is discovering a gap only during an audit.
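The five steps above expressed in Security & Compliance PowerShell, as an added example rather than the article's own script; it also shows the policy-versus-label distinction from the Purview section and the credit-card auto-label from the bank example. The obligation map, label names and day counts are constructed, and the hashtable shape passed to -ContentContainsSensitiveInformation is assumed to follow the DLP cmdlets' form. It assumes the ExchangeOnlineManagement module and a Compliance Administrator account.

```powershell
# Added example: labels, publishing, auto-apply and a baseline policy in
# Security & Compliance PowerShell. Assumes ExchangeOnlineManagement and a
# Compliance Administrator account. Names and durations are constructed.
Connect-IPPSSession

# Step 1: obligation map (constructed). Durations are in days; 7 years = 2555.
$obligations = @(
    @{ Name = 'SEC-17a-4 Communications'; Days = 2555; Action = 'KeepAndDelete' },
    @{ Name = 'HIPAA Documentation';      Days = 2190; Action = 'KeepAndDelete' },
    @{ Name = 'CCPA Request Records';     Days = 730;  Action = 'KeepAndDelete' }
)

# Step 2: one label per obligation. ModificationAgeInDays ties the clock to the
# item itself, so a label applied late does not shorten the retention period.
# (Regulatory records mode for 17a-4 is a separate switch, -Regulatory $true,
#  that the tenant must have enabled first; it is not set here.)
foreach ($o in $obligations) {
    if (-not (Get-ComplianceTag -Identity $o.Name -ErrorAction SilentlyContinue)) {
        New-ComplianceTag -Name $o.Name -RetentionAction $o.Action `
            -RetentionDuration $o.Days -RetentionType ModificationAgeInDays `
            -Comment 'Floor taken from the obligation map' | Out-Null
    }
}

# Step 3a: publish the labels so users can pick them in Outlook.
New-RetentionCompliancePolicy -Name 'Publish Regulatory Labels' -ExchangeLocation All | Out-Null
New-RetentionComplianceRule -Name 'Publish Regulatory Labels Rule' `
    -Policy 'Publish Regulatory Labels' `
    -PublishComplianceTag ($obligations.Name -join ',') | Out-Null

# Step 3b: auto-apply the SEC label to mail containing a credit-card number,
# using the built-in sensitive information type (shape assumed from DLP cmdlets).
New-RetentionCompliancePolicy -Name 'Auto-label Card Data' -ExchangeLocation All | Out-Null
New-RetentionComplianceRule -Name 'Auto-label Card Data Rule' -Policy 'Auto-label Card Data' `
    -ApplyComplianceTag 'SEC-17a-4 Communications' `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number' }) | Out-Null

# Step 4: tenant-wide retain-only baseline at the shortest mandatory minimum
# (here the 730-day CCPA floor) so unlabeled mail never escapes retention.
$baselineDays = ($obligations.Days | Measure-Object -Minimum).Minimum
New-RetentionCompliancePolicy -Name 'Baseline Mail Retention' -ExchangeLocation All | Out-Null
New-RetentionComplianceRule -Name 'Baseline Mail Retention Rule' -Policy 'Baseline Mail Retention' `
    -RetentionDuration $baselineDays -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays | Out-Null

# Optional preservation lock: once set, the policy can only be extended, never
# removed or weakened. This is the lock that blocks "delete the policy to shorten retention".
# Set-RetentionCompliancePolicy -Identity 'Baseline Mail Retention' -RestrictiveRetention $true

# Step 5: confirm what exists and where it is being distributed.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, @{ n = 'Exchange'; e = { $_.ExchangeLocation -join ',' } }
Get-ComplianceTag | Select-Object Name, RetentionAction, RetentionDuration, RetentionType
```

Distribution to mailboxes and the first Managed Folder Assistant pass are not immediate, so DistributionStatus may read Pending for a while after the run.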
Court Rulings That Shape Email Retention
Several decisions define the standard of care for Outlook 365 retention.
Zubulake v. UBS Warburg
In Zubulake v. UBS Warburg, the Southern District of New York held that a party must preserve relevant ESI once litigation is reasonably anticipated and issued an adverse-inference instruction for UBS’s failure.
Pension Committee v. Banc of America
In Pension Committee v. Banc of America Securities, Judge Scheindlin laid out graduated culpability for preservation failures, which directly shapes how courts evaluate your Outlook 365 hold procedures today.
VOOM HD v. EchoStar
In VOOM HD Holdings v. EchoStar Satellite, the New York Appellate Division applied Zubulake to state-court matters, confirming that the duty to preserve email starts at reasonable anticipation, not at filing.
State-by-State Retention Nuances
While federal rules set floors, states add layers.
California
California’s CPRA requires 24-month retention of consumer-request records. California attorneys follow Rule 1.15.1, which shapes communication retention for client-funds matters.
New York
New York’s SHIELD Act and DFS Cybersecurity Regulation 23 NYCRR 500 set a five-year retention for audit trails for covered financial entities, which typically pulls email retention along with it.
Texas
The Texas Business and Commerce Code §72.004 sets a general three-year retention for business records, and the State Bar of Texas requires five-year retention of trust account records.
Illinois
The Illinois Personal Information Protection Act drives breach notification, which in turn requires retention of mail related to any incident for the longer of state tort limits or contractual demands.
Florida
Florida’s Information Protection Act and Florida Bar Rule 5-1.2 drive six-year retention for regulated attorneys and financial firms.
Frequently Asked Questions
Does Outlook 365 automatically delete old emails?
No. Outlook 365 does not automatically delete emails from your Inbox or custom folders. Only Junk email (30 days) and Recoverable Items (14 days by default) have automatic deletion, and both can be changed by an administrator.
How long does the Deleted Items folder keep mail?
No default hard limit exists for Deleted Items itself. Most tenants apply a retention tag of 14 or 30 days. After that, items move to the Recoverable Items folder before permanent purge.
Can I recover an email after 30 days?
Yes, but only if your administrator extended Recoverable Items to 30 days, a Purview policy applies, or the mailbox is on Litigation Hold. Without those, a 14-day default purge is final.
Does Microsoft keep a backup of my mailbox?
No. Microsoft does not provide traditional point-in-time backups. Native data protection comes from retention policies, Recoverable Items, and inactive mailboxes, not from restorable backups of a chosen date.
Does Litigation Hold preserve email forever?
Yes. A Litigation Hold with no duration preserves mail indefinitely. You can also set a specific duration, after which items become eligible for deletion under normal policies.
Is Outlook 365 compliant with SEC Rule 17a-4 out of the box?
No. You must configure Microsoft Purview Records Management with regulatory records mode, and obtain the required third-party assessment, to meet SEC 17a-4 and FINRA 4511 requirements.
What happens to email when an employee is terminated?
The mailbox is preserved, becoming an inactive mailbox, if a hold or retention policy existed before the license was removed. If no hold was in place when the deletion occurred, it is not preserved beyond 30 days.
Does HIPAA require a specific email retention period?
Yes, HIPAA §164.316(b)(2) requires covered entities to retain documentation, including qualifying emails, for six years from creation or last effective date, whichever is later.
Can users override a Purview retention policy?
No. Users cannot delete mail in a way that escapes a retention policy or hold. Deleted items move to Recoverable Items Purges and remain discoverable by admins until the policy expires.
Do retention policies apply to Teams chats too?
Yes, but through a separate Teams retention policy. Teams chats are stored in a hidden Exchange mailbox folder and follow their own rules set in the Purview portal.
How long are audit logs kept in Microsoft 365?
Audit logs default to 180 days for most activities in E3 and up to one year in E5, with up to ten-year retention available via an add-on license.
Does deleting a Purview retention policy delete my email?
No, removing a policy does not force deletion. Items already under retention enter a grace period, and a preservation lock can prevent policy removal entirely for regulated scenarios.