Email is the most regulated and most disputed business record in many industries. Your mailbox holds the only evidence of contracts, agreements, customer commitments, and supplier disputes. But mailboxes have quotas, get hacked, and aren’t really designed as long-term archives. This guide covers how long businesses should keep email, the difference between mailbox storage and archiving, and practical approaches for small businesses on cPanel hosting.
Mailbox vs archive — different jobs
- Mailbox — active working inbox, sent items, organized folders. Optimized for read/write/search. Limited by quota.
- Archive — long-term cold storage of completed messages. Optimized for retention and search. Typically larger storage, separate from active mailbox.
Many businesses use the mailbox as both and run into problems: quotas are hit, performance degrades on huge inboxes, and a mailbox compromise loses years of records. Splitting the two addresses these problems.
How long should you keep email
Varies by industry and jurisdiction. General guidelines:
| Category | Typical retention |
|---|---|
| Routine correspondence | 2-3 years |
| Customer contracts / agreements | 7 years (or contract length + statute of limitations) |
| Financial records / invoices | 7-10 years |
| HR / employment-related | 5-7 years after termination |
| Tax-related | 7-10 years (jurisdiction-dependent) |
| Healthcare / regulated industries | Often indefinite (HIPAA, etc.) |
| Litigation hold | Indefinitely until released |
If unsure, check with your accountant and legal counsel for your specific industry and jurisdiction. Default: keep 7 years for everything business-related.
Strategy 1: Mailbox folder archive (simplest)
Inside the mailbox, create folders by year:
Inbox
Sent
Archive/
├── 2023/
├── 2024/
├── 2025/
└── 2026/ (current year, fills up)
Periodically (annually or quarterly) move old messages from Inbox/Sent into the appropriate year folder. Keep active conversations in Inbox.
Pros: simple, works with any IMAP client, no extra tools.
Cons: still in the same mailbox so counts against quota; mailbox compromise still loses everything; no compression or deduplication.
Strategy 2: Local Thunderbird archive
Use a desktop client like Thunderbird with local folders configured. Old messages move from the server (IMAP) to local storage (POP3-style folders, used for archiving rather than active work).
- Thunderbird → create Local Folders if not present.
- Create subfolders by year inside Local Folders.
- Drag old messages from server folders to local archive.
- Messages moved are removed from server (quota freed) but kept on your hard drive.
Pros: frees server quota; messages safe from mailbox compromise; full message bodies and attachments preserved.
Cons: depends on your local backup discipline — if your hard drive dies and you don’t have a backup, archive is gone; not searchable from anywhere else; only one person can access.
Pair with cloud backup (Time Machine + cloud, Backblaze, Duplicati to S3) for protection.
Strategy 3: Dedicated archive mailbox
Create a separate mailbox (e.g. archive@yourdomain.com) with much higher quota. Periodically forward or move messages there.
cPanel:
- Create email account archive@yourdomain.com with maximum quota.
- From your active mail client, move messages from main account to archive account folders.
Pros: server-side, accessible from anywhere; isolated from main mailbox compromise; quota separated.
Cons: counts against total account disk; archive mailbox must also be backed up; manual process to move.
Strategy 4: Automatic BCC archive
Configure auto-BCC of all outbound and inbound mail to a separate archive address. cPanel forwarders make this easy:
- cPanel → Forwarders → Add Forwarder.
- Set up so all mail to/from your main account also goes to archive@yourdomain.com.
Result: archive accumulates a complete record automatically; main mailbox can be cleaned up without losing the historical record.
Caveat: also captures sensitive replies; archive needs strong security.
Strategy 5: Third-party archiving service
Services like Mimecast, Barracuda, Proofpoint, and others offer dedicated email archiving with compliance certifications. Useful for:
- Regulated industries (financial services, healthcare).
- Legal e-discovery requirements.
- Large organizations with many mailboxes.
- WORM (write-once-read-many) retention requirements.
Cost: $5-15/mailbox/month typically. Justified when compliance is non-negotiable; overkill for small operations.
A practical small-business setup
For a typical 1-10 person business on iWebVault:
- Main mailbox — daily working messages, with the last 1-2 years kept active.
- Yearly folders — within the main mailbox, organize older messages by year.
- Quarterly local backup — Thunderbird exports of full mailbox to your local machine. JetBackup at server level also covers this.
- Important contracts in cloud storage — copy signed contract emails (with attachments) to Google Drive / Dropbox folder organized by client/year.
This handles 95% of small-business needs without the complexity of dedicated archiving systems.
Litigation hold considerations
If your business is under or anticipating litigation:
- STOP all deletion of email (legal hold). Even routine cleanup is paused.
- Disable automatic deletion / archiving rules.
- Preserve everything until your attorney releases the hold.
- Document what you have and where (chain of custody matters).
Talk to a lawyer if you’re unsure whether litigation is foreseeable — the obligation to preserve starts before formal filing.
Common questions
“Can I just download a .pst / .mbox file annually?” Yes — Thunderbird exports as .mbox, Outlook as .pst. Save to a labeled location. Useful for backup but harder to search than a live mailbox archive.
“What about deleted messages — can I prove deletion was authorized?” Most email systems don’t capture deletion events well. For litigation purposes, having an immutable archive (auto-BCC, third-party archive) is better than relying on deletion logs.
“Does iWebVault back up my email?” JetBackup backups capture mail folders — you can restore from there. But for compliance-grade archiving, you should keep your own copies too. Don’t rely solely on host backups.
“How do I know if a regulator considers my archive sufficient?” Industry-specific. Generally need: (1) tamper-evident, (2) full message preservation including headers, (3) searchable, (4) retention period documented. Consult your industry compliance lead.
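One way to make a yearly .mbox export tamper-evident, shown as an added example that is not part of the original guide: hash every message (headers included), chain the hashes, and keep the final value somewhere other than the archive. The file name, sample messages, and function names are assumptions made for illustration.

```python
import hashlib
import mailbox
import os
import tempfile

# Constructed sample messages (not real mail).
SAMPLE = [
    "From: alice@example.com\nTo: bob@example.com\n"
    "Date: Mon, 06 Jan 2025 10:00:00 +0000\nMessage-ID: <1@example.com>\n"
    "Subject: Contract\n\nPayment terms: net 30.\n",
    "From: bob@example.com\nTo: alice@example.com\n"
    "Date: Tue, 07 Jan 2025 09:30:00 +0000\nMessage-ID: <2@example.com>\n"
    "Subject: Re: Contract\n\nAgreed.\n",
]

def make_sample_mbox(path):
    """Write the constructed messages to an mbox file, as a yearly export would be."""
    box = mailbox.mbox(path)
    for text in SAMPLE:
        box.add(text)
    box.close()

def build_manifest(path):
    """Hash every message (headers and body) and chain each hash to the previous one."""
    entries, prev = [], "0" * 64
    box = mailbox.mbox(path, create=False)
    for key in box.iterkeys():
        digest = hashlib.sha256(box.get_bytes(key)).hexdigest()
        prev = hashlib.sha256((prev + digest).encode()).hexdigest()
        entries.append({"message_id": box.get_message(key)["Message-ID"],
                        "sha256": digest, "chain": prev})
    box.close()
    return entries

def seal(manifest):
    """Single value covering the whole archive; store it away from the archive itself."""
    return manifest[-1]["chain"] if manifest else "0" * 64

def verify(path, manifest):
    """Return a list of problems; an empty list means the export matches the manifest."""
    current = build_manifest(path)
    problems = [f"message {i} altered" for i, (a, b) in enumerate(zip(manifest, current))
                if a["sha256"] != b["sha256"]]
    if len(current) != len(manifest):
        problems.append(f"message count changed: {len(manifest)} -> {len(current)}")
    return problems

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "archive-2025.mbox")
    make_sample_mbox(path)
    manifest = build_manifest(path)
    print(seal(manifest), verify(path, manifest))
```

The manifest only provides evidence if the seal value is recorded where someone with access to the archive cannot rewrite it, for example in a dated entry in your chain-of-custody notes.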
What’s next
- Cleaning up bloated mailboxes: Email quota guide.
- If migrating providers: IMAPSync guide.
- Server-level backups: JetBackup.
Pick a strategy and apply it consistently. The worst archive is the one you’ll spend hours setting up but never use. Yearly folder organization plus quarterly local backups handles small business needs cleanly. Scale up only when compliance demands it.