Managing email in Office 365

What is an email account in Office 365? It is a special type of document library that doesn’t need version control, doesn’t need extra metadata fields and doesn’t live in SharePoint.

It now seems a little incongruous for organisations to ask their staff to move important emails out of email accounts and into a ‘corporate record system’.  If Office 365 is your corporate record system then email accounts are within it already!

One of the things that Microsoft had to do in order to make Office 365 work as a service offering was to get their SharePoint team working with their Exchange team – something that famously never happened whilst both products were predominantly on-premise offerings. Microsoft customers implementing on-premise SharePoint alongside their on-premise Exchange email system had to deploy third-party plug-ins if they wanted staff to be able to drag and drop an email into a SharePoint document library without leaving their Outlook email client.

There are two routes Microsoft could have gone with the relationship between Exchange and SharePoint within Office 365:

  • the integration route – building in features that make it easier to move emails from Exchange to SharePoint;
  • the governance route – making common governance features available so that emails in an email account could be governed using the same policies as documents in a document library in SharePoint.

Microsoft’s choice of direction for Office 365 has implications for the policy decisions that organisations need to take on email:

  • If Microsoft were to go down the integration route then it would fit in with the records management belief that an email system is not a ‘record system’ but is instead a ‘communications tool’.  Many organisations over the course of the past decade have designated SharePoint as their corporate records system and asked staff to move important emails into SharePoint.
  • If Microsoft were to go down the governance route then it would fit with the information governance belief that distinctions between record systems and non-records systems are meaningless and unhelpful because organisations are under legal, regulatory and ethical obligations to manage all their business information systems in accordance with information governance principles.

From a marketing point of view, there are clear advantages to Microsoft from going down the governance route rather than the integration route:

  • If Microsoft went down the integration route it would imply that they viewed a SharePoint document library as a better place to store business email than an Exchange email account. This is despite the fact that Exchange was built for and designed around the storage of email messages, whereas SharePoint document libraries were not designed with email in mind.
  • By going down the governance route Microsoft can stay neutral on the question of whether an email is better stored in SharePoint or in Exchange, and can gradually remove any necessity for organisations to move emails out of Exchange and into SharePoint.

It is therefore no surprise to see Microsoft putting their emphasis on the governance route rather than the integration route.

Office 365 comes with a ‘Security & Compliance Centre’ that sits separately from SharePoint or Exchange or any of the other component parts of Office 365. The Security & Compliance Centre gives you two different means of applying retention rules to content:

  • retention policies which are applied to the containers within which content sits (SharePoint sites, email accounts etc.);
  • retention labels which are applied to individual items of content (emails/documents etc.).

This effectively gives you three alternative options for applying retention to email:

  • apply retention policies to email accounts without applying retention labels; OR
  • ask end users to apply retention labels to emails (or automate the application of labels if and when you develop automation capability), without applying retention policies; OR
  • use a combination approach by applying a default retention policy to email accounts whilst allowing staff (or machines!) to apply a retention label to particular emails that deserve a retention rule that differs from the default.

Note that in applying retention from the Security & Compliance Centre to content in OneDrive, Office 365 groups or SharePoint you will be faced with variations of the three options listed above.   The variation relates to the type of container that you would be applying retention policies to, and the type of content that you would be applying retention labels to.

The fact that Microsoft allows an email account to be treated in the same way as a document library for retention purposes will not stop organisations wanting to apply different retention periods to email accounts than to document libraries even when they arise from a similar business function.  The cost and risk profile of an email account differs significantly from that of a document library.

However Office 365 is a game changer in two ways:

  • it brings the application of retention rules to email in email accounts firmly into the information governance domain, rather than the IT domain. The retention policy and retention label menus in the Office 365 Security & Compliance Centre can be used to apply retention policies and/or retention labels to Exchange email accounts and SharePoint sites (as well as other parts of Office 365 including Office 365 groups and OneDrive accounts);
  • it creates the possibility of applying different types of policy towards email. For example, if you wanted to apply a Capstone policy towards email you could do so out of the box in Office 365 by simply:
    • setting two retention policies on email: a Capstone retention policy for application to the relatively small number of email accounts that you wish to retain permanently, and a non-Capstone retention policy for application to email accounts that you do not wish to retain permanently;
    • deploying retention labels to enable staff with Capstone email accounts to identify trivial and personal emails so that those emails are exempt from the permanent retention applied to the rest of the correspondence in their email account.

8 thoughts on “Managing email in Office 365”

  1. Nice post James. Where do you see context as fitting into the mix? M365 does introduce such tools but it tends to be premised on a bucket approach. I take your point re “Ask end users to apply retention labels to emails (or automate the application of labels if and when you develop automation capability), without applying retention policies.” Oh how we yearn for improvements in auto classifications and ontological approaches 🙂

    The core M365 Security and Compliance model does feel more like an email risk mitigation (i.e. a good replacement for our black box email archive system) approach rather than nuanced information management though. Any other thoughts on that?

    1. Hi Russell My personal view is that with email there is no point in trying to get extra context on a message-per-message basis. The individual messages are too low in value to justify any extra time spent enhancing their metadata. The key contextual information about email is the role carried out by the email account holder, because that is what links an email account to business function and hence to retention rules. James

      1. Thanks for that clarification James. I’d like to acknowledge that it’s always far easier to find faults with ideas than it is to propose better solutions. I personally believe that the concept of email has been seriously broken as a business communication tool (irrespective of any record keeping challenges) for at least a decade if not more yet here we are continuing to wrestle with it. By context what I was alluding to is that the O365 in-place records management model you are referencing is a format and application specific solution whereas for any given business function or activity there will doubtless be a myriad of non-email records intrinsically related to the specific activity. I am interested in what I am interpreting as your suggestion to focus on the individual’s roles rather than the content of their emails. So for example this would be premised on a number of assumptions that position holders x,y,z are more likely to be the recipients or creators of records of higher value than perhaps junior roles a,b,c? That feels more aligned to risk mitigation than records management to me – something that could be applied as a hygiene measure to a black box email archive while complementing over record keeping approaches?

        I can see the attraction of the concept but my experience of the realities of the workplace does nag at me that the randomness of the world would mess with this quite a bit. As I say though, I have no better solutions to offer than the flawed ones we currently have.

        I think this is a valuable debate to continue. If I wished to be provocative I’d argue that records management is dead. Instead the archival regulators need to adopt a far more selective identification of high value approach (rather than trying to value everything so as to make the destruction of rubbish an incredibly high cost exercise) and implement a far more risk based model that encourages principles based defensible disposal of all record forms. In some ways I see this as part of the continuing struggle within the profession between the pragmatists, the technologists and the antiquarians. Each are flawed.


      2. Hi Russell,

        For the past twenty years our organisations have been aggregating most of their business correspondence into aggregations (email accounts) that represent the individual who sent/received that correspondence.

        In theory there are two alternative ways we can link emails to the business activity they arose from:

        – One is on an item-by-item basis, moving (or linking) each individual email (or each thread of emails) into a structure that reflects business activity. The problem is that for the past twenty years no organisation has had the capability to do this on a corporate scale across all of their activities.

        – The other option is to move up a level of aggregation and link email accounts to business activity. This is possible because we know the role that individual email account holders play in our organisations and we know what range of activities they are tasked with.

        Australian archival theorists such as Peter Scott, Ian MacLean and Frank Upward have conceived of records as the outcome of how individuals and teams have carried out business activities. Accountability requirements vary. Sometimes society may have concerns about how a particular business activity was carried out. At other times society may have concerns about the conduct of a particular team or a particular individual.

        According to Australian record series theory and records continuum theory it does not matter whether records are organised by business activity or by team/individual:
        – if records are organised by business activity but the accountability need relates to a particular individual or team, then the accountability need can be met by establishing what activities that team/individual worked on and consulting the records for those business activities;
        – if records are organised by individual but the accountability need relates to understanding how a certain business activity was carried out then this accountability need can be met by establishing which individuals carried out that business activity and consulting the records of those individuals (this is how eDiscovery searches typically proceed on email systems);
        – if records are organised by team but the accountability need relates to understanding how a certain business activity was carried out then the need can be met by establishing which team(s) was responsible for that business activity and consulting the records of that team/those teams.

        Contemporary organisations have a hybrid set of repositories and communication channels. Some of these repositories are organised by business activity, some by team, some by individual. The link between the records in all of these systems is provided by the triangular link between individuals, the teams they belong to, and the business activities they and their teams are responsible for.


  2. If the final goal is to increase the governance of emails inside the email account themselves, we must also think of what we want to achieve.
    Some emails (received and sent emails) are also corporate documents essential for supporting business functions and we have to keep each of them in compliance with different legal requirements.
    Moreover, it is important to be able to link each document with all the others produced or received to support the same business operation, process, function or service.
    What I have read above is a good improvement step, but in my opinion it is not sufficient yet.
    The idea of organising the governance of email records directly inside IT systems bespoke for emails is great, but more arrangements and developments are needed.
    First and foremost, corporate personal email accounts, i.e. email accounts specifically linked with a particular individual, will never be appropriate for good records management or information governance because – irrespective of which progress can be made by implementing automated classification, intelligent search and the like – these environments are associated with a specific person and – as such – are affected by all the privacy rules and provisions of European and UK legislation – we are not in the US where whatever object is kept in a corporate environment is automatically considered to be a corporate asset.
    However, this is a good piece of news and I too think that the governance route is in principle the right option. But more progress is needed.
    Thank you for your post, James.

    1. Hi Massimiliano

      I agree that filing business correspondence by sender/recipient (which is effectively what email systems do) has disadvantages from a records management/information governance point of view. But we should only recommend the re-filing of business correspondence into an alternative structure if and when we can be sure that such a re-filing will be done consistently.

      Email systems have the capability to automatically file correspondence by ‘sender/recipient’. They do not (currently) have the ability to automatically file email by ‘business activity’. This is because ‘sender/recipient’ is a field that is built into the email protocol that every email adheres to. There is no metadata field in the email protocol for ‘business activity’.

      This puts records managers in a dilemma. We could insist that business emails are re-filed into some kind of business activity structure.
      This typically involves us deploying an email system that automatically files all correspondence by sender/recipient and then asking our colleagues to manually re-file their business correspondence into a business activity structure.

      This is bound to fail. The sender/recipient has little or no incentive to refile the correspondence that has been automatically filed into their email account. The human refiling of email into ‘record systems’ cannot keep pace with the automatic filing of email into email accounts by email systems.

      The data protection act does not forbid the arrangement of business correspondence by sender/recipient. It simply imposes obligations on organisations with regard to how personal correspondence within those accounts is treated.


  3. Dear James, thank you very much for your reply!

    As to Data Protection issues, my concern does not relate to how emails are arranged in a personal business account, but to the fact that if a corporation needs to access for whatever reason important documents kept in a personal business account (e.g. or this might give rise to problems because a person is entitled to protect his/her own privacy even in a corporate environment, and therefore it would be better to use general business corporate email accounts (e.g.,, and the like)

    As to all of your remaining observations, they are sensible, and I think we should fight automation by automation – possibly by subdividing the email flows in more steps and trying to introduce some “help” for the machines – and take a risk assessment perspective

    1) Firstly we might sift business-related emails from non-business related emails through a step where a user is forced to make that choice. The business-related emails might be diverted either in a corporate application or in a general business corporate email account

    Even the implementation of this first step would immediately solve some problems (e.g. when a staff member leaves a corporation you can decommission after a period of time his / her personal email account by minimising the risk something important is destroyed before the time is due; if you have to look for an email the number of accounts or places you have to search through is reduced)

    2) Then we can try to deal with the emails gathered in a “totally” corporate environment (general business corporate email account, IT application or network) by sorting them as appropriate. If – as it is often the case – email volumes are too big to be handled manually by humans, automated classification tools should be used, possibly with the assistance of humans who supervise and sample-check what the tool does. I acknowledge that automated classification tools are not up to what we need, but we humans can “help” them both by supervising and auditing them – as I have said above – and possibly by adding some metadata elements which may facilitate their work (e.g. for some emails sent by a corporation and relating to particular kinds of activities we might provide key words or expression to be included in the subject line – I concede we can do that only in some cases and for some particular significant business actions, but I think something is better than nothing; likewise, for some emails sent to a corporation we might e.g. create a pop-up window or another step enabling the officer receiving the emails to associate them with a metadata element intended to facilitate automated-based or even human-based analysis).

    By resorting to these “tricks” you may not solve every problem, but you might improve the situation of email management, and I think improvement steps are always good and sometimes ‘best’ is enemy of ‘good’.
    Of course, the whole approach should be risk-based – information objects are becoming more and more numerous and “ad impossibilia nemo tenetur” (it is a Latin legal maxim: it means “nobody must keep a commitment to do impossible things”).
    When you have done all that your resources and knowledge allow you to do, you may also be confident that your case will be well supported before authorities should you be challenged by someone.

    Thank you again for your wonderful and informative website, James.

    Massimiliano Grandi
