Email Retention and eDiscovery

Email retention

Email retention is the process of retaining emails in the organization accounts for a specific period, for compliance or other such purposes, based on the organizational policies. The main purpose of retention policy are the following:
1) Retention of email content for a specific period, so that it cannot be permanently deleted before the retention period. 
2) Deleting the email content permanently after the defined retention period. 

Email retention policy helps in compliance for legal purposes to: 
1) Compliance of industry regulations and internal policies to retain content for a minimum period of time. 
2) Reduce the risk, in case of any event of security breach or litigation caused due to deletion of content by employees.

Importance of email retention for organizations

Email is the standard, universal and reliable communication mode for businesses. The emails in the organization are crucial and sometimes confidential. They are often needed as substantial evidence. So a copy of the communication must be retained to ensure that the organization follows the compliance standards and can respond to any legal issues that arise related to such communications. This ensures that there is no data loss due to the deletion of data by the employees. 


eDiscovery refers to the process using which the emails retained can be quickly searched and retrieved from accounts within the organization. The advanced eDiscovery portal in Zoho Mail provides a complete solution to retain, review, export the emails related to your organization's internal, external or legal investigations. It empowers the legal teams to manage the holds and investigations. 

Overall, it assures that the legal team can gather and access the required information in a simple interface, without technical dependency or complexity.

Default retention policy

The default retention policy defines the period for which the organization data should be retained in the eDiscovery portal. The default value is 'Retain forever', but the organization can define a specific period in terms of the number of days. You can define your default retention policy from the eDiscovery portal.

Steps to create a default retention policy:

  1. Log in to your Admin account at
  2. The eDiscovery portal welcomes you with a small intro to email retention and eDiscovery. 
    enabling eDiscovery for your emails
  3. Click the 'Enable eDiscovery' button to enable eDiscovery for your organization. 
  4. Click Next, to choose the default retention period. 
    Setting up email retention policy
  5. By default, the retention period is forever. 
  6. You can define a specific number of days as the retention period, based on your requirements.
  7. Click Next to set the retention rules for the default retention policy.

Once you define the retention period, you can go ahead and define the retention rules. 


The storage space for the retained emails will be taken from the overall storage of the respective users.

Retention Rules

Retention rules provide you the options to choose the types of emails that you want to retain in the eDiscovery portal. The Rules provide flexible options to define whether you want to save sent emails or received emails or retain only specific sent/ received emails and so on. 

  1. You can view or set the retention rules from the Settings section of the eDiscovery portal.
    Email retention - rules and conditions
  2.  Retention rules help you define the default rules required for retention. 
  3. You can choose to retain all the emails or select specific conditions to retain emails. 
  4. You can choose one or more from the following options available. 
    • Retain emails sent - outside the organization
    • Retain emails sent - only within the organization
    • Retain all sent emails
    • Alternatively, you can specify selected domains and choose to retain the emails that are sent only to those domains.
    • Retain emails received - from external organization accounts 
    • Retain emails received - only within the organization 
    • Alternatively, you can specify selected domains and choose to retain the emails that are received from those domains.
    • Retain all received emails
    • Retain deleted emails
    • Retain spam emails 
  5. In case you want to exclude spam emails from retention, in this section, you can choose all the options and uncheck the spam emails to avoid spam emails from your retention. 

As the next step, you need to select the users for whom the email retention should be enabled. 

User accounts

Once you define the retention period and retention rules, you will now select the users for whom the Retention should begin. Click 'Enable Retention' to start the retention process for the selected set of users. 

Email retention for selective users

You can click 'Select all users' to enable retention for all the user account. 

Once you enable the retention and define the retention policy, the emails that get delivered to the organization accounts will be retained in the eDiscovery portal, based on the retention rules. The retention period will be based on the default retention rule applied to the accounts. The sync to the eDiscovery portal may take a while, after which you will be able to search/ view/ export the retained emails from the portal.

Custom retention policy

In case there are any special or custom requirements that need certain emails to be retained for a different period of time, the administrators can define custom retention rules. Custom retention rules can be defined based on various parameters.

To define new custom policies or to view existing policies, you need to navigate to the Retention and eDiscovery portal at

  1. In the 'Retentions section', just below the Default retention policy, custom retention policies will be listed.
  2. If you are creating a new policy, click the button 'Create Custom Retention Policy' button. 
  3. Provide a name for the custom policy 
    Setting different email retention rules for different users in your organization
  4. Select whether you want to retain the emails marked as spam also. 
  5. Select the period for which you want to retain the emails that match the requirements of the custom policy. 
  6. In the Condition query, provide the conditions based on which you want to define the custom policy for email retention. 
  7. The conditions can be based on one or more of the following parameters. 
    • Contains - contains text/ email address in the entire email
    • Subject - subject contains the selected tern
    • Content - email content contains
    • From - from email address contains
    • To - To email address contains
    • Cc - Cc email address contains
    • Bcc - Bcc email address contains
    • Reply To - Reply to email address contains
    • Has attachment - Only the emails with attachment
    • Attachment name - Attachment content contains
    • Attachment content -  Attachment content contains
    • Only outgoing emails - Include only outgoing emails
  8. Select the period for which you want the emails to be retained under the custom policy. 
    Custom email retention policy based on time and subject query
  9. You can use 'Preview Results' to check whether the condition query provides the expected results. 
  10. You can 'Save' the retention policy if the search results match the conditions needed for the custom retention policy. 

You can create and save multiple retention policies for different purposes. Mostly each custom retention policy will differ based on periods of retention and the conditions required for retention. 

Create an Investigation

An Investigation or a case is a legal probe against certain email communications or documents. When there is a legal case or a probe or an investigation pertaining to email communication, the organization needs to retain all the related emails until that investigation is completed/ closed.
eDiscovery - email investigation

The eDiscovery administrator creates a new Investigation to manage the entire investigation cycle. Sometimes the Investigation can be required for the purpose of internal investigation or inspection also.

Steps to create an Investigation in Zoho Mail:

  1. In the eDiscovery portal, go to Inspections tab to view or create Investigations. 
  2. Click the '+' symbol to create a new Investigation
  3. Provide the investigation name and a detailed description, for the particular investigation.

Creating an investigation on emails in your company

You can create single or multiple holds based on different conditions, as required for the investigation. The emails that are retained via investigations will not be deleted even based on the periods defined by default or custom retention policy. You can prepare a set of conditions based on which the emails should be retained to proceed with the investigation. These sets of conditions can then be defined in a single hold or multiple holds depending on the requirements. 

Prepare a Search

Before you create a Hold, list down the criteria required for the particular investigation. Based on the various criteria, create different search conditions. You can save each of these search conditions as a 'Saved search'.  In case you need to get this reviewed by legal or compliance or admin teams, you can get it reviewed before you create a 'Hold'. Saved search helps you to validate the different search conditions needed for the investigation before creating the Holds. 

To create a search, select the condition with which you'd like to perform the search and enter the search key respective to the condition. You can perform a search with multiple conditions, in which case the results returned will match all of the conditions that you have set for the search. In other words, an AND search will be performed

For example, if you choose the To condition and enter the search key, then choose the Cc condition and enter the search key, and finally pick the Has attachment condition, the results returned will be emails that have attachments and have been sent to, Cc'd to The emails that match all three of the entered conditions will be returned as results for this search. 

  • To search for an exact phrase, enter the search key in double-quotes. For example, if you choose the condition Contains and enter the search key as "media information", only the emails that contain the exact words 'media information', in that exact sequence will be returned as results. In case there are emails with the words 'information media', those will not be returned as results. 
  • If you want to search for emails that have words beginning with specific terms, add an * (asterisk) to the end of those terms. For example, if you want to search for emails that contain words beginning with the term gat, choose the contains parameter and enter the search key as gat*.

Create a Hold

Each 'Investigation' will retain emails based on one or more holds as needed for the Investigation. A 'Hold' retains the email that is required for the investigation, based on a specific set of conditions. Since a single investigation or case may require to retain different sets of emails based on various conditions like the subject, received time, sender, attachments and so on, there may be multiple 'Holds' created for each Investigation. 

Once a 'Hold' is created, the emails retained by the 'Hold' will be retained until the Hold exists. 


The results of a 'Hold' or a 'Saved Search' can be exported by the administrator, whenever required. These exports will be scheduled and the administrators can download the exported files from the eDiscovery portal. 

Exporting emails held in data theft category

Audit Logs for an investigation

Once you have created an investigation, you can also view all the related activity in the Audit Logs section, inside that particular investigation. 

Follow the below steps to view the Audit Logs related to a particular investigation:

  1. Go to the Investigations section, and select the relevant investigation.
  2. Navigate to the Audit Logs tab.
  3. Enter the dates within which you would like to view the activity.
  4. Select the checkboxes across the actions that you would like to retain. You can choose to narrow down your search by unchecking the irrelevant checkboxes.
  5. Select the Preview Audit option to view the activity or click the Download Audit option to download the activity onto your machine.

Tagging Emails

In a specific investigation, you can choose to tag emails from the search preview or the hold preview. 

To create a tag and apply it to an email, follow the instructions below:

  1. Go to the Investigations section, and select the relevant investigation.
  2. Navigate to the Tags tab.
  3. Select the Create Tag option, enter a tag name, pick a color, and click Save.
  4. Now, select a saved search or a hold from the Searches or Holds tab.
  5. Click the Preview Results option.
  6. Select the checkboxes across the emails that you want to tag.
  7. Select the Tag as ​option and choose the relevant tag.

These tagged emails can also be viewed from the Tags section. Click on a particular tag and all the emails associated with that tag will be listed.

Audit Logs

All the actions of the administrators in this portal will be recorded in the Audit logs section. Instead of viewing the activity specific to an investigation, you can view all the activity in the eDiscovery portal here. 

Auditing logs in your eDiscovery portal

Share this post : FacebookTwitter

Still can't find what you're looking for?

Write to us: