Email Archiving: Legal Requirements and Technical Implementation

Which emails must be archived and how to meet the requirements

Business-relevant emails are subject to retention requirements. The GoBD, Section 147 AO and Section 257 HGB stipulate that emails with tax-relevant content and business correspondence must be archived in an audit-proof manner — immutable, complete, searchable and machine-readable. An Outlook folder or PST file does not meet these requirements.

This article explains which emails must be archived, what the GoBD requires for email archiving, which technical approaches exist, and which common mistakes businesses should avoid.

Which Emails Must Be Archived?

Distinguishing between business-relevant and private emails

Subject to Archiving

  • Quotes and order confirmations — classified as commercial correspondence (6 years)
  • Invoices (as email or attachment) — classified as accounting vouchers (10 years)
  • Complaints and defect notifications — business-relevant correspondence (6 years)
  • Contract negotiations and conclusions — 6-10 years depending on contract type
  • Tax-relevant correspondence — communication with tax office, tax advisor (10 years)
  • Payment advices and reminders — accounting vouchers (10 years)

Not Subject to Archiving

  • Private emails from employees — must not be archived due to data protection
  • Spam and newsletters — no business relevance
  • Internal coordination emails — unless they contain tax-relevant content
  • Appointment scheduling — generally not classified as business correspondence

Practical challenge: If a business permits private email use at work, it cannot archive all emails indiscriminately — this would violate telecommunications secrecy and the GDPR. The solution: prohibit private email use (employment agreement) or provide separate email accounts for personal use.

GoBD Requirements for Email Archiving

What the GoBD specifically require for emails

Immutability

Archived emails must not be subsequently altered or deleted. This includes the email text, attachments, header information, and metadata. Technically, this is ensured through hash values and write protection.

Completeness

The email must be archived in its entirety: text, attachments, headers (sender, recipient, date, subject), and embedded images. It is not sufficient to save only the attachment and delete the email itself.

Searchability

Archived emails must be searchable — by sender, recipient, date, subject, and content. Attachments must also be searchable, which requires OCR text recognition for scanned documents in attachments.

Machine Readability

The tax authority must be able to evaluate archived emails electronically during a tax audit — filtering, sorting, and exporting. A simple email inbox does not provide this functionality.

Audit Trail

Every access to archived emails must be logged: who accessed, exported, or downloaded which email, and when?
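The immutability, completeness and audit-trail requirements above, shown as an added sketch (not code from this article or from any archiving product): the digest is taken over the complete raw message, so headers, body and attachments are all covered, and every ingest or read appends to a hash-chained log. The `Archive` class, the user names, the timestamps and the sample message are constructed for illustration.

```python
import hashlib
import json
from email import message_from_bytes

# Constructed sample message (illustrative only, not from the article).
RAW = (b"From: billing@example.com\r\nTo: ap@example.org\r\n"
       b"Date: Mon, 06 Jan 2025 09:00:00 +0100\r\nSubject: Invoice 2025-001\r\n"
       b"\r\nPlease find invoice 2025-001 attached.\r\n")
GENESIS = "0" * 64  # "previous hash" used by the first audit entry

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class Archive:
    """Hypothetical in-memory archive: raw messages keyed by SHA-256, plus a chained audit log."""
    def __init__(self):
        self.store = {}  # message hash -> complete raw message bytes
        self.log = []    # audit entries, each carrying the hash of its predecessor

    def _append(self, user, action, msg_hash, ts):
        prev = self.log[-1]["entry_hash"] if self.log else GENESIS
        entry = {"ts": ts, "user": user, "action": action, "msg": msg_hash, "prev": prev}
        entry["entry_hash"] = _digest(entry)
        self.log.append(entry)

    def ingest(self, raw, user, ts):
        msg_hash = hashlib.sha256(raw).hexdigest()  # whole message, not just the attachment
        self.store[msg_hash] = raw
        self._append(user, "ingest", msg_hash, ts)
        return msg_hash

    def read(self, msg_hash, user, ts):
        self._append(user, "read", msg_hash, ts)  # log the access before returning data
        return message_from_bytes(self.store[msg_hash])

    def verify(self):
        """Return a list of integrity problems; an empty list means nothing was altered."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.log):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or e["entry_hash"] != _digest(body):
                problems.append(f"audit entry {i} altered or out of order")
            prev = e["entry_hash"]
        for msg_hash, raw in self.store.items():
            if hashlib.sha256(raw).hexdigest() != msg_hash:
                problems.append(f"message {msg_hash[:12]} altered")
        return problems
```

Hash values only detect a change after the fact; preventing it still requires the write protection mentioned above, and the latest log hash has to be kept somewhere the archive operator cannot rewrite.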

Technical Approaches to Email Archiving

Three paths to GoBD-compliant email archiving

1. Journaling (Automatic)

With journaling, every incoming and outgoing email is automatically forwarded to an archive system — in real time, without user interaction. This is the most reliable approach because no email can be "forgotten". However, all emails are archived, which can be problematic if private use is permitted.

2. Server-Side Archiving (Exchange/M365)

Microsoft Exchange and Microsoft 365 offer built-in archiving features (In-Place Archive, Retention Policies). These can be configured to archive emails automatically based on defined rules. However, the archive then resides in the Microsoft cloud, which may be problematic where on-premises storage is required.

3. Manual Filing

Employees manually save business-relevant emails in the archive system — for example via drag-and-drop into a monitored folder or by forwarding to an archive email address. This approach is error-prone because it depends on employee discipline. Individual emails can be forgotten.

Recommendation: For maximum compliance and minimum effort, a combination of automatic import (journaling or mailbox monitoring) and audit-proof archiving in PDF/A format is the best solution. Docuflair Archive supports automatic import from email mailboxes.

Common Email Archiving Mistakes

These mistakes can be costly during a tax audit

Mistake 1: PST Files as Archive

PST files (Outlook data files) are not an audit-proof archive. They can become corrupted and offer neither write protection nor access logging. They are also often stored on the employee's local hard drive and are not backed up.

Mistake 2: Deleting Emails Without Review

Many employees routinely delete emails to tidy their inbox — without checking whether the email is business-relevant and therefore subject to archiving. An accidentally deleted invoice or order confirmation can become a problem during a tax audit.

Mistake 3: Missing Procedural Documentation

Even if the technical email archiving functions correctly, the procedural documentation is often missing. The GoBD require a written description of how emails are captured, classified, archived, and protected. Without this documentation, the archiving is formally not GoBD-compliant.

Mistake 4: Outlook Folder Equals Archive

An Outlook folder named "Archive" is not an archive in the GoBD sense. Emails in Outlook folders can be moved, deleted, and altered. There is no audit trail, no write protection, and no machine readability in the GoBD sense.

Mistake 5: Archiving Only Attachments

Some businesses archive only email attachments (e.g., the PDF invoice) but not the email itself. This violates the completeness requirement of the GoBD: the email is part of the business transaction and must be archived together with the attachment.

Email Archiving with Docuflair

Docuflair Archive automatically imports emails from your mailboxes and archives them in an audit-proof manner in PDF/A format — with OCR full-text search across email text and attachments, a complete audit trail, and role-based access control. Fully on-premises.

Frequently Asked Questions

Answers to the most important questions about email archiving

Which emails must be archived?

All business-relevant emails must be archived: quotes, order confirmations, invoices, complaints, contract negotiations and tax-relevant correspondence. Private emails from employees must not be archived due to data protection regulations.

Is an Outlook folder considered audit-proof archiving?

No. An Outlook folder or PST file is not audit-proof archiving. Emails can be deleted, moved or altered there without any log being created. The GoBD require immutable, complete and machine-readable archiving.

How long must business emails be retained?

Business emails classified as commercial or business correspondence must be retained for 6 years. Emails serving as accounting vouchers (e.g. invoices sent via email) must be retained for 10 years (Section 147 AO, Section 257 HGB).

What is the difference between email archiving and email backup?

An email backup is a security copy for recovery in case of data loss. Email archiving is GoBD-compliant, immutable long-term storage with an audit trail and full-text search. Backups do not replace archiving because they are neither immutable nor audit-proof.
