A number of compliance and operational risk acts and frameworks including SOX, HIPAA, GLBA, PCI, ISO, BASIL, BASIL II, FFIEC, SEC, NFPA, BC, DR to name a few prescribe the storage of information, which includes electronic documents of all nature, including email for a minimum number of years. One of the standard tenants of email compliance is that an email needs to be stored in a retrievable fashion, in such a way that the original email can be retrieved and proven to be original. This includes email sent internally and externally as well as email received externally at the company email gateway and sent internally to the intended recipient. Email RFC 822 bodies, headers and routing information, along with any attachments are included here, since in a court of law, email is admissible and again needs to be proven to have been received and stored legitimately.

Creating storage systems for email archives is no small feat. Email items need to be retrieved out of the email system and stored retrievably for years. This requires storage and search capability which further increases the amount of information stored, since email storage may change when moving from an email database to a relational database or other storage, search indexes need to be created, stored and maintained, and finally, the entire archive needs to be aged and trimmed when the retention period for items has been reached.

When spam and other undesired content is received, depending on the industry, laws and compliance framework, this may mean that once a piece of spam has been retrieved, it may need to be archived along with legitimate mail in order to preserve the legitimacy and integrity of the archive.

With this in mind, the financial burden for storing spam is potentially massive, since spam is stored along with the rest of the archive for posterity.

If a company is subjected to a compliance or regulatory framework, making sure that spam doesn't enter a network in the first place becomes more important that ever. Once a company receives it, i.e. it was not blocked or rejected at the gateway, it is automatically enters the compliance storage lifecycle and may only legally leave the archive once the retention period is up.

Nicolas Blank is a Microsoft Infrastructure Architect and consultant, and specializes in Exchange, Active Directory, architecture, systems management, migration and scripting. Nicolas is a Microsoft MVP for Exchange and spends what spare time he has writing, blogging and talking about Exchange and associated technologies.