Legally compliant email archiving requires companies in Germany to store business emails in a tamper-proof manner and keep them available for inspection. It is based on the German Commercial Code (HGB), the German Fiscal Code (AO) and the GoBD, and it ensures legally compliant work, digital traceability and fulfilment of tax documentation obligations.
Key points
- Retention periods: 6 to 10 years depending on the type of email
- GoBD conformity: mandatory for software solutions
- Data integrity: encryption and access controls are required
- Automation: archiving and deletion must be rule-based
- Training courses: employees must understand archiving-compliant processes

Companies often underestimate the effort involved in fully compliant email archiving. Even minor carelessness can lead to gaps in archiving - for example, if an email with a tax reference is deleted manually or an automated system is not configured correctly. Such mishaps can be avoided by carefully reviewing existing processes and introducing clearly documented guidelines.
It should also be noted that the legal requirements are constantly being updated. One example is changes in data protection regulations, such as the GDPR or country-specific amendments. It is therefore advisable to continuously monitor legal and technical updates. This is the only way to ensure that the archiving system not only meets the legal standards today, but will continue to do so in the future.
Legal basis of e-mail archiving
In Germany, companies are legally required to archive business emails securely - this means that they must be traceable, unalterable and complete at all times. The relevant legal bases are Section 147 of the German Fiscal Code (AO), Section 257 of the German Commercial Code (HGB) and the GoBD. These regulations govern how long business-related emails must remain digitally available. Tax-relevant emails, such as invoices, must be stored for 10 years. Purely business or commercial letters are subject to a 6-year retention period.
Some freelancers and small businesses are not subject to this obligation - with the exception of industry-specific special regulations. The definition of a commercial letter also regularly includes emails about offers, contractual arrangements or business agreements. Anyone who fails to archive these properly risks severe fines and tax complaints.
In order to increase legal certainty, it is advisable to include provisions on the retention of email data in contracts with IT service providers and hosting providers. This gives both parties clarity about their respective obligations and reduces the risk of disputes in the event of discrepancies regarding data retention. It is also important for companies to be able to prove at any time that emails are available unchanged in the archive and that their content has not been subsequently manipulated.
Requirements for audit-proof archiving
Audit-proof archiving means that emails must not be changed or deleted unnoticed at a later date. In addition, all records must be stored completely and verifiably. Conventional storage in the email inbox or a local file folder is not sufficient for this. Companies need archiving software that fulfils these criteria and provides a clear access structure.
GoBD-compliant systems have logging functions, record all changes and offer versioning of individual messages. This guarantees traceability from a legal perspective. Anyone using Microsoft 365 or comparable platforms can create a legally compliant archiving connection via specialized add-ons or APIs.

Particular attention must be paid to the so-called journaling archive: depending on the email infrastructure, a copy of every incoming and outgoing message is automatically placed in a defined archive. This leaves no room for accidental or deliberate deletion of important correspondence. Exactly how journaling is implemented depends heavily on the email system used, which is why close coordination with the IT manager or the provider of the archiving solution is advisable.
Technical implementation and software integration
Many archiving systems allow direct integration into common groupware systems such as Microsoft Outlook, Exchange, Gmail or Zimbra. This allows incoming and outgoing emails to be automatically captured and moved to the archive. Archiving is rule-based, often keyed on sender, subject, timestamp or attachments. With a corresponding add-on solution, email addresses hosted via Plesk can also be archived securely - both going forward and retrospectively.
It is crucial that the selected software complies with the GoBD and § 146 para. 1 AO. This means that the emails must be stored in a timely, machine-readable and structured manner. The software should also support automatic deletion after the retention period has expired - this helps to conserve storage space and system performance. Some archiving solutions also support special formats such as .eml or .msg, provide an API for third-party systems or enable storage in cloud storage with a compliant audit function.
Another technical aspect is the speed of access to archived emails. A high-performance solution can quickly pay for itself, especially in larger companies that receive thousands of emails per day. Security issues and network bandwidths should also be taken into account when deciding on an on-premises or cloud variant. In principle, a dedicated archiving appliance provides more control in-house - a cloud-based solution, on the other hand, can offer scaling and maintenance benefits.
Administrators should continuously check the logging of access - because in the event of an audit, it is precisely this logging that can provide information about who accessed archived emails and when, and whether changes were made. Monitoring the system - similar to an IDS/IPS (intrusion detection/prevention system) - can also help to detect unauthorized manipulation at an early stage and initiate countermeasures in good time.

Retention periods and archive structure
The legally prescribed deadlines are based on the content of the email, not its format. From a tax perspective, the distinction is important because PDF invoices with attachments or information on VAT liability must also be archived. The following table provides an overview of typical archiving requirements:
| Typical content | Category | Retention period (years) |
|---|---|---|
| Invoices / Offers | Relevant for tax purposes | 10 |
| Contract correspondence | Commercial letter | 6 |
| Final reports / annual financial statements | Balance sheet documents | 10 |
| Project agreements | Business letter | 6 |
| Personal data | GDPR-relevant | Context-dependent |
The archive structure should be based on the business processes and, for example, divided into folders or categories that correspond to the respective content. This is because a clear structure makes it easier to find relevant emails quickly - whether for internal searches or as part of audits. In addition, sensitive content (such as personal data) can be stored in specially secured areas and thus meet the requirements of the GDPR and internal compliance.

Security: encryption and access controls protect data
Data security is an essential component of legally compliant archiving. Every stored e-mail must be secured in such a way that no unauthorized access can take place. Modern systems therefore encrypt all stored content during transmission and at rest. In addition, access is regulated via multi-level rights assignment - for example via LDAP or Active Directory. This means that every access can be traced in the event of an audit.
Reliable email encryption complements the security concept. In addition, an automated system check with a malware scan is recommended to weed out compromised or harmful content at an early stage. Backups in encrypted form and recurring test restores ensure the long-term integrity of archived messages.
Another step that IT departments often take is to implement uniform security guidelines that apply to both the productive email system and the archive. This ensures that anti-malware programs, spam filters and restrictions for executable attachments are consistently implemented in both environments. In this way, the company minimizes the risk of infected or malicious files entering the archive.
Guidelines and training create clarity
Companies should have clear archiving guidelines that document internal processes and responsibilities. Work instructions for handling emails, defined storage locations, retention periods and procedures for special cases (e.g. personal data) prevent loss of information and minimize room for interpretation.
Training courses help employees to develop an awareness of the correct handling of business-relevant emails. Employees should know how to recognize content that needs to be archived and when manual intervention is required. A practical example: automated archiving of all emails from the domains "@kunde.de" or "@steuerberater.de". This systematically secures important business transactions.
In addition to these training courses, it can be useful to define internal points of contact for archiving issues - for example, an "archiving officer" or the IT department. This way, employees have quick help and valuable expertise at their fingertips when needed. New employees in particular benefit from being given an overview of email archiving and its importance in their first few weeks.

Automation and compliance control
Sophisticated automation makes it much easier for the company to comply with internal and external rules. Archiving tools can automatically apply deletion deadlines, group emails according to specific rules and generate reports on storage status and rule violations. Compliance then ceases to be a one-off project and becomes a daily part of the IT infrastructure.
Experienced administrators carry out regular audits - either internally or with the help of external auditors. This ensures that there are no legally critical gaps. In addition, many systems offer REST APIs or webhooks to link archiving with third-party systems such as ERP or DMS. This reduces manual sources of error and supports efficient working.
An often underestimated factor is the monitoring of storage resources. Automated email archiving can quickly drive up data volumes, especially with large attachments. Regular capacity planning and the early expansion of storage capacities prevent bottlenecks. This not only has an impact on system performance, but can also prevent older emails from being accidentally deleted or moved to another location.
Practical tips for beginners and administrators
A functioning archiving system makes all the difference when it comes to legal disputes or tax audits. I start every new email archiving project with an inventory check: What is already stored and how? Are there any shadow mailboxes? Have emails been deleted manually up to now? Only then do I select a suitable system.
I also recommend creating a list of typical email types in the company and assigning specific archive classes to them. For example: invoices → 10 years, internal meeting minutes → no archiving obligation. This reduces uncertainty and creates transparency in planning. Be sure to consider scanned paper documents or attachments from third-party sources and digitize them in a compliant manner.
Rules of thumb help with implementation: for example, you can specify that all emails with a certain customer or project number are sent to a special sub-archive by default. This not only provides security, but also significantly improves the traceability of business transactions. If you also use clear naming rules (e.g. "2023_ProjectXY_Invoice.pdf"), this makes it even easier to find them quickly.
Extended practical guides: Common sources of error and solutions
Particularly in the initial phase of introducing audit-proof email archiving, typical stumbling blocks are encountered. A common mistake, for example, is to assume that simply capturing all emails is sufficient. However, if you do not define clear rules for deletion periods and categorization, you will quickly be faced with a mountain of data that no one can find their way around. This can be remedied by a role and rights model that determines who can see or edit which categories.
A second common mistake is the use of multiple, non-synchronized archiving systems. If certain project emails are saved manually in local folders while other emails end up in a cloud archive, this creates gaps or overlaps that can no longer be traced in case of doubt. The following applies here: Single Point of Truth - there should be a central system that is clearly responsible and is identified as an authoritative source.
I also advise against having employees delete large amounts of data from their mailboxes without prior consultation. Even if the messages seem unimportant, carelessly deleted communication may be missing later when it comes to warranty issues or disputes. The archive should therefore take effect automatically and without loopholes, so that manual filtering is no longer possible.
Administrators can also carry out test restores at regular intervals: This involves checking whether archived emails can be restored as expected and whether data integrity and timestamps have been correctly preserved. Such exercises not only promote trust in the archive, but also uncover technical or organizational deficits that could go unnoticed during ongoing operations.
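One way to turn the rules from the training and practical-tips sections into checkable code, as an added example that is not from the article: it sorts a message into the archive classes named above (tax-relevant 10 years, commercial letter 6 years, none for internal meeting minutes), routes a project number to a sub-archive and records a SHA-256 hash that a test restore recomputes. The domains are the article's own training example; the keyword rules, the project-number format and counting the period from the end of the calendar year of receipt are assumptions made here.

```python
# Added example (not from the article): rule-based archive classification with
# a tamper-evidence hash. Assumptions: the keyword rules, domains and
# project-number pattern are constructed; the retention period is counted from
# the end of the calendar year in which the message was received.
import hashlib
import re
from datetime import date
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

RETENTION_YEARS = {"tax-relevant": 10, "commercial-letter": 6, "none": 0}
ARCHIVE_DOMAINS = {"kunde.de", "steuerberater.de"}   # the article's domain example
PROJECT_RE = re.compile(r"\b(p-\d{4})\b")            # constructed project-number format

# Constructed sample message (not real correspondence).
SAMPLE = (b"From: Buchhaltung <rechnung@kunde.de>\r\nTo: ap@example.org\r\n"
          b"Date: Tue, 14 Mar 2023 09:15:00 +0100\r\n"
          b"Subject: Invoice 2023-117 for P-0042\r\n\r\nPlease find the invoice attached.\r\n")

def classify(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return its archive record."""
    msg = message_from_bytes(raw)
    subject = (msg["Subject"] or "").lower()
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    received = parsedate_to_datetime(msg["Date"]).date()
    if any(k in subject for k in ("invoice", "rechnung", "annual financial statement")):
        cls = "tax-relevant"                       # 10 years (§ 147 AO)
    elif sender_domain in ARCHIVE_DOMAINS or "contract" in subject or "offer" in subject:
        cls = "commercial-letter"                  # 6 years (§ 257 HGB)
    else:
        cls = "none"                               # e.g. internal meeting minutes
    years = RETENTION_YEARS[cls]
    retain_until = date(received.year + years, 12, 31) if years else None
    match = PROJECT_RE.search(subject)
    return {
        "class": cls,
        "retain_until": retain_until,
        "sub_archive": match.group(1).upper() if match else "general",
        "sha256": hashlib.sha256(raw).hexdigest(),  # recomputed on every test restore
    }

def verify_restore(restored: bytes, record: dict) -> bool:
    """Test-restore check: the restored bytes must hash to the archived value."""
    return hashlib.sha256(restored).hexdigest() == record["sha256"]

def may_delete(record: dict, today: date) -> bool:
    """Rule-based deletion is allowed only once the retention period has fully expired."""
    return record["retain_until"] is not None and today > record["retain_until"]
```

A real deployment would store the record alongside the message in the archive and re-run verify_restore on the sample of messages pulled in each test restore.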

Ensuring sustainability through regularity
Archiving has to work in the long term - not just once when it is introduced, but permanently in everyday use. I therefore plan regular system checks, check the consistency of entries, run sample searches and evaluate function logs. If you document when and how your archive works on an annual basis, you save yourself a long investigation in the event of an emergency.
Once a year, I also update the software used and check for new features or legal changes. Updates should not be underestimated - requirements often change due to new administrative directives or industry-specific recommendations. You can also find out more about this in our guide to legal requirements and best practices.
The sustainability of an email archiving solution is ultimately determined by how well it can be adapted to growing and changing business requirements. Companies that expand or change their business area may need to define new categories and archive classes. Integration into other systems (e.g. ERP, CRM) can also grow and should be included in the planning at an early stage. As email archiving is often used in conjunction with other data backup strategies, it is advisable to create an overall concept that provides a sufficient buffer for future developments.
Long-term archiving also requires an awareness of data protection regulations, which can change over time. One example is the retention of data of former employees, especially in contexts with GDPR-relevant information. Here, the company must weigh up which data must continue to be stored and which can or should be deleted.
The importance of metadata is also underestimated: many archiving systems allow additional information to be stored, such as keywords or customer IDs. If such fields are consistently maintained, the archive can become a powerful knowledge pool in which historical project processes or customer communication can be found much more easily. This not only guarantees legal certainty, but also provides real added value in day-to-day business.
Final considerations
Those who deal with email archiving comprehensively and in good time will save costs and reduce risks in the long term. Incomplete or unstructured archiving can be very expensive in an emergency - be it through fines, lost legal proceedings or damaged customer relationships due to untraceable communication. With clear guidelines, a well-chosen software solution and regular checks, companies create a stable foundation for the professional handling of their email data.