Email is among the most voluminous and legally consequential record types an organization produces, and encryption is now woven through nearly every stage of its existence. Messages are encrypted in transit between mail servers, encrypted at rest in mailboxes and archives, and increasingly encrypted end-to-end so that only the sender and recipient can read the content. Each of these protections serves a legitimate security and privacy purpose, yet each also changes what it means to capture, preserve, and trust an email as a record. Records professionals must therefore understand encryption not as a single feature but as a set of distinct mechanisms with very different implications for record integrity.
Record integrity, in the recordkeeping sense, means that a record remains complete, unaltered, and demonstrably what it purports to be over its full retention period. Encryption interacts with integrity in two opposite directions. Used well, cryptographic techniques can prove integrity by detecting tampering and binding a message to its author. Used carelessly, encryption can defeat integrity by rendering a record unreadable, uncapturable, or impossible to authenticate years after the keys that protected it have been lost. Sound email recordkeeping depends on telling these cases apart.
Encryption in Transit, at Rest, and End-to-End
Transport encryption (such as TLS between mail servers) protects messages while they move across networks but leaves them readable once delivered. It has little direct effect on recordkeeping because the message arrives in plain form at the mailbox where capture occurs. Encryption at rest protects stored mailboxes and archives from unauthorized access to the underlying storage; because the mail system itself holds the keys, authorized recordkeeping processes can still read, index, and export the records. The challenging case is end-to-end encryption, where only the communicating parties hold the decryption keys. Here the mail server, the archive, and any centralized capture tool see only ciphertext. A message that cannot be read by the recordkeeping system cannot be reliably classified, searched, reviewed for disclosure, or migrated, and it may be effectively lost the moment a key is rotated or an employee departs.
How Cryptography Strengthens Integrity
The same technologies that obscure content can also protect it. Digital signatures and cryptographic hashes let an organization prove that an email has not been altered since a known point in time. A hash value computed at the moment of capture acts as a fixity check: if even one byte of the stored message changes, the recomputed hash will differ, signaling corruption or tampering. Digital signatures go further by binding a message to a verifiable identity, supporting non-repudiation. These mechanisms align closely with the recordkeeping characteristics emphasized in standards such as ISO 15489 — authenticity, reliability, integrity, and usability — and they are well suited to demonstrating the trustworthiness of records over time.
Capturing Encrypted Email Without Losing the Record
The governing principle is to capture the email as a usable record at the point where it is legitimately readable, before it leaves the organization’s control. Common, defensible approaches include:
- Decrypt-on-capture into a managed repository, so the authoritative record is stored in a readable, preservation-friendly form while access controls protect it.
- Key escrow or organizational key management, ensuring that the enterprise — not only an individual employee — retains the ability to decrypt records it is obligated to keep.
- Policy limits on personal or unmanaged encryption for messages that constitute records, so employees cannot unilaterally place official records beyond the organization’s reach.
- Preserving signature and verification metadata alongside the message, so that integrity and authorship can still be demonstrated after capture.
The aim is not to weaken security but to reconcile it with the duty to maintain complete and accessible records. Encryption should protect records from unauthorized parties, not from the organization’s own lawful recordkeeping obligations.
Long-Term Preservation and the Key-Loss Problem
Encryption is fundamentally hostile to long-term preservation when keys are not managed for the full retention period. Cryptographic keys expire, algorithms are deprecated, and people leave; an encrypted message whose key is gone is indistinguishable from random data. Because many email records carry multi-year or permanent retention, the durable practice is to preserve the decrypted content as the record of authority, while retaining hashes or signatures as evidence of integrity. This mirrors broader digital preservation guidance, which stresses keeping content in stable, well-documented, openly readable formats and avoiding dependencies that will not survive technology change. An encrypted blob locked to an obsolete key is the opposite of a preservable record.
Standards, Requirements, and the Shift Away from DoD 5015.2
Functional requirements for electronic recordkeeping increasingly treat capture, integrity, and accessibility of encrypted communications as core concerns. Notably, the National Archives revoked its endorsement of the DoD 5015.2 standard in 2022, shifting toward the technology-neutral Universal Electronic Records Management (ERM) Requirements developed through the Federal Electronic Records Modernization Initiative (FERMI). This reflects a broader move away from certifying specific products toward stating outcomes a system must achieve — including reliably capturing email records and maintaining their integrity, authenticity, and usability over time, regardless of how they were transmitted or secured. International standards reinforce the same expectations: records must remain authentic, reliable, and usable for as long as they are required.
Practical Guidance for Records Programs
Treat encryption as a recordkeeping design decision, not just a security setting. Coordinate early with information security and IT so that capture and preservation are built into the email and encryption architecture rather than retrofitted after records become unreadable. Document where in the message flow records are captured, how keys are managed across the retention period, and how integrity will be demonstrated if a record is later challenged in litigation or a disclosure request. Most importantly, ensure that no encryption choice quietly removes records from the organization’s lawful control. For related guidance on capturing and governing messaging records, see the email and messaging topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- ISO 15489-1 Records management — ISO
- Digital preservation (Library of Congress) — Library of Congress
How to cite this page
APA
RM University Editorial Team. (2026). Encryption and Email Record Integrity. Records Management University. https://www.recordsmgmt.org/articles/encryption-and-email-record-integrity/
MLA
RM University Editorial Team. "Encryption and Email Record Integrity." Records Management University, 16 June 2026, www.recordsmgmt.org/articles/encryption-and-email-record-integrity/.