Email & Messaging Records
Treating email, chat, and text as records: the Capstone approach, messaging-app capture, and litigation-ready management.
Few categories of records have grown as explosively, or proven as legally consequential, as the messages people exchange every day. Email, instant messaging, text, and the conversational streams inside collaboration platforms have become the connective tissue of how organizations decide, direct, and document their work. Yet these same communications are deceptively easy to treat as ephemeral chatter rather than what they often legally are: federal, corporate, or public records subject to retention schedules, discovery obligations, and oversight. The discipline of managing email and messaging records is the practice of recognizing that a record’s status depends on its content and function, not on the channel it traveled through, and then capturing, retaining, and disposing of those communications in a defensible, consistent way.
This matters because messaging sits at the intersection of three pressures that rarely align cleanly: staggering volume, informal user behavior, and high legal stakes. A single employee may generate thousands of messages a week across half a dozen tools, most of them transitory, a meaningful minority of them substantive records that must survive for years. Getting the distinction right — and proving you got it right — is the central challenge this topic addresses.
What Counts as a Record, Regardless of Channel
The foundational principle is channel neutrality. A communication is a record when it documents an organization’s activities, decisions, transactions, or obligations, whether it arrives as a formal memo, a one-line email, a chat thread, or a text message. Courts and oversight bodies have repeatedly affirmed that the medium does not exempt content from recordkeeping duties. This means a policy decision hashed out over a messaging app carries the same legal weight as one captured in a signed letter.
The practical difficulty is that messaging blends record and non-record material indiscriminately. The same inbox holds a binding contract approval next to a lunch invitation; the same chat channel mixes a documented project decision with idle banter. Effective management therefore depends less on capturing everything than on applying judgment — supported by policy and technology — to identify what has lasting value while letting genuinely transitory material expire on schedule.
The Capstone Approach to Email
Because email volume defeats traditional message-by-message classification, many organizations — and the U.S. federal government in particular — have adopted what is known as the Capstone approach. Rather than asking every employee to file each email against a retention schedule, Capstone bases retention primarily on the role and seniority of the account holder. The accounts of senior officials whose work shapes policy and major decisions are designated as permanent or long-term records and preserved largely in their entirety, while the email of most staff is retained for a shorter, fixed period and then disposed of.
This role-based model trades granular accuracy for scalability and consistency. It accepts that a senior leader’s inbox will contain some non-record clutter in exchange for reliably capturing the high-value correspondence that matters most for accountability and history. Capstone has become a widely cited template precisely because it makes email retention administrable at scale, and understanding its logic — and its limits — is essential to any modern email program.
Retention, Archiving, and the Lifecycle
Managing messaging records means situating them within the full records lifecycle: creation, active use, maintenance, retention, and ultimately either destruction or permanent preservation. Two related but distinct concerns frequently get conflated here, and separating them is important.
- Email retention strategies govern how long messages are kept and when they are dispositioned, driven by retention schedules tied to the business function the messages document. Retention is fundamentally about compliance and disposition.
- Email archiving is a storage and access technique — moving older messages into a searchable, tamper-evident repository. Archiving supports retention but is not the same thing; an archive that keeps everything forever without disposition authority can itself become a liability.
Good practice aligns the two: archiving preserves messages for as long as their retention requires, applies legal holds that suspend disposition during litigation or investigation, and then permits defensible deletion once obligations lapse. Indefinite retention “to be safe” is increasingly recognized as a risk, not a virtue, because it expands the surface area for discovery, breach, and cost.
Text Messages, Off-Channel Communication, and Personal Devices
The hardest frontier is everything that happens outside the managed email server. Text messages exchanged on mobile phones, conversations on consumer messaging apps, and ephemeral or auto-deleting chats all carry record potential yet routinely evade capture. Regulators have treated failures to preserve such “off-channel” communications as serious compliance breaches, and the use of disappearing-message features in a business context has drawn particular scrutiny because it can frustrate both retention duties and discovery.
Closely tied to this is the bring-your-own-device, or BYOD, question. When employees conduct business on personal phones, the organization faces a genuine tension between its recordkeeping and discovery obligations and the individual’s privacy. Sound programs resolve this through clear policy: defining approved channels for official business, requiring that records created on personal devices be captured into official systems, and establishing the organization’s right to preserve and produce relevant content while respecting personal data. The recurring lesson is that prohibiting a channel on paper does not make its records disappear — it only makes them harder to manage when they inevitably surface.
Social Media and Collaboration Platforms
Messaging now extends well beyond one-to-one exchange into social media posts, comments, and the dynamic, multi-author content of collaboration suites. These present novel recordkeeping problems: content is often interactive, frequently edited, embedded with links and attachments, and hosted on third-party platforms the organization does not control. Capturing a social media record may require preserving not just text but context — timestamps, threading, reactions, and the state of a post at a given moment. The same principle holds throughout: if the content documents organizational business, it is a record, and the program must find a way to capture it authentically.
Governing Authorities and Standards
The legal scaffolding for messaging records draws on records statutes and freedom-of-information regimes that define what constitutes a record and impose preservation duties; on litigation rules governing the preservation and production of electronically stored information; and on sector-specific regulations, especially in regulated industries where communications must be retained and supervised. For electronic recordkeeping more broadly, the standards landscape has shifted. The long-dominant DoD 5015.2 design criteria lost their status as the federal benchmark when the National Archives and Records Administration revoked its endorsement of that standard in 2022, redirecting attention toward the Universal Electronic Records Management Requirements and the Federal Electronic Records Modernization Initiative. These newer frameworks are intended to be technology-neutral and outcome-focused, emphasizing what an electronic records system must accomplish rather than prescribing a single product certification.
Common Pitfalls and Good Practice
The failures in this domain are remarkably consistent: treating messaging as too trivial to govern, allowing unsanctioned channels to flourish, retaining everything indefinitely out of caution, and lacking the technical means to capture messages in their original context. The countermeasures are equally well understood — clear and channel-neutral policy, employee training that explains why a casual chat can be a record, automated capture wherever feasible, disciplined retention with defensible disposition, and reliable legal-hold mechanisms. Above all, defensibility comes from consistency: a documented, routinely followed process withstands scrutiny far better than heroic after-the-fact reconstruction.
Looking ahead, the trajectory points toward capture that is increasingly automated and embedded directly into the communication tools themselves, with classification and retention decisions assisted by machine learning rather than left entirely to individual judgment. As organizations adopt ever more conversational platforms, the enduring task will remain what it has always been — recognizing that a record is defined by what it says and does, not by where it was sent — and building programs disciplined enough to honor that principle at the speed and scale of modern communication.
Articles in Email
Capturing Chat from Collaboration Platforms
How to identify, preserve, and manage chat and channel messages from collaboration platforms as federal and organizational records.
Disappearing and Ephemeral Messaging Apps
How records management principles apply to disappearing and ephemeral messaging apps, where auto-deletion collides with retention, FOIA, and litigation duties.
Email Journaling vs. Mailbox Capture
A practical comparison of email journaling and mailbox capture as methods for preserving messages as records, with their tradeoffs and governance implications.
Encryption and Email Record Integrity
How encryption protects and complicates email records, and how to preserve integrity, accessibility, and authenticity across an email record's full lifecycle.
Migrating Legacy Email Archives
A principle-based guide to planning, executing, and validating the migration of legacy email archives while preserving recordkeeping integrity.
Mobile Messaging and Recordkeeping Policy
How organizations govern text messages, chat, and other mobile messaging as records through policy, capture, retention, and legal-hold practices.
BYOD and Personal-Device Recordkeeping
When employees use personal phones for work, business records end up on devices the organization doesn't control. Here's how to manage recordkeeping in a BYOD world.
Email Archiving vs. Records Management
An email archive captures and stores messages; records management governs which are records and how long to keep them. They overlap but aren't the same — here's the difference.
Email Retention Strategies
Email is the largest source of records in most organizations — and the hardest to retain well. Here are the main strategies, from role-based Capstone to retention by content.
Managing Text Messages as Records
Text messages are records when they document business — and regulators have penalized organizations that failed to capture them. Here's how to manage texts as records.
Managing Social Media as Records
Government and organizational social media posts can be records subject to retention and disclosure. Here's why social media is a recordkeeping concern and how to capture it.
Off-Channel Communications: Lessons from Recent Enforcement
Regulators have fined firms heavily for business conducted on unmonitored texting and messaging apps. The lesson for everyone: capture business communications wherever they happen.
Managing Email as Records: The Capstone Approach
Capstone is NARA's role-based approach to email records — capturing senior officials' email as permanent and applying time-based retention to the rest. Here's how it works.
Common questions
- Are emails between teachers and parents considered education records under FERPA?
- Are emails in my Sent folder and Inbox both records, or just one copy?
- Are emails on my personal phone discoverable in a lawsuit?
- Are ephemeral or disappearing messages legal to use for work, or do they violate recordkeeping rules?
- Are text messages and chat business records?
- Can a company be sanctioned for failing to preserve employee text messages during litigation?
- Can an EU employee's GDPR right-to-erasure request force deletion of a work email that US litigation or FOIA rules require us to keep?
- Can blockchain or immutable ledgers prove our email and chat records have not been altered?
- Can I delete an email after I forward it to a coworker or our records system, assuming they now have the official copy?
- Can I delete spam and newsletters from my work inbox without breaking records rules?
- Can I just rely on my company's email backup tapes as our official email archive, or do backups not count as records retention?
- Can I use personal email for work?
- Do disappearing or auto-delete messages violate records laws?
- Do HIPAA rules require a hospital to keep emails and texts that contain patient health information?
- Do I have to keep email attachments separately from the email itself?