Preserve Ex-Employee Mailbox: Inactive, Suspended, or Exported
Preserve ex-employee mailbox the right way: Exchange Online inactive mailboxes, Workspace suspension, PST exports, and third-party archive options compared.
Dan Okafor
MSP Practice Lead
The moment an employee leaves, their mailbox becomes a compliance object. It might be needed for a discovery request five years from now, an HR investigation next month, or a customer thread the manager opens tomorrow morning. Picking the wrong preservation path means either paying for licenses you don't need or, worse, deleting mail you were obligated to keep. This guide walks through the four real options for long-term ex-employee mailbox preservation — Microsoft 365 inactive mailboxes, Google Workspace user suspension, PST or MBOX export, and third-party archive — with the trade-offs that decide which one fits your org.
What "preserve" actually means
Preservation has three concrete properties: the mail must be findable later, the chain of custody must be defensible, and the retention period must be enforceable. Anything that doesn't deliver all three isn't preservation — it's storage.
Findability means an eDiscovery search, a Vault query, or a grep across PST files can produce the messages on demand. The slower your search, the more expensive your discovery response gets.
Chain of custody means you can prove the mail hasn't been altered since the user departed. This is why most preservation strategies use immutable storage modes — inactive mailboxes, Vault holds, write-once-read-many archives — rather than letting a manager keep the mailbox open as a shared mailbox indefinitely.
Enforceable retention means the system will delete content when the retention period expires and won't delete it before. Both directions matter. Mail that's deleted at year three when policy says year seven is a problem. Mail that's still around at year ten when GDPR requires deletion at year seven is also a problem.
Option 1: Exchange Online inactive mailboxes
Microsoft 365's intended path for long-term ex-employee mailbox preservation. The mailbox stays in Exchange Online indefinitely, doesn't need a license, and is searchable through eDiscovery.
When it works
The org runs on Microsoft 365. The user had an Exchange Online Plan 2 or equivalent license (E3, E5, Business Premium). You want the mail searchable without restoring it. You can tolerate the cost of Exchange Online as your archive platform.
How it works
Before you delete the user's account, you place a hold on the mailbox. The hold can be a litigation hold, an in-place hold (legacy), or a retention policy that covers the user. Once the hold is in place, when you delete the user account, Exchange retains the mailbox indefinitely as an inactive mailbox.
The mailbox doesn't appear in the regular Exchange admin center. It shows up in the compliance center under inactive mailboxes. It can be searched, exported, or restored back onto a licensed user.
The critical ordering rule
The hold must be in place before the user is deleted. If you delete first and then try to apply a hold, the mailbox is soft-deleted and disappears after 30 days. You can recover it within that window, but only if you act in time.
The safe pattern: apply litigation hold the day before offboarding, then proceed with the rest of the runbook. The offboarding mailbox archive runbook covers the full sequence.
Holds before deletion, every time
The single most common mistake with inactive mailboxes: delete the user first, then realize you needed to keep the mail. By then the mailbox is in 30-day soft-delete. Build the hold check into your offboarding ticket as a required step, and don't let the script proceed without it.
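One way to build that required step into an offboarding script, as an added example (not code from this guide or from Microsoft). It assumes the ExchangeOnlineManagement module with an open Connect-ExchangeOnline session; the function names and the sample address are hypothetical.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an open
# Connect-ExchangeOnline session. Assert-MailboxHeld and Get-DepartedMailboxState
# are hypothetical helper names; the address in the usage lines is constructed.
function Assert-MailboxHeld {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$ApplyLitigationHold   # place the hold if missing, then still stop
    )
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

    # InPlaceHolds lists holds and retention policies scoped to this mailbox.
    # Entries starting with "-" are exclusions from an org-wide policy, not holds.
    # Org-wide policies appear on Get-OrganizationConfig and are not counted here.
    $scoped = @($mbx.InPlaceHolds | Where-Object { $_ -and $_ -notlike '-*' })

    if (-not ($mbx.LitigationHoldEnabled -or ($scoped.Count -gt 0))) {
        if ($ApplyLitigationHold) {
            Set-Mailbox -Identity $Identity -LitigationHoldEnabled $true
        }
        throw "No hold on $Identity. Stop the runbook; do not delete the account."
    }
    [pscustomobject]@{
        Mailbox        = $mbx.UserPrincipalName
        LitigationHold = $mbx.LitigationHoldEnabled
        ScopedHolds    = $scoped
    }
}

# After the account is deleted, confirm which state the mailbox landed in.
# -SoftDeletedMailbox returns inactive and soft-deleted mailboxes alike.
function Get-DepartedMailboxState {
    param([Parameter(Mandatory)][string]$Identity)
    $found = @(Get-Mailbox -SoftDeletedMailbox -Identity $Identity -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) { return 'NotFound' }
    # Any match that is not inactive is on the 30-day soft-delete clock.
    if ($found | Where-Object { -not $_.IsInactiveMailbox }) { 'SoftDeleted' } else { 'Inactive' }
}

# Usage inside the offboarding script:
#   Assert-MailboxHeld -Identity 'departing.user@example.com'   # throws if unheld
#   ... delete the account ...
#   Get-DepartedMailboxState -Identity 'departing.user@example.com'
```

A result of SoftDeleted from the second function means the hold was missed and the recovery window is already running.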
Restoring an inactive mailbox
If a manager later needs interactive access — because they're following up on a thread, or HR wants to read context for an investigation — you restore the mailbox onto a new user. The new user gets a license. The original SMTP can be reattached, or you can keep it separate and let the manager access it as a delegate.
Restoration is one-way in the sense that once restored, the mailbox is no longer "inactive." If you want it back in inactive state, you delete the new user (which puts it back to inactive, assuming the hold is still in place).
Costs and limits
Inactive mailboxes are free in the sense that they don't consume a license. They do consume Exchange storage, which scales by tenant size. For organizations with thousands of departed employees, the cumulative storage isn't negligible but is rarely a meaningful budget item.
Search performance on inactive mailboxes is slower than on active mailboxes for eDiscovery purposes, and bulk export can take hours for very large mailboxes.
Option 2: Google Workspace user suspension
The Workspace equivalent of an inactive mailbox is a suspended user. Suspended users can't sign in, but their mail, Drive content, and Calendar persist and remain searchable through Vault.
When it works
The org runs on Google Workspace. The user was on a plan that includes Vault (Business Plus, Enterprise Standard, Enterprise Plus). You want the mail searchable through Vault for as long as your policy requires.
How it works
You suspend the user in the admin console. The user can't sign in. Mail continues to be receivable if you keep their address active (typically as an alias on a shared mailbox or with forwarding configured). The mailbox content is preserved subject to your Vault retention rules.
Vault holds can be applied at the org level or scoped to individual users. A user-level hold preserves their content indefinitely regardless of the default retention policy.
The licensing question
Suspended Workspace users count against billing in most plan tiers. This is the biggest practical difference from Microsoft 365's inactive mailboxes. Some editions and reseller agreements treat suspended users differently — check your contract.
Workarounds for the cost include downgrading suspended users to a cheaper Workspace plan (where allowed by your contract) or exporting and deleting the user after the immediate-access period ends, relying on the export as the archive.
Vault retention vs Vault holds
Two different mechanisms:
Vault retention rules are policies that determine how long content is preserved by default. They apply to all users matching the policy and enforce both minimum retention and maximum retention.
Vault holds override retention rules and preserve content indefinitely regardless of policy. Holds are applied for specific legal or investigatory reasons.
For ex-employees, the typical setup is a retention rule covering the org's policy (e.g., 7 years for finance staff) plus per-user holds for anyone under litigation or investigation.
Option 3: Export to PST, MBOX, or EML
Sometimes you don't want to keep paying your mail provider to store ex-employee data. Export the mailbox to a file format and stash it on cheaper storage.
When it works
Long-tail retention where interactive search is rare. Cost-sensitive environments. Off-platform archive strategy where mail is stored alongside other corporate records. Regulatory requirements that mandate independent archival.
Format choice
PST is the Microsoft 365 native export. Outlook opens it. eDiscovery can produce PSTs. Most archive systems ingest PST. Best for Microsoft-shop orgs that may need to re-open mail in Outlook later.
MBOX is the Google Workspace native export, produced by Takeout or Vault. Plaintext, well-understood by every Unix mail tool. Best for Workspace orgs and for any org with a Linux-centric IT stack.
EML is the maximally portable format — one file per message. Any mail client can open an individual EML. Bulk handling is awkward because mailboxes produce hundreds of thousands of files.
The PST, MBOX, EML migration guide covers the trade-offs and conversion paths in depth.
Export mechanics
For Microsoft 365: Compliance Search produces a PST export of any mailbox content, including inactive mailboxes. The export download tool runs on a Windows machine and pulls the data over a few hours for a typical mailbox.
For Google Workspace: Vault export produces MBOX (mail) and other formats for Drive and Chat. Export goes to Google Cloud Storage initially and can be downloaded from there.
For both: third-party migration tools, including Mailbox Taxi for IMAP-accessible sources, can produce EML or MBOX exports running locally on the IT admin's machine. The desktop-first approach matters when you want the data to never traverse a third-party cloud.
Storage of exports
Once you have PST or MBOX files, where do they live? Options ranked by typical cost and access pattern:
- On-premises NAS, encrypted at rest: Cheap, fully controlled, no recurring fees, but you operate the infrastructure
- Cloud object storage with object lock (S3, Azure Blob): Cheap, scalable, immutable when configured correctly, requires retrieval and re-mounting for search
- Dedicated archive system (Veritas Enterprise Vault, Mimecast, Proofpoint): Higher recurring cost but provides search UI and chain-of-custody documentation
- The IT manager's external hard drive: Don't
Storage of exported PSTs is where chain-of-custody often breaks. Build a logging layer that records every read or copy of an archive file, and back it with object lock or filesystem ACLs that prevent modification.
Heads up
PST files held on shared network drives accumulate quietly over years. By the time you discover the situation, you might have a terabyte of mail in PSTs that nobody can prove are unmodified. Build the export pipeline to write to immutable storage from day one.
Option 4: Third-party archive systems
Dedicated email archive products provide preservation, search, and compliance reporting as a service. They sit alongside your mail provider and ingest a stream of every message sent and received, with separate retention and discovery workflows.
When it works
Highly regulated industries (financial services, healthcare, legal). Organizations with hundreds or thousands of ex-employees where mailbox-level preservation gets expensive. Multi-platform environments where you have mail in both Microsoft 365 and Google Workspace and want one search experience.
Common products
The category includes Mimecast, Veritas Enterprise Vault, Proofpoint Archive, Smarsh, Global Relay, and several others. They differ in cloud-vs-on-prem deployment, search UI, ingestion mechanics, and integration with eDiscovery workflows.
How they integrate
Most archive systems ingest mail via journaling — your mail provider is configured to send a copy of every message to a journaling mailbox or directly to the archive system. The archive system stores immutably and provides its own search and retention controls. Ex-employee mail is preserved automatically because it was already ingested while the user was active.
When the user departs, you mark their identity in the archive system as departed. The mail stays searchable indefinitely or until retention policy expires.
Trade-offs
Archive systems add a recurring per-user cost on top of your mail subscription. The benefit is unified preservation across multiple mail platforms, faster search at scale, and a chain-of-custody story that often satisfies regulators more easily than tenant-native tools. For orgs that already have legal hold and discovery as a regular operational activity, the math usually favors a dedicated archive. For smaller orgs with rare discovery events, tenant-native preservation is enough.
Retention policy: the choice that governs everything
The technical choice between inactive mailbox, suspension, export, and archive is downstream of your retention policy. Write the policy first, then pick tools that implement it.
A workable retention policy specifies:
- Retention period by employee role and department
- Mandatory hold triggers (litigation, regulatory inquiry, internal investigation)
- Deletion criteria when retention expires
- Access procedures for active retention periods
- Exception handling for international transfers (GDPR, similar regional rules)
- Audit logging requirements
The email migration compliance guide covers the regulatory and policy framework. For EU-relevant data, the GDPR email migration guide covers the additional obligations around data minimization, storage limitation, and the right to erasure as they apply to ex-employee mail.
Audit logging: prove what you preserved and what you deleted
Preservation systems are only credible if you can show, after the fact, that they did what they were supposed to do. Audit logging is the evidence layer.
What to log:
- Every preservation action: hold applied, mailbox marked inactive, user suspended, export performed
- Every access: who opened the inactive mailbox, who searched Vault, who downloaded the PST
- Every deletion: when retention expired, what was deleted, what review confirmed the deletion was permitted
- Every policy change: who changed the retention policy, when, with what approval
Microsoft 365 unified audit log captures most of this for tenant-native actions. Google Workspace audit log captures the equivalent. Third-party archive systems have their own audit subsystems. For exported PST files on filesystem storage, you build the logging layer yourself or use a storage system that provides immutable access logging.
The email migration audit log guide walks through what to log and how to make those logs hold up to external review.
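For exported PST or MBOX files on filesystem storage, the logging layer called for here and in the section on storage of exports can be sketched as a hash-chained custody log. This is an added example, not code from this guide or any product; the function names, record fields and paths are hypothetical choices.

```powershell
# Added example. Function names, record fields and paths are hypothetical choices.
function Get-StringSha256([string]$Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally { $sha.Dispose() }
}

# Append one record per export, read or copy of an archive file.
function Add-CustodyRecord {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][ValidateSet('export', 'read', 'copy')][string]$Action,
        [Parameter(Mandatory)][string]$LogPath,
        [string]$Actor = [Environment]::UserName
    )
    $prev = if (Test-Path $LogPath) { Get-Content $LogPath -Tail 1 } else { '' }
    $record = [ordered]@{
        time     = (Get-Date).ToUniversalTime().ToString('o')
        actor    = $Actor
        action   = $Action
        file     = (Resolve-Path $ArchivePath).Path
        sha256   = (Get-FileHash -Path $ArchivePath -Algorithm SHA256).Hash
        prevHash = Get-StringSha256 $prev   # chains this line to the previous one
    }
    Add-Content -Path $LogPath -Value ($record | ConvertTo-Json -Compress) -Encoding UTF8
}

# Returns $false if a log line was edited or removed, or an archive no longer
# matches a recorded hash. Truncating the tail is not detectable from the log
# alone, so the log itself belongs on object-lock or ACL-protected storage.
function Test-CustodyLog {
    param([Parameter(Mandatory)][string]$LogPath)
    $prev = ''
    foreach ($line in Get-Content $LogPath) {
        $rec = $line | ConvertFrom-Json
        if ($rec.prevHash -ne (Get-StringSha256 $prev)) { return $false }
        if (-not (Test-Path -LiteralPath $rec.file)) { return $false }
        $current = (Get-FileHash -LiteralPath $rec.file -Algorithm SHA256).Hash
        if ($rec.sha256 -ne $current) { return $false }
        $prev = $line
    }
    return $true
}
```

Call Add-CustodyRecord with the export action when the file is first written, then with read or copy from whatever wrapper staff use to retrieve archives, and run Test-CustodyLog on a schedule.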
A decision framework
When deciding which option fits a given departure, walk through this sequence:
- Is there an active or anticipated litigation hold? If yes, choose the option that supports immutable preservation indefinitely — inactive mailbox with hold, suspended user with Vault hold, or third-party archive. Skip exports unless they're additive.
- What's the retention period? Under 12 months means tenant-native preservation is fine. 7 years or more starts to favor exports or archive systems on cost grounds.
- How often will the mailbox be searched? Frequent search favors tenant-native options. Rare search favors exports.
- Is there a multi-platform requirement? If you have Microsoft 365 and Workspace and need unified search, third-party archive wins. Otherwise, native tools are cheaper.
- What's the budget reality? Inactive mailboxes are effectively free in Microsoft 365. Suspended users cost money in Workspace. Archive systems cost money everywhere. Export-and-store is cheap but operationally expensive.
Most mid-sized organizations end up with a mix: tenant-native preservation for the first 12 to 24 months, then export to cold storage for long-tail retention. Larger organizations or regulated industries lean toward archive systems for unified compliance posture.
What changes in the next five years
The preservation landscape is stable in the short term — the options above will still be the options two years from now. The longer-term shifts to watch:
- Tenant-native preservation features continue to improve, reducing the gap with third-party archive on search and chain-of-custody
- Object-lock storage on AWS, Azure, and GCP makes DIY archive cheaper and more defensible
- Regulatory pressure (GDPR, state privacy laws, sector-specific rules) is pushing toward shorter retention by default with explicit justification for longer
The strategy that ages best: pick whichever option implements your current retention policy with the lowest operational burden, document the choice, and revisit it every two years. Don't lock in to a vendor or a tenant feature you can't migrate off later.
Related reading
- Employee Offboarding Mailbox Archive: Day-of-Departure Runbook. Employee offboarding mailbox archive runbook: license revocation, shared/inactive conversion, PST or MBOX export, delegated access, and retention windows.
- PST, MBOX, and EML File Migration Guide. How to plan a PST MBOX EML migration: format differences, size limits, corruption recovery, and clean import paths into Gmail, Microsoft 365, and Outlook.
- Email Migration Compliance: HIPAA, GDPR and SOC 2. Email migration compliance guide for HIPAA, GDPR and SOC 2: encryption, chain of custody, BAAs, data residency, and audit evidence that holds up.
- GDPR Email Migration: Article 28, DPIAs, and Data Residency. A GDPR email migration guide covering Article 28 processor duties, lawful basis, DPIAs, EU data residency, and right-to-erasure during cut-over.
- Email Migration Audit Log: What to Capture and Keep. A practical guide to the email migration audit log: what to record per-message, per-mailbox, and per-batch, retention, formats auditors accept, and reports.