EMAIL-008 recommended Email Monitoring
Email log retention
Intentionally defined retention period (typically 2-4 weeks) for transactional and marketing logs
Question to ask
"How far back can you prove what emails you sent and to whom?"
Verification guide
Severity: Recommended
Email logs should be retained long enough to investigate issues but not indefinitely. 2 weeks to 1 month is typically sufficient.
Ask user:
- "What's your email log retention period for transactional emails?"
- "What's your email log retention period for marketing emails?"
- "Is this intentionally configured or just the provider default?"
- If outside 2-4 weeks: "What's the rationale for this retention period?"
Pass criteria:
- Retention period defined for both transactional and marketing
- Retention is an intentional decision (not "whatever the default is")
Note (not fail):
- Retention outside the 2-4 week range: just document the rationale
- Longer retention may be required for compliance
- Shorter retention may be intentional for privacy
Fail criteria:
- No defined retention policy ("I don't know" or "whatever the default is")
- Keeping logs indefinitely with no rationale (storage waste, privacy risk)
Evidence to capture:
- Retention period for transactional logs
- Retention period for marketing logs
- Whether configured intentionally or default
- Rationale if outside typical 2-4 week range