What’s the most commonly deleted data users want to get back? Their email. What can you do to make that more likely? Recovery tools, archiving, snapshots, and off-site backup are all key, but it starts with the right policy.
There are plenty of things you need to protect your mail server against – from hackers, to insecure devices connection, to physical damage to your data center – which includes freak accidents, like the air conditioning unit that recently went wrong in the Glasgow City Council data center, setting off the fire suppression system that in turn discharged over the mail server, shutting off the email systems for one of the UK’s largest councils for nearly a week. But, you also need to protect the email messages on the server from users, who delete them and then ask you to get them back.
Retrieving deleted emails and mailboxes is the number one request most IT admins get from their users (ahead of disaster recovery and missing data). In one survey done by Kroll Ontrack, 61% of the admins they talked to said they were asked to find a message that had been deleted five times a month (and another 11% had to get deleted messages back ten times a month). Sometimes, the request was because of an internal investigation, which is why you need to have good retention and hold policies that you can turn on as soon an investigation starts; choose between keeping everything until eDiscovery is complete, preserving messages that match specific queries or using time-based holds to make sure you protect messages for a specific length of time.
But most of the time, it was because the user had accidentally deleted the message or attachment. Those mistakes happen across the business – legal departments, IT security, and sales and marketing were the top three offenders in the survey.
Cloud mail services certainly avoid the problems of failure and damage in your own data center and might reduce how many messages get deleted in the first place. The cost of storage (and the cost of mail admin time to upgrade storage in a mail server) has kept mail quotas unrealistically low for many years; users got in the habit of deleting email regularly just to make room for new messages. A 50GB mailbox quota means users can take their finger off the delete key, and tools like the Focused Inbox in Outlook apps for iOS and Android or Clutter in Office 365 that push important messages up the list make it less likely they’ll delete less important messages just to find what matters more easily.
You still need to be able to retrieve messages they have deleted.
If they only just deleted the message, it might still be in the Outlook Deleted Items folder. Since early 2015, Office 365 has kept mail in the Deleted Items folder indefinitely rather auto-deleting them after 30 days (https://blogs.office.com/2015/02/20/extended-email-retention-deleted-items-office-365/). If a user emptied their Deleted Items, send the user to the Folder tab in their Outlook client; the Recover Deleted Items button in the ribbon will show all the messages they can get back themselves (which Microsoft rather charmingly refers to as being in the ‘dumpster’). This shows mail that’s been deleted from the Junk Mail folder as well, so warn them not to open any spam or phishing messages by mistake.
What you can see here depends on your retention policy; the usual default in recent versions of Exchange Server is 14 days, although on Office 365 those items move to the archive after 14 days rather than being permanently deleted. You can extend the time deleted mail remains recoverable, and with Exchange Server 2013 and Office 365, you can apply different retention periods to different users and even different folders using retention tags (https://technet.microsoft.com/en-us/library/dd297955(v=exchg.150).aspx).
Recovering individual messages or individual mailboxes from backup is something you should have tested already (not least because it’s a good way of being sure that the data in your backup set is valid). You haven’t actually taken a backup until you’re sure you can recover the data in it. You can’t treat a mail server as a bunch of flat files either; Exchange Server is a transactional database that needs to be backed up as an application, so make sure your backup tools support that (http://blog.enowsoftware.com/solutions-engine/the-7-deadly-sins-of-exchange-server-backups). But you don’t want to have to create a recovery server just to dig out individual messages; look for third-party tools that let you extract those from your backups more easily.
Another option is a mail archiving service, which combines the advantage of off-site backup and secondary access to mail when your mail service or cloud mail service is unavailable with self-service access to old email. Instead of asking the help desk to get a message back from them, users can go in and retrieve the message from the archive themselves. This also encourages them to treat their email as a resource; the details of how your company works with its customers and suppliers is often buried in email conversations, and making that searchable makes it easier to learn from previous issues and successes. This is part of the shift from seeing email as a temporary message store, to a repository of potentially valuable information that you can mine with data analysis tools that give you a wider view of how a business works. For day-to-day productivity, getting those specific messages back still matters, so be prepared.
Mary Branscombe is a freelance technology journalist for a wide range of sites. She has been a technology writer for more than two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the Web, and most things in between, from consumer and small business technology, to enterprise architecture and cloud services. She also dabbles in mystery fiction about the world of technology and startups. Visit www.marybranscombe.com or follow @marypcbuk on Twitter.
