Is Microsoft 365 / Exchange Online GoBD-compliant?
In short: Exchange Online stores your email, but it does not make your mailbox GoBD-compliant on its own. The built-in tools cover individual requirements, yet they do not enforce the tamper-proof immutability the rules demand. Here is what you actually need and how to solve it cleanly.
Published on June 25, 2026 · Daniel Gläser

What the GoBD require
The GoBD are Germany's principles for the proper keeping and retention of books, records and documents in electronic form. They are not a separate law but a binding administrative directive from the Federal Ministry of Finance (the governing BMF letter dates from 28 November 2019 and has been amended several times since).
At their core are a few principles: traceability and verifiability, completeness, accuracy, timely recording, order and, above all, immutability. Records subject to retention must be available at all times throughout the period, readable without delay, machine-evaluable and identical in content to the original (Section 147(2) of the German Fiscal Code). The tax authorities have a right of access (Section 147(6)).
Does this apply to my small business?
Yes. The retention obligations apply to all taxpayers required to keep books and records, regardless of size, including SMEs and sole proprietors.
Which emails you have to keep
Not every message belongs in the archive. Subject to retention are emails that are relevant under tax or commercial law, in particular those that function as a commercial or business letter or as an accounting document.
- Quotes, order confirmations, invoices and contracts by email: must be kept.
- Newsletters, pure scheduling messages or private notes: usually not.
- If an email is merely the carrier for an attachment subject to retention (an invoice PDF, for example) and contains no further relevant information itself, keeping the attachment is enough.
In day-to-day operations this distinction is almost impossible to make reliably. That is why most companies, for good reason, archive their entire email traffic completely and automatically rather than leaving the call to individual employees.
For how long? The retention periods
- 10 years: books, records, inventories, annual financial statements (Section 147(3) Fiscal Code, Section 257(4) Commercial Code).
- 8 years: accounting documents. This period was shortened from 10 to 8 years by the Fourth Bureaucracy Relief Act and has applied since 1 January 2025 to all documents whose period had not yet expired at the end of 2024.
- 6 years: received and sent commercial and business letters and other tax-relevant documents.
A common misconception
The reduction to 8 years did not come from the Growth Opportunities Act but from the Fourth Bureaucracy Relief Act. And it only affects accounting documents: books, financial statements and inventories remain at 10 years.
Is Microsoft 365 / Exchange Online enough for this?
Exchange Online stores email reliably and does include compliance features: an online archive, retention policies via Microsoft Purview, Litigation Hold and journaling. These cover individual GoBD goals. They do not, however, add up to complete, automatic GoBD compliance.
Where the built-in tools reach their limits
- An Exchange Online mailbox cannot be designated as a journaling mailbox. Journal reports must go to an on-premises system or a third-party archiving service (Microsoft Learn).
- Microsoft itself calls journaling a legacy feature and recommends in-place retention via Microsoft 365 Retention instead.
- Litigation Hold and retention policies can be disabled or removed again by administrators with the right permissions via PowerShell. After removal only a 30-day delay hold applies, after which items marked for deletion are permanently removed.
- With journaling, monitoring non-delivery reports is your responsibility. Rejected journal reports can be lost and cannot be recovered.
The decisive point: with the built-in tools, immutability is not enforced systemically but remains administratively controllable. Yet that is exactly the heart of the GoBD.
There is no state GoBD certification
Neither Microsoft 365 nor any other product is 'GoBD-certified by the tax office'. A state GoBD certification does not exist. Nor is any specific technology (such as WORM storage) legally required.
What tamper-proof archiving has to deliver
- Complete, automatic capture of the relevant email traffic, ideally before anyone can delete anything.
- Immutability, secured through technical and organisational measures.
- Availability, readability and machine-evaluability across the entire retention period.
- Procedural documentation that describes how archiving works. At its core, GoBD is also a process topic, not just a software question.
A proven solution: central archiving with MailStore
For Microsoft 365 and Exchange I use MailStore Server (MailStore Software GmbH, part of OpenText since December 2019). The software stores complete, exact copies of all emails in a central archive and connects Exchange, Microsoft 365 and Google Workspace via journaling or mailbox archiving. Access stays the way users know it, through the familiar folder structure, full-text search or directly from Outlook.
MailStore backs tamper protection technically with SHA hash values of the email content and internal AES256 encryption. With Legal Hold enabled, no emails can be deleted from the archive regardless of any other settings. Administrator activity is logged, and a dedicated auditor access lets you give reviewers read access without write rights. MailStore Server is also regularly examined by an independent IT auditor against the IDW PS 880 standard.
Honest stays honest
MailStore itself puts it cautiously: a professional archiving solution can help meet the GoBD requirements for email data. Compliance also depends on your procedural documentation and your organisational processes. The software is half the job, the process is the other half.
Whether it runs on-premises (you keep everything in house) or as a hosted variant depends on your size and requirements. Both are possible, and I will discuss both honestly with you up front.
Sources
- § 147 AO, Ordnungsvorschriften für die Aufbewahrung (gesetze-im-internet.de)
- § 257 HGB, Aufbewahrung von Unterlagen (gesetze-im-internet.de)
- BMF: Änderung der GoBD (Stand 2024)
- Viertes Bürokratieentlastungsgesetz (BGBl. 2024 Nr. 323)
- Microsoft Learn: Journaling in Exchange Online
- Microsoft Learn: Litigation holds
- MailStore: E-Mail-Archivierung und GoBD
- MailStore: Rechtssicherheit (IDW PS 880, SHA/AES256)
This article is carefully researched guidance, not legal or tax advice. For binding information, please consult your tax advisor or lawyer.
Frequently asked questions
Is Microsoft 365 / Exchange Online GoBD-compliant?+
Exchange Online stores email and includes compliance features, but on its own it is not automatically GoBD-compliant. Immutability remains administratively controllable (holds and policies can be removed via PowerShell). Tamper-proof archiving requires additional measures.
Do I really have to archive every email?+
Only emails relevant under tax or commercial law are mandatory, for example those functioning as a commercial or business letter or an accounting document. In practice, complete automatic archiving is usually still the better choice because the case-by-case decision rarely works cleanly day to day.
How long do I have to keep emails?+
10 years for books, statements and inventories, 8 years for accounting documents (since 1 January 2025, previously 10 years) and 6 years for commercial and business letters.
Is there an official GoBD certification?+
No. A state GoBD certification does not exist, and no specific technology is mandated. Reputable solutions can, however, be attested by independent auditors, MailStore for example against IDW PS 880.
On-premises or cloud?+
Both are possible. On-premises keeps all data in house, a hosted variant takes operations off your plate. Which fits depends on size, data protection requirements and your existing IT. We clarify that in the initial call.
Email archiving that holds up to an audit
I set up tamper-proof, GoBD-compliant email archiving with MailStore for your company, including the Microsoft 365 connection and procedural documentation. From Chemnitz, on-site in Saxony and remote across Germany.

Daniel Gläser
Owner of Gläser IT-Solutions, Chemnitz
I build software and run IT infrastructure for small and medium businesses, from the first analysis to day-to-day operations. Everything here comes from real projects and is backed by sources.


