Cloud email platforms like Microsoft 365 and Google Workspace are not backup services. They retain data under their own policies, and Microsoft recommends third-party backup in its own service agreement. Accidental deletion, ransomware, account closure and insider threats can all cause permanent data loss. The most reliable protection is exporting your email archives to a format you own and control: PST, MBOX or EML files stored outside the cloud provider. Univik’s converter tools handle this export directly on Windows without uploading your data anywhere.
Here is something most IT teams find out too late.
Moving your email to Microsoft 365 or Google Workspace does not mean your email is backed up. It means your email is hosted in the cloud. Those are very different things.
About 60% of an organisation’s business-critical information lives in email: contracts, financial approvals, client communications, compliance records. If you assume your cloud provider is protecting all of that, you are making a bet that Microsoft and Google themselves have told you not to make.
The Myth: Cloud Email Means Backed-Up Email
When organisations move from on-premise Exchange servers to Microsoft 365 or Google Workspace, most assume the backup problem is solved. The cloud provider stores everything. It runs on enterprise infrastructure. What could go wrong?
Quite a lot, as it turns out.
Cloud platforms retain your email under their own policies, for their own purposes. Retention is not the same as backup. A backup creates a recoverable snapshot of your data at a specific point in time that you can restore from. Retention means the provider keeps some data for some period under their own rules, which they can change and which may not align with your legal or business requirements.
Microsoft says this directly in its own service agreement
Microsoft recommends third-party backup solutions for Microsoft 365 in its Services Agreement, stating it three times. Google Workspace’s terms carry the same implication. Both providers acknowledge that their platforms are not designed to serve as your backup system.
What Microsoft and Google Actually Retain
| Scenario | Microsoft 365 | Google Workspace |
|---|---|---|
| User deletes an email | Moves to Deleted Items, then Recoverable Items for 14–30 days | Moves to Trash, recoverable for 30 days |
| Admin permanently deletes a mailbox | Soft-deleted for 30 days, then gone permanently | Data may be unrecoverable after account deletion |
| Ransomware encrypts mailbox data | Recovery depends on whether retention policies covered the data | No native protection against encryption by compromised credentials |
| Point-in-time restore of full mailbox | Not natively available | Not natively available |
| Retention policy coverage | Complex configuration required; gaps are common | Vault policies require separate setup and licensing |
The pattern is consistent. Both platforms offer some data retention but neither provides what most organisations need: a point-in-time restore of an entire mailbox to exactly the state it was in before a specific event.
The Real Risks That Catch Organisations Off Guard
Accidental Deletion
Someone permanently deletes an email thread they should not have. Or an IT admin removes a mailbox during an employee offboarding and misses the 30-day recovery window. Or a bulk operation goes wrong and clears a folder that nobody realises is gone until three months later, well past any native recovery option.
Human error accounts for 95% of cybersecurity incidents. Email deletion, accidental and intentional, is one of the most common data loss events organisations experience and one of the hardest to recover from without an independent backup.
Ransomware
Modern ransomware does not just encrypt local drives. It targets cloud-connected accounts. An attacker who compromises a Microsoft 365 or Google Workspace account can encrypt, exfiltrate or delete email data. Because the attack comes through authenticated credentials, the cloud provider sees it as legitimate user activity.
Native retention policies offer partial protection but only for data that falls within the policy window. Email data outside that window is permanently lost. An independent offline backup stored outside the cloud environment is the only reliable recovery option for a full ransomware event.
Account Termination
Vendor relationships end. Licensing disputes happen. In the rare case of a cloud provider experiencing a significant outage or service change, organisations with no local copy of their email data have no fallback. When Microsoft or Google is the only place your email exists, you have no leverage and no recovery path if access is interrupted.
Insider Threats
Malicious data destruction from inside an organisation is a documented risk. In a 2021 case, lawyers at Elliott Greenleaf law firm stole email data to set up a rival firm and then double-deleted all communications to destroy evidence. Cloud platforms have some audit logging, but deletion by authorised users, even malicious deletion, is difficult to reverse beyond the standard recovery window.
Compliance Is Not Backup
Many IT teams point to their Microsoft 365 retention policies or Google Vault configuration as their “backup strategy.” This is a misunderstanding worth correcting before it causes a serious problem.
Compliance retention preserves specific types of data for a defined period under specific conditions. It is designed to meet regulatory requirements: GDPR, HIPAA, financial record-keeping laws. It is not designed to restore a deleted mailbox to a previous state, recover emails lost in a ransomware attack or provide a searchable archive independent of the live platform.
Backup creates a recoverable snapshot. Retention preserves data under policy. They serve different purposes and no organisation should rely on one to substitute for the other.
The 30-day trap
Microsoft’s deleted item recovery window is 14 to 30 days depending on configuration. Google’s is 30 days. Most organisations discover a missing email or deleted mailbox well outside this window, often when someone needs to reference a specific communication for a legal dispute, an audit or a client query that happened months earlier. By then, the native recovery option is gone.
What to Do: Export to a Format You Own
The most reliable protection is a copy of your email data in a format you own, stored in a location you control, independent of the cloud provider.
This means regular exports of your email archives to PST, MBOX or EML format, stored on local hardware or a backup drive that is physically separate from your cloud environment. If your cloud account is compromised, suspended or deleted, you still have the data.
Univik’s email converter tools handle this export on Windows without uploading anything to any server. Your email data stays on your machine throughout the process.
PST Converter exports Microsoft 365 and Outlook mailbox archives (PST files) to MBOX, EML, MSG or PDF. Works without Outlook installed. Handles multi-GB archives without timeout.
MBOX Converter exports Google Workspace Takeout archives (MBOX format) to PST, EML, PDF and other formats. Converts Gmail history into portable files you can store independently.
EML Converter converts individual EML message files to PST, MBOX, MSG and PDF in batch. Useful for exporting specific folders or time-period slices of email history.
Email Converter converts between all major email archive formats. Preserves full folder hierarchy, timestamps, attachments and metadata throughout the conversion.
Export Your Email Archives Before They Disappear
Univik Email Converter runs entirely on Windows. Export PST, MBOX and EML archives to portable formats you own: PDF for compliance, MBOX for re-import to any mail client, EML for individual message access. No internet connection required. Your email data never leaves your machine.
✓ PDF, MBOX, EML, MSG output
✓ Preserves folder hierarchy
✓ 100% offline for Windows
Which Format Should You Export To?
| Format | Best For | Re-importable? |
|---|---|---|
| PST | Microsoft 365 and Outlook environments. Single-file archive that Outlook can open directly | Yes, directly into Outlook |
| MBOX | Google Workspace and cross-platform migrations. Universal format supported by Thunderbird, Apple Mail and all major mail clients | Yes, into Gmail, Thunderbird, Apple Mail |
| EML | Individual message preservation. Each email is a separate file, easy to search, sort and produce for legal review | Yes, into any mail client |
| PDF | Compliance and legal archiving. Non-editable, universally readable, court-accepted format | No, read-only archive format |
For most organisations, the practical answer is to maintain two export types: MBOX or PST for operational recovery (so you can re-import into a mail client if the account is lost) and PDF for compliance and legal hold purposes. Keep both in at least two separate physical locations.
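Keeping copies in two locations only helps if both copies are intact and readable. The sketch below is an added example (not part of Univik's tooling) that checks an MBOX export against a second stored copy by hashing the file and each message; the sample mailbox is constructed, the file names are placeholders, and it assumes Message-IDs are unique within one export.

```python
import email
import hashlib
import mailbox
import os
import tempfile
from contextlib import closing

# Constructed sample export: two messages in mbox format (not real mail).
SAMPLE_MBOX = (
    b"From alice@example.com Mon Jan  5 10:00:00 2026\n"
    b"Message-ID: <1@example.com>\nSubject: Contract\n\nSigned copy attached.\n\n"
    b"From bob@example.com Tue Jan  6 11:30:00 2026\n"
    b"Message-ID: <2@example.com>\nSubject: Invoice\n\nPayment approved.\n"
)

def mbox_manifest(path):
    """Return (sha256 of the file, [(Message-ID, sha256 of raw message), ...])."""
    with open(path, "rb") as f:
        file_hash = hashlib.sha256(f.read()).hexdigest()  # read in chunks for multi-GB files
    entries = []
    # create=False: a missing export raises instead of silently creating an empty file
    with closing(mailbox.mbox(path, create=False)) as box:
        for key in box.iterkeys():
            raw = box.get_bytes(key)  # raw bytes, so hashing never re-encodes the message
            msg_id = email.message_from_bytes(raw)["Message-ID"] or "<missing>"
            entries.append((msg_id, hashlib.sha256(raw).hexdigest()))
    return file_hash, entries

def compare_copies(primary, secondary):
    """List differences between two stored copies of one export ([] = identical)."""
    p_hash, p_msgs = mbox_manifest(primary)
    s_hash, s_msgs = mbox_manifest(secondary)
    if p_hash == s_hash:
        return []
    p, s = dict(p_msgs), dict(s_msgs)  # assumption: Message-IDs are unique per export
    problems = [f"missing in secondary: {m}" for m in p if m not in s]
    problems += [f"content differs: {m}" for m in p if m in s and p[m] != s[m]]
    problems += [f"unexpected in secondary: {m}" for m in s if m not in p]
    return problems or ["file hashes differ but every message matches"]

def demo():
    # Write the sample plus an intact copy and a tampered copy, then compare them.
    copies = {"primary": SAMPLE_MBOX, "good": SAMPLE_MBOX,
              "damaged": SAMPLE_MBOX.replace(b"approved", b"rejected")}
    with tempfile.TemporaryDirectory() as d:
        for name, data in copies.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return (compare_copies(os.path.join(d, "primary"), os.path.join(d, "good")),
                compare_copies(os.path.join(d, "primary"), os.path.join(d, "damaged")))
```

Storing the manifest from `mbox_manifest` alongside each export at export time gives a baseline to re-check later, so a silently altered or truncated copy is caught before it is needed for recovery.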
If you are also planning a migration away from your current cloud provider, see our Outlook to Google Workspace migration guide for the full export and conversion workflow.
Frequently Asked Questions
Is Microsoft 365 email automatically backed up?
No. Microsoft 365 retains deleted items for 14 to 30 days depending on configuration and offers some retention policies for compliance purposes. But it does not provide a true backup: there is no point-in-time restore of a full mailbox, and data that falls outside the retention window is permanently unrecoverable. Microsoft’s own service agreement recommends using a third-party backup solution.
Does Google Workspace back up my email?
Google Workspace retains deleted emails in the trash for 30 days. Google Vault provides compliance-oriented retention and eDiscovery features but is not a backup system. It does not allow you to restore a mailbox to a previous state or recover data lost to a ransomware attack on the account. Like Microsoft, Google recommends independent backup strategies for business-critical data.
What is the difference between email retention and email backup?
Retention preserves specific data under policy rules for compliance or legal reasons. Backup creates a recoverable snapshot of your data at a point in time that you can restore from when something goes wrong. Retention is reactive and rule-based. Backup is proactive and restorative. You need both; they are not interchangeable.
How often should I export my email archives?
At minimum, monthly for active business mailboxes. Weekly for mailboxes in regulated industries (healthcare, legal, finance) or for accounts handling high-value contracts. After any significant event (a system migration, an employee departure, a security incident), export immediately regardless of schedule.
Does exporting email to PST or MBOX protect against ransomware?
Yes, if the export is stored offline or on a system that is not connected to the same cloud account. Ransomware that compromises your Microsoft 365 or Google Workspace credentials cannot reach a PST file stored on a local hard drive or an offline backup drive. The key is physical separation: the backup copy must not be accessible through the same credentials as the live email account.
Can I re-import exported email archives back into Microsoft 365 or Gmail?
Yes. PST files can be imported back into Outlook and Microsoft 365 through the Import/Export wizard or the Microsoft 365 admin import service. MBOX files can be imported into Gmail using the Google Workspace Migrate tool or through an IMAP import process. EML files can be imported into most mail clients individually or in batch.
Conclusion
Last updated: May 2026. Microsoft 365 and Google Workspace retention terms verified against official documentation as of May 2026. Recovery window timings sourced from Microsoft’s Exchange Online and Google Workspace admin documentation.
Cloud email is not backed-up email. The distinction matters and the consequences of missing it are serious: permanent data loss, compliance failures and no recovery path when something goes wrong.
The answer is simple: export your email archives to a format you own on a regular schedule and store the copies independently of your cloud provider. PST for Outlook environments, MBOX for Google Workspace, PDF for legal compliance. All of these are portable, re-importable and entirely under your control.
What is your current email backup strategy: cloud retention policies, independent exports or something else? That answer tells you exactly how exposed you are right now.