An Exchange Server 2007 feature that's gotten surprisingly little attention is messaging records management (MRM). I suspect this is because of its name, which doesn't do a good job of conveying what MRM does and how you can make use of it.

Even if you're not subject to the bewildering maze of acronyms such as GLB, SOX, HIPAA, and SEC 17a3-4, you probably have some awareness of corporate governance and compliance requirements—at least that such requirements exist. At bottom, these regulatory regimes usually require that you do three things: define policies that control what happens to messages, enforce those policies, and provide sufficient auditing or inspection tools to prove that your policies are effective. The specifics of the policy you use will vary according to what regulations you have to comply with, but the general outline remains the same.

Corporate governance is quite different from these legal requirements; here the goal is typically to show that your company is following some generally accepted best practice from the business world. For example, if you work for a law firm, the American Bar Association standards and practices probably apply; there are many industry-specific governance "suggestions." The point behind following these is typically to insulate yourself from liability (or even criticism) by proving that you follow the industry standard for a particular area.

Exchange 2007's MRM features play in both of these arenas. MRM provides tools that let you design retention or archiving policies, then apply them to selected folders. This functionality is similar to that of the Mailbox Manager from previous versions of Exchange in that you can specify policies that control how long certain item types should be retained, depending on what folder they're in. Microsoft calls this functionality Managed Default Folders because these MRM policies can be applied only to the standard folders you see in an Exchange mailbox: Inbox, Sent Items, and so on.

The Managed Custom Folders feature is significantly more useful: It lets you define a policy that adds folders to users' folder trees. For example, you can create a policy that will push a folder named "XYZ Company Confidential" to every user's mailbox (or one titled "A/C Privileged" to the members of the Legal organizational unit, or whatever). Then you can create separate retention policies for each of these folders. For example, imagine setting up a policy that will empty out the Deleted Items folder every 7 days, plus another that specifies the "Sales Lead" folder to be purged after 18 months, plus one that specifies the life of unfiled items in the Inbox to be 180 days. Presto! You now have a way to keep users' mailboxes free of unwanted or unnecessary mail—after 180 days, messages will be moved from the Inbox to the Deleted Items folder, from which they'll be purged after another 7 days. By creating an appropriate folder structure, you can have fine-grained control over which items you retain, where they're stored, and how long Exchange maintains them. Couple this with an archiving system, which Exchange itself most definitely doesn't provide, and you've got the makings of a flexible compliance and governance system.

There are some other related features that come in handy for compliance and governance, such as the new message classification feature. I'll write about these features in future UPDATE issues.