Security · April 25, 2026 · 5 min read

Should Your Email Archive Scan for Viruses? Why the Answer Is No

Virus scanning inside an email archive seems like a sensible security layer — but it actually undermines the archive's core purpose. Here's why malware scanning belongs at the MTA layer, not in the archive.

When evaluating email archiving solutions, IT and security teams sometimes ask: "Does it scan attachments for malware?" It sounds like a reasonable security requirement. In practice, however, virus scanning inside the archive is not just unnecessary — it actively conflicts with what an archive is supposed to do. Understanding why requires looking at the distinct roles these systems play in your email infrastructure.

What an Email Archive Is For

An email archive exists to create a faithful, tamper-proof record of every message your organisation sends and receives. That record must accurately represent what was actually delivered — not a modified version of it. This is the foundation of everything the archive is used for:

  • Legal discovery (eDiscovery): Courts and regulators require access to the original communication, as received. An archive that silently stripped or quarantined attachments cannot credibly prove it holds the original.
  • Compliance audits: Regulations such as SOX, MiFID II, and HIPAA require complete, unaltered records, and under GDPR the personal data you do retain must be accurate. An archive that transforms messages at ingest, even with good intentions, may not satisfy auditors.
  • Internal investigations: HR and legal teams need to reconstruct what was sent, not what the archive decided to keep.
  • Dispute resolution: The value of archived email as evidence depends entirely on its integrity.

The moment an archive modifies a message — stripping an attachment, replacing a file with a placeholder, or flagging and quarantining content — it ceases to be a reliable record of what actually happened.

Why Scanning at the Archive Layer Is the Wrong Approach

It Creates an Integrity Problem

An email archive's most important property is immutability: what goes in must match what was delivered. Virus scanning breaks this guarantee. If a scanner removes or quarantines a malicious attachment before archiving, the stored message no longer reflects the original. You have no proof of what the email actually contained — only what survived the scanner.

This is particularly damaging in legal contexts. Opposing counsel or a regulator can challenge the completeness of your archive the moment you cannot demonstrate that every message was stored exactly as received.

Virus Definitions Change — Archives Are Permanent

A file that passes a scanner today may be flagged as malicious when definitions are updated tomorrow. Conversely, a file detected as malware today may later be reclassified as a false positive. Archives retain data for years or decades. If the scanning decision is baked into what gets stored, your historical records become inconsistent and untrustworthy over time.

False Positives Corrupt the Record

Virus scanners produce false positives. A legitimate business attachment — a PDF, a compressed archive, a macro-enabled spreadsheet — may be incorrectly identified as a threat and stripped from the message before archiving. The organisation then has an incomplete record of a perfectly legitimate communication, with no way to recover the original.

The Security Job Is Already Done Upstream

By the time an email reaches the archiver, it has already been processed by your MTA (mail transfer agent) or mail gateway. That upstream layer is the correct place for malware scanning, for several reasons:

  • It acts before the message is delivered to mailboxes, blocking threats at the perimeter.
  • It can quarantine or reject messages without them ever entering the mail flow.
  • Security tools at the MTA level are purpose-built for this task, with sandboxing, reputation checking, and real-time threat intelligence.
  • A rejected or quarantined message never reaches the archiver, and a message whose attachment the gateway stripped is archived in the form it was actually delivered. Either way the archive holds exactly what users received, no more and no less.

The Right Architecture

A well-designed email infrastructure has clear separation of concerns:

Inbound email
      │
      ▼
 MTA / Mail Gateway          ← Virus scanning, spam filtering,
 (Postfix, Exchange,            policy enforcement happens HERE
  Proofpoint, Mimecast, etc.)
      │
      ▼ (clean, delivered messages only)
 Mailboxes + Email Archive   ← Faithful, tamper-proof storage
                                of what was actually delivered

The archiver receives only messages that passed your security layer. It stores them exactly as they arrived. If a malicious email slips through your gateway, which is a genuine security failure, the archive records that too, which is exactly what you want: an honest record of what happened. That unmodified copy is also what incident responders need afterwards, since it preserves the delivered payload, the full headers, and the recipient list as they were at delivery time.
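As an added illustration of this split (an example configuration, not taken from Piler or from the Postfix documentation), the following Postfix main.cf fragment runs a ClamAV milter before a message is committed to the queue and hands a copy of every accepted message to the archive with always_bcc. The milter socket path, the archive address, and the choice to tempfail when the scanner is unreachable are assumptions for the example.

```conf
# /etc/postfix/main.cf (excerpt; added example, socket path and address assumed)

# Before-queue scanning: the milter is consulted while the SMTP session is
# still open, so a message it rejects is never committed to the queue.
smtpd_milters     = unix:/run/clamav/clamav-milter.ctl
non_smtpd_milters = $smtpd_milters
# If the scanner cannot be reached, defer the message rather than let
# unscanned mail through.
milter_default_action = tempfail

# Archive copy: cleanup adds this recipient to every message it queues, so
# the archive receives exactly the message that was accepted for delivery
# and never sees anything the milter rejected.
always_bcc = archive@piler.example.com
```

If you use an after-queue content filter such as amavisd-new instead of a milter, the archive copy is still only delivered when the filter releases the message, but set receive_override_options = no_address_mappings on the re-injection listener so the filtered message does not pick up a second always_bcc recipient. On Exchange the equivalent of always_bcc is journaling; the principle is the same: the copy is taken after the gateway has made its decision.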

What About Archiving Old Mailboxes?

A common scenario is importing historical email from mailboxes or PST files into a new archive. Even here, scanning at import time is problematic for the same reasons: you would be modifying the historical record. The correct approach is to import everything as-is and rely on endpoint security on the machines where archived mail is retrieved and opened to stop any archived malware from being executed; the archive's access controls and audit trail then tell you who retrieved a given message and when.

What the Archive Should Do

Rather than scanning for malware, a well-designed email archive should focus on what it does best:

  • Immutable storage — every message stored exactly as received, with cryptographic integrity verification
  • Indexed, instant retrieval — full-text search across millions of messages in seconds
  • Policy-based retention — automated lifecycle management aligned with your compliance obligations
  • Legal hold — preserving specific messages outside normal retention cycles
  • Access controls — ensuring only authorised users can retrieve sensitive communications
  • Audit trails — recording who accessed what and when

Security scanning is not on that list — and intentionally so.
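To make "stored exactly as received, with cryptographic integrity verification" concrete, here is an added Python example (not Piler's code and not a description of its internals). It ingests a delivered message verbatim, seals each record with an HMAC chained to the previous record, and shows that a scan-and-strip ingest, a later edit of a stored record, and a deleted record all fail verification. The sample messages, the archive key, and the chaining scheme are constructed for the example.

```python
"""Added example, not Piler's code: an archive ingest path that stores the
delivered bytes verbatim and seals each record with an HMAC chained to the
previous record, so that a modified attachment, an edited header or a deleted
message is detected at verification time."""

import hashlib
import hmac
from email import message_from_bytes, policy

# Constructed sample messages, as the MTA handed them over. The "attachment"
# is an arbitrary string standing in for a file a scanner might dislike.
DELIVERED = b"""From: alice@example.com
To: bob@example.com
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Figures attached.
--b1
Content-Type: application/octet-stream; name="figures.xlsm"
Content-Disposition: attachment; filename="figures.xlsm"

PK-not-a-real-spreadsheet
--b1--
"""
FOLLOW_UP = b"From: bob@example.com\nTo: alice@example.com\nSubject: Re: Q3 figures\n\nThanks.\n"

# Hypothetical archive sealing key. Keep it outside the archive host (HSM/KMS)
# so that someone with write access to the store cannot simply re-seal.
ARCHIVE_KEY = b"example-key-do-not-use-in-production"


def digest(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


def seal(raw: bytes, prev_seal: str) -> str:
    """HMAC over the previous seal and this message's digest. Chaining means
    removing or reordering a record breaks every seal that follows it."""
    return hmac.new(ARCHIVE_KEY, (prev_seal + digest(raw)).encode(), "sha256").hexdigest()


def ingest(store: list, raw: bytes) -> dict:
    """Archive ingest: keep the bytes exactly as delivered; add only metadata."""
    prev = store[-1]["seal"] if store else ""
    record = {"raw": raw, "sha256": digest(raw), "seal": seal(raw, prev)}
    store.append(record)
    return record


def verify(store: list) -> bool:
    """Re-derive every digest and seal from the stored bytes."""
    prev = ""
    for rec in store:
        if digest(rec["raw"]) != rec["sha256"]:
            return False
        if not hmac.compare_digest(seal(rec["raw"], prev), rec["seal"]):
            return False
        prev = rec["seal"]
    return True


def strip_attachments(raw: bytes) -> bytes:
    """What a scan-at-ingest archive does to a flagged message: replace the
    attachment with a placeholder. Included only to show the consequence."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            part.set_content("[attachment removed by scanner]")
    return msg.as_bytes()


def demo() -> dict:
    faithful = []
    first = ingest(faithful, DELIVERED)
    ingest(faithful, FOLLOW_UP)

    # A scanning archive stores something other than what was delivered.
    scanning = []
    ingest(scanning, strip_attachments(DELIVERED))

    # A later edit of a stored record, e.g. by someone with storage access.
    tampered = [dict(r) for r in faithful]
    tampered[0]["raw"] = tampered[0]["raw"].replace(b"Q3 figures", b"Q2 figures")

    return {
        "faithful_matches_delivered": first["sha256"] == digest(DELIVERED),
        "stripped_matches_delivered": scanning[0]["sha256"] == digest(DELIVERED),
        "faithful_verifies": verify(faithful),
        "tamper_detected": not verify(tampered),
        "deletion_detected": not verify(faithful[1:]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design point is that anything the archive learns later, including a scanner verdict that changes when definitions are updated, belongs in metadata next to the record, never in the stored bytes; the seal covers the bytes, so the record stays provably what was delivered no matter how the verdict evolves.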

Summary

Virus scanning in an email archive sounds like a sensible defence-in-depth measure. In reality, it undermines the archive's core function by modifying the record it is meant to preserve. Malware scanning belongs at the MTA and mail gateway layer, where it can block threats before delivery without compromising the integrity of your archived communications. Keep these responsibilities separate and both systems will do their jobs more effectively.

If you are evaluating email archiving solutions, look for strong immutability guarantees, tamper-proof storage, and comprehensive audit logging — not a built-in virus scanner.

Ready to Enhance Your Email Security?

Discover how Piler Enterprise can help you with advanced email archiving, compliance, and security features.