Picture a typical story: an engineer spins up an OTP-extraction mailbox for the CI pipeline in the spring. It works, everyone forgets about it, and months later a security review finds the thing — an unattended inbox quietly accumulating verification emails, password-reset links, and signup confirmations for every test account the company has ever created. Nobody decided to build a credentials archive. It just happened, one retained message at a time.

That's the retention problem for agent mailboxes in a nutshell. A human cleans out an inbox occasionally, or at least owns the mess. An autonomous mailbox keeps whatever its retention settings say to keep, forever-ish, with no one looking.

What the defaults give you

On Nylas Agent Accounts (currently in beta), the free plan defaults are 30 days of inbox retention and 7 days for spam, with 3 GB of storage per organization. Both retention values are configurable through a policy — the admin-scoped resource that bundles limits and spam settings and applies to every account in a workspace.

Like all policy limits, the retention fields are optional: omit them and they default to your plan's maximum, and requesting a value above the plan maximum returns an error. So the dial only turns one way — toward keeping less — which is exactly the direction a privacy review wants it turned.
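To see what turning that dial buys you, here is a small model of the rule above run against a constructed inbox. It is an added example, not Nylas code or the Nylas API: the function names, the message dicts, the subject-line heuristic, and the assumption that mail older than the window is purged are all hypothetical; only the 30-day free-plan inbox maximum comes from the text.

```python
import re
from datetime import datetime, timedelta, timezone

# Free-plan inbox maximum stated above; every other name here is hypothetical.
PLAN_MAX_INBOX_DAYS = 30

# Constructed heuristic for mail that carries credentials or account-takeover links.
SENSITIVE = re.compile(
    r"verification code|reset your password|confirm your (email|account)|one-time",
    re.IGNORECASE,
)

def effective_retention(requested_days, plan_max=PLAN_MAX_INBOX_DAYS):
    """Model the described semantics: omitted -> plan max, above max -> error."""
    if requested_days is None:
        return plan_max
    if requested_days > plan_max:
        raise ValueError(f"{requested_days} days exceeds plan maximum of {plan_max}")
    return requested_days

def exposure(messages, requested_days, now):
    """Sensitive messages still sitting in the mailbox under a given setting.

    Assumes anything older than the retention window has been purged.
    """
    cutoff = now - timedelta(days=effective_retention(requested_days))
    return [
        m for m in messages
        if m["received"] >= cutoff and SENSITIVE.search(m["subject"])
    ]

# Constructed sample data: a CI mailbox that nobody reads.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)

def msg(days_ago, subject):
    return {"received": NOW - timedelta(days=days_ago), "subject": subject}

SAMPLE = [
    msg(0.5, "Your verification code is 481516"),
    msg(3, "Reset your password"),
    msg(12, "Confirm your email address"),
    msg(25, "Your one-time sign-in link"),
    msg(26, "Weekly build report"),
    msg(45, "Reset your password"),  # already outside the 30-day default
]

if __name__ == "__main__":
    for setting in (None, 7, 1):
        kept = exposure(SAMPLE, setting, NOW)
        print(f"retention={setting!s:>4}: {len(kept)} sensitive messages retained")
```

An OTP mailbox only needs a message for as long as the test that reads it, so the shortest window the pipeline tolerates is the one to ask for.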