Preserve Bcc and expanded distribution group recipients for eDiscovery

Litigation holds, eDiscovery holds, and Microsoft 365 retention policies created in the Microsoft Purview compliance portal allow you to preserve mailbox content to meet regulatory compliance and eDiscovery requirements. Information about recipients directly addressed in the To and Cc fields of a message is included in all messages by default. But your organization may require the ability to search for and reproduce details about all recipients of a message. This includes:

  • Recipients addressed using the Bcc field of a message: Bcc recipients are stored in the message in the sender's mailbox, but not included in headers of the message delivered to recipients.
  • Expanded distribution group recipients: Recipients who receive the message because they're members of a distribution group to which the message was addressed, either in the To, Cc or Bcc fields.

Exchange Online and Exchange Server 2013 (Cumulative Update 7 and later versions) retain information about Bcc and expanded distribution group recipients. You can search for this information by using an eDiscovery tool in the compliance portal.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

How Bcc recipients and expanded distribution group recipients are preserved

Information about Bcc'ed recipients is stored with the message in the sender's mailbox. This information is indexed and available to eDiscovery searches and holds.

Information about expanded distribution group recipients is stored with the message after you place a mailbox on In-Place Hold or Litigation Hold. In Microsoft 365, this information is also stored when a Microsoft Purview retention policy is applied to a mailbox. Distribution group membership is determined at the time the message is sent. The expanded recipients list stored with the message isn't impacted by changes to membership of the group after the message is sent.

Information about... Is stored in... Is stored by default? Is accessible to...
To: and Cc: recipients Message properties in the sender and recipients' mailboxes. Yes Sender, recipients, and compliance officers
Bcc: recipients Message property in the sender's mailbox. Yes Sender and compliance officers
Expanded distribution group recipients Message properties in the sender's mailbox. No. Expanded distribution group recipient information is stored after a mailbox is placed on In-Place Hold or Litigation Hold, or assigned to a Microsoft Purview retention policy. Compliance officers

Searching for messages sent to Bcc and expanded distribution group recipients

When searching for messages sent to a recipient, eDiscovery search results now include messages sent to a distribution group that the recipient is a member of. The following table shows the scenarios where messages sent to Bcc and expanded distribution group recipients are returned in eDiscovery searches.

Scenario 1: John is a member of the US-Sales distribution group. This table shows eDiscovery search results when Bob sends a message to John directly or indirectly via a distribution group.

When you search Bob's mailbox for messages sent... And the message is sent with... Results include message?
To: John John on To: Yes
To: John US-Sales on To: Yes
To: US-Sales US-Sales on To: Yes
Cc: John John on Cc: Yes
Cc: John US-Sales on Cc: Yes
Cc: US-Sales US-Sales on Cc: Yes

Scenario 2: Bob sends an email to John (To/Cc) and Jack (Bcc directly, or indirectly via a distribution group). The table below shows eDiscovery search results.

When you search... For messages sent... Results include message? Notes
Bob's mailbox To:/Cc: John Yes Presents an indication that Jack was Bcc'ed.
Bob's mailbox Bcc: Jack Yes Presents an indication that Jack was Bcc'ed.
Bob's mailbox Bcc: Jack (via distribution group) Yes List of members of the Bcc'ed distribution group, expanded when the message was sent, is visible in eDiscovery search preview, export, and logs.
John's mailbox To:/Cc: John Yes No indication of Bcc recipients.
John's mailbox Bcc: Jack (directly or via distribution group) No Bcc: information isn't stored in the message delivered to recipients. You must search the sender's mailbox.
Jack's mailbox To:/Cc: John (directly or via distribution group) Yes To:/Cc: information is included in message delivered to all recipients.
Jack's mailbox Bcc: Jack (directly or via distribution group) No Bcc: information isn't stored in the message delivered to recipients. You must search the sender's mailbox.

Frequently asked questions

When and where is Bcc recipient information stored?

Bcc recipient information is preserved by default in the original message in sender's mailbox. If the Bcc recipient is a distribution group, distribution group membership is only expanded if the sender's mailbox is on hold or assigned to a Microsoft 365 retention policy.

When and where is the list of expanded distribution group recipients stored?

Group membership is expanded at the time the message is sent. The list of expanded distribution group members is stored in the original message in the sender's mailbox. The sender's mailbox must be on In-Place Hold, Litigation Hold, or assigned to a Microsoft 365 retention policy.

Can the To/Cc recipients see which recipients were Bcc'ed?

No. This information isn't included in message headers, and isn't visible to To/Cc recipients. The sender can see the Bcc field stored in the original message stored in their mailbox. Compliance officers can see this information when searching the sender's mailbox.

How can I ensure that expanded distribution group recipients are always preserved?

To ensure that expanded distribution group members are always preserved with a message, Place all mailboxes on hold or create an organization-wide Microsoft 365 retention policy.

Which types of groups are supported?

Distribution groups, mail-enabled security groups, and dynamic distribution groups are supported.

Is there a limit on the number of distribution group recipients that are expanded and stored in the message?

Up to 10,000 members of a distribution group is preserved.

Are nested distribution groups supported?

Yes, 25 levels of nested distribution groups are expanded.

Where is the Bcc and expanded distribution group recipient information visible?

Bcc and expanded distribution group recipients information is visible to Compliance officers when performing an eDiscovery search. Bcc and expanded distribution group recipients are included in search results copied to a Discovery mailbox or exported to a PST file and in the eDiscovery log included in search results. Bcc recipient information is also available in search preview.

What happens if a member of a distribution group is hidden from the organization's global address list (GAL)?

There's no impact. If recipients are hidden from the GAL, they're still included in the list of recipients for the expanded distribution group.