What’s the industry practice for bounce list retention?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Here's a question that sounds simple but trips up a lot of senders: how long do you actually need to keep a record of an address that bounced? The answer depends on the bounce type, and getting it wrong can hurt you in two very different ways.

Hard bounces: keep them indefinitely. A hard bounce means the address is permanently invalid. Maybe it never existed, maybe the domain is gone, maybe the mailbox was deleted. Whatever the reason, that address will never accept email. Keeping that record isn't about being nosy. It's about protection. Without it, the same address could sneak back into your list through a form submission, a data import, or a third-party source. Mailing a known-invalid address again signals poor list hygiene to mailbox providers, and doing it repeatedly can start to damage your sender reputation.

The record you need to keep is minimal. You don't need the subscriber's full profile or their campaign history. You just need the email address flagged as suppressed. That's it. That's what protects you.

Soft bounces: a different story. A soft bounce is a temporary failure. The mailbox was full, the server was down, something transient happened. Most ESPs retry automatically. The question is how long to retain the pattern data after the fact.

Now most senders keep 90 to 180 days of soft bounce history for analysis. That window is enough to spot an address that soft-bounces consistently (which is often a sign it's quietly becoming invalid) without hoarding data for no good reason. If an address has soft-bounced on every send for three months straight, it's worth treating it the same way you'd treat a hard bounce.

The compliance angle. If you're sending to EU contacts, GDPR's data minimization rules apply here. You can absolutely keep a suppression list for legitimate interest purposes. Preventing yourself from re-mailing a bounced address is a legitimate interest. What you can't do is keep detailed personal data far beyond what's needed for that purpose. So if someone invokes their right to erasure (the "right to be forgotten"), you have a choice: delete everything and risk re-adding them later, or keep a minimal tombstone record showing the address is suppressed. Most legal guidance favors the tombstone approach for exactly this reason. You're not retaining data to profile someone. You're retaining it to protect them from unwanted contact.

Outside the EU, regulations like CAN-SPAM and CASL don't specify exact retention windows for bounce data, but the general principle holds. Keep what you need to run a clean list. Don't keep what you don't.

A quick decision framework:

  • Hard bounce. Keep the suppression record forever. Strip out any extra personal data fields if you have no other reason to hold them.
  • Soft bounce pattern (repeated failures). After 3 to 5 consecutive bounces, promote it to a hard bounce and treat it accordingly.
  • One-off soft bounces. Keep 90 to 180 days of history for pattern detection, then archive or delete.
  • Right to erasure request (GDPR). Replace the full record with a minimal suppressed flag. Don't delete entirely if you risk re-adding the address.

If you're unsure whether your current bounce handling is set up correctly, our SOS hotline is free and we're happy to walk through your setup with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a bounce retention recommendation for your setup

Tell me about your bounce list situation. How are you currently handling bounces (hard and soft), how old is your list, and are you sending to any EU contacts? I'll give you specific retention recommendations and flag any compliance gaps.

Edit the yellow boxes, then send to the AI of your choice.