The Underestimated Risks of Spam and Quarantine Folders
In many companies, email quarantine is considered a standard component of IT security. What may seem like a sensible protective measure at first glance actually entails significant legal risks in practice. A ruling by the Federal Court of Justice makes it clear that companies should reassess the consequences of email quarantine.
Emails in the quarantine folder are considered delivered
On October 6, 2022 (Case No. VII ZR 895/21), the Federal Court of Justice (BGH) issued a ruling clarifying when an email is considered received in business correspondence. The BGH ruled that emails made available for retrieval on the recipient’s email server during normal business hours are deemed delivered to the recipient as of that time. Important: This also includes spam and quarantine folders, and it does not depend on whether the email is actually retrieved or acknowledged.
In concrete terms, this means: An invoice, a notice of default, or a contract offer that lands in the quarantine folder and remains unnoticed there is nevertheless deemed to have been legally received, with all the resulting consequences.
The Specific Case
The Federal Court of Justice’s decision addressed the question of whether the parties had entered into a valid settlement agreement following a dispute over a claim for payment of wages. The plaintiff sent the defendant a settlement offer via email on a Friday, but then stated in a follow-up email approximately 45 minutes later that a final review of the claim amount had not yet been completed and that the first email should be disregarded. The defendant paid the original settlement amount shortly thereafter. The claim for the difference failed because the first offer had already been effectively received before the revocation was received.
The email server is within the recipient’s sphere of control
The sender bears the “risk of transmission”, that is, the risk that their message will not reach the recipient’s sphere of control. Once the message enters the recipient’s sphere of control, the “risk of receipt” shifts to the recipient. For this reason, case law does not focus on the recipient’s actual knowledge of the declaration.
However, the recipient’s email server can only be considered the “sphere of control” if the recipient, by publishing their email address or making other statements in the course of business, indicates their intention to conclude legal transactions via electronic declarations in the form of emails. Therefore, anyone who operates and communicates using a business email address automatically assumes responsibility for all messages received there, including those in the quarantine folder.
The practical implications for businesses are enormous: Business owners should check not only their inbox but also their spam folder multiple times during regular business hours.
Another Case in Austria
The legal issue is not limited to Germany. The Austrian Supreme Court (OGH) ruled in a decision (3 Ob 224/18i) that the spam folder must be checked and that legally relevant documents are considered received even if they end up in the spam folder. The Bonn Regional Court had also ruled as early as 2014 that failing to check the spam folder daily can constitute a culpable breach of duty.
The responsibility lies with the recipient
Since the sender has no control over whether the recipient uses email protection or what type of protection they use, it is solely the recipient’s responsibility to check spam and quarantine folders. There is also an additional procedural risk: it is not sufficient for the email to appear in the “Sent Items” folder of the sender’s email program. In the event of a dispute, the sender must prove that the email was actually received on the recipient’s email server, a technically complex requirement.
Operational Burden and Technical Shortcomings
In addition to the legal consequences, quarantine solutions also pose operational challenges. Monitoring and maintaining the spam folder takes time and resources that would certainly be better spent elsewhere. If someone, out of convenience or in a hurry, quickly deletes all the contents, they may end up deleting important emails.
Technically, quarantine also does not offer complete protection: Emails stored in individual users’ spam folders can often still be opened, and malicious links can still be clicked. This means that a risk remains even after incoming emails have been filtered.
Blocking Instead of Sorting
NoSpamProxy operates without spam or quarantine folders. Unlike other solutions, NoSpamProxy blocks spam emails so that they are not accepted in the first place. In other words: These emails do not reach the recipient’s inbox and cannot have any legal effect. Since blocked emails are not considered delivered, companies using NoSpamProxy avoid the potential legal consequences that can arise from the mere delivery of an email.
If NoSpamProxy rejects an email due to suspected spam or a virus, the sender is notified of the rejection by their own email server. The email must then be resent. The recipient has no way of accessing the content of the rejected email because it was never fully received.
Quarantine is a risk
The Federal Court of Justice’s case law is clear: quarantine folders do not relieve companies of their obligation to review incoming emails. Failure to monitor these folders thoroughly exposes companies to significant legal risks, ranging from missed contract deadlines to settlement offers accepted without notice. When combined with the operational burden and technical shortcomings of quarantine, it becomes clear: Quarantine does not solve problems, it creates new ones.
An Overview of the Most Important Questions About Email Quarantine
Are emails in the spam or quarantine folder considered delivered?
Yes. According to the Federal Court of Justice (BGH), emails are considered delivered as soon as they arrive on the recipient’s mail server during business hours. This also applies to spam and quarantine folders, regardless of whether the email has been read.
Does a company need to check its spam folder regularly?
Yes. Companies are required to regularly check their spam and quarantine folders. Legally relevant emails may end up there and are still considered delivered even if the recipient is not aware of them.
What risks are associated with unchecked spam folders?
Failure to check spam folders can lead to missed deadlines, unintended contract agreements, and legal consequences. Since emails are considered delivered, this creates liability risks even if the message was never read.
Who is responsible for emails that are overlooked?
The recipient bears full responsibility. As soon as an email reaches the mail server, it falls under the company’s control. The risk of not being aware of this therefore lies with the recipient.
Is the “Sent” folder sufficient proof of sending?
No. The “Sent” folder is not sufficient proof. In the event of a dispute, the sender must prove that the email was actually received on the recipient’s mail server.
How secure are quarantine and spam filters, really?
Quarantine and spam filters offer only limited protection. They sort emails, but they do not prevent legal service of process or completely eliminate all security risks, such as phishing or malware.
Is there an alternative to email quarantine?
Yes. Modern approaches focus on rejecting suspicious emails before they are accepted (“Reject instead of Quarantine”). This prevents these messages from ever reaching the recipient’s mail server.
Does this legal situation apply only in Germany?
No. Similar rulings have been issued in other countries, such as Austria. There, too, it has been ruled that spam folders must be checked regularly and that emails may be considered delivered.
Not yet using NoSpamProxy?
Block emails now instead of moving them to a cluttered quarantine folder. Try the NoSpamProxy Protection spam filter for 30 days free of charge.
