Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Where do attachments live once they’re sent?

Question: I am very nervous about the security of an email attachment that I sent not long ago. I was in the process of obtaining a new job which I didn’t end up taking and I had to fill out a form that included information like my Social Security Number, date of birth and so on. I didn’t think about it at the time, but it was for legitimate reasons so I went ahead and scanned it and attached it to a Yahoo email. I sent the email to a trusted person and went on with my life. However, what I didn’t think about was that the attachment in Yahoo was not encrypted as far as I know. I ended up not taking the job and deleting the email from my Sent folder. Now, for all I know, it’s still sitting in the inbox of the other person and could do so until eternity. Where would this attachment be stored? On their severs or Yahoo’s? If I were to simply delete my Yahoo email account, would that render the attachment gone on their end? I’m being a little paranoid, I know, I’ll admit it. I just want to know if there’s anything else I can do other than to avoid sending attachments like that again?

Attachments live “with” the email, and the short answer about email is what’s been sent cannot be unsent. Once you send a piece of email, you lose all control over it.

It’s kind of like the internet; once you’ve posted something, it’s almost impossible to remove all the copies.

Now, email is definitely not public, but I do want to emphasize the word “copies.”

Become a Patron of Ask Leo! and go ad-free!

Copy of a copy of a…

When you send email, it’s copied – attachment and all – from your machine to a mail server owned by your email service. Eventually it gets copied from that mail server to the mail server of your recipient, and then from that last server it’s copied to your recipient’s mail program.

Each one of those is a copy operation and it assumes two things:

  • The mail with its attachment is a file on a hard disk somewhere, be it in an email server or on the user’s PC.
  • After  the copy completes the version that’s left behind is appropriately deleted.

Now, what’s the definition of “appropriately”? I don’t know. For most busy mail servers (like those at Yahoo), I assume it’s deleted almost immediately. There’s really no reason for them to be keeping things.

But it’s not just the servers that are causing the problem.

How long the copy stays

Attach FilesThe person who received your email with the attachment probably accessed their email through either:

  • A website that downloaded the email from Yahoo to their PC
  • An email program which automatically downloaded the email to their PC.

We actually don’t know; there’s no way to tell from your perspective or mine whether the actual email or the attachment is living on Yahoo’s servers or the recipient’s own desktop PC.

The file could easily still be sitting in their inbox, in a sub-folder, or wherever they happen to put it for however long that email account exists.

Then there are back ups. Most companies back up their email servers, so your email could be sitting in the recipient’s inbox as well as one of several daily, weekly, monthly, or however frequent back up files taken of the email server or the recipient’s PC.

All of these copies are OK. Really.

All of this doesn’t scare me, to be honest.

I actually do what you do fairly regularly. I send semi-sensitive information to people via email from time to time with the understanding that yes, it could be backed up on this sever and copies could be over on that server and so on. It doesn’t bother me.

When I send something that I consider to be very sensitive, then I just take the additional step of encrypting it first and making sure that my recipient either understands how to decrypt it. I send the appropriate decryption password via phone,  text, or some other channel that is not the same path that the encrypted email would take.

Why am I okay with it all? I know that servers and backups at Yahoo or the recipient’s company are only going to be accessible to very trusted employees. The only time anyone may look at your email from a server is if an employee goes rogue or there’s a court order requesting those backups.

As for the recipient’s machine, it might just stay in their inbox forever.

And backups are only kept for so long. We just don’t know how long that is for each email service.

It’s all a matter of trust

The point there is that you need to trust that:

  • Yahoo and the actual IT infrastructure for your recipient’s business actually store your email on their servers as part of their normal email workflow.
  • Your recipient will not keep the file any longer than they need to and keep their own machine and backups secure.

Whenever you send email, there will be multiple copies of it. That’s nothing to be overly concerned about because it’s just part of how email works.

About deleting your Yahoo! account

Finally, it’s worth noting that deleting your Yahoo! account has absolutely no impact on any of the email that you’ve sent in the past or the attachments they may have included. Those emails and attachments left your control as soon as you hit Send.

Deleting the account will do absolutely nothing other than inconvenience you.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

4 comments on “Where do attachments live once they’re sent?”

  1. The other thing to think about in the OP’s situation, is that just because it was done technologically doesn’t make it any more or less secure.

    For example, we can probably assume that no one at Yahoo is going to scan email attachments for social security numbers. And let’s suppose that the person you sent it to was collecting it for a legitimate purpose. Now, if it still exists on Yahoo’s server, anyone successful hacking in is not going to be looking through the email and not through the attachments looking for social security numbers. That’s not what they’re doing these days (at least not from my wife’s experience).

    Now suppose the recipient actually downloaded the mail to his own PC. The fact that it’s there again, makes it no more or less secure. In the old days, people would fax documents like that, and before that send them through the post office. You really don’t know how secure the fax line is, so again, what’s the difference to sending it by email.

    If you sent it through the post office, once you dropped it in the mailbox, you don’t know and can’t control the security of it, just like you can’t control the security of the email path. And if you had sent it through the post office, you have no idea whether this many years later it is still sitting in a file cabinet somewhere. That again, is not much different than it still sitting in his computer. Also, even if you had sent it through the mail, you have no idea whether he created a database of applicants on his computer and included SSNs. So again, it’s not much more or less secure just because you sent it by email and that email might still be sitting around.

    Would I suggest you do it again in the future? No. But what’s done is done and it’s out of your control.

  2. And less to worry about because it was a _scanned_ document–a graphic. Even an SSN sniffer or a search could not find it. From a practical standpoint, almost nothing but a human pair of eyes could turn that graphic back into an SSN.

  3. Using AOL I sent a large file (folder) of 150 pictures to an email thinking it was another attachment. My wife who is also an AOL user, on her computer at this time, and also on the same router noticed all the pictures sent in the email she received. After her warning, I realized that a file was still downloading (all the pictures were ‘still’ downloading). I cx the file download. Did the other two receive (who are not AOL) the files or was the email sent deleted since the files didn’t completely download? Records don’t show that they were sent/or deleted.


    • There’s really no way to know for sure with the information given. It’s really up to how AOL handles these things. Chances are it did NOT get sent, but that it was received by even one person could mean that others got it as well.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.