not enough info to make a judgement.
-was the email from a known source of spam, a BCC, or from an actual correspondent?
-was the subject line indicative of the content?
-should the company's email filter have been able to detect and reject the email?
-was the email saved on a local disk, or on the company server?
-does he use OE, and if so, does the company normally require him to 'double-delete' any unwanted mail? are the delete/save prompts on his email app similar enough that it would have been difficult for him to know which he had just done?
-finally, was the zero tolerance policy clearly spelled out in employee literature? the reason i ask is this: if he knew that his job was at stake, and he knew that the item was sensitive, one would think that he'd be very thorough in its removal. not passing judgement on him, just the way the policy was enforced in this situation.