After having talked to an attorney about the sticky issues involved with this, the technical stuff is not that hard.
Capture all traffic to and from his workstation using either the capabilities of your router, or by injecting a device for that particular purpose into the network (it’s not too hard to do that with a bridging Linux host, for instance). If said employee uses unencrypted SMTP sessions (and (un)fortunately, most people do), you can just read the cleartext of whatever leaves his workstation. Hardware required: none (if your router already supports this kind of stuff) or a Linux box with two NICs and a bridging interface set up.
If the SMTP connections are encrypted and you control the mailserver on the other end, just have the mailserver hold on to mails being sent for longer than is strictly necessary. (In some countries, this has strong legal implications that can land you in jail, so again, TALK TO YOUR ATTORNEY). If your email host is dreamhost, you do not have full control over your mailserver, and you won’t be able to easily do this kind of thing. In all other cases it’s technically feasible (and the amount of work needed to do it depends on what MTA you use).
If the SMTP connections are encrypted and you do not control your mailserver, you are out of luck. Try a rootkit, but your employee will eventually catch on to that sort of stuff.
Keyloggers do not have to be in software. Most people will not check for a little blob in their keyboard cable before using their computers. If you use wireless keyboards, talk to a local hacker about how to capture those signals. If you can tamper with the hardware without your employee knowing and you have a bit of a budget, you can also install a PCI card to log activity.
If your email client is an open-source one (such as Thunderbird) and regular upgrades are expected and nothing out of the ordinary, you could just compile your own Thunderbird with some nifty added internal functionality that’ll make sure you get a copy.
What do you mean by “finding nothing due to him clearing it out every time he sends an email out”? Have you done some forensic analysis on the hard drive? It’s entirely possible that those “deleted” files still reside on the disk but are just inaccessible from the filesystem. Decent computer forensics people cost some money to hire though, and doing this covertly would be a cloak-and-dagger operation.
Whether or not any of this will lead to (admissible) evidence is in the stars, and also influenced by the savvy your rogue employee displays. Any and all of these measures can be thwarted with due diligence. Fortunately for you, most people don’t even know what they’d need to thwart, so there is a decent chance you’ll be successful if your target isn’t a prototypical hacker.
If you are sure this is worth the work you are putting into it (seeing as you might well be in an at-will employment state and can just fire the guy without giving a reason), good luck.
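The point in the post about unencrypted SMTP is the one most readers can act on defensively: if a mail client submits a message before the session is upgraded with STARTTLS, the credentials and the message body are readable by anyone positioned on the network path. The following is an added example, not code from the poster, that audits a captured SMTP dialogue for exactly that exposure. The transcripts, the host names, the `mail.example.test` server and the `audit_smtp_session`/`findings` helpers are all constructed for this illustration.

```python
"""
Audit an SMTP submission transcript for cleartext exposure.

Input is a captured SMTP dialogue with client lines prefixed "C: " and
server lines prefixed "S: ". The audit reports whether the client
authenticated or transmitted the message body before a STARTTLS upgrade
completed. A session that never upgrades leaves both readable on the wire.
"""

# Constructed sample: the client submits without ever issuing STARTTLS,
# even though the server advertised it.
PLAINTEXT_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlAHNlY3JldA==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<alice@example.test>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.test>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: quarterly numbers
C:
C: attached as discussed
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
S: 221 2.0.0 Bye
"""

# Constructed sample: the client upgrades first. On a real capture everything
# after the 220 reply to STARTTLS is ciphertext, shown here as one placeholder.
TLS_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
[encrypted TLS records follow]
"""


def audit_smtp_session(transcript):
    """Return a dict describing what the session exposed in cleartext.

    Keys: server_offers_starttls, starttls (upgrade completed),
    auth_in_clear, body_in_clear.
    """
    result = {"server_offers_starttls": False, "starttls": False,
              "auth_in_clear": False, "body_in_clear": False}
    awaiting_tls_ack = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("S: "):
            reply = line[3:]
            if reply.upper().startswith(("250-STARTTLS", "250 STARTTLS")):
                result["server_offers_starttls"] = True
            if awaiting_tls_ack:
                awaiting_tls_ack = False
                if reply.startswith("220"):
                    result["starttls"] = True
                    break  # remaining traffic is ciphertext; nothing left to audit
            continue
        if not line.startswith("C: "):
            continue  # blank body lines, placeholders, or garbage
        cmd = line[3:]
        verb = cmd.split(None, 1)[0].upper() if cmd else ""
        if verb == "STARTTLS":
            awaiting_tls_ack = True
        elif verb == "AUTH":
            result["auth_in_clear"] = True
        elif verb == "DATA":
            result["body_in_clear"] = True
    return result


def findings(transcript):
    """Human-readable audit findings for one session (empty list means clean)."""
    r = audit_smtp_session(transcript)
    out = []
    if r["auth_in_clear"]:
        out.append("credentials sent before TLS")
    if r["body_in_clear"]:
        out.append("message body sent before TLS")
    if r["server_offers_starttls"] and not r["starttls"]:
        out.append("server offered STARTTLS but client did not use it")
    return out


if __name__ == "__main__":
    for name, session in (("plaintext", PLAINTEXT_SESSION), ("tls", TLS_SESSION)):
        print(name, findings(session) or ["no cleartext exposure"])
```

Run against a transcript of your own client's submission session (for example one reconstructed from a packet capture with a protocol analyser's "follow TCP stream" view) to confirm the client is actually upgrading before it authenticates; a mail client configured for port 587 with STARTTLS set to "if available" rather than "required" will silently fall back to the first pattern when the advertisement is missing.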