Question 1: Do keys in the Key Cache get purged periodically?
Answer: Yes, they are cleaned out after 1 day by default.

For additional information, see the following article:

162609 - Symantec Encryption Management Server (SEMS) Key Cache purge routines differ depending on how keys are retrieved

Question 2: What is the Max Duration for the Key Cache on SEMS?
Answer: The lowest value keys can be cached is 1 hour and the maximum value configurable for this is 999 days.

Important Note: Keys that are cached via Keyserver lookups or other methods will purge after this value configured; however, keys that are cached via "inbound mail" will not be honored with this setting.  Instead, keys that are cached via the inbound mailflow will be cached for 180 days per a hard-coded setting.  

As an example, if the SMIME key is harvested via an inbound email, this method is harvested as a source of "mailflow":

In this example, the keys should be cached for 180 days and then purged regardless of the Cache Settings parameters. 

For more information on this behavior, see the following article:

162609 - Encryption Management Server Key Cache purge routines differ depending on how keys are retrieved

Question 3: I have my server in the mailflow, but it's not caching keys--why?
Answer: In order for the keys to be cached, the email containing the key must be an "Inbound" message.  In other words, the SEMS does not harvest keys that are sent "Outbound" as typically all the keys for users sending outbound already exist as "Internal Users" on the SEMS.  Only Inbound emails will harvest these keys.

Question 4: I have an email that came from an external domain, why is it still not caching it?
Answer: Depending on how the proxies of SEMS are configured, the email from an external recipient may be interpreted by SEMS as an "Outbound" message.  If the Proxies are configured with an MTA that is the inbound and outbound connector into SEMS, then having two interfaces on the SEMS with different IP Addresses is recommended.  In this way, the messages for "Inbound" always go to the Inbound IP, and the messages destined for the external domains will always use the Outbound IP Address.

Question 5: Should I purge the Key Cache before the timeout value is reached?
Answer: If you know a single key has been updated, then delete the single key in question from the Key Cache.

Question 6: Immediately after I created a cluster member, the cached keys on the host server are removed and are not replicated.

Answer: The timeout value for cached keys has expired.  After one or more servers are joined to the host server during the creation of a server cluster, one of the services checks the cached key timeout setting as it restarts. If the current date minus the keys’ create date exceeds the defined timeout value, the service flushes the key cache.

Question 7: I have keys cached, but when I send email outbound, the message is not getting encrypted.

Answer: The PGP server will encrypt automatically to cached keys if the keys are cached via a keyserver search.  The PGP server will not encrypt to keys by default if they are observed in the mailflow.  For more information on how to get this to work, see the following article:

233835 - Symantec Encryption Management Server is not Encrypting to cached keys