For decryption you don't need to keep expired certificates on a CRL. It will only blow up their size. You don't need the public key (certificate) for opening an encrypted mail. For decryption you use your private key. Therefore it doesn't matter whether the certificate is revoked or expired. You must be able to decrypt your mails in any case.
For signed mails, if you have to keep the security information, you must use mechanisms for long term archiving - outside of the MUA (e.g. LTANS: https://datatracker.ietf.org/wg/ltans/documents/). IMHO, a MUA is not made to verify digital signatures long time after the generation of the signature. After expiry of a certificate used for signing the MUA should display a message saying that the certificate is expired and that no revocation information is available anymore.

@srdavidson I'd like to see the option that CRL is optional. Considering the suggestion made by Google, I've drafted language that will capture both cases. This allows usage of both at the same time, or only one of the two, while having a requirements on having at least one option at all times.