Set up and manage email quarantines

You must be signed in as a super administrator to perform these tasks.

As an administrator, you can create settings to quarantine messages sent to and from your organization. You can also assign admin privileges to specific users to let them manage quarantined messages.

Quarantines help prevent spam, minimize data loss, and protect confidential information. Quarantines also help manage message attachments, so users don't open or send something they shouldn't. When a message is quarantined, it's sent to the admin quarantine, where an admin can take any of the following actions:

  • Display the rule that caused the message to be quarantined
  • Deliver the message to the intended recipient
  • Deny message delivery
  • Take no action

You can set up quarantine alerts to get periodic alerts when new messages are quarantined. Messages in the quarantine are stored on Google's servers until an action is taken.

Important:

  • You can only take action on quarantined messages from or to users in your Google Workspace account.
  • You can't take action on messages associated with accounts that are suspended or disabled.
  • Only messages for users are quarantined. Messages sent to groups can't be quarantined.

Quarantined messages for recipients and senders

  • Quarantined incoming messages—The intended recipient isn't alerted about the message unless you release it for delivery.
  • Quarantined outgoing messages—These messages appear in the sender's Sent folder. These messages aren't delivered to the recipient unless an admin releases them from quarantine. If the sender deletes the message from their Sent folder after it appears in the quarantine, the message remains in the quarantine until you act on it, or until it's deleted 30 days after delivery.

Email quarantine and Vault

Quarantined messages are retained and available for up to 30 days after delivery in Admin quarantine, regardless of your Vault retention period setting. Messages are automatically removed from Admin quarantine after 30 days.

If your Vault retention period is longer than 30 days, quarantined messages older than 30 days are available in Vault until the retention period expires. For more information, go to Retain Gmail messages with Vault.

Set up and manage email quarantines

You can create quarantines with these policies and settings in the Admin console. You can also assign admin privileges to specific users to access and manage email messages in one or more quarantines.

Add, edit, delete, and review quarantines

In your Admin console, you can add, edit, delete, and review email quarantines.

To add a quarantine:

  2. From the Admin console, go to Apps and then Google Workspace and then Gmail and then Manage quarantines.

  3. ClickAdd Quarantine.

  4. Assign quarantine settings:

    • Enter a name and description.

    • For incoming and outgoing messages, choose whether or not to send a reject message to the sender when you deny delivery of a quarantined message.

    • (Optional) Select Notify periodically when messages are quarantined.

  5. Click Save.

Note:  You can set up a Quarantine reviewers group to enable other users in your organization to review quarantines. For details, see Let users manage email quarantines.

To edit a quarantine:

  1. From the Admin console dashboard, go toApps and then Google Workspace and then Gmail and then Manage quarantines.
  2. Find the quarantine nameand thenclick Edit.

  3. Make the desired changesand then Save.

To delete a quarantine:

Any remaining messages in the quarantine are moved to the default quarantine.

  1. From the Admin console dashboard, go toApps and then Google Workspace and then Gmail and then Manage quarantines.
  2. Find the quarantine nameand thenclick Delete and then Confirm Deletion.

    Any remaining messages in the quarantine are moved to the default quarantine.

Note: Quarantines in use by one or more policy settings can't be deleted. To delete an active quarantine, go to the relevant setting and point it to a different quarantine.

To review settings for quarantined messages:

  1. From the Admin console dashboard, go to Manage quarantine.
  2. Click Manage quarantine.
  3. Click Go to Admin Quarantine.
    • All quarantined messages are displayed, including messages in the default quarantine.
    • If a message is in a customized quarantine, the quarantine name displays beside the email subject.
  4. Click a quarantine name. This opens a pop-up window showing the quarantine details.
  5. (Optional) To edit the quarantine's settings from this page, click Edit in Admin Console.

Configure policies to quarantine messages

In the Admin console, you set up and configure policies to quarantine messages using any of these Gmail settings:

  • Content compliance

  • Objectionable content

  • Attachment compliance

  • Routing

  • Spam

For each setting, you can quarantine messages that match the configuration criteria, then select the quarantine for the selected messages.

For compliance and routing settings, you can also choose to notify internal senders when their outbound and internal, sent messages are quarantined.

Manage quarantined messages

After setting up and configuring policies for a quarantine, you can view and manage messages in it.

To open the admin quarantine:

  2. From the Admin console dashboard, go toApps and then Google Workspace and then Gmail and then Manage quarantines.

  3. ClickGo to admin quarantine to display all the quarantines.

Inbound and outbound messages

Messages appear with the quarantine name and the direction of inbound or outbound.

  • If an inbound message includes multiple recipients, it appears in the quarantine once for each recipient. For example, a message with five recipients appears in the quarantine five times.
  • Outbound messages you allow to be delivered are quarantined only once before delivery. For this reason, if you plan to quarantine internal messages, configure the quarantine to Internal - Sending, instead of Internal - Receiving. Then, only one message is quarantined before it's delivered to the recipients.

Tip: You can avoid filling the quarantine with a large number of messages by not sending external messages to large email lists.

View and manage quarantined messages

Action How to do it

View quarantined, pending triage, allowed, and denied messages

By default, all quarantined messages appear in the list. You can filter messages by quarantine or status.

  • Click Quarantine, select a quarantine from the listand thenclick Apply.
  • Click Status, select Pending triage, Denied, or Allowed and thenclick Apply.

Only messages delivered within your Vault retention periodappear inDenied or Allowed. If you don't act on or deny a message, it's automatically deleted when your retention period expires. The default retention period is 30 days from the time the message was sent or received.
Display message and rule definition that triggered quarantine

Click the message in the list to display the message and the rule definition that caused the email to be routed to the quarantine.

  • Rule description—Name or description of rule
  • Source—The area of the message that triggered the rule, for example, message body
  • Matched string—String or expression that matched email content

Important: Source and matched string are displayed when available. Gmail makes a best effort to display the rule associated with a message, but some messages may not display a rule.
Display message metadata

Click the messageand then Show Original.

Displays the textual representation of a Gmail message

Search for messages

Click Search in the filter bar, enter a search term in the badge and click on "search contains..." This searches according to the current filter status.

The entire message is searched, including the sender and recipient address, subject, and message body. You can use advanced search operators to search a particular part of the message.

Allow delivery of one or more quarantined messages

Check the box to the left of each recipient nameand thenclick Allow.

If a user doesn't see an allowed message in their inbox, ask them to search for the message in all folders, including the Trash folder.

Note: Some spam messages might be rejected when Gmail makes a connection to transmit the message. These messages aren't sent to admin quarantine, even if you selected the Put spam in administrative quarantine option in your Spam setting.

Deny delivery of one or more quarantined messages

Check the box to the left of each recipient nameand thenclick Deny. Click Deny again to confirm.

Notes about rejection notices:

  • When you deny a message, the quarantine either drops the message or sends a default rejection notice, depending on the currently selected quarantine.
  • If a message appears in multiple quarantines, the action taken depends on which quarantine is currently selected, even if the other quarantines are set up to perform a different action.
  • All messages appear in the default quarantine. If you reject a message in the default quarantine, the reject action that's been set up for the default quarantine is applied.

Bulk Action

When you start selecting messages, the bulk action option becomes available. Unlike the Select All box, which only applies to messages in your current view, you can use the bulk action to deny or approve all messages in the selected quarantine or search results.

Send reject messages

If you choose to send a reject message when you deny a quarantined message, keep the following in mind:

  • If you deny an inbound message sent to multiple recipients in your domain, the sender receives a reject message each time you select a group of recipients to deny.

    To avoid this, you can check the boxes for all message recipients so that the sender receives a single reject message containing the entire list of rejected recipients. If you don't select all recipients and later reject other recipients, the sender receives a second notification.

  • The body of a reject message includes the subject of the original message. For this reason, if the term that caused the original message to be quarantined appears in the subject, the reject message may also be quarantined when the message is denied. This depends on how you set up the quarantine (to include either Outbound or Internal - Sending messages).
  • If you deny an inbound group message, the reject message is dropped and is not delivered to the sender.

Identify unsupported message types

S/MIME signing and encryption:

  • If a sender requests S/MIME signing and encryption for outgoing messages, the message is rejected and is not delivered to the quarantine.
  • If an admin sets compliance and routing rules for S/MIME signing and encryption for outgoing messages, the message is unaffected and is delivered to the quarantine.

Receive quarantine alerts

If you selectNotify periodically when messages are quarantined when you add or edit a quarantine in the Admin console, you'll get periodic alerts when new messages are quarantined.

The quarantine alerts show the following for the quarantines configured to receive alerts:

  • The number of messages received for each quarantine.
  • The total number of messages quarantined during the notification interval.

You're notified of newly quarantined mail within an hour of its appearance in admin quarantine. The frequency and timing of the alerts varies based on how often new quarantined mail arrives, but will never be more than once hourly.

Note: Quarantine summary reports are different from Admin quarantine. Learn more.

Let users manage email quarantines

Super administrators can assign admin privileges to specific users to manage messages in the default quarantine and other customized quarantines.

Note: These steps assume you've created and configured quarantine policies. If you need help, go to Set up and manage email quarantines at the top of this article.

.

Assign admin roles and quarantines

The admin role you assign a user determines which quarantines they can see and manage.

  • Access Admin Quarantine—Users can see and manage messages in any quarantine, including the default quarantine.
  • Access restricted quarantine—Users can see and manage messages in restricted quarantines.

To ensure privacy, each time a user signs into either admin role to manage email messages, the message ID and quarantine name is recorded. You can search for these events in Admin log events to see what action was taken.

Before you begin

As an administrator, you set up and assign admin roles to specific users that let them access and manage messages in a quarantine. You must complete all the steps below to successfully set up and associate users with quarantines.

Step 1: Create a new role with quarantine privileges

  1. From the Admin Console, click Admin roles and thenclick Create a new role.
  2. Enter a name and a descriptionand thenclickCreate.
  3. On the Privileges tab, underGmail, check the Access Admin quarantine or Access restricted quarantinesbox.
  4. Click Save. The new role is selected and displayed under User created roles.

Step 2: Assign users to the admin role

  1. With the role selected, click the Admins taband then Assign admins. Enter a user name or email address.

    Entering a user's name automatically displays their email address

  2. If you're assigning more than one user to the role, click Assign more. After you enter the user names, clickConfirm assignment.

Step 3: Create a group for users

  1. From the Admin console, click Groups and then "".
  2. Enter a name, email address, and description for the group.
  3. For Access Level, select Restricted.
  4. Click Create.

Next, add the users to the group.

Step 4: Add users to the group

  1. From the Admin console, go toUsers.
  2. Find the user in the list and click to open their account page.
  3. On the user's account page, click Groups. Any groups the user already belongs to are displayed.
  4. Click"".
  5. Locate and select the group you created for users with quarantine privileges.
  6. Click"".

Step 5: Add the group to a quarantine

  1. Sign in to your Google Admin console.
  2. From the Admin console dashboard, go to Apps and then Google Workspace and then Settings for Gmail.
  3. Select Manage quarantines and thenclick Edit next to the desired quarantine.
  4. In the Edit quarantine panel, click Select groups and select the group you created for admin quarantine users.

  5. ClickSave.

After completing the steps above, users can sign in and access the quarantine they're assigned to. Users with admin privileges see the Admin console when they sign in.

Note: When mail messages are quarantined, notifications are sent only to the super admin. Quarantine notifications are not sent to groups with quarantine privileges.

Manage users' access to quarantines

After assigning a user admin privileges to a quarantine, they can access and manage messages in the quarantine they're associated with.

To manage messages in a quarantine:

  1. Sign into your Google Workspace  account.
  2. In your web browser, go to https://email-quarantine.google.com/adminreview. Depending on the admin role you're assigned, all quarantines associated with a group you're a member of appear.
  3. Select the desired quarantine in the filter barand thenview and manage quarantine messages.

Additional quarantine and admin rules

Messages that appear in quarantines are based on a user's admin privileges and the policies configured for the quarantine. The following guidelines apply to quarantines and the users associated with them and may help you troubleshoot common quarantine issues.

Messages in the default quarantine

Messages in the default quarantine have been identified as spam or match a policy you configured. Additional messages may appear in the default quarantine for the following reasons:

  • If you configure a quarantine rule but don't associate it with a quarantine, messages are sent to the default quarantine.
  • If a quarantine is deleted, all messages in that quarantine are sent to the default quarantine.

Messages in the Pending triage folder

Messages that appear in the Pending triage status are based on the user's admin privilege.

  • Access admin quarantine—Emails in all quarantines, including the default quarantine, are displayed.
  • Access restricted quarantine—Emails in restricted quarantines the admin is associated with are displayed. Messages in the default quarantine are not displayed.

Important: If any admin denies message delivery from the Pending triage folder, the settings associated with the default quarantine apply, even if they're different from the settings of the current quarantine.

Messages in the Denied and Allowed folders

The user's admin privilege determines which messages appear in the Denied and Allowed folders.

  • Access admin quarantine—Emails in the Denied and Allowed folders are displayed, including the default quarantine.
  • Access restricted quarantine—Only emails in Denied and Allowed folders with quarantines the user is associated with are displayed. Messages in the default quarantine are not displayed.

Messages in a restricted quarantine

Only users with admin privileges for restricted quarantines can manage messages (allow or deny) in those quarantines. Messages in the default quarantine are not displayed.

Admin user removed from a group

If a user with admin privileges is removed from a group associated with a quarantine, messages in that quarantine are no longer displayed and can't be managed by the user. If the user tries to load a quarantine or manage message delivery, an error is displayed.

Groups removed from a quarantine

If a group is no longer associated with a quarantine, admins with restricted quarantine privileges lose access to that quarantine.

Was this helpful?

How can we improve it?