Set up and manage email quarantines

You must be signed in as a super administrator to perform these tasks.

As an administrator, you can create settings to quarantine messages sent to and from your organization. You can also assign admin privileges to specific users to let them manage quarantined messages. 

Quarantines help prevent spam, minimize data loss, and protect confidential information. Quarantines also help manage message attachments, so users don’t open or send something they shouldn’t. When a message is quarantined, it's sent to the admin quarantine, where an admin can take any of the following actions:  

  • Display the rule that caused the message to be quarantined
  • Deliver the message to the intended recipient
  • Deny message delivery
  • Take no action

You can set up quarantine alerts to get periodic alerts when new messages are quarantined. Messages in the quarantine are stored on Google's servers until an action is taken.


  • You can only take action on quarantined messages from registered Google Workspace users.
  • You can't take action on messages associated with accounts that are suspended or disabled.
  • Messages are only quarantined for users, and not for groups.

Quarantined messages for recipients and senders

  • Quarantined incoming messages: The intended recipient isn't alerted about the message unless you release it for delivery.
  • Quarantined outgoing messages: These messages appear in the sender’s Sent folder. These messages aren't delivered to the recipient unless an admin releases them from quarantine. If the sender deletes the message from their Sent folder after it appears in the quarantine, the message remains in the quarantine until you act on it, or until it's deleted 30 days after delivery. 

Email quarantine and Vault

Quarantined messages are retained and available for up to 30 days after delivery in Admin quarantine, regardless of your Vault retention period setting. Messages are automatically removed from Admin quarantine after 30 days.

If your Vault retention period is longer than 30 days, quarantined message older than 30 days are available in Vault until the retention period expires.

Set up and manage email quarantines

Create quarantines with these policies and settings in the Admin console.

You can also assign admin privileges to specific users to access and manage email messages in one or more quarantines.

Add, edit, delete, and review quarantines

In your Admin console, you can add, edit, delete, and review email quarantines.

To add a quarantine:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console, go to Appsand thenGoogle Workspaceand thenGmailand thenManage quarantines.

  3. Click Add Quarantine.

  4. Assign quarantine settings: 

    • Enter a name and description.

    • For incoming and outgoing messages, choose whether or not to send a reject message to the sender when you deny delivery of a quarantined message.

    • (Optional) Select Notify periodically when messages are quarantined.

  5. Click Save.

To edit a quarantine:

  1. From the Admin console, go to Appsand thenGoogle Workspaceand thenGmailand thenManage quarantines.
  2. Click Edit next to the desired quarantine.

  3. Make the desired changes and click Save.

To delete a quarantine:

  1. From the Admin console, go to Appsand thenGoogle Workspaceand thenGmailand thenManage quarantines.
  2. Click Delete to the right of the quarantine name and confirm. Any remaining messages in the quarantine are moved to the Default quarantine.
Note: Quarantines in use by one or more policy settings can't be deleted. To delete an active quarantine, go to the relevant setting and point it to a different quarantine. 

To review quarantine settings:

  1. From the Admin console, go to Appsand thenGoogle Workspaceand thenGmailand thenManage quarantines.
  2. Click Go to Admin Quarantine. All quarantines, including the admin quarantine, are displayed.
  3. To the right of the desired quarantine name, click  and choose Settings to display the current settings. 
  4. (Optional) To edit the quarantine's settings from this page, click Go to Google Workspace Admin Console to Edit.
Configure policies to quarantine messages

In the Admin console, you set up and configure policies to quarantine messages using any of these Gmail settings:

For each setting, you can quarantine messages that match the configuration criteria, then select the quarantine for the selected messages.

For compliance and routing settings, you can also choose to notify internal senders when their outbound and internal, sent messages are quarantined.

Manage quarantined messages

After setting up and configuring policies for a quarantine, you can view and manage messages in it.

To open the admin quarantine:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console dashboard, go to Appsand thenGoogle Workspaceand thenGmailand thenManage quarantines
  3. Click Go to admin quarantine to display all the quarantines. 
Tip: You can view any quarantine's current settings by clicking  next to the quarantine name and choosing Settings.

Inbound and outbound messages

Messages appear with the quarantine name and a status of inbound our outbound.  

  • If an inbound message includes multiple recipients, the message appears in the quarantine once for each recipient. For example, a message with five recipients appears in the quarantine five times.
  • Outbound messages you allow to be delivered are quarantined only once before delivery. For this reason, if you plan to quarantine internal messages, configure the quarantine to Internal - Sending, instead of Internal - Receiving. That way, only one message is quarantined before it’s delivered to the individual recipients.

Tip: To avoid filling the quarantine with a large number of messages, we recommend you prevent large email lists from getting external messages. 

View and manage quarantined messages

Action How to do it

View quarantined, allowed, and denied messages

By default, all quarantined messages appear in the list. To sort the messages, click a label on the left. If you don't see the quarantine list on the left, click Menu "".

Only messages delivered within your Vault retention period appear in Denied or Allowed. If you don’t act on or deny a message, it's automatically deleted when your retention period expires. The default retention period is 30 days from the time the message was sent or received.

Display message and rule definition that triggered quarantine

Click the message in the list to display the message and the rule definition that caused the email to be routed to the quarantine.

  • Rule description: Name or description of rule
  • Source: The area of the message that triggered the rule, for example, message body  
  • Matched string: String or expression that matched email content 

If the matched string value is found in the visible fields of the message (sender header, recipients header, message body, or subject), it's highlighted in the message. 

Important: Source and matched string are displayed when available. Gmail makes a best effort to display the rule associated with a message, but some messages may not display a rule. 

Search for messages

Enter a search term in the field. The search returns currently quarantined messages from the default quarantine and any quarantines you create. It doesn’t search Denied or Allowed messages.

The entire message is searched, including the sender and recipient address, subject, and message body. You can use advanced search operators to search a particular part of the message.

Allow delivery of one or more quarantined messages

Check the box to the left of each recipient name, and then click Allow.

If a user doesn’t see an allowed message in their inbox, ask them to search for the message in all folders, including the Trash folder.

Note: Some spam messages might be rejected when Gmail makes a connection to transmit the message. These messages aren't sent to admin quarantine, even if you selected the Put spam in administrative quarantine option in your Spam setting.

Deny delivery of one or more quarantined messages

Check the box to the left of each recipient name and click Deny, then click Deny again to confirm.

Notes about rejection notices:

  • When you deny a message, the quarantine either drops the message or sends a default rejection notice, depending on the currently selected quarantine.
  • If a message appears in multiple quarantines, the action taken depends on which quarantine is currently selected, even if the other quarantines are set up to perform a different action.
  • All messages appear in the default quarantine. If you reject a message in the default quarantine, the reject action that's been set up for the default quarantine is applied.

Bulk Action

When you start selecting messages, the bulk action option becomes available. Unlike the Select All box, which only applies to messages in your current view, you can use the bulk action to deny or approve all messages in the selected quarantine or search results.


Send reject messages

If you choose to send a reject message when you deny a quarantined message, keep the following in mind:

  • If you deny an inbound message sent to multiple recipients in your domain, the sender receives a reject message each time you select a group of recipients to deny.

    To get around this, you can check the boxes for all message recipients so that the sender receives a single reject message containing the entire list of rejected recipients. If you don’t select all recipients and later reject other recipients, the sender receives a second notification.

  • Reject messages include the subject of the original message as part of the body of the reject message. For this reason, if the term that caused the original message to be quarantined appears in the subject, the reject message may also be quarantined when the message is denied, depending how you set up the quarantine (to include either Outbound or Internal - Sending messages).
  • If you deny an inbound group message, a reject message is not delivered to the sender. The reject message is dropped.
Identify unsupported message types 

S/MIME signing and encryption:       

  • If a sender requests S/MIME signing and encryption for outgoing messages, the message is rejected and is not delivered to the quarantine. 
  • If an admin sets compliance and routing rules for S/MIME signing and encryption for outgoing messages, the message is unaffected and is delivered to the quarantine.   
Receive quarantine alerts

If you select Notify periodically when messages are quarantined when you add or edit a quarantine in the Admin console, you'll get periodic alerts when new messages are quarantined.

The quarantine alerts show the following for the quarantines configured to receive alerts:

  • The number of messages received for each quarantine.

  • The total number of messages quarantined during the notification interval.

You're notified of newly quarantined mail within an hour of its appearance in admin quarantine. The frequency and timing of the alerts varies based on how often new quarantined mail arrives, but will never be more than once hourly.

Note: Quarantine summary reports are different than Admin quarantine. Learn more.

Let users manage email quarantines

Super administrators can assign admin privileges to specific users to manage messages in the default quarantine and other customized quarantines. 

Note: These steps assume you've created and configured quarantine policies. If you need help setting up and configuring quarantines, see the instructions at top the of this article.

Assign admin roles and quarantines

The admin role you assign a user determines which quarantines they can see and manage.

  • Access Admin Quarantine: Users can see and manage messages in any quarantine, including the default quarantine.
  • Access restricted quarantine: Users can see and manage messages in restricted quarantines.

To ensure privacy, each time a user signs into either admin role to manage email messages, the message ID and quarantine name is recorded. You can search for these events in Admin Reports to see what action was taken.

Before you begin

As an administrator, you set up and assign admin roles to specific users that let them access and manage messages in a quarantine. You must complete all the steps below to successfully set up and associate users with quarantines.  

Step 1: Create a new role with quarantine privileges

  1. From the Admin Console, click Admin roles, then click Create a new role.
  2. Enter a name and a description and click Create.
  3. On the Privileges tab, under Gmail, check the Access Admin quarantine or Access restricted quarantines box.
  4. Click Save. The new role is selected and displayed under User created roles.

Step 2: Assign users to the admin role

  1. With the role selected, click the Admins tab, and then click Assign admins. Enter a user name or email address. Entering a user's name automatically displays their email address.
  2. If you're assigning more than one user to the role, click Assign more. After you enter the user's names, click Confirm assignment.

Step 3: Create a group for users 

  1. From the Admin console, click Groups; then click Add "".
  2. Enter a name, email address, and description for the group.
  3. For Access Level, select Restricted
  4. Click Create.

Next, add the users to the group.  

Step 4: Add users to the group 

  1. From the Admin console, go to Users.
  2. Find the user in the list and click to open their account page.
  3. On the user's account page, click Groups. Any groups the user already belongs to are displayed.
  4. Click Add "".
  5. Locate and select the group you created for users with quarantine privileges.
  6. Click Add.

Step 5: Add the group to a quarantine  

  1. Go to Apps and thenGoogle Workspaceand thenGmail to display the Gmail settings page.
  2. Select Manage quarantines; then click Edit next to the desired quarantine.
  3. In the Edit quarantine panel, click Select groups and select the group you created for admin quarantine users.
  4. Click Save.

After completing the steps above, users can sign in and access the quarantine they're assigned to. Users with admin privileges see the Admin console when they sign in.  

Note: When mail messages are quarantined, notifications are sent only to the super admin. Quarantine notifications are not sent to groups with quarantine privileges.

Manage users' access to quarantines

After assigning a user admin privileges to a quarantine, they can access and manage messages in the quarantine they're associated with.   

To manage messages in a quarantine:

  1. Sign into your Google Workspace account.
  2. In your web browser, go to Depending on the admin role you're assigned, all quarantines associated with a group you're a member of appear.
  3. Select the desired quarantine at the left; then view and manage quarantine messages
Additional quarantine and admin rules

Messages that appear in quarantines are based on a user's admin privileges and the policies configured for the quarantine. The following guidelines apply to quarantines and the users associated with them and may help you troubleshoot common quarantine issues.

Messages in the default quarantine

Messages in the default quarantine have been identified as spam or match a policy you configured. Additional messages may appear in the default quarantine for the following reasons:

  • If you configure a quarantine rule but don't associate it with a quarantine, messages are sent to the default quarantine.  
  • If a quarantine is deleted, all messages in that quarantine are sent to the default quarantine. 

Messages in the All Quarantines folder

Messages that appear in the All Quarantines folder are based on the user's admin privilege.

  • Access admin quarantine: Emails in all quarantines, including the default quarantine, are displayed. 
  • Access restricted quarantine: Emails in restricted quarantines the admin is associated with are displayed. Messages in the default quarantine are not displayed. 

Important: If any admin denies message delivery from the All Quarantines folder, the settings associated with the default quarantine apply, even if they're different than the settings of the current quarantine. 

Messages in the Denied and Allowed folders

Messages that appear in the Denied and Allowed folders are determined by the user's admin privilege.

  • Access admin quarantine: Emails in the Denied and Allowed folders are displayed, including the default quarantine.  
  • Access restricted quarantine: Only emails in Denied and Allowed folders with quarantines the user is associated with are displayed. Messages in the default quarantine are not displayed. 

Messages in a restricted quarantine

Messages in restricted quarantines can only be managed (allowed or denied) by users with admin privileges for those quarantines. Messages in the default quarantine are not displayed. 

Admin user removed from a group

If a user with admin privileges is removed from a group associated with a quarantine, messages in that quarantine are no longer displayed and can't be managed by the user. If the user tries to load a quarantine or manage message delivery, an error is displayed.  

Groups removed from a quarantine  

If a group is no longer associated with a quarantine, admins with restricted quarantine privileges lose access to that quarantine. 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center