Set up email quarantine

Send messages to a quarantine for review before they're delivered

You must be signed in as a super administrator to set up an email quarantine.

Email quarantine is a feature of the Google Workspace Moderation Tool. With email quarantine, Google Workspace admins can create settings that send incoming and outgoing email messages to a quarantine before they’re delivered to recipients. Learn more about the Moderation Tool.

When email messages are quarantined, you and others in your organization can review them before they’re delivered to recipients. Email quarantine helps prevent spam, minimizes data loss, and protects confidential information. Email quarantine also helps you manage message attachments, so people in your organization don’t open or send something they shouldn’t.

As an admin, add custom settings in your Google Admin console that specify which messages are quarantined. For example, you may want to quarantine outgoing messages that contain confidential information, incoming messages that have suspicious links or attachments, or all messages with personal or sensitive information, such as credit card or taxpayer ID numbers.

When a message is quarantined, you can take any of these actions on the message:

  • Identify the setting that sent the message to quarantine.
  • Release the message from quarantine so it’s delivered to the original recipient.
  • Block the message from being delivered to the recipient, and optionally let the sender know it was blocked.

Quarantined messages are stored until one of the actions is taken. If no action is taken on a quarantined message, the message is permanently deleted after 30 days. Learn more in Manage quarantined messages.

Quarantine features and limits 

This section describes the behavior and limitations you should be familiar with when using email quarantine.

Expand all  |  Collapse all

Quarantine retention period

Quarantined messages are stored in quarantine up to 30 days after sending. Messages are automatically and permanently deleted after 30 days. Messages deleted from quarantine can’t be recovered by admins or users.

If you use additional email storage with an extended retention period, for example Google Vault, quarantined messages older than 30 days are available in the additional storage until the retention period expires. To learn more about Vault retention periods, visit Retain Gmail messages with Vault.
Default quarantine

Your Google Workspace account comes with one quarantine already set up. This is called the default quarantine. Quarantines that you create are called custom quarantines. If you add a setting that quarantines messages, but don’t specify a custom quarantine in the setting, messages quarantined by the setting are sent to the default quarantine.

If you delete a custom quarantine that contains quarantined messages, the messages in the deleted quarantine are moved to the default quarantine.

Custom and restricted quarantines

Super admins can create custom quarantines to:

  • Support specific business needs. For example, you may want to quarantine all outgoing messages that contain the phrase “company confidential.”
  • Give quarantine access to specific groups of users. This is called a restricted quarantine.
  • Send a rejection notice to senders when you block delivery of their quarantined messages.
  • Send automatic notifications to admins about quarantined messages.
Send messages to multiple quarantines

You can create multiple custom quarantines. For example, you might want to create one quarantine for outgoing messages that contain sensitive content, and a different quarantine for incoming messages that have potentially dangerous attachments.

Messages can be sent to more than one quarantine. This happens when you have multiple quarantines and multiple settings that send messages to different quarantines. When a message matches more than one quarantine setting, it’s sent to all quarantines specified in the matched settings.

Delete quarantines
You can’t delete custom quarantines that are referenced in a quarantine setting. To delete these quarantines, first delete the setting that references the quarantine. Or, edit the setting to send messages to another quarantine.
Supported message types

You can take action only on quarantined messages to or from users registered with your Google Workspace account. These message types can’t be quarantined:

  • Messages sent to Groups
  • Messages to or from suspended or deactivated accounts
Outgoing messages
  • Outgoing messages that are quarantined appear in the sender’s Sent folder. Deleting the message from the Sent folder has no impact on the message quarantine status.
  • To avoid sending a large number of messages to quarantine, don’t send external messages to large email lists. When a group or list message is quarantined, a copy of the message is quarantined for each recipient. This can result in a large number of quarantined messages.
Notifications

Turn on notifications in the quarantine’s settings:

  • To notify senders when their message is quarantined, use the quarantine setting option Send the default reject message.
  • To notify admins periodically about newly quarantined messages, use the quarantine setting option Notify periodically when messages are quarantined.

Recipients are never notified when a message is quarantined.

S/MIME messages
  • If a sender requests S/MIME encryption for an outgoing message that matches a quarantine setting, the message is rejected and isn’t sent to quarantine.
  • If an admin sets compliance and routing rules for S/MIME for outgoing messages, messages that match the settings are sent to quarantine.  

Set up an email quarantine

Google Workspace has a default email quarantine that you can use for all quarantined messages. If your organization is relatively small or doesn’t send or receive a lot of email, then the default quarantine might meet your quarantine requirements.

Admins can create custom quarantines for more flexibility and scale. You can create multiple custom quarantines. For example, you might want to create one quarantine for outgoing messages that contain sensitive content, and a different quarantine for incoming messages that have potentially dangerous attachments.

With custom quarantines, you can:

  • Give quarantine access to specific groups of users, called a restricted quarantine.
  • Send a rejection notice to senders when you deny delivery of quarantined messages.
  • Sending an automatic message when quarantined messages are denied delivery.

To set up a custom email quarantine, first add a new quarantine, then add settings that send messages to the quarantine.

Step 1: Add an email quarantine

Set up one or more quarantines in your Google Admin console.

Do this step before adding settings to quarantine messages, because you must specify the quarantine in the setting.

To add a quarantine:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenManage quarantines.
  3. Click Add Quarantine.
  4. In the Add Quarantine settings box, take these steps:
    Setting option What to do
    Name

    Enter a name for the quarantine. You might want to use a name that describes what type of rule sends messages to this quarantine, for example, Suspicious attachments. This name appears next to each message in the quarantine dashboard.

    Description (Optional) Add more details about this quarantine. This description is displayed on the quarantine dashboard.
    Quarantine reviewers group

    (Optional) You can let other people in your organization access this quarantine. They must be in a group that you set up for this purpose. If you don’t select a group, access to this quarantine is limited to super admins and admins that have been assigned the Access Admin Quarantine Gmail privilege.

    To create a new group for quarantine access, in the Add quarantine box, click Manage Groups. For detailed steps, visit Let your users access email quarantine.

    To give an existing group access to this quarantine:

    1. Click Select groups.
    2. In the Select groups window, scroll or search to find a group.
    3. Click the group name to select it.
    4. In the upper right of the Select group window, click X to close the window and save the group in the quarantine setting.
    5. To give access to more groups, repeat steps a to d.
    Inbound denial consequence

    Select an action to take when you prevent delivery of incoming messages that are quarantined by this setting:

    • Drop message: The message isn’t delivered to the recipients and is deleted. The sender doesn’t get a notification about this.
    • Send the default reject message: The message isn’t delivered to the recipients and is deleted. A rejection message is delivered to the sender.

    Learn more about reject message behavior in Using default reject messages.

    Outbound denial consequence

    Select an action to take when you prevent delivery of outgoing messages that are quarantined by this setting:

    • Drop message: The message isn’t delivered to the recipients and is deleted. The sender doesn’t get a notification about this.
    • Send the default reject message: The message isn’t delivered to the recipients and is deleted. A rejection message is delivered to the sender.

    Learn more about reject message behavior in Using default reject messages.

    Notify periodically when messages are quarantined

    (Optional) Select this option to send periodic automated notifications to super admins when messages are quarantined. 

    Notification content: Notifications include the number of messages added to each quarantine and the total number of messages quarantined during the notification period.

    Timing: Notifications are sent within an hour after a message is quarantined. Notification frequency and timing is based on how often new messages are quarantined. There's a maximum of 1 notification per hour.

    Recipients: Notifications are sent only to super admins. They’re not sent to users with Access Admin Quarantine admin role privileges, or to groups with quarantine privileges.

  5. At the bottom of the Add setting box, click Save. The new quarantine is added to the Manage quarantines table.
    Changes can take up to 24 hours but typically happen more quickly. Learn more
  6. To add more quarantines, repeat these steps.

To delete or modify a quarantine, in the Manage quarantines table, select the action in the Actions column.

Using default reject messages

This section has important information about the Send the default reject message option in quarantine settings.

  • When you deny an inbound group message, reject messages are dropped (aren’t delivered to the sender), even when this option is selected in the quarantine's setting.
  • Each time you deny one or more messages in a single action, the sender gets a reject message. For example, if you select 3 messages from a sender, and click Deny, and then select 5 messages from the same sender and click Deny, the sender gets 2 reject messages. To minimize the number of reject messages to senders, select all messages from a single sender at once, then click Deny. The sender gets a single reject message listing all denied messages and their recipients.
  • Reject messages include the subject of the original, quarantined message in the message body. So, if the subject caused the original message to be quarantined, the reject message is also at risk of being quarantined. To address this, update the quarantine’s settings to exclude messages of type Outbound or Internal - Sending.

Step 2: Add settings to quarantine messages

After you create one or more quarantines, add settings that specify messages to be quarantined.

Messages are sent to quarantine based on settings you add in your Google Admin console. The Gmail settings in the table below have an option to quarantine messages that meet criteria specified in the setting. The setting also specifies which quarantine messages are sent to. You can send messages to the default quarantine or to a custom quarantine that you created.

For detailed steps to add, delete, or update settings that quarantine email messages, visit the page linked from the Setting column, below:

Setting Description
Attachment compliance

Quarantine messages based on attachment file name, attachment file type, or total message size (including attachments). For example, you might want to quarantine incoming and outgoing messages that contain attachments of type .exe because the attachment might be dangerous software.

Notifications: This setting has an option to send a notification to senders in your organization when they send an internal message that’s quarantined with the setting.

Content compliance

Quarantine messages if they contain a type of sensitive content that you specify, and where the sensitive content is located in the message. For example, you might want to quarantine outgoing messages that contain a credit card number in the message body.

Notifications: This setting has an option to send a notification to senders in your organization when they send an internal message that’s quarantined with the setting.

Objectionable content Quarantine messages based if they include certain words that you specify, from a list of custom words that you create. For example, you might want to quarantine incoming messages that contain profane language.
Routing

Quarantine messages based on who sent them or who the recipients are. For example, you might want to quarantine all incoming messages from a domain that has sent malicious emails to your users in the past.

Notifications: This setting has an option to send a notification to senders in your organization when they send an internal message that’s quarantined with the setting.

Spam Quarantine incoming messages that Gmail determines to be spam.

Related topics

Manage quarantined messages

Let your users access email quarantine

Moderate Chat and Gmail messages

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu