Set up and manage email quarantines

G Suite super administrators can configure policies and settings to quarantine messages sent to and from your organization. In addition, you can assign admin privileges to specific users to let them access and manage messages in a quarantine. 

Quarantines can help prevent spam, minimize data loss, and protect confidential information. They can also help moderate message attachments so your users don’t send, open, or click something they shouldn’t. When a message is quarantined, it isn’t delivered to the intended recipient—it's delivered to the admin quarantine, where the admin can take any of the following actions:  

  • Deliver the message to the intended recipient.
  • Deny message delivery.
  • Take no action. The message is deleted after 30 days. 

 You can also choose to receive periodic quarantine alerts.

What about recipients and senders of quarantined messages?

  • For a quarantined inbound message, the intended recipient receives no indication of the message unless you release it for delivery.
  • A quarantined outbound message appears in the sender’s Sent Items folder, but isn’t delivered to the recipient unless you or another admin release it from the quarantine. If the sender deletes the message from their Sent folder after it appears in the quarantine, the message remains in the quarantine until you act on it, or until it is deleted after 30 days. 

Notes

  • You can only take action on quarantined messages from registered G Suite users.
  • Messages are only quarantined for users, and not for groups. 

Set up and manage email quarantines

You create quarantines by setting up policies and settings in the Admin console. You can also assign admin privileges to specific users to access and manage email messages in one or more quarantines.

Add, edit, delete, and review quarantines

In the Google Admin console, you can add, edit, delete, and review email quarantines.

To add a quarantine: 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console, go to Appsand thenG Suiteand thenGmailand thenManage quarantines.

  3. Click Add Quarantine.

  4. Assign quarantine settings: 

    • Enter a name and description.

    • For incoming and outgoing messages, choose whether or not to send a reject message to the sender when you deny delivery of a quarantined message.

    • (Optional) Select Notify periodically when messages are quarantined.

  5. Click Save.

To edit a quarantine:

  1. From the Admin console, go to Appsand thenG Suiteand thenGmailand thenManage quarantines.
  2. Click Edit next to the desired quarantine.

  3. Make the desired changes and click Save.

To delete a quarantine:

  1. From the Admin console, go to Appsand thenG Suiteand thenGmailand thenManage quarantines.
  2. Click Delete to the right of the quarantine name and confirm. Any remaining messages in the quarantine are moved to the Default quarantine.
Note: Quarantines in use by one or more policy settings can't be deleted. To delete an active quarantine, go to the relevant setting and point it to a different quarantine. 
 

To review quarantine settings:

  1. From the Admin console, go to Appsand thenG Suiteand thenGmailand thenManage quarantines.
  2. Click Go to Admin Quarantine. All quarantines, including the admin quarantine, are displayed.
  3. To the right of the desired quarantine name, click  and choose Settings to display the current settings. 
  4. (Optional) To edit the quarantine's settings from this page, click Go to G Suite Admin Console to Edit.
Configure policies to quarantine messages

In the Admin console, you set up and configure policies to quarantine messages using any of these Gmail settings:

For each setting, you can quarantine messages that match the configuration criteria and then select the quarantine for the selected messages. For compliance and routing settings, you can also choose to notify internal senders when their outbound and internal-sending messages are quarantined.

Manage quarantined messages

After setting up and configuring policies for a quarantine, you can view and manage messages in it.

To open the admin quarantine:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Appsand thenG Suiteand thenGmailand thenManage quarantines
  3. Click Go to admin quarantine to display all the quarantines. 
Tip: You can view any quarantine's current settings by clicking  next to the quarantine name and choosing Settings.

Inbound and outbound messages

Messages appear with the quarantine name and a status of inbound our outbound.  

  • If an inbound message includes multiple recipients, the message appears in the quarantine once for each recipient. For example, a message with five recipients appears in the quarantine five times.
  • Outbound messages you allow to be delivered are quarantined only once before delivery. For this reason, if you plan to quarantine internal mail, configure the quarantine to Internal - Sending, instead of Internal - Receiving. That way, only one message is quarantined before it’s delivered to the individual recipients.

Tip: To avoid filling the quarantine with a large number of messages, we recommend that you not allow large email lists to receive messages from the public. 

View and manage quarantined messages

Action How to do it

View quarantined, allowed, and denied messages

By default, all quarantined messages appear in the list when you sign in. To sort the messages, click a label on the left. If you don't see the quarantine list on the left, click Menu Menu.

Only messages received in the last 30 days appear in Denied or Allowed. If you don’t act on or deny a message after 30 days, it’s automatically deleted from the quarantine.

View message content

Click the message in the list.

Search for messages

Enter a search term in the field. The search returns currently quarantined messages from the default quarantine and any quarantines you create. It doesn’t search Denied or Allowed messages.

The entire message is searched, including the sender and recipient address, subject, and message body. You can use advanced search operators to search a particular part of the message.

Allow delivery of one or more quarantined messages

Check the box to the left of each recipient name, and then click Allow.

If a user doesn’t see an allowed message in their inbox, ask them to search for the message in all folders, including the Trash folder.

Note: Some messages are so spammy they're rejected at connection time. Those messages are not routed to the admin quarantine, even if you selected the "Put spam in administrative quarantine" option in your Spam setting.

Deny delivery of one or more quarantined messages

Check the box to the left of each recipient name and click Deny; then click Deny again to confirm.

Notes on rejection notices:

  • When you deny a message, the quarantine either drops the message or sends a default rejection notice, depending on the currently selected quarantine.
  • If a message appears in multiple quarantines, the action taken depends on which quarantine is currently selected, even if the other quarantines are set up to perform a different action.
  • All messages appear in the default quarantine. If you reject a message in the default quarantine, the reject action that's been set up for the default quarantine is applied.

Bulk Action

When you begin selecting messages, the bulk action option becomes available. Unlike the Select All box, which only applies to messages in your current view, you can deny or approve all messages in the selected quarantine or search results using bulk action.

 

Send reject messages

If you choose to send a reject message when you deny a quarantined message, keep the following in mind:

  • If you deny an inbound message sent to multiple recipients in your domain, the sender receives a reject message each time you select a group of recipients to deny. To get around this, you can check the boxes for all message recipients so that the sender receives a single reject message containing the entire list of rejected recipients. If you don’t select all recipients and later reject other recipients, the sender receives a second notification.
  • Reject messages include the subject of the original message as part of the body of the reject message. For this reason, if the term that caused the original message to be quarantined appears in the subject, the reject message may also be quarantined when the message is denied, depending on if you set up the quarantine to include either Outbound or Internal - Sending messages.
  • If you deny an inbound group message, a reject message is not delivered to the sender. The reject message is simply dropped.
Identify unsupported message types 

S/MIME signing and encryption:       

  • If a sender requests S/MIME signing and encryption for outgoing Gmail messages, the message is automatically rejected and is not delivered to the quarantine. 
  • If an admin sets compliance and routing rules for S/MIME signing and encryption for outgoing messages, the message is unaffected and is delivered to the quarantine.   
Receive quarantine alerts

If you select Notify periodically when messages are quarantined when you add or edit a quarantine in the Admin console, you'll receive periodic alerts when new messages are quarantined.

The quarantine alerts show the following for the quarantines configured to receive alerts:

  • The number of messages received for each quarantine.

  • The total number of messages quarantined during the notification interval.

You'll be notified of newly quarantined mail within an hour of its appearance in admin quarantine. The frequency and timing of the alerts varies based on how often new quarantined mail arrives, but will never be more than once hourly.

NOTE: The quarantine summary report and Admin quarantine are not the same. Learn more.

Let users manage email quarantines

G Suite super administrators can assign admin privileges to specific users to manage messages in the default quarantine and other customized quarantines. When a user with an admin role signs in to their Google account, they see the Admin console.

Note: The steps in this section assume you've created and configured policies for your quarantines. If you need help setting up and configuring quarantines, see the instructions at top the of this article.

Assign admin roles and quarantines

The admin role you assign a user determines which quarantines they can see and manage.

  • Access Admin Quarantine—Users can see and manage messages in any quarantine, including the default quarantine.
  • Access restricted quarantine—Users can see and manage messages in restricted quarantines.

To ensure privacy, each time a user signs into either admin role to manage email messages, the message ID and quarantine name is recorded. You can search for these events in Admin Reports to see what action was taken.

Before you begin

As a G Suite administrator, you set up and assign admin roles to specific users that let them access and manage messages in a quarantine. You must complete all the steps below to successfully set up and associate users with quarantines.  

Step 1: Create a new role with quarantine privileges

  1. From the Admin Console, click Admin roles; then click Create a new role.
  2. Enter a name and a description and click Create.
  3. On the Privileges tab, under Gmail, check the Access Admin quarantine or Access restricted quarantines box.
  4. Click Save. The new role is selected and displayed under User created roles.

Step 2: Assign users to the admin role

  1. With the role selected, click the Admins tab, and then click Assign admins. Enter a user name or email address. (Entering a user's name automatically displays their email address.)
  2. If you're assigning more than one user to the role, click Assign more. When you've entered the desired user names, click Confirm assignment.

Step 3: Create a group for users 

  1. From the Admin console, click Groups; then click Add Add.
  2. Enter a name, email address, and description for the group.
  3. For Access Level, select Restricted
  4. Click Create.

Next, add the users to the group.  

Step 4: Add users to the group 

  1. From the Admin console, go to Users.
  2. Find the user in the list and click to open their account page.
  3. On the user's account page, click Groups. Any groups the user already belongs to are displayed.
  4. Click Add Add.
  5. Locate and select the group you created for users with quarantine privileges.
  6. Click Add.

Step 5: Add the group to a quarantine  

  1. Go to Apps > G Suite > Gmail to display the Gmail settings page.
  2. Select Manage quarantines; then click Edit next to the desired quarantine.
  3. In the Edit quarantine panel, click Select groups and select the group you created for admin quarantine users.
  4. Click Save.

After completing the steps above, users can sign in and access the quarantine they're assigned to. Users with admin privileges see the Admin console when they sign in.  

Manage users' access to quarantines

After assigning a user admin privileges to a quarantine, they can access and manage messages in the quarantine they're associated with.   

To manage messages in a quarantine:

  1. Sign into your G Suite account.
  2. In your web browser, go to https://email-quarantine.google.com/adminreview. Depending on the admin role you're assigned, all quarantines associated with a group you're a member of appear.
  3. Select the desired quarantine at the left; then view and manage quarantine messages
Additional quarantine and admin rules

Messages that appear in quarantines are based on a user's admin privileges and the policies configured for the quarantine. The following guidelines apply to quarantines and the users associated with them and may help you troubleshoot common quarantine issues.

Messages in the default quarantine

Messages in the default quarantine have been identified as spam or match a policy you configured. Additional messages may appear in the default quarantine for the following reasons:

  • If you configure a quarantine rule but don't associate it with a quarantine, messages are sent to the default quarantine.  
  • If a quarantine is deleted, all messages in that quarantine are sent to the default quarantine. 

Messages in the All Quarantines folder

Messages that appear in the All Quarantines folder are based on the user's admin privilege.

  • Access admin quarantine—Emails in all quarantines, including the default quarantine, are displayed. 
  • Access restricted quarantine—Emails in restricted quarantines the admin is associated with are displayed. Messages in the default quarantine are not displayed. 

Important: If any admin denies message delivery from the All Quarantines folder, the settings associated with the default quarantine apply, even if they're different than the settings of the current quarantine. 

Messages in the Denied and Allowed folders

Messages that appear in the Denied and Allowed folders are determined by the user's admin privilege.

  • Access admin quarantine—Emails in the Denied and Allowed folders are displayed, including the default quarantine.  
  • Access restricted quarantine—Only emails in Denied and Allowed folders with quarantines the user is associated with are displayed. Messages in the default quarantine are not displayed. 

Messages in a restricted quarantine

Messages in restricted quarantines can only be managed (allowed or denied) by users with admin privileges for those quarantines. Messages in the default quarantine are not displayed. 

Admin user removed from a group

If a user with admin privileges is removed from a group associated with a quarantine, messages in that quarantine are no longer displayed and can't be managed by the user. If the user tries to load a quarantine or manage message delivery, an error is displayed.  

Groups removed from a quarantine  

If a group is no longer associated with a quarantine, admins with restricted quarantine privileges lose access to that quarantine. 

Was this article helpful?
How can we improve it?