G Suite super administrators can configure policies and settings to quarantine messages sent to and from your organization. In addition, you can assign admin privileges to specific users to let them manage messages in a quarantine.
Quarantines can help prevent spam, minimize data loss, and protect confidential information. They can also help moderate message attachments so users don’t send, open, or click something they shouldn’t. When a message is quarantined, it's delivered to the admin quarantine, where an admin can take any of the following actions:
- Display the rule that caused the message to be quarantined
- Deliver the message to the intended recipient
- Deny message delivery
- Take no action. Messages are automatically deleted when your Vault retention period expires. The default retention period is 30 days from the time the message was sent or received.
You can also choose to receive periodic quarantine alerts. Messages in the quarantine are stored on Google's servers until an action is taken.
What about recipients and senders of quarantined messages?
- For a quarantined inbound message, the intended recipient receives no indication of the message unless you release it for delivery.
- A quarantined outbound message appears in the sender’s Sent folder, but isn’t delivered to the recipient unless an admin releases it from the quarantine. If the sender deletes the message from their Sent folder after it appears in the quarantine, the message remains in the quarantine until you act on it, or until it's deleted 30 days after delivery.
- You can only take action on quarantined messages from registered G Suite users.
Messages are only quarantined for users, and not for groups.
You create quarantines by setting up policies and settings in the Admin console. You can also assign admin privileges to specific users to access and manage email messages in one or more quarantines.Add, edit, delete, and review quarantines
In the Google Admin console, you can add, edit, delete, and review email quarantines.
To add a quarantine:
From the Admin console, go to AppsG SuiteGmailManage quarantines.
Click Add Quarantine.
Assign quarantine settings:
Enter a name and description.
For incoming and outgoing messages, choose whether or not to send a reject message to the sender when you deny delivery of a quarantined message.
(Optional) Select Notify periodically when messages are quarantined.
- Click Save.
To edit a quarantine:
- From the Admin console, go to AppsG SuiteGmailManage quarantines.
Click Edit next to the desired quarantine.
Make the desired changes and click Save.
To delete a quarantine:
- From the Admin console, go to AppsG SuiteGmailManage quarantines.
- Click Delete to the right of the quarantine name and confirm. Any remaining messages in the quarantine are moved to the Default quarantine.
To review quarantine settings:
- From the Admin console, go to AppsG SuiteGmailManage quarantines.
- Click Go to Admin Quarantine. All quarantines, including the admin quarantine, are displayed.
- To the right of the desired quarantine name, click and choose Settings to display the current settings.
- (Optional) To edit the quarantine's settings from this page, click Go to G Suite Admin Console to Edit.
In the Admin console, you set up and configure policies to quarantine messages using any of these Gmail settings:
For each setting, you can quarantine messages that match the configuration criteria and then select the quarantine for the selected messages. For compliance and routing settings, you can also choose to notify internal senders when their outbound and internal-sending messages are quarantined.
After setting up and configuring policies for a quarantine, you can view and manage messages in it.
To open the admin quarantine:
From the Admin console dashboard, go to AppsG SuiteGmailManage quarantines.
Click Go to admin quarantine to display all the quarantines.
Inbound and outbound messages
Messages appear with the quarantine name and a status of inbound our outbound.
- If an inbound message includes multiple recipients, the message appears in the quarantine once for each recipient. For example, a message with five recipients appears in the quarantine five times.
- Outbound messages you allow to be delivered are quarantined only once before delivery. For this reason, if you plan to quarantine internal mail, configure the quarantine to Internal - Sending, instead of Internal - Receiving. That way, only one message is quarantined before it’s delivered to the individual recipients.
Tip: To avoid filling the quarantine with a large number of messages, we recommend that you not allow large email lists to receive messages from the public.
View and manage quarantined messages
|Action||How to do it|
View quarantined, allowed, and denied messages
By default, all quarantined messages appear in the list when you sign in. To sort the messages, click a label on the left. If you don't see the quarantine list on the left, click Menu .
Only messages delivered within your Vault retention period appear in Denied or Allowed. If you don’t act on or deny a message, it is automatically deleted when your retention period expires. The default retention period is 30 days from the time the message was sent or received.
|Display message and rule definition that triggered quarantine||
Click the message in the list to display the message and the rule definition that caused the email to be routed to the quarantine.
If the matched string value is found in the visible fields of the message (sender header, recipients header, message body, or subject), it is highlighted in the message.
Important: Source and matched string are only displayed when available. Although the best effort is made to display the rule associated with a message, some messages may not display a rule.
Search for messages
Enter a search term in the field. The search returns currently quarantined messages from the default quarantine and any quarantines you create. It doesn’t search Denied or Allowed messages.
The entire message is searched, including the sender and recipient address, subject, and message body. You can use advanced search operators to search a particular part of the message.
Allow delivery of one or more quarantined messages
Check the box to the left of each recipient name, and then click Allow.
If a user doesn’t see an allowed message in their inbox, ask them to search for the message in all folders, including the Trash folder.
Note: Some messages are so spammy they're rejected at connection time. Those messages are not routed to the admin quarantine, even if you selected the "Put spam in administrative quarantine" option in your Spam setting.
Deny delivery of one or more quarantined messages
Check the box to the left of each recipient name and click Deny; then click Deny again to confirm.
Notes on rejection notices:
When you begin selecting messages, the bulk action option becomes available. Unlike the Select All box, which only applies to messages in your current view, you can deny or approve all messages in the selected quarantine or search results using bulk action.
If you choose to send a reject message when you deny a quarantined message, keep the following in mind:
- If you deny an inbound message sent to multiple recipients in your domain, the sender receives a reject message each time you select a group of recipients to deny. To get around this, you can check the boxes for all message recipients so that the sender receives a single reject message containing the entire list of rejected recipients. If you don’t select all recipients and later reject other recipients, the sender receives a second notification.
- Reject messages include the subject of the original message as part of the body of the reject message. For this reason, if the term that caused the original message to be quarantined appears in the subject, the reject message may also be quarantined when the message is denied, depending on if you set up the quarantine to include either Outbound or Internal - Sending messages.
- If you deny an inbound group message, a reject message is not delivered to the sender. The reject message is simply dropped.
S/MIME signing and encryption:
- If a sender requests S/MIME signing and encryption for outgoing messages, the message is rejected and is not delivered to the quarantine.
- If an admin sets compliance and routing rules for S/MIME signing and encryption for outgoing messages, the message is unaffected and is delivered to the quarantine.
If you select Notify periodically when messages are quarantined when you add or edit a quarantine in the Admin console, you'll receive periodic alerts when new messages are quarantined.
The quarantine alerts show the following for the quarantines configured to receive alerts:
The number of messages received for each quarantine.
The total number of messages quarantined during the notification interval.
You'll be notified of newly quarantined mail within an hour of its appearance in admin quarantine. The frequency and timing of the alerts varies based on how often new quarantined mail arrives, but will never be more than once hourly.
Let users manage email quarantines
G Suite super administrators can assign admin privileges to specific users to manage messages in the default quarantine and other customized quarantines.
Note: The steps in this section assume you've created and configured quarantine policies. If you need help setting up and configuring quarantines, see the instructions at top the of this article.Assign admin roles and quarantines
The admin role you assign a user determines which quarantines they can see and manage.
- Access Admin Quarantine—Users can see and manage messages in any quarantine, including the default quarantine.
- Access restricted quarantine—Users can see and manage messages in restricted quarantines.
To ensure privacy, each time a user signs into either admin role to manage email messages, the message ID and quarantine name is recorded. You can search for these events in Admin Reports to see what action was taken.
Before you begin
As a G Suite administrator, you set up and assign admin roles to specific users that let them access and manage messages in a quarantine. You must complete all the steps below to successfully set up and associate users with quarantines.
Step 1: Create a new role with quarantine privileges
- From the Admin Console, click Admin roles; then click Create a new role.
- Enter a name and a description and click Create.
- On the Privileges tab, under Gmail, check the Access Admin quarantine or Access restricted quarantines box.
- Click Save. The new role is selected and displayed under User created roles.
Step 2: Assign users to the admin role
- With the role selected, click the Admins tab, and then click Assign admins. Enter a user name or email address. (Entering a user's name automatically displays their email address.)
- If you're assigning more than one user to the role, click Assign more. When you've entered the desired user names, click Confirm assignment.
Step 3: Create a group for users
- From the Admin console, click Groups; then click Add .
- Enter a name, email address, and description for the group.
- For Access Level, select Restricted.
- Click Create.
Next, add the users to the group.
Step 4: Add users to the group
- From the Admin console, go to Users.
- Find the user in the list and click to open their account page.
- On the user's account page, click Groups. Any groups the user already belongs to are displayed.
- Click Add .
- Locate and select the group you created for users with quarantine privileges.
- Click Add.
Step 5: Add the group to a quarantine
- Go to Apps > G Suite > Gmail to display the Gmail settings page.
- Select Manage quarantines; then click Edit next to the desired quarantine.
- In the Edit quarantine panel, click Select groups and select the group you created for admin quarantine users.
After completing the steps above, users can sign in and access the quarantine they're assigned to. Users with admin privileges see the Admin console when they sign in.
Note: When mail messages are quarantined, notifications are sent only to the super admin. Quarantine notifications are not sent to groups with quarantine privileges.
After assigning a user admin privileges to a quarantine, they can access and manage messages in the quarantine they're associated with.
To manage messages in a quarantine:
- Sign into your G Suite account.
- In your web browser, go to https://email-quarantine.google.com/adminreview. Depending on the admin role you're assigned, all quarantines associated with a group you're a member of appear.
- Select the desired quarantine at the left; then view and manage quarantine messages.
Messages that appear in quarantines are based on a user's admin privileges and the policies configured for the quarantine. The following guidelines apply to quarantines and the users associated with them and may help you troubleshoot common quarantine issues.
Messages in the default quarantine
Messages in the default quarantine have been identified as spam or match a policy you configured. Additional messages may appear in the default quarantine for the following reasons:
- If you configure a quarantine rule but don't associate it with a quarantine, messages are sent to the default quarantine.
- If a quarantine is deleted, all messages in that quarantine are sent to the default quarantine.
Messages in the All Quarantines folder
Messages that appear in the All Quarantines folder are based on the user's admin privilege.
- Access admin quarantine—Emails in all quarantines, including the default quarantine, are displayed.
- Access restricted quarantine—Emails in restricted quarantines the admin is associated with are displayed. Messages in the default quarantine are not displayed.
Important: If any admin denies message delivery from the All Quarantines folder, the settings associated with the default quarantine apply, even if they're different than the settings of the current quarantine.
Messages in the Denied and Allowed folders
Messages that appear in the Denied and Allowed folders are determined by the user's admin privilege.
- Access admin quarantine—Emails in the Denied and Allowed folders are displayed, including the default quarantine.
- Access restricted quarantine—Only emails in Denied and Allowed folders with quarantines the user is associated with are displayed. Messages in the default quarantine are not displayed.
Messages in a restricted quarantine
Messages in restricted quarantines can only be managed (allowed or denied) by users with admin privileges for those quarantines. Messages in the default quarantine are not displayed.
Admin user removed from a group
If a user with admin privileges is removed from a group associated with a quarantine, messages in that quarantine are no longer displayed and can't be managed by the user. If the user tries to load a quarantine or manage message delivery, an error is displayed.
Groups removed from a quarantine
If a group is no longer associated with a quarantine, admins with restricted quarantine privileges lose access to that quarantine.