You must be signed in as a super administrator to perform these tasks.
As an administrator, you can create settings to quarantine messages sent to and from your organization. You can also assign admin privileges to specific users to let them manage quarantined messages.
Quarantines help prevent spam, minimize data loss, and protect confidential information. Quarantines also help manage message attachments, so users don’t open or send something they shouldn’t. When a message is quarantined, it's sent to the admin quarantine, where an admin can take any of the following actions:
- Display the rule that caused the message to be quarantined
- Deliver the message to the intended recipient
- Deny message delivery
- Take no action
You can set up quarantine alerts to get periodic alerts when new messages are quarantined. Messages in the quarantine are stored on Google's servers until an action is taken.
- You can only take action on quarantined messages from registered Google Workspace users.
- You can't take action on messages associated with accounts that are suspended or disabled.
- Messages are only quarantined for users, and not for groups.
Quarantined messages for recipients and senders
- Quarantined incoming messages: The intended recipient isn't alerted about the message unless you release it for delivery.
- Quarantined outgoing messages: These messages appear in the sender’s Sent folder. These messages aren't delivered to the recipient unless an admin releases them from quarantine. If the sender deletes the message from their Sent folder after it appears in the quarantine, the message remains in the quarantine until you act on it, or until it's deleted 30 days after delivery.
Email quarantine and Vault
Quarantined messages are retained and available for up to 30 days after delivery in Admin quarantine, regardless of your Vault retention period setting. Messages are automatically removed from Admin quarantine after 30 days.
If your Vault retention period is longer than 30 days, quarantined message older than 30 days are available in Vault until the retention period expires.
Create quarantines with these policies and settings in the Admin console.
You can also assign admin privileges to specific users to access and manage email messages in one or more quarantines.Add, edit, delete, and review quarantines
In your Admin console, you can add, edit, delete, and review email quarantines.
To add a quarantine:
From the Admin console, go to AppsGoogle WorkspaceGmailManage quarantines.
Click Add Quarantine.
Assign quarantine settings:
Enter a name and description.
For incoming and outgoing messages, choose whether or not to send a reject message to the sender when you deny delivery of a quarantined message.
(Optional) Select Notify periodically when messages are quarantined.
- Click Save.
To edit a quarantine:
- From the Admin console, go to AppsGoogle WorkspaceGmailManage quarantines.
Click Edit next to the desired quarantine.
Make the desired changes and click Save.
To delete a quarantine:
- From the Admin console, go to AppsGoogle WorkspaceGmailManage quarantines.
- Click Delete to the right of the quarantine name and confirm. Any remaining messages in the quarantine are moved to the Default quarantine.
To review quarantine settings:
- From the Admin console, go to AppsGoogle WorkspaceGmailManage quarantines.
- Click Go to Admin Quarantine. All quarantines, including the admin quarantine, are displayed.
- To the right of the desired quarantine name, click and choose Settings to display the current settings.
- (Optional) To edit the quarantine's settings from this page, click Go to Google Workspace Admin Console to Edit.
In the Admin console, you set up and configure policies to quarantine messages using any of these Gmail settings:
For each setting, you can quarantine messages that match the configuration criteria, then select the quarantine for the selected messages.
For compliance and routing settings, you can also choose to notify internal senders when their outbound and internal, sent messages are quarantined.
After setting up and configuring policies for a quarantine, you can view and manage messages in it.
To open the admin quarantine:
From the Admin console dashboard, go to AppsGoogle WorkspaceGmailManage quarantines.
Click Go to admin quarantine to display all the quarantines.
Inbound and outbound messages
Messages appear with the quarantine name and a status of inbound our outbound.
- If an inbound message includes multiple recipients, the message appears in the quarantine once for each recipient. For example, a message with five recipients appears in the quarantine five times.
- Outbound messages you allow to be delivered are quarantined only once before delivery. For this reason, if you plan to quarantine internal messages, configure the quarantine to Internal - Sending, instead of Internal - Receiving. That way, only one message is quarantined before it’s delivered to the individual recipients.
Tip: To avoid filling the quarantine with a large number of messages, we recommend you prevent large email lists from getting external messages.
View and manage quarantined messages
|Action||How to do it|
View quarantined, allowed, and denied messages
By default, all quarantined messages appear in the list. To sort the messages, click a label on the left. If you don't see the quarantine list on the left, click Menu .
Only messages delivered within your Vault retention period appear in Denied or Allowed. If you don’t act on or deny a message, it's automatically deleted when your retention period expires. The default retention period is 30 days from the time the message was sent or received.
|Display message and rule definition that triggered quarantine||
Click the message in the list to display the message and the rule definition that caused the email to be routed to the quarantine.
If the matched string value is found in the visible fields of the message (sender header, recipients header, message body, or subject), it's highlighted in the message.
Important: Source and matched string are displayed when available. Gmail makes a best effort to display the rule associated with a message, but some messages may not display a rule.
Search for messages
Enter a search term in the field. The search returns currently quarantined messages from the default quarantine and any quarantines you create. It doesn’t search Denied or Allowed messages.
The entire message is searched, including the sender and recipient address, subject, and message body. You can use advanced search operators to search a particular part of the message.
Allow delivery of one or more quarantined messages
Check the box to the left of each recipient name, and then click Allow.
If a user doesn’t see an allowed message in their inbox, ask them to search for the message in all folders, including the Trash folder.
Note: Some spam messages might be rejected when Gmail makes a connection to transmit the message. These messages aren't sent to admin quarantine, even if you selected the Put spam in administrative quarantine option in your Spam setting.
Deny delivery of one or more quarantined messages
Check the box to the left of each recipient name and click Deny, then click Deny again to confirm.
Notes about rejection notices:
When you start selecting messages, the bulk action option becomes available. Unlike the Select All box, which only applies to messages in your current view, you can use the bulk action to deny or approve all messages in the selected quarantine or search results.
If you choose to send a reject message when you deny a quarantined message, keep the following in mind:
- If you deny an inbound message sent to multiple recipients in your domain, the sender receives a reject message each time you select a group of recipients to deny.
To get around this, you can check the boxes for all message recipients so that the sender receives a single reject message containing the entire list of rejected recipients. If you don’t select all recipients and later reject other recipients, the sender receives a second notification.
- Reject messages include the subject of the original message as part of the body of the reject message. For this reason, if the term that caused the original message to be quarantined appears in the subject, the reject message may also be quarantined when the message is denied, depending how you set up the quarantine (to include either Outbound or Internal - Sending messages).
- If you deny an inbound group message, a reject message is not delivered to the sender. The reject message is dropped.
S/MIME signing and encryption:
- If a sender requests S/MIME signing and encryption for outgoing messages, the message is rejected and is not delivered to the quarantine.
- If an admin sets compliance and routing rules for S/MIME signing and encryption for outgoing messages, the message is unaffected and is delivered to the quarantine.
If you select Notify periodically when messages are quarantined when you add or edit a quarantine in the Admin console, you'll get periodic alerts when new messages are quarantined.
The quarantine alerts show the following for the quarantines configured to receive alerts:
The number of messages received for each quarantine.
The total number of messages quarantined during the notification interval.
You're notified of newly quarantined mail within an hour of its appearance in admin quarantine. The frequency and timing of the alerts varies based on how often new quarantined mail arrives, but will never be more than once hourly.
Let users manage email quarantines
Super administrators can assign admin privileges to specific users to manage messages in the default quarantine and other customized quarantines.
Note: These steps assume you've created and configured quarantine policies. If you need help setting up and configuring quarantines, see the instructions at top the of this article.Assign admin roles and quarantines
The admin role you assign a user determines which quarantines they can see and manage.
- Access Admin Quarantine: Users can see and manage messages in any quarantine, including the default quarantine.
- Access restricted quarantine: Users can see and manage messages in restricted quarantines.
To ensure privacy, each time a user signs into either admin role to manage email messages, the message ID and quarantine name is recorded. You can search for these events in Admin Reports to see what action was taken.
Before you begin
As an administrator, you set up and assign admin roles to specific users that let them access and manage messages in a quarantine. You must complete all the steps below to successfully set up and associate users with quarantines.
Step 1: Create a new role with quarantine privileges
- From the Admin Console, click Admin roles, then click Create a new role.
- Enter a name and a description and click Create.
- On the Privileges tab, under Gmail, check the Access Admin quarantine or Access restricted quarantines box.
- Click Save. The new role is selected and displayed under User created roles.
Step 2: Assign users to the admin role
- With the role selected, click the Admins tab, and then click Assign admins. Enter a user name or email address. Entering a user's name automatically displays their email address.
- If you're assigning more than one user to the role, click Assign more. After you enter the user's names, click Confirm assignment.
Step 3: Create a group for users
- From the Admin console, click Groups; then click Add .
- Enter a name, email address, and description for the group.
- For Access Level, select Restricted.
- Click Create.
Next, add the users to the group.
Step 4: Add users to the group
- From the Admin console, go to Users.
- Find the user in the list and click to open their account page.
- On the user's account page, click Groups. Any groups the user already belongs to are displayed.
- Click Add .
- Locate and select the group you created for users with quarantine privileges.
- Click Add.
Step 5: Add the group to a quarantine
- Go to Apps Google WorkspaceGmail to display the Gmail settings page.
- Select Manage quarantines; then click Edit next to the desired quarantine.
- In the Edit quarantine panel, click Select groups and select the group you created for admin quarantine users.
After completing the steps above, users can sign in and access the quarantine they're assigned to. Users with admin privileges see the Admin console when they sign in.
Note: When mail messages are quarantined, notifications are sent only to the super admin. Quarantine notifications are not sent to groups with quarantine privileges.
After assigning a user admin privileges to a quarantine, they can access and manage messages in the quarantine they're associated with.
To manage messages in a quarantine:
- Sign into your Google Workspace account.
- In your web browser, go to https://email-quarantine.google.com/adminreview. Depending on the admin role you're assigned, all quarantines associated with a group you're a member of appear.
- Select the desired quarantine at the left; then view and manage quarantine messages.
Messages that appear in quarantines are based on a user's admin privileges and the policies configured for the quarantine. The following guidelines apply to quarantines and the users associated with them and may help you troubleshoot common quarantine issues.
Messages in the default quarantine
Messages in the default quarantine have been identified as spam or match a policy you configured. Additional messages may appear in the default quarantine for the following reasons:
- If you configure a quarantine rule but don't associate it with a quarantine, messages are sent to the default quarantine.
- If a quarantine is deleted, all messages in that quarantine are sent to the default quarantine.
Messages in the All Quarantines folder
Messages that appear in the All Quarantines folder are based on the user's admin privilege.
- Access admin quarantine: Emails in all quarantines, including the default quarantine, are displayed.
- Access restricted quarantine: Emails in restricted quarantines the admin is associated with are displayed. Messages in the default quarantine are not displayed.
Important: If any admin denies message delivery from the All Quarantines folder, the settings associated with the default quarantine apply, even if they're different than the settings of the current quarantine.
Messages in the Denied and Allowed folders
Messages that appear in the Denied and Allowed folders are determined by the user's admin privilege.
- Access admin quarantine: Emails in the Denied and Allowed folders are displayed, including the default quarantine.
- Access restricted quarantine: Only emails in Denied and Allowed folders with quarantines the user is associated with are displayed. Messages in the default quarantine are not displayed.
Messages in a restricted quarantine
Messages in restricted quarantines can only be managed (allowed or denied) by users with admin privileges for those quarantines. Messages in the default quarantine are not displayed.
Admin user removed from a group
If a user with admin privileges is removed from a group associated with a quarantine, messages in that quarantine are no longer displayed and can't be managed by the user. If the user tries to load a quarantine or manage message delivery, an error is displayed.
Groups removed from a quarantine
If a group is no longer associated with a quarantine, admins with restricted quarantine privileges lose access to that quarantine.