Gmail Quarantine & Content Compliance Setup

Step-by-step guide for IT admins to configure Gmail quarantine rules and content compliance policies in Google Workspace Admin Console.

Most Australian SMBs have at least one horror story: a staff member forwarded a sensitive client document to the wrong email address, an invoice with banking details arrived in a spam folder rather than the client's inbox, or a phishing email dressed up as a supplier request slipped through and cost the business hours of damage control. These are not edge cases. They are the predictable consequences of running business email without deliberately configured compliance controls.

Gmail's quarantine and content compliance features sit inside the Google Workspace Admin Console and give IT admins fine-grained control over what happens to inbound, outbound, and internal email that matches specific patterns. Quarantine holds suspicious or policy-violating messages for admin review before they reach user inboxes. Content compliance rules let you route, modify, reject, or flag email based on message content, sender, recipient, and attachment characteristics.

Together, these two capabilities form a powerful second layer of email governance that goes well beyond spam filtering. For organisations subject to Australia's Privacy Act 1988, the Spam Act 2003, or industry-specific regulations, they also create an auditable record of policy enforcement that regulators expect to see.

What this guide covers:
- What Gmail quarantine does and when to use it
- Step-by-step quarantine configuration in the Admin Console
- What content compliance rules can enforce
- Practical rule examples tailored to Australian businesses
- Best practices for rollout, monitoring, and maintenance
- How these controls align with Australian compliance frameworks


What Gmail Quarantine Actually Does

Quarantine in Google Workspace is a holding area for email that matches a policy you have defined. Instead of delivering a message to the recipient's inbox or rejecting it outright, Gmail routes it to a quarantine queue where an admin can review it and decide whether to deliver, reject, or take further action.

This is fundamentally different from spam filtering. Gmail's spam filter makes automated decisions about likely junk mail. Quarantine is a deliberate admin policy for messages that match specific organisational rules, such as emails containing regulated data types, messages from non-whitelisted external domains, or emails that trigger a content compliance check.

When Quarantine Is the Right Tool

Quarantine is most useful in three scenarios:

  1. Policy review before delivery: Messages that might violate your email policies need human review before reaching staff. For example, inbound emails from competitors or high-risk external domains.
  2. Compliance gating: Outbound emails containing sensitive data types (Tax File Numbers, credit card numbers, contract terms) that should be reviewed before leaving the organisation.
  3. Interim protection during rule tuning: When you are deploying new content compliance rules and are not yet confident in your detection logic, quarantine lets you catch potential false positives before a blocking rule goes live.

Licence Requirements

Gmail quarantine is available on all Google Workspace Business and Enterprise plans, including Business Starter, Business Standard, Business Plus, Enterprise Standard, and Enterprise Plus. Content compliance rules are available on the same plans. There are no additional licence costs to use these features if you are already on a paid Workspace plan.


Step-by-Step: Setting Up a Gmail Quarantine

Step 1: Access Compliance Settings in the Admin Console

  1. Sign in to the Google Admin Console at admin.google.com using a Super Admin account or a delegated admin account with the "Services settings" privilege.
  2. Navigate to Apps then Google Workspace then Gmail.
  3. Scroll to the Compliance section. This is where both quarantine configurations and content compliance rules live.

Step 2: Create a Quarantine

Before you can apply quarantine to a compliance rule, you need to define the quarantine itself.

  1. Still inside the Gmail settings, scroll to the Compliance section and click Manage quarantines.
  2. Click Add quarantine.
  3. Give the quarantine a clear, descriptive name. Examples: Outbound Sensitive Data Review, Inbound Unrecognised Domain, Contract Email Review.
  4. Write a description so other admins understand its purpose: "Holds outbound emails that may contain Tax File Numbers for admin review before delivery."
  5. Under Inbound quarantine, configure who can release quarantined inbound messages. Options are:
     - Admin only: Only admins can release. Use this for high-risk quarantine scenarios.
     - Admin or recipient: The recipient can also release the message from their quarantine folder. Use this for lower-risk scenarios where user judgement is acceptable.
  6. Under Outbound quarantine, configure who can release quarantined outbound messages. Typically this should be Admin only since outbound quarantine usually relates to data leaving the organisation.
  7. Enter the notification email address for the admin who will receive alerts when messages enter this quarantine queue. Use a shared inbox that your IT team monitors daily.
  8. Click Save.

You can create multiple quarantines with different reviewers and notification settings. A common setup for an Australian SMB is:
- One quarantine for sensitive outbound data review (admin-only release, IT security team notified)
- One quarantine for inbound domain review (admin or recipient release, IT helpdesk notified)

Step 3: Apply Quarantine via a Compliance Rule

A quarantine queue does nothing on its own. You need a content compliance rule or routing rule to send messages into it.

  1. In the Gmail Compliance section, scroll to Content compliance and click Configure.
  2. Click Add rule (or Add another rule if you have existing rules).
  3. Give the rule a descriptive name: Quarantine - Outbound TFN Detection.
  4. Under Email messages to affect, select the direction this rule applies to:
     - Inbound: Emails arriving at your domain from external senders
     - Outbound: Emails sent from your domain to external recipients
     - Internal - sending: Messages sent between users within your domain
     - Internal - receiving: Messages received by users within your domain
  5. Under Add expressions that describe the content you want to search for in each message, click Add condition and configure what triggers the rule. (This is covered in detail in the Content Compliance section below.)
  6. Under If the above expressions match, do the following, select Quarantine message and choose the quarantine you created in Step 2 from the dropdown.
  7. Optionally, configure whether to send a bounce notification to the sender and whether to include a custom rejection message explaining why the email was held.
  8. Under Account types to affect, select Users (and optionally Groups and Unverified senders) based on your requirements.
  9. Click Save.

Configuring Content Compliance Rules

Content compliance rules are broader than quarantine. They can quarantine messages, but they can also reject them outright, prepend warning text, route copies to a compliance archive, or modify the message before delivery. The detection logic is the same regardless of the action you choose.

Detection Conditions Available

When you add a condition to a content compliance rule, you can detect based on:

  • Simple content match: A plain text string, such as your organisation's confidential document header.
  • Advanced content match: Match against the message headers, subject, body, sender, recipient, attachment content, or attachment file type.
  • Predefined content detectors: Google's built-in detectors for sensitive data patterns, including Australian Tax File Numbers, Medicare numbers, credit card numbers, ABNs, ACNs, and BSB-format bank account numbers.
  • Regular expression: A custom pattern you define. Useful for internal document codes, client reference numbers, or proprietary identifiers that Google's predefined detectors cannot recognise.

For each condition, you can combine multiple expressions using AND (all must match) or OR (any must match) logic. This is critical for reducing false positives. For example, detecting a TFN and the phrase "payroll" in the same email is a stronger signal than detecting a TFN anywhere in any email.

Practical Content Compliance Rule Examples

These rules address the most common email governance needs for Australian SMBs. You can create all of them following the step-by-step process above.

Rule 1: Quarantine Outbound Emails Containing Tax File Numbers

  • Direction: Outbound
  • Condition: Predefined content detector — Australia Tax File Number, High likelihood
  • Action: Quarantine message (route to "Outbound Sensitive Data Review" quarantine)
  • Why it matters: Under the Privacy Act 1988 and the ATO's Tax File Number Guidelines, TFNs must be protected from unauthorised disclosure. Most outbound TFN emails are either accidental errors or a sign that TFN data is not being stored and shared through appropriate secure channels.

Rule 2: Reject Inbound Emails With Executable Attachments

  • Direction: Inbound
  • Condition: Advanced content match — Attachment type matches *.exe, *.bat, *.msi, *.scr, *.vbs
  • Action: Reject message, send bounce with message: "Your email contained an attachment type not permitted by our email policy. Please contact us by phone or use a secure file transfer method."
  • Why it matters: Executable attachments are the primary delivery mechanism for malware and ransomware. There is no legitimate business reason to receive executable files via email that cannot be served by a file-sharing platform like Google Drive.

Rule 3: Prepend Disclaimer on External Inbound Emails

  • Direction: Inbound
  • Condition: Sender is external (all inbound emails from outside your domain)
  • Action: Prepend text to message body — "EXTERNAL EMAIL: This message originated from outside your organisation. Exercise caution before clicking links or opening attachments."
  • Why it matters: Visual warnings about external email origin reduce the success rate of phishing attempts, particularly for staff who are not naturally cautious about unsolicited email. This is a low-friction, high-value control recommended in the ASD Essential Eight.

Rule 4: Copy Specific Email Patterns to Compliance Archive

  • Direction: Outbound and Internal - sending
  • Condition: Recipient address matches a list of external legal or regulatory addresses, OR subject contains keywords like "contract", "settlement", "legal", "confidential"
  • Action: Change route — add BCC to your legal archive mailbox (e.g., legal-archive@yourdomain.com.au)
  • Why it matters: Legal and compliance teams often need a searchable archive of contract-related correspondence for dispute resolution and regulatory audits. Rather than relying on staff to manually copy lawyers into relevant threads, a BCC rule captures this automatically and consistently.

Rule 5: Block Outbound Emails to Competitor Domains

  • Direction: Outbound
  • Condition: Recipient domain matches a defined list (e.g., @competitorA.com.au, @competitorB.com.au)
  • Action: Reject message with bounce notice: "Your email was not delivered. If you believe this is an error, please contact IT."
  • Why it matters: For organisations concerned about sensitive information being deliberately or accidentally sent to direct competitors, domain-level blocking is a blunt but effective control. Implement with care and communicate clearly with staff to avoid operational disruption.
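The five rules above, together with the AND/OR condition logic described under Detection Conditions Available and the OU scoping advice later in this guide, can be dry-run locally before anything is saved in the Admin Console. The following is an added example written for this guide; it is not Google's code and it does not talk to Workspace. It models each rule as a direction, an optional OU scope, a condition and an action, then evaluates constructed sample messages. The tenant domain, competitor domains, legal contacts, OU paths and the sender_ou attribute are all assumptions, and the TFN detector is a regex plus the ATO check-digit weights standing in for Google's predefined detector, whose scoring is not documented.

```python
import re
from dataclasses import dataclass, field

# Constructed tenant settings for the dry run (assumptions, not a real tenant).
INTERNAL_DOMAIN = "yourdomain.com.au"
COMPETITOR_DOMAINS = {"competitora.com.au", "competitorb.com.au"}
LEGAL_CONTACTS = {"counsel@lawfirm.example"}
LEGAL_ARCHIVE = "legal-archive@yourdomain.com.au"
BLOCKED_EXTENSIONS = (".exe", ".bat", ".msi", ".scr", ".vbs")
CONTRACT_KEYWORDS = ("contract", "settlement", "legal", "confidential")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)  # ATO check-digit weights for a 9-digit TFN
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    sender_ou: str = "/"  # Workspace OU path of the sender (assumed directory lookup)

@dataclass
class Rule:
    name: str
    directions: tuple   # values of "Email messages to affect"
    condition: object   # callable combining the rule's match expressions
    action: str         # Reject | Quarantine | Prepend | BCC
    detail: str = ""    # quarantine name, banner text or BCC address
    ous: tuple = None   # None = whole organisation

def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def direction(msg: Message) -> str:
    """Classify a message the way the Admin Console's direction setting does."""
    if domain(msg.sender) != INTERNAL_DOMAIN:
        return "Inbound"
    if any(domain(r) != INTERNAL_DOMAIN for r in msg.recipients):
        return "Outbound"
    return "Internal - sending"

def is_valid_tfn(digits: str) -> bool:
    """Weighted sum divisible by 11 means the nine digits are a well-formed TFN.
    Assumed stand-in for the predefined detector's 'High likelihood' level."""
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def find_tfns(text: str) -> list:
    """Nine-digit runs that pass the checksum; an arbitrary order number does not."""
    found = []
    for m in TFN_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_tfn(digits):
            found.append(digits)
    return found

RULES = [
    Rule("Outbound - Quarantine - TFN Detection", ("Outbound",),
         lambda m: bool(find_tfns(m.subject + "\n" + m.body)),
         "Quarantine", "Outbound Sensitive Data Review", ous=("/Finance", "/HR")),
    Rule("Inbound - Reject - Executable Attachment", ("Inbound",),
         lambda m: any(a.lower().endswith(BLOCKED_EXTENSIONS) for a in m.attachments),
         "Reject", "Your email contained an attachment type not permitted by our email policy."),
    Rule("Inbound - Prepend - External Banner", ("Inbound",),
         lambda m: domain(m.sender) != INTERNAL_DOMAIN,
         "Prepend", "EXTERNAL EMAIL: This message originated from outside your organisation."),
    # OR logic: either a legal recipient or a contract keyword in the subject.
    Rule("All - BCC Archive - Contract Keywords", ("Outbound", "Internal - sending"),
         lambda m: any(r.lower() in LEGAL_CONTACTS for r in m.recipients)
         or any(k in m.subject.lower() for k in CONTRACT_KEYWORDS),
         "BCC", LEGAL_ARCHIVE),
    Rule("Outbound - Reject - Competitor Domain", ("Outbound",),
         lambda m: any(domain(r) in COMPETITOR_DOMAINS for r in m.recipients),
         "Reject", "Your email was not delivered. If you believe this is an error, please contact IT."),
]

def in_scope(rule: Rule, msg: Message) -> bool:
    if direction(msg) not in rule.directions:
        return False
    return rule.ous is None or any(msg.sender_ou.startswith(ou) for ou in rule.ous)

def evaluate(msg: Message) -> dict:
    """Dry-run every rule. Assumption: a reject outranks a quarantine, which
    outranks modifications, so the strongest matching action decides delivery."""
    hits = [r for r in RULES if in_scope(r, msg) and r.condition(msg)]
    actions = {r.action for r in hits}
    outcome = "Reject" if "Reject" in actions else ("Quarantine" if "Quarantine" in actions else "Deliver")
    mods = [(r.action, r.detail) for r in hits if outcome == "Deliver" and r.action in ("Prepend", "BCC")]
    return {"outcome": outcome, "rules": [r.name for r in hits], "modifications": mods}

# Constructed sample messages; 123 456 782 is a checksum-valid demonstration TFN.
SAMPLES = {
    "finance_tfn": Message("payroll@yourdomain.com.au", ["accountant@example.com"], "Payroll summary",
                           "Employee TFN 123 456 782 attached.", sender_ou="/Finance/Payroll"),
    "sales_nine_digits": Message("rep@yourdomain.com.au", ["client@example.com"], "Order ref",
                                 "Your order reference is 123456789.", sender_ou="/Sales"),
    "inbound_exe": Message("supplier@example.net", ["ap@yourdomain.com.au"], "Invoice",
                           "See attached.", ["invoice.pdf.EXE"]),
    "competitor_contract": Message("ceo@yourdomain.com.au", ["bd@competitora.com.au"], "Settlement terms",
                                   "Draft attached.", sender_ou="/Exec"),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:20} {direction(msg):18} -> {evaluate(msg)}")
```

Two of the samples show why the page's false-positive advice matters: the sales rep's order reference 123456789 fails the TFN checksum and the sender sits outside the Finance and HR OUs, so it is delivered untouched, while the same nine digits in a checksum-valid form from a Finance sender land in the quarantine. The inbound executable trips both the reject rule and the banner rule, and the reject wins.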

Best Practices for Quarantine and Compliance Rule Deployment

Start With Monitoring Before Enforcing

The strongest action available — rejecting an email — should never be your starting point. When you first deploy a content compliance rule, configure the action as Add headers or route a BCC copy to an admin mailbox. Review what the rule is capturing over two weeks before switching to quarantine or rejection.

This approach prevents two common problems: blocking legitimate business email that accidentally triggers a detection condition, and eroding staff trust in IT by holding or bouncing emails without warning.
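The monitoring period only pays off if someone actually reads what the rule captured. As an added example (not code from this guide's author or from Google), the script below triages a two-week capture: it assumes the rule was deployed with the Add headers action using an admin-chosen header named X-Compliance-Rule (a constructed name, not a Google default) and that the BCC copies were exported from the monitoring mailbox as raw RFC 822 text. The six messages are constructed samples; three come from an automated report whose batch number happens to pass the TFN checksum, which is the kind of false positive the review is meant to surface.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header name chosen by the admin in the rule's "Add headers" action (constructed).
RULE_HEADER = "X-Compliance-Rule"
TFN_RULE = "Outbound - Quarantine - TFN Detection"
ARCHIVE_RULE = "All - BCC Archive - Contract Keywords"

def _raw(sender, to, date, subject, rule, body):
    """Build a raw message as it would sit in the exported monitoring mailbox."""
    headers = [f"From: {sender}", f"To: {to}", f"Date: {date}", f"Subject: {subject}"]
    if rule:
        headers.append(f"{RULE_HEADER}: {rule}")
    return "\n".join(headers) + "\n\n" + body + "\n"

# Constructed capture covering three days of the monitoring window.
RAW_CAPTURE = [
    _raw("reports@yourdomain.com.au", "bank@example.com", "Mon, 03 Mar 2025 09:00:00 +1000",
         "Daily remittance", TFN_RULE, "Batch 123456782 processed."),
    _raw("reports@yourdomain.com.au", "bank@example.com", "Tue, 04 Mar 2025 09:00:00 +1000",
         "Daily remittance", TFN_RULE, "Batch 123456782 processed."),
    _raw("reports@yourdomain.com.au", "bank@example.com", "Wed, 05 Mar 2025 09:00:00 +1000",
         "Daily remittance", TFN_RULE, "Batch 123456782 processed."),
    _raw("payroll@yourdomain.com.au", "accountant@example.com", "Tue, 04 Mar 2025 14:10:00 +1000",
         "New starter details", TFN_RULE, "TFN 123 456 782 for the new hire."),
    _raw("sales@yourdomain.com.au", "buyer@example.com", "Wed, 05 Mar 2025 11:30:00 +1000",
         "Contract for signature", ARCHIVE_RULE, "Please sign and return."),
    _raw("sales@yourdomain.com.au", "buyer@example.com", "Wed, 05 Mar 2025 11:45:00 +1000",
         "Re: lunch", None, "Ordinary mail that also landed in this mailbox."),
]

def parse_capture(raw_messages):
    """One record per captured copy; mail without the rule header is skipped."""
    records = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        rule = msg.get(RULE_HEADER)
        if not rule:
            continue
        records.append({
            "rule": rule.strip(),
            "sender": parseaddr(msg.get("From", ""))[1].lower(),
            "recipient": parseaddr(msg.get("To", ""))[1].lower(),
            "day": parsedate_to_datetime(msg["Date"]).date(),
            "subject": msg.get("Subject", ""),
        })
    return records

def summarise(records):
    """Hit count per rule and how many distinct days produced hits, so the
    reviewer can see whether the capture really spans the monitoring window."""
    per_rule = Counter(r["rule"] for r in records)
    return {"per_rule": dict(per_rule), "days_observed": len({r["day"] for r in records})}

def noisy_senders(records, threshold=3):
    """One sender repeatedly tripping the same rule is the usual false-positive
    signature (an automated report whose reference number passes a checksum).
    Returns sorted (rule, sender, count) tuples at or above the threshold."""
    counts = Counter((r["rule"], r["sender"]) for r in records)
    return sorted((rule, sender, n) for (rule, sender), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    recs = parse_capture(RAW_CAPTURE)
    print(summarise(recs))
    for rule, sender, n in noisy_senders(recs):
        print(f"review before enforcing: {rule} fired {n}x for {sender}")
```

In the constructed data the report mailbox accounts for three of the four TFN hits, which is the cue to either exclude that sender's OU from the rule or tighten the condition (for example, requiring a payroll keyword alongside the detector) before the action is switched from Add headers to Quarantine.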

Name and Document Every Rule

The Gmail compliance section can accumulate many rules over time, and without clear naming conventions, it becomes unmanageable. Adopt a naming structure such as:

[Direction] - [Action] - [Detection type]

For example:
- Outbound - Quarantine - TFN Detection
- Inbound - Reject - Executable Attachment
- All - BCC Archive - Contract Keywords

Add a description to every rule explaining why it exists, not just what it does. Future IT staff (or your future self) will thank you.

Set Up Quarantine Notifications and Review Schedules

A quarantine queue that nobody reviews is worse than useless. It creates a false sense of security while legitimate email sits undelivered. Establish a clear process:

  • Configure quarantine notifications to a shared IT inbox, not an individual's personal email.
  • Set a maximum review time of 24 business hours for inbound quarantine (so legitimate emails are not held indefinitely).
  • For outbound quarantine, consider a 4-hour review target during business hours, with an escalation path if the reviewing admin is unavailable.
  • Review the quarantine queue at the same time each day as part of your IT operations routine.

Use Organisational Units to Scope Rules

Not every compliance rule needs to apply to your entire organisation. If you have an OU for your Finance team, a TFN-quarantine rule on outbound email might apply only to Finance rather than triggering for a sales rep who happens to type a 9-digit number in an email body.

Scoping rules to the relevant OUs reduces false positives and minimises the operational impact on staff who handle different types of content. Navigate to the Gmail compliance settings and configure each rule's scope under the Organisational unit selector.

Review and Audit Rules Quarterly

Compliance rules can fall out of alignment with your business as your organisation changes. A rule that blocked a domain may need to be removed if you start working with that domain as a partner. A keyword list may become outdated as your product names change.

Schedule a quarterly review of all Gmail compliance rules. For each rule, ask:
- Is this rule still necessary?
- Is it triggering on what it should, and not triggering on what it should not?
- Has the action (quarantine, reject, archive) remained appropriate given changes to our risk profile?
- Does it still align with our Privacy Act and industry compliance obligations?

Australian Compliance Alignment

Gmail quarantine and content compliance rules directly support several Australian regulatory requirements:

  • Privacy Act 1988 (APP 11): You are required to take "reasonable steps" to protect personal information. Quarantine rules that hold or reject outbound emails containing TFNs or Medicare numbers are direct evidence of those steps.
  • Notifiable Data Breaches scheme: If an outbound TFN email is quarantined rather than delivered, you may have documentary evidence that no breach occurred — a critical distinction in an NDB investigation.
  • ASD Essential Eight (Email Content Filtering): Blocking executable attachments and prepending external sender warnings directly implements the email filtering strategy in the Essential Eight maturity model.
  • Spam Act 2003: While the Spam Act primarily governs commercial email marketing rather than business-to-business email, compliance archiving rules help maintain records of commercial message consent and opt-out handling.

For Australian organisations in financial services, healthcare, or legal industries, additional compliance overlays such as APRA CPS 234, the My Health Records Act, and legal professional privilege considerations may impose stricter email governance requirements than the baseline controls described here. Consult your compliance team or legal counsel for industry-specific guidance.


Quick-Reference Configuration Checklist

Use this checklist when deploying or auditing Gmail quarantine and content compliance:

  1. Create quarantine queues in Admin Console > Apps > Google Workspace > Gmail > Compliance > Manage quarantines
  2. Assign admin reviewers with shared mailbox notification addresses — not individual accounts
  3. Set review SLAs — maximum 24 hours for inbound, 4 hours for outbound
  4. Deploy rules in monitoring mode first — use BCC to archive before quarantine or reject
  5. Scope rules to relevant OUs rather than applying organisation-wide by default
  6. Configure executable attachment rejection on inbound email
  7. Add external sender warning banners on all inbound email from outside your domain
  8. Set up TFN quarantine on outbound email, scoped to Finance and HR OUs
  9. Establish a compliance archive for contract-related and legally sensitive email threads
  10. Name every rule using a consistent convention and add a description explaining the rationale
  11. Schedule quarterly rule reviews as a recurring calendar event for your IT admin team
  12. Test rules by sending test messages that should and should not trigger before going live

Affiliate & Partner Programs

If you are evaluating or recommending Google Workspace for your organisation's email governance requirements, the following may be useful:

  • Google Workspace Referral Program: https://referworkspace.app.goo.gl/ — Google's official referral program for Workspace plans. New customers receive introductory pricing, and referrals help support the production of independent guides like this one. Google Workspace Business Starter starts from around AU$10.80 per user per month (approximately USD$6.86), with Business Standard at around AU$21.60 per user per month — both inclusive of Gmail, quarantine, and content compliance features.

Wrapping Up

Gmail quarantine and content compliance rules are two of the most underused capabilities in the Google Workspace Admin Console. Most IT admins configure SPF, DKIM, and DMARC — and those are essential — but stop short of the deliberate policy controls that govern what happens to email that passes authentication but still violates your internal policies or regulatory obligations.

The configuration is not technically complex. Setting up a quarantine takes under five minutes. Creating a content compliance rule takes ten to fifteen. The discipline required is in the planning: deciding which email patterns matter to your organisation, scoping rules carefully to avoid disrupting legitimate workflows, and building a reliable review process so quarantined messages do not sit unread.

Start with two rules: an executable attachment rejection on inbound email and a TFN detection quarantine on outbound email for your Finance OU. Monitor both in BCC mode for two weeks. Review what each rule captures. Then activate them. From that foundation, add rules progressively as you identify additional risks or compliance requirements.

The goal is not to build a compliance wall that frustrates your staff. It is to create a deliberate, auditable set of controls that demonstrate your organisation is taking email governance seriously — both as an operational discipline and as an evidence base for your obligations under Australia's privacy and data protection frameworks.


Need help configuring compliance controls for your Google Workspace environment? Contact our team for a free consultation.