Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=quarantined-messages

Quarantined messages

The Quarantine page lists the email messages that have been quarantined for all your protected mailboxes.

This option is only available if your license includes Sophos Email Security.

If you aren't using M365 Security, you only see one list, with quarantined emails from all your email domains. If you're using M365 Security and have turned on Auto search and destroy, you see two tabs. Click Post delivery quarantine to see emails quarantined by M365 Security. Your other quarantined emails are listed under Email security quarantine.

By default the report displays the emails that have been processed during the current day.

Advanced Search

You can use Advanced Search to filter messages by the following terms:

  • From: Sender. Supports partial strings. Not case sensitive.
  • To: Recipient. Supports partial strings. Not case sensitive.
  • Subject: Supports partial strings. Not case sensitive. Click the subject of a message to see its details.
  • Message size: Greater than or less than a number of MB. This uses the MIME size of an email, which may be greater than the raw file size. See Calculating email attachment file sizes.

  • Attachment: Type of attachment. Supports partial strings.

    Note

    When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.

You can combine different search terms. They are applied with the AND condition.

You can filter messages by Direction, Status, or Reason.

If you change the date range or filter the messages, you need to click the refresh icon to update the search results.

Search results

In your search results the search terms you selected appear in the search box. You can refine your search by clicking individual parameters to remove them. Your search results are updated immediately.

You can click the direction arrow to filter your results for inbound or outbound messages. The down arrow is for inbound messages, the up arrow for outbound messages. If you click a direction arrow your search results are updated immediately.

There's no indication of email direction in the Post delivery quarantine list because all the emails are inbound.

To view message details, click the Subject.

Email gateway message details

In Message Details you can click the following for more information about the message:

  • Details: shows general information about the message.

    Click Add to blocklist if you want to add the IP address or domain to the Inbound Allow/Block list, then click Ok to confirm your choice. Any sender using this IP address or domain is blocked. Click Cancel to cancel the action.

  • Raw Header: shows the email header details.

  • Message: shows the body of the email.

  • Attachments: shows the name and size of attachments.

    You can strip, download, and reattach attachments from messages. You can also reattach attachments removed by Data control rules.

    Attachment management features might not be available for all customers yet.

  • URLs: shows URLs in the message.

You can delete or release emails from the message list, or from Message Details. Do as follows:

  • Click Release to release messages from quarantine and send them to users.
  • Click Release and Allow to release messages and add the sender's email address to the Inbound Allow/Block list.
  • Click Delete to delete quarantined messages.
  • Click Delete and Block to delete messages and add the sender's email address to the Inbound Allow/Block list.

If you've turned on Allow / Block List for your users, you can also see options to add IP addresses and domains to allow or block lists. See Manage settings for Sophos Central Self Service.

Post delivery quarantine message details

This section only applies to messages in the Post delivery quarantine list. If you don't have Post delivery protection turned on, this list doesn't appear.

In Message Details you can click the following for more information about the message:

  • Details: shows general information about the message.

    Click Add to blocklist if you want to add the IP address or domain to the Inbound Allow/Block list, then click Ok to confirm your choice. Any sender using this IP address or domain is blocked. Click Cancel to cancel the action.

  • Raw Header: shows the email header details.

  • Message: shows the body of the email.

  • Attachments: shows the name and size of attachments.

    You can strip, download, and reattach attachments from messages. You can also reattach attachments removed by Data control rules.

    Attachment management features might not be available for all customers yet.

  • URLs: shows URLs in the message.

You can delete or release emails from the message list, or from Message Details. Do as follows:

  • Click Release to release messages from quarantine and send them to users.
  • Click Delete to delete quarantined messages.

If you've turned on Allow / Block list for your users, you can also see options to add IP addresses and domains to allow or block lists. See Manage settings for Sophos Central Self Service.

Emails in Post delivery quarantine that aren't released or deleted within 30 days are deleted.