How does quarantine differ from deletion?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: your email filter flags an incoming message as suspicious. Now you have to decide what happens next. Do you hold it somewhere safe so someone can take a closer look, or do you delete it on the spot? That choice is the difference between quarantine and deletion, and getting it wrong in either direction has real consequences.

Quarantine holds the message in an isolated area, away from the inbox but not gone forever. An admin (or sometimes the recipient) can review it, confirm it's safe, and release it. If it really is malicious, they can confirm the threat and remove it. The key point is that the option to recover exists.

Deletion removes the message permanently. No review queue, no safety net. If your filter misfired and flagged a legitimate email, that email is just gone.

The practical question is when to use each. Quarantine makes sense for anything your filter flags with less-than-total certainty. That includes messages caught by new or evolving malware patterns, emails from unfamiliar senders, and anything where the confidence score sits in a grey zone. Quarantine also gives you an audit trail, which matters if you're in a regulated industry or you just need to show what happened and why.

Deletion is the right call when confidence is very high. Known malware signatures, confirmed phishing URLs, and messages your system has definitively identified as threats don't need a review queue. Holding those just adds admin overhead without any meaningful benefit.

A few practical thresholds worth knowing:

  • Most organizations quarantine anything flagged as "suspicious" and only auto-delete at "high confidence threat" level.
  • Quarantine retention is typically 14 to 30 days. After that, auto-delete kicks in. Holding quarantined mail indefinitely isn't useful and creates storage overhead.
  • End-user quarantine digests (where recipients get a daily summary of held messages) reduce the admin burden and catch false positives that would otherwise go unnoticed.

So the default-to-quarantine approach is genuinely the safer one for most teams. A false positive that gets deleted is gone for good. A false positive that sits in quarantine for 30 days is recoverable. (The only case where aggressive deletion makes sense is in very high-volume, high-threat environments where the admin team simply can't process a review queue.)

If you're not sure how your current mail security setup handles borderline cases, our SOS hotline is free and we're happy to walk through your policy with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a quarantine policy recommendation

Based on my organization's email security setup, help me decide when to quarantine and when to delete flagged messages. Consider these factors: 1. What confidence threshold should trigger quarantine vs. auto-delete? 2. How long should my quarantine retention period be before auto-deletion kicks in? 3. Should end users get quarantine digests or should admins review everything? 4. Are there compliance or audit-trail requirements in my industry that affect this policy?

Edit the yellow boxes, then send to the AI of your choice.