Proofpoint Quarantine Management
Overview
Proofpoint quarantine holds messages that have been identified as threats, spam, or policy violations. The quarantine API allows administrators to search, preview, release, and delete quarantined messages. This is a critical workflow for MSP help desk teams who need to respond to "missing email" requests from end users.
Quarantine operates at two levels:
- Admin quarantine - Managed by administrators, holds threats and policy violations
- End-user quarantine - Self-service spam quarantine with digests
Key Concepts
Quarantine Reasons
| Reason | Description | Default Retention |
|---|---|---|
spam | Message scored above spam threshold | 30 days |
phish | Message identified as phishing | 30 days |
malware | Message contained malware | 30 days |
impostor | Message flagged as BEC/impostor | 30 days |
bulk | Bulk/marketing email | 14 days |
adult | Adult content filter match | 30 days |
policy | Custom policy rule match | Configurable |
dmarc | Failed DMARC authentication | 30 days |
dkim | Failed DKIM verification | 30 days |
spf | Failed SPF check | 30 days |
Quarantine Folders
| Folder | Contents | Release Allowed |
|---|---|---|
quarantine | Admin quarantine (threats, policy) | Admin only |
spam | End-user spam quarantine | End-user or admin |
bulk | Bulk/graymail quarantine | End-user or admin |
Message States
| State | Description |
|---|---|
quarantined | Message is held in quarantine |
released | Message was released to recipient |
deleted | Message was permanently deleted |
expired | Message exceeded retention period and was removed |
Field Reference
Quarantine Message Fields
| Field | Type | Description |
|---|---|---|
id | string | Unique quarantine message identifier |
GUID | string | Message GUID (links to TAP events) |
QID | string | Queue ID from mail server |
sender | string | Envelope sender address |
recipients | string[] | List of recipient addresses |
subject | string | Message subject line |
date | datetime | When the message was received |
quarantineDate | datetime | When the message was quarantined |
reason | string | Why the message was quarantined |
folder | string | Which quarantine folder holds the message |
size | int | Message size in bytes |
headerFrom | string | Display From address (may differ from envelope sender) |
replyTo | string | Reply-To address if present |
spamScore | int | Spam confidence score |
phishScore | int | Phishing confidence score |
malwareScore | int | Malware confidence score |
impostorScore | int | Impostor/BEC confidence score |
Search Parameters
| Parameter | Type | Description |
|---|---|---|
sender | string | Filter by sender address (exact or partial) |
recipient | string | Filter by recipient address |
subject | string | Filter by subject (substring match) |
startDate | datetime | Start of date range |
endDate | datetime | End of date range |
reason | string | Filter by quarantine reason |
folder | string | Filter by quarantine folder |
limit | int | Maximum results (default 25, max 500) |
offset | int | Pagination offset |
MCP Tools
| Tool | Description | Key Parameters |
|---|---|---|
proofpoint_quarantine_search | Search quarantined messages | sender, recipient, subject, reason, startDate, endDate |
proofpoint_quarantine_list | List recent quarantined messages | folder, limit, offset |
proofpoint_quarantine_get | Get details of a specific quarantined message | id |
proofpoint_quarantine_preview | Preview message content without releasing | id |
proofpoint_quarantine_release | Release message to original recipient | id, recipient |
proofpoint_quarantine_delete | Permanently delete quarantined message | id |
proofpoint_quarantine_bulk_release | Release multiple messages at once | ids[] |
proofpoint_quarantine_bulk_delete | Delete multiple messages at once | ids[] |
Common Workflows
User Reports Missing Email
- Get the sender and approximate time from the user
- Call
proofpoint_quarantine_searchwithrecipient=<user>andsender=<expected_sender>and appropriate date range - If found, call
proofpoint_quarantine_previewto verify the message is legitimate - If legitimate, call
proofpoint_quarantine_releaseto deliver the message - If the sender is consistently quarantined, consider adding a safe sender policy
Daily Quarantine Review
- Call
proofpoint_quarantine_listwithfolder=quarantineandlimit=100 - Review messages grouped by reason
- Release any false positives
- Delete confirmed threats
- Note recurring senders for blocklist consideration
Bulk Release for Known-Good Sender
- Call
proofpoint_quarantine_searchwithsender=<known_good_sender> - Collect all message IDs from results
- Call
proofpoint_quarantine_bulk_releasewith the collected IDs - Recommend adding the sender to the organization's safe sender list
Investigate Quarantine Spike
- Call
proofpoint_quarantine_searchwith a narrow time window - Group results by
reasonto identify what type of messages increased - Group by
senderto identify if a single source is responsible - Cross-reference with TAP data using message GUIDs
- Determine if this is a targeted attack or spam campaign
Clean Up Expired Threats
- Call
proofpoint_quarantine_searchwithreason=malwareand date range > 14 days - Review any remaining malware-quarantined messages
- Call
proofpoint_quarantine_bulk_deleteto remove confirmed threats - Document any messages that were released for audit trail
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid date range | Ensure startDate is before endDate |
| 400 | Invalid folder | Use quarantine, spam, or bulk |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | Insufficient permissions | Ensure quarantine management is enabled |
| 404 | Message not found | Message may have expired or been deleted |
| 409 | Message already released | Message was already released by another admin |
| 429 | Rate limit exceeded | Implement backoff; limit bulk operations |
Release Failures
If a release fails:
- The message may have been deleted or expired
- The recipient mailbox may be full or invalid
- The downstream mail server may be rejecting delivery
- Check the message ID is correct and the message still exists in quarantine
Search Returning Too Many Results
- Narrow the date range
- Add more specific filters (sender + recipient + subject)
- Use pagination with
limitandoffset - Filter by specific quarantine reason
Best Practices
- Preview before release - Always preview a message before releasing to verify it is legitimate
- Document releases - Keep a log of released messages for audit purposes
- Use bulk operations carefully - Bulk release should only be used for verified false positives
- Monitor quarantine volume - Spikes may indicate a targeted attack or misconfigured policy
- Set up digests - Enable end-user quarantine digests to reduce help desk load
- Review retention policies - Ensure quarantine retention matches your compliance requirements
- Never release confirmed threats - If a message is confirmed malware or phishing, delete it
- Cross-reference with TAP - Use the GUID to check TAP threat data before releasing
- Safe sender lists - For recurring false positives, add the sender to the safe sender list rather than releasing each time
- Train users - Educate users on checking their quarantine digest before