
Why am I unable to see the specific rule that triggered an email to be sent to admin quarantine?

jje
New Member

I recently made a post about missing emails on another forum and learned that they've been sent to Admin quarantine (time to set up quarantine alerts).

While I see all the messages that were missing, I'd like to know why they were sent to quarantine. Set up and manage email quarantines says to "click the message in the list to display the message and the rule definition that caused the email to be routed to the quarantine."

When I click a message in quarantine, the message loads and a drop-down called "Matched rules" appears just above the body of the email. When I click to expand it, nothing appears. How can I view why an email was sent to quarantine?


Hello @jje 

I recommend you use Email Log Search under Reports.

If a rule was applied, there will be a link to that exact configuration.

https://support.google.com/a/answer/2618874

Hope it helps.

Agree, use Email Log Search.

Full like to the question, 1/2 like to the reply above.

I agree, it's been a few months but my org is having the same issue and no resolution. This is the only bit of a post/forum/article I have seen talking about this issue. Does anyone have any updates?

We're also having the same issue - emails getting quarantined but no way of knowing what triggered it or why. I suspect some of them are being quarantined due to having pictures in their email signature, but no idea how to get those released permanently from quarantine. As it stands, I have to release them message by message.

So I actually managed to get an answer from Google. It's an issue on their end where their filter is flagging random things as spam, sometimes including their own emails to us in regards to the issue. Last I heard, about 6 hours ago, they were still working on it.

Email Log Search will tell you exactly which compliance rule caused the message to be quarantined, like in this example: 

christiannewman_0-1667421527828.png

@christiannewman 
No, it doesn't. That's why the OP made this.

@CHPSysAdmin If it doesn't, then where did I get the screenshot I attached to my previous reply? 🤔🤔🤔

I promise you, Email Log Search will tell you exactly which compliance rule caused a given message to be quarantined.

No, it probably doesn't.

I'm having the same issue. The email log does not display any rule tripped (perhaps that's part of a particular service plan) and the admin quarantine simply displays a blank under "matched rule".

Mail will only be sent to an admin quarantine if you have a compliance rule set that was matched.

Email Log Search absolutely identifies which compliance rule was triggered, as you can see in my screenshot below (under Quarantine - Matched rules).

christiannewman_0-1667421527828.png

Even Business Starter edition supports Gmail compliance rules so all Google Workspace editions should behave the same in this regard.

If you're having challenges managing admin quarantines and Gmail compliance rules, I recommend reaching out to your Google Cloud Partner for assistance.

This is what I see, the email log search in the first image:

email-log-search.png

And this is what's displayed in the quarantine:

quarantine.png

What am I missing?

Here's a wider view... look under recipient details not post-delivery message status:

christiannewman_0-1669051458168.png

This is what I see:

email-log-search.png

Was this an email received from internal or external?

I usually only see this on the sender of internal emails (appears in Email Log Search as a separate recipient) but on the actual recipient (expand that section instead) it will display the rule matched as in my screenshot.

Here's an example (email sent from tim to christian):

christiannewman_0-1669052874349.png

Emails sent from an external source that are quarantined will show only recipients, with the quarantine rule matched, like this:

christiannewman_1-1669053025385.png

External to our organization, sent from a Gmail address.

I don't think anything internal gets quarantined, if so it's very rare. The overwhelming majority of emails that are quarantined look like this.

This default Google Workspace quarantine doesn't seem to be related to the DMARC record at all, as I currently have the DMARC policy set to none. A Google tech support rep at one point told me that this was accurate.

DMARC p=none is a temporary starting point for your DMARC policy. You'll want to monitor your DMARC reports and strengthen this policy as you gain confidence that you're correctly authenticating all authorized senders. See my recent post on this topic.

Mail (whether inbound, outbound, internal-sending or internal-receiving) will only be quarantined if you have a compliance rule set up to do so OR if you have Gmail Safety settings instructing potentially malicious messages to be quarantined.

If no compliance rule is being matched, then it's likely that one of your Gmail Safety settings is sending it to quarantine (this wouldn't display a matched rule because there is none). Based on your Safety settings this could be due to:

  • anomalous attachment type
  • unauthenticated sender
  • encrypted attachment
  • spoofed user name
  • spoofed group
  • etc.

Check into those settings and see which ones you tell to quarantine.

Thanks for the blog post link, that's really helpful! We're in the midst of actually migrating from Google to o365, but I do need to work on our DMARC policy.

The only Gmail safety setting I have set to quarantine is this:

gmail-safety.png

And I have a content compliance rule in place to quarantine, but it's only on matches of 2 specific strings, and I'm fairly confident that rule isn't being tripped in any of the messages I see in quarantine. I have seen the rule tripped before, and it does display properly in the quarantine "matched rules" when it happens, which is exceedingly rare.

Basically, I've got everything extremely loose as far as I'm aware, (not ideal obviously) to no avail here.

YES - This is what I see too on MOST of mine. Only a few show an actual rule.

The reason for this is that the default rule has a null description. The functionality that it appears to be providing (explanation of why it was quarantined), is not what it is under the hood. It's just telling you what default or custom rule specified here put it in the quarantine.

I ran into this as well. Best bet is to just parse the headers and review for any issues, then escalate to Google support if all looks clear.

quarantine.png
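Two replies above suggest where a blank "Matched rules" box can come from (a Gmail Safety setting such as "unauthenticated sender" or "spoofed user name", which records no compliance rule) and recommend parsing the headers of the quarantined message by hand. The script below is an added example written for this thread, not code from Google or from any poster. It reads a raw RFC 822 message, pulls the SPF/DKIM/DMARC verdicts out of the Authentication-Results header that mx.google.com adds, compares the From display name against a list of your own users' names, and lists attachments, so you can see which Safety category a quarantined message most plausibly fell into. The sample message, the internal domain `example.com`, the name list and the flag labels are all constructed assumptions; the mapping to Google's settings is an approximation of how those settings are described, not Google's actual logic.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not a real message from this thread). It imitates the
# case discussed above: an external sender whose display name looks like an employee,
# arriving with no DKIM signature and an SPF softfail, plus a zip attachment.
SAMPLE_MESSAGE = b"""\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=softfail (google.com: domain of transitioning alice@mail-notify.example.net
       does not designate 203.0.113.5 as permitted sender) smtp.mailfrom=alice@mail-notify.example.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mail-notify.example.net
From: "Alice Admin" <alice@mail-notify.example.net>
To: bob@example.com
Subject: Your verification code
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your code is 123456
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Matches "spf=pass", "dkim=none", "dmarc=fail" etc. inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_authentication_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results.

    Only the first verdict per mechanism is kept: the topmost header is the one
    written by the final receiving server (mx.google.com for Workspace), and any
    copies lower down were added by earlier hops and could have been forged.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(str(header)):
            results.setdefault(mechanism.lower(), verdict.lower())
    return results


def list_attachments(msg):
    """Return (filename, content-type) for every non-inline attachment part."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            found.append((part.get_filename() or "(unnamed)", part.get_content_type()))
    return found


def triage(raw_bytes, internal_domain, internal_display_names):
    """Flag the Safety-setting categories a quarantined message plausibly matched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    auth = parse_authentication_results(msg)
    flags = []

    # "Unauthenticated sender": neither SPF nor DKIM produced a pass.
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        flags.append("unauthenticated sender")

    # "Spoofed user name": display name matches one of our people, but the
    # address is not in our domain (assumed approximation of that setting).
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    known_names = {n.strip().lower() for n in internal_display_names}
    if display.strip().lower() in known_names and sender_domain != internal_domain.lower():
        flags.append("spoofed user name")

    # Attachments are listed rather than judged: which types Google treats as
    # anomalous or encrypted is not something this script can decide.
    attachments = list_attachments(msg)
    if attachments:
        flags.append("has attachments (review against attachment safety settings)")

    return {"flags": flags, "auth": auth, "from": addr, "attachments": attachments}


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGE, "example.com", ["Alice Admin", "Bob Builder"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

To use it on a real message, download the quarantined message as .eml (or copy "Show original" from Gmail) and pass its bytes to `triage()` with your own domain and a list of your users' display names. A message that comes back with only "unauthenticated sender" and no attachments points at the Spoofing and Authentication settings rather than at a content compliance rule, which is consistent with the blank "Matched rules" box described in this thread.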

This may help someone in the future. I found this option was enabled:

This may be the cause

I've been interested in this thread. Mail has worked until yesterday. I too can't find the rule or setting that has my outgoing mail to quarantine. Did you get this resolved?

As noted in another response - if you go to Gmail>Safety>Spoofing and Authentication there are a few options there that can be turned on or off, some with additional settings - including what quarantine to place it in. What I have done is create a separate quarantine for each of these, with their names, so I know what triggered it to be quarantined. You can then see them individually or all at once. I still haven't found any method to modify these at all to never quarantine some items based on my needs.

quarantines.png

I finally at least figured out how to fix the "blank rule" issue.

All of our emails for Adobe (including verification codes for logins) were being quarantined, with the dreaded blank rule box. It took a long time to determine that the "Spoofing and Authentication" section is what controls things being quarantined, NOT allowlists or rules. Once I realized that, I made a distinct quarantine for each of the rules in Gmail>Safety>Spoofing and Authentication (like the one screencapped by Helper above), using the "Add Quarantine" button from lattic3's screenshot. Once each one had its own quarantine, I triggered the Adobe email and was finally able to determine what I had to set to "send to inbox with warning". I'm going to see if Workspace support can assist but I suspect they can't - in Google's documentation they mention that the rules for spam (allowlists etc.) are distinct from Spoofing and Authentication.

Finally, an answer that makes sense!! Thank You!!
While it does not solve the bigger issue about being able to manage these better, I have set up individual quarantines for all the categories in Spoofing and Authentication and assigned each to go to its own quarantine so I can tell what caused them to go there.

Thanks Again!!
