Domain Setup
MX records, SPF, DKIM, and DMARC are non-negotiable. The MX records point to mx.zoho.com (priority 10), mx2.zoho.com (20), and mx3.zoho.com (50) for the global data center; EU and India use different hostnames. SPF should read v=spf1 include:zoho.com ~all if Zoho is your only sender; if other systems (e.g. SendGrid, HubSpot) also send for the domain, include each of them explicitly. DKIM is generated per domain in the admin console; publish the TXT record under the selector Zoho provides (typically zmail._domainkey). Start DMARC at p=none for the first two weeks to collect aggregate reports, then move to p=quarantine, and finally p=reject once you confirm no legitimate mail is being quarantined.
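The checks above can be run mechanically before each DMARC stage change. The following is an added example, not Zoho's tooling or code from the original page: it audits a set of DNS answers against the values given in the text. The RECORDS zone, the example.com addresses and the function names are constructed for illustration.

```python
# Added example: offline audit of mail DNS records against the setup described above.
EXPECTED_MX = {"mx.zoho.com": 10, "mx2.zoho.com": 20, "mx3.zoho.com": 50}  # global DC only
DKIM_NAME = "zmail._domainkey"  # typical selector per the text; confirm in the admin console
DMARC_STAGES = ["none", "quarantine", "reject"]  # rollout order from the text

RECORDS = {  # constructed sample answers for example.com, not a real zone
    "MX": [(10, "mx.zoho.com."), (20, "mx2.zoho.com."), (50, "mx3.zoho.com.")],
    "TXT": {
        "@": ["v=spf1 include:zoho.com include:sendgrid.net ~all"],
        DKIM_NAME: ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    },
}

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(records):
    """Return a list of findings; an empty list means nothing is left to do."""
    findings = []
    mx = {host.rstrip(".").lower(): prio for prio, host in records.get("MX", [])}
    if mx != EXPECTED_MX:
        findings.append(f"MX: {sorted(mx.items())} differs from the expected Zoho set")
    txt = records.get("TXT", {})
    # More than one v=spf1 record on a name is a permanent error under RFC 7208.
    spf = [r for r in txt.get("@", []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if "include:zoho.com" not in terms:
            findings.append("SPF: include:zoho.com is missing")
        if terms[-1] not in ("~all", "-all"):  # -all is the stricter form of ~all
            findings.append(f"SPF: record ends with {terms[-1]!r}, expected ~all")
    dkim = [parse_tags(r) for r in txt.get(DKIM_NAME, [])]
    if not any(t.get("v") == "DKIM1" and t.get("p") for t in dkim):  # empty p= is a revoked key
        findings.append(f"DKIM: no usable key published at {DKIM_NAME}")
    dmarc = [parse_tags(r) for r in txt.get("_dmarc", []) if r.lower().startswith("v=dmarc1")]
    policy = dmarc[0].get("p", "").lower() if len(dmarc) == 1 else None
    if policy not in DMARC_STAGES:
        findings.append("DMARC: need exactly one v=DMARC1 record with a valid p= tag")
    elif policy != "reject":
        next_stage = DMARC_STAGES[DMARC_STAGES.index(policy) + 1]
        findings.append(f"DMARC: at p={policy}; next stage is p={next_stage}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(RECORDS)) or "all checks passed")
```

To use it against a live domain, replace RECORDS with the answers your resolver returns; EU and India tenants must also replace EXPECTED_MX with their data center's hostnames.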
Account Provisioning
Individual user accounts, group addresses, aliases, and forwards are managed under Mail Admin → Users. SSO via SAML 2.0 ties Zoho Mail into Okta, Azure AD, or Zoho Directory. SCIM provisioning is supported on Enterprise plans — newly provisioned users in your IdP appear in Zoho within minutes. Aliases are free and unlimited; use them for role-based addresses (sales@, support@) rather than creating a paid mailbox per role.
Routing
Mail routing rules handle shared inboxes, group distribution, and policy-driven redirection. Catch-all routing forwards mail sent to misspelled addresses to a designated mailbox, which is useful but a spam magnet if left on without filtering. Auto-forwarding requires admin approval at the org level (a 2026 default to prevent BEC exfiltration). Filter rules at domain level catch policy violations (e.g. block .exe attachments) before they hit user inboxes.
Compliance
Retention policies, eDiscovery, and legal hold are required in regulated industries. Set retention upfront — changing it retroactively does not recover already-deleted mail. eDiscovery search runs across all mailboxes for admins with the eDiscovery role. Legal hold suspends deletion for a specified mailbox or query; once placed, users cannot purge held mail even from Trash. The Audit Logs retain admin actions for 180 days on Standard, 1 year on Enterprise.
Admin Controls
Login audit, suspicious activity alerts, and MFA enforcement live under Security → Admin Console. Force MFA for all admin accounts on day one and roll out to users within 30 days. The IP Restriction feature limits login to specific IP ranges — useful for high-security tenants but breaks remote workers, so combine it with VPN-mandated access. Geo-restrictions block login from countries you don’t operate in. Review the Suspicious Activity Report weekly initially, monthly at steady state.
What Changed in 2026
Zoho Mail rolled out Zia-powered phishing detection that flags BEC patterns (CEO impersonation, payroll-redirect requests) at the gateway. The DLP module now supports custom policies via Deluge, so a wire transfer keyword in outbound mail can trigger a quarantine-for-review action.
// DLP custom policy snippet
if (subject.containsIgnoreCase("wire transfer") && !recipient.endsWith("@yourdomain.com")) {
    quarantine = true;
    notify_admin("[email protected]");
}
What to do this week
Move DMARC to p=quarantine if you’ve been at p=none for two weeks, force MFA on every admin account, and configure the suspicious activity weekly report.