Advanced Security Configurations

Zoho Mail provides a secure email and collaboration platform by allowing administrators to configure various advanced email security and encryption settings from Zoho Mail Admin Console.

MTA-STS Overview

The Mail Transfer Agent Strict Transport Security (MTA-STS) protocol requires that emails delivered to your domain travel over an encrypted (TLS) connection, safeguarding your email communication against common threats like SMTP downgrade attacks and Man-In-The-Middle (MITM) attacks. Once configured, MTA-STS ensures that sending servers deliver emails only when a valid TLS connection is established, thereby enhancing the overall security posture of the email infrastructure.

MTA-STS is deployed by publishing a policy file on your web server and adding a DNS record on your domain provider's Manage DNS page. The steps to configure MTA-STS are as follows:

  • Configure an MTA-STS policy for your domain/subdomain
  • Publish the policy in your domain's public web server
  • Add a DNS (TXT) record
  • Verify the MTA-STS configuration in Zoho Mail Admin Console.

Steps to configure MTA-STS

Follow these steps to configure MTA-STS for your domain:

  1. Log in to Zoho Mail Admin Console and navigate to Domains.
  2. Select the preferred domain/subdomain and choose Email Configuration.
  3. Choose MTA-STS and download the policy file from the on-screen instructions provided.
  4. Set the mode to None / Testing / Enforce based on your requirement to define how strictly TLS encryption should be enforced when sending emails, and then click Download.
    • None - In this mode, the MTA-STS policy does not require TLS encryption for sending emails to the domain.
    • Testing - In this mode, email servers can retrieve and evaluate the policy without enforcing strict TLS (Transport Layer Security) encryption requirements. It indicates that the domain owner is in the process of setting up or testing their MTA-STS policy. It's important to note that emails sent in this mode aren't fully secure because TLS isn't enforced yet.
    • Enforce - In enforce mode, the MTA-STS policy requires that all email communication with the domain must be encrypted using TLS. If a sending email server cannot establish a TLS-encrypted connection, the receiving mail server will reject the email, thereby enforcing secure communication.
  5. Once done, publish the MTA-STS policy file you downloaded under the well-known folder on the web server.

    Note:

    Ensure it's accessible at the following URL:

    https://mta-sts.yourdomain.com/.well-known/mta-sts.txt (replace "yourdomain.com" with your actual domain/subdomain name).

    This ensures that email servers can fetch the policy file when sending emails to your domain.

  6. Open a new tab and log in to your domain provider's portal.
  7. Navigate to the Manage DNS page and add a TXT record with the values generated in Admin Console.
  8. Switch back to Zoho Mail Admin Console and click Verify.

It is generally recommended to first set MTA-STS to Testing mode. This allows you to verify that your MTA-STS policy is configured correctly and that email delivery is not disrupted. Once you are confident that the MTA-STS works as desired, you can modify the mode to Enforce.
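The checks below are an added example and not Zoho's code: they parse the `_mta-sts` TXT record and the policy file from the steps above and flag the mistakes that most often break delivery once the mode is switched to Enforce (wrong version string, a bad mode, a missing or malformed `mx` entry, an out-of-range `max_age`). The `mx_matches` helper also shows how a wildcard `mx:` entry is matched against an MX hostname, which is where Enforce-mode rejections usually come from. All sample values are constructed; the hostnames and the policy id are placeholders.

```python
"""Offline sanity checks for an MTA-STS TXT record and policy file.

Added example, not Zoho Mail's code. Sample inputs are constructed."""
import re

# Constructed sample of the TXT record published at _mta-sts.<domain>.
SAMPLE_TXT = "v=STSv1; id=20240501T120000"

# Constructed sample of the policy served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mx1.example.com
mx: *.example.com
max_age: 604800
"""

STS_MODES = ("none", "testing", "enforce")
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed one year


def parse_sts_txt(record):
    """Split a 'k=v; k=v' TXT record into a dict of trimmed fields."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    return fields


def parse_policy(text):
    """Parse the mta-sts.txt body; 'mx' may repeat, other keys may not."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            raise ValueError(f"duplicate key: {key}")
        else:
            policy[key] = value
    return policy


def check_deployment(txt_record, policy_text):
    """Return a list of findings; an empty list means the pair looks sound."""
    findings = []
    txt = parse_sts_txt(txt_record)
    if txt.get("v") != "STSv1":
        findings.append("TXT record must start with v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", txt.get("id", "")):
        findings.append("TXT id must be 1-32 alphanumeric characters")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy version must be STSv1")
    mode = policy.get("mode")
    if mode not in STS_MODES:
        findings.append(f"mode must be one of {STS_MODES}, got {mode!r}")
    if not policy["mx"]:
        findings.append("policy lists no mx hosts; enforce mode would reject all mail")
    for host in policy["mx"]:
        # A wildcard is only permitted as the whole leftmost label.
        if "*" in host and not (host.startswith("*.") and "*" not in host[2:]):
            findings.append(f"wildcard only allowed as a leading label: {host}")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            findings.append("max_age must be between 0 and 31557600 seconds")
    except ValueError:
        findings.append("max_age must be an integer number of seconds")
    return findings


def mx_matches(policy_mx, hostname):
    """RFC 8461 wildcard matching: '*.example.com' covers exactly one extra
    leading label (mail.example.com), not example.com itself and not
    deeper names such as a.b.example.com."""
    hostname = hostname.lower().rstrip(".")
    for pattern in policy_mx:
        if pattern.startswith("*."):
            label, dot, rest = hostname.partition(".")
            if dot and label and rest == pattern[2:]:
                return True
        elif pattern == hostname:
            return True
    return False


if __name__ == "__main__":
    print("findings:", check_deployment(SAMPLE_TXT, SAMPLE_POLICY))
    print("mail.example.com covered:", mx_matches(["*.example.com"], "mail.example.com"))
```

Run it against the TXT value and policy file generated in the Admin Console before switching to Enforce; a non-empty findings list, or an MX hostname that `mx_matches` does not cover, means sending servers honouring the policy would refuse delivery.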

TLS-RPT

Transport Layer Security Reporting (TLS-RPT) allows admins to receive TLS failure reports via email. This reporting feature helps admins keep track of the emails that fail delivery and proactively fix the cause of failure, thereby protecting the domain's reputation.

Follow these steps to configure the TLS-RPT aggregate notification address for your domain:

  1. Log in to Zoho Mail Admin Console and navigate to Domains.
  2. Select the preferred domain/subdomain and choose Email Configuration.
  3. Select TLS-RPT and enter the email address in the Aggregate notification email address field.
  4. Click Generate, and copy the generated TXT records.
  5. Open a new tab and log in to your domain provider's portal.
  6. Navigate to the Manage DNS page and add a TXT record with the values generated in Admin Console.
  7. Switch back to Zoho Mail Admin Console and click Verify.

You have successfully configured TLS reporting for your domain.
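Once the `rua=` address above starts receiving reports, the useful work is reading them. The following is an added example, not Zoho's code: it summarises an aggregate report in the RFC 8460 JSON format that TLS-RPT senders emit, totals the failed sessions per result type, and maps each result type to the component an admin should inspect (policy hosting, MX certificate, or STARTTLS on the MX host). The report body, organisation name, IP addresses and hostnames are all constructed placeholders.

```python
"""Summarise a TLS-RPT aggregate report (RFC 8460 JSON).

Added example, not Zoho Mail's code. The report below is constructed."""
import json
from collections import Counter

SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",            # constructed
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tls-rpt@sender.example",
    "report-id": "2024-05-01-example-report",
    "policies": [{
        "policy": {"policy-type": "sts",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mx1.example.com", "max_age: 604800"],
                   "policy-domain": "example.com",
                   "mx-host": ["mx1.example.com"]},
        "summary": {"total-successful-session-count": 980,
                    "total-failure-session-count": 20},
        "failure-details": [
            {"result-type": "certificate-expired",
             "sending-mta-ip": "203.0.113.10",            # documentation range
             "receiving-mx-hostname": "mx1.example.com",
             "failed-session-count": 15},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "203.0.113.11",
             "receiving-mx-hostname": "mx1.example.com",
             "failed-session-count": 5}]}]})

# Where each RFC 8460 result type usually points the admin.
WHERE_TO_LOOK = {
    "sts-policy-fetch-error": "policy hosting: https://mta-sts.<domain>/.well-known/mta-sts.txt",
    "sts-policy-invalid": "policy file syntax",
    "sts-webpki-invalid": "certificate on the mta-sts.<domain> web server",
    "certificate-expired": "MX host TLS certificate",
    "certificate-not-trusted": "MX host TLS certificate chain",
    "certificate-host-mismatch": "MX host certificate name vs. mx: entries",
    "starttls-not-supported": "MX host STARTTLS (or a device in the path stripping it)",
    "validation-failure": "generic TLS failure; check MX TLS configuration",
}


def summarize_report(report_json):
    """Return per-policy session totals and failures grouped by result type."""
    report = json.loads(report_json)
    summary = {"reporter": report["organization-name"], "policies": []}
    for entry in report["policies"]:
        pol = entry["policy"]
        counts = entry["summary"]
        ok = counts["total-successful-session-count"]
        bad = counts["total-failure-session-count"]
        failures = Counter()
        for detail in entry.get("failure-details", []):
            failures[detail["result-type"]] += detail["failed-session-count"]
        summary["policies"].append({
            "domain": pol["policy-domain"],
            "type": pol["policy-type"],
            "successful": ok,
            "failed": bad,
            "failure_rate": bad / (ok + bad) if ok + bad else 0.0,
            "by_result_type": dict(failures),
        })
    return summary


def triage(summary):
    """Map every failing result type in the summary to the component to inspect."""
    actions = {}
    for pol in summary["policies"]:
        for result_type in pol["by_result_type"]:
            actions[result_type] = WHERE_TO_LOOK.get(
                result_type, "result type not in table; consult RFC 8460 section 4.3")
    return actions


if __name__ == "__main__":
    digest = summarize_report(SAMPLE_REPORT)
    for pol in digest["policies"]:
        print(pol["domain"], pol["type"], f"{pol['failure_rate']:.1%} failed",
              pol["by_result_type"])
    print(triage(digest))
```

Feed it the JSON body from a report delivered to the aggregate notification address; a failure type that maps to "policy hosting" means sending servers could not even read your policy, which in Testing mode is harmless but in Enforce mode blocks delivery.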

BIMI

Brand Indicators for Message Identification (BIMI) is an email authentication technique which displays your brand's logo in the recipient's inbox against the emails you send. BIMI is an evolving email security protocol and is currently supported by very few email providers. Displaying your organization's logo in the emails you send increases the authenticity of the email and the trustworthiness of your brand. Email clients that support BIMI will automatically display your logo once you complete the BIMI configuration.

Mandatory settings before configuring BIMI

As an administrator, there are a few mandatory configurations that you should complete before you can set up BIMI.

  • Set up MX, SPF, DKIM and DMARC for your domain.
  • Upload your brand logo to a public web server as per the recommendations.
  • Generate a Verified Mark Certificate (VMC) for your logo.
  • To obtain the Verified Mark Certificate (VMC) from BIMI-accredited certificate providers, it is essential that your brand's logo is a legitimate trademark of your organization.
  • Ensure that the VMC license subscription is active.
  • DMARC needs to be set up with the action to be taken when DMARC validation fails (Quarantine or Reject), and the policy percentage needs to be 100%.

BIMI Logo Recommendations

The logo you upload for BIMI authentication should comply with the standards specified by BIMI. The image must be in the specific Scalable Vector Graphics (SVG) profile used by BIMI. Remember the guidelines given below while creating the BIMI image:

  • Set the baseProfile attribute to "tiny-ps" and the version attribute to "1.2".
  • Enter your organization's name in the title element and an optional description in the desc element.
  • Ensure there are no external links or references (other than the specified XML namespaces).
  • Keep the image centered with a square aspect ratio for better compatibility while displaying in the emails.
  • The image size should be less than 32 KB.
  • The background should be a solid color.
  • Do not add scripts, animations or other interactive elements.
  • Do not include x= or y= attributes within the <svg> root element.

Refer to the BIMI logo guidelines for more details.

Configure BIMI in Zoho Mail Admin Console

Once you have completed the mandatory configurations, uploaded the BIMI logo and generated a valid VMC, follow the instructions below to configure BIMI:

  1. Log in to Zoho Mail Admin Console and select Domains on the left pane.
  2. Select the domain for which you want to configure BIMI.
  3. Navigate to Email Configuration and select BIMI.
  4. Enter the BIMI logo URL which you published on the web server.
  5. Enter the VMC URL to prove ownership of the logo. The VMC file needs to be in a .pem format and hosted on the web.
  6. Click Generate. The BIMI record for the selected domain appears.
  7. Copy the BIMI record from the Admin Console.
  8. Log in to your domain provider's portal.
  9. Follow the steps to add a TXT record and publish the BIMI record in the Manage DNS page.
    • Sample TXT value: "v=BIMI1; l=[SVG URL]; a=[PEM URL]"
  10. Navigate back to Zoho Mail Admin Console and click Verify BIMI record.
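Because a logo that violates the profile rules is silently ignored by BIMI-capable clients, it is worth checking the SVG and the TXT record before publishing them. The following is an added example, not Zoho's code: `check_bimi_svg` tests a logo file against the BIMI Logo Recommendations listed earlier (`baseProfile="tiny-ps"`, `version="1.2"`, a `<title>`, no `x=`/`y=` on the root, no scripts, animations or event handlers, no external references, under 32 KB), and `parse_bimi_record` checks the shape of the `v=BIMI1; l=...; a=...` record from step 9. Both SVG documents and the record's URLs are constructed samples.

```python
"""Pre-publication checks for a BIMI logo and its DNS record.

Added example, not Zoho Mail's code. Sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ANIMATION_TAGS = {"animate", "animateTransform", "animateMotion", "animateColor", "set"}
MAX_LOGO_BYTES = 32 * 1024

# Constructed logo that follows the recommendations.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Brand</title>
  <desc>Constructed sample logo</desc>
  <rect width="100" height="100" fill="#ffffff"/>
  <circle cx="50" cy="50" r="30" fill="#0055aa"/>
</svg>"""

# Constructed logo that breaks several rules at once.
BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" x="0" y="0">
  <image xlink:href="https://cdn.example.com/logo.png" width="100" height="100"/>
  <script>/* not allowed */</script>
</svg>"""

# Constructed record in the shape shown in step 9.
GOOD_RECORD = "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"


def local(name):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def check_bimi_svg(svg_bytes):
    """Return a list of rule violations; an empty list means the logo passes."""
    findings = []
    if len(svg_bytes) >= MAX_LOGO_BYTES:
        findings.append("file must be smaller than 32 KB")
    root = ET.fromstring(svg_bytes)
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append("root element must be <svg> in the SVG namespace")
        return findings
    if root.get("baseProfile") != "tiny-ps":
        findings.append('baseProfile must be "tiny-ps"')
    if root.get("version") != "1.2":
        findings.append('version must be "1.2"')
    for attr in ("x", "y"):
        if attr in root.attrib:
            findings.append(f"root <svg> must not carry {attr}= attribute")
    title = root.find(f"{{{SVG_NS}}}title")
    if title is None or not (title.text or "").strip():
        findings.append("<title> with the organization name is required")
    for el in root.iter():
        name = local(el.tag)
        if name == "script":
            findings.append("<script> elements are not allowed")
        if name in ANIMATION_TAGS:
            findings.append(f"animation element <{name}> is not allowed")
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                findings.append(f"event handler attribute {local(attr)} is not allowed")
            # Only fragment references (#id) inside the file are acceptable.
            if attr in ("href", XLINK_HREF) and not value.startswith("#"):
                findings.append(f"external reference not allowed: {value}")
            if re.search(r"url\(\s*[\"']?(?!#)", value):
                findings.append(f"external url() reference in {local(attr)}")
    return findings


def parse_bimi_record(record):
    """Split the TXT record and check that it has the expected shape."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    findings = []
    if fields.get("v") != "BIMI1":
        findings.append("record must begin with v=BIMI1")
    if not fields.get("l", "").startswith("https://"):
        findings.append("l= must be an https:// URL to the SVG logo")
    vmc = fields.get("a", "")
    if vmc and not (vmc.startswith("https://") and vmc.endswith(".pem")):
        findings.append("a= must be an https:// URL to the VMC in .pem format")
    return fields, findings


if __name__ == "__main__":
    print("good logo:", check_bimi_svg(GOOD_SVG))
    print("bad logo:", check_bimi_svg(BAD_SVG))
    print("record:", parse_bimi_record(GOOD_RECORD))
```

The checker deliberately covers only the rules listed on this page; it does not validate the VMC itself, which the certificate provider and the receiving mail client do.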

Note:

  • Your brand logo will be displayed in the end-user's inbox only if BIMI is supported by the recipient's email provider.
  • This feature is available only for organizations that are part of our paid plan. Reach out to support@zohomail.com for more details.
