Advanced Security Configurations

Zoho Mail is a secure email and collaboration platform that allows administrators to configure advanced security and encryption settings through the Zoho Mail Admin Console.

Table of Contents

MTA-STS 

Mail Transfer Agent-Strict Transport Security (MTA-STS) protocol encrypts the emails sent/ received to your domain and protects the messages from Man-In-The-Middle (MITM) attacks. Once you configure MTA-STS, the sending servers will deliver an email only if a valid TLS connection is established.

MTA-STS protocol can be deployed by adding a DNS record to your domain provider's Manage DNS page. The steps to configure MTA-STS are as follows:

  • Configure an MTA-STS policy for your domain/ subdomain
  • Publish the policy in your domain's public web server
  • Create a DNS (TXT) record
  • Verify the MTA-STS configuration in Zoho Mail Admin Console.

Steps to configure MTA-STS

Follow these steps to configure MTA-STS for your domain:

  1. Log in to Zoho Mail Admin Console and navigate to Domains.
  2. Select the preferred domain/ subdomain and choose Email Configuration.
  3. Choose MTA-STS and download the policy file from the on-screen instructions provided.
  4. Set the mode to Testing/ Enforce based on your requirement and click Download.
  5. Publish the MTA-STS policy in the URL mentioned in Zoho Mail Admin Console.
  6. Open a new tab and log in to your domain provider's portal.
  7. Navigate to the Manage DNS page and add a TXT record.
  8. Switch back to Zoho Mail Admin Console and click Verify.

Once you are confident that the MTA-STS works as desired, you can modify the mode to Enforce.

TLS-RPT

Transport Layer Security Reporting (TLS-RPT) allows admins to receive TLS failure reports via email. This reporting feature helps admins to keep track of the emails that fail delivery and proactively fix the cause of failure thereby increasing the domain reputation.

Follow these steps to configure the TLS-RPT aggregate notification address for your domain:

  1. Log in to Zoho Mail Admin Console and navigate to Domains.
  2. Select the preferred domain/ subdomain and choose Email Configuration.
  3. Select TLS-RPT and enter the email address in the Aggregate notification email address field.

You have successfully configured TLS reporting for your domain.

BIMI

Brand Indicators for Message Identification (BIMI) is an email authentication technique which displays your brand's logo in the recipient's inbox against the emails you send. BIMI is an evolving email security protocol and is currently supported by very few email providers. Displaying your organization's logo in the emails you send increases the authenticity of the email and the trustworthiness of your brand. Email clients that support BIMI will automatically display your logo once you complete the BIMI configuration. 

Mandatory settings before configuring BIMI

As an administrator, there are a few mandatory configurations that you should complete before you can set up BIMI.

  • Set up MX, SPF, DKIM and DMARC for your domain.
  • Upload your brand logo to a public web server as per the recommendations.
  • Generate a Verified Mark Certificate (VMC) for your logo.
  • To obtain the Verified Mark Certificate (VMC) from BIMI-accredited certificate providers, it is essential that your brand's logo is a legitimate trademark of your organization.
  • Ensure that the VMC license subscription is active.
  • DMARC needs to be set up with the action to be taken when DMARC validation fails (Quarantine or Reject), and the policy percentage needs to be 100%.

BIMI Logo Recommendations

The logo you upload for BIMI authentication should comply with the standards specified by BIMI. The image must be in the specific Scaled Vector Graphics (SVG) profile used by BIMI. Remember the guidelines given below while creating the BIMI image:

  • Set the baseProfile attribute to "tiny-ps" and the version attribute to "1.2".
  • Enter your organization's name in the title element and an optional description in the desc element.
  • Ensure there are no external links or references (other than the specified XML namespaces).
  • Keep the image centered with a square aspect ratio for better compatibility while displaying in the emails.
  • The image size should be less than 32 KB.
  • The background should be a solid color.
  • Do not add scripts, animations or other interactive elements.
  • Do not include x= or y= attributes within the <svg> root element.

Refer to the BIMI logo guidelines for more details.

Configure BIMI in Zoho Mail Admin Console

Once you complete the mandatory configurations, upload BIMI logo and generate a valid VMC, follow the below instructions to configure BIMI:

  1. Log in to Zoho Mail Admin Console and select Domains on the left pane.
  2. Select the domain for which you want to configure BIMI.
  3. Navigate to Email Configuration and select BIMI.
  4. Enter the BIMI logo URL which you published on the web server.
  5. Enter the VMC URL to prove ownership of the logo. The VMC file needs to be in a .pem format and hosted on the web.
  6. Click Generate. The BIMI record for the select domain appears.
  7. Copy the BIMI record from the Admin Console.
  8. Log in to your domain provider's portal.
  9. Follow the steps to add a TXT record and publish the BIMI record in the Manage DNS page.
    • Sample TXT value "v=BIMI1;l=[SVG URL]; a=[PEM URL]
  10. Navigate back to Zoho Mail Admin Console and click Verify BIMI record.

Note:

  • Your brand logo will be displayed in the end-user's inbox only if BIMI is supported by the recipient's email provider.
  • This feature is available only for organizations that are part of our paid plan. Reach out to support@zohomail.com for more details.

Still can't find what you're looking for?

Write to us: support@zohomail.com