Email Policy Customization
An email policy or email usage policy is a set of rules and regulations laid down by an organization for its users to follow while using their professional email addresses. This can easily be confused with the email policy which administrators configure for specific users or groups. The Email Policy section under Mail Settings in Zoho Mail Admin Console allows an admin to manage and review the organization's email sending and receiving parameters.
In Zoho Mail, you can define multiple email policies and apply them to various sets of users and groups. You can add email policies to restrict email access from other devices, other networks and also add account restrictions in the email policies.
It also helps the administrator to define and apply different privilege levels and restrictions to users and groups based on their role, requirement, and permissions in the organization. The different types of policies that can be set using Zoho Mail's secure email policy can be classified based on email and domain, access, account and email forwarding restrictions.
Zoho Mail applies the default Zoho Mail Business Policy to users and groups on creation. You can create new policies based on your organization's requirement and apply them to specific users and groups.
Steps to define new email policy
- Create a new email policy.
- Configure the General Restrictions for the policy.
- Add an Email and domain Restriction.
- Add an Account Restriction.
- Add an Access Restriction.
- Add an Email Forwarding Restriction.
- Apply the relevant restrictions to the policy.
- Apply the configured policy to users and groups.
Creating a new email policy
- Log in to the Zoho Mail Admin Console.
- Go to the Mail Settings menu from the left pane and select Email Policy.
- You will see the default Zoho Mail Business Policy listed.
- Click Create to create a new policy.
- Enter a name for the policy that you are going to create, and click Create.
- You will now have to define the restrictions that you would like to apply in this policy.
General Restrictions
- In the General tab of a policy that you have created, you can change the name of the policy if required.
- Enter the maximum incoming and outgoing email size that you want to allocate for this policy. A maximum of 40MB is permitted.
- Then, enter the number of incoming emails permitted per minute in this policy. A maximum of 100 emails per minute is permitted.
- You can choose to enable or disable Mailbox delegation access for the users to whom the policy is assigned.
- Choose whether to allow older, less secure applications to send emails. These applications often do not use modern security protocols like OAuth, which ensures safer authentication. By default, Zoho Mail blocks these less secure apps to protect your account from potential vulnerabilities. However, if necessary, you can allow such apps to send emails through this policy, though it is generally recommended to keep this disabled for enhanced security.
Email Restrictions
In this section, you can define the allowed or blocked domains, email addresses, attachment types and the subject text for incoming and outgoing emails.
Steps to define new email restrictions:
- In the Admin Console, go to the Mail Settings menu.
- Go to the Email Restrictions section.
- Click Create and enter a new name for the restriction.
- You can define restrictions for domains, email addresses, attachments and email subjects in this section.
Domains
The options available under domain restrictions are:
- No restrictions
- Org Domains only - To allow emails only within the organization
- Blocked domains
- Allowed domains
You can define the restrictions for incoming emails, outgoing emails or for both. You can allow or block certain domains for incoming and/or outgoing emails.
Allow: When you specify a domain as allowed domain for outgoing, the users and groups for whom the policy is applied will be able to send emails only to those domains. When they send emails to other domains, the outgoing server will reject them and bounce the email back to the sender.
Block: When you specify a domain as a blocked domain, emails can be sent to all the domains, other than the ones specified in the blocked domain.
Org Domains only: You can also allow email sending or receiving within the organization domains alone. When this restriction is applied, emails cannot be sent outside the organization domains or received from external accounts.
You can choose no restrictions to allow sending and receiving of emails without any domain restrictions.
Email Address
The options available under email address restrictions are:
- No restrictions
- Blocked email addresses
- Allowed email addresses
You can define the restrictions for incoming emails, outgoing emails or for both. You can allow or block certain email addresses for incoming and/or outgoing emails.
Allow: When you specify an email address as allowed email address for outgoing, the users and groups for whom the policy is applied will be able to send emails only to those email addresses. When they send emails to other email addresses, the outgoing server will reject them and bounce the email back to the sender. The same can be applied to incoming emails as well. When the restriction is applied for incoming, the incoming emails are delivered only from the allowed email addresses. Any email from the other email addresses not specified in the list will be rejected (bounced back).
Block: When you specify an email address as blocked email address, the emails can be sent to all the email addresses, other than the one specified in the blocked email addresses.
You can choose no restrictions to allow sending and receiving of emails without any email address restrictions.
Attachment
The options available under attachment restrictions are:
- No restrictions
- Blocked attachments
- Allowed attachments
You can define the attachment type restrictions for incoming, outgoing or for both. You can allow or block certain attachment types for incoming and/or outgoing emails.
Allow: When you specify some attachment types as allowed type for outgoing, the users and groups for whom the policy is applied will be able to send emails only with the specified attachment type. When they send emails with other attachment types, the outgoing server will reject them and bounce the email back to the sender.
Block: When you specify a type as blocked attachment type, the emails can be sent with any other attachment, other than the ones specified in the blocked attachment.
You can make sure that attachments with specific file names are blocked or allowed for both the incoming and outgoing emails.
For example, if you want to specify files with the name check, follow the below instructions:
- Select whether you want to apply the attachment conditions for incoming or outgoing.
- Once you click on either incoming or outgoing, select the condition you want to apply.
- You can choose no restrictions to allow sending and receiving of emails without any attachment restrictions.
- If you choose either the Allowed or Blocked option, enter the file name that you would like to specify.
- Follow the below convention to mention the file names:
  - Mention check if the file might contain the name check
  - Mention "check" if the name of the file might be check
  - Mention *check if the file name might end with check
  - Mention check* if the file name might begin with check
- The restriction will be applied according to your specifications.
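The file-name convention above can be dry-run against sample attachment names before the restriction is saved. The following is an added example, not Zoho's matcher: it models the four documented forms, and the function names, the `ignore_case` and `strip_ext` switches, and the sample file names are assumptions, since this page does not say whether matching is case-sensitive or includes the extension.

```python
import os

def compile_rule(spec):
    """Turn one console entry into (kind, text) using the four documented forms."""
    spec = spec.strip()
    if len(spec) >= 3 and spec[0] == spec[-1] == '"':
        return ("exact", spec[1:-1])          # "check" -> name is check
    body = spec.strip("*")
    if not body or "*" in body or len(spec) - len(body) > 1:
        raise ValueError(f"not one of the documented forms: {spec!r}")
    if spec[0] == "*":
        return ("suffix", body)               # *check  -> name ends with check
    if spec[-1] == "*":
        return ("prefix", body)               # check*  -> name begins with check
    return ("contains", body)                 # check   -> name contains check


def matches(rule, filename, ignore_case=True, strip_ext=True):
    """Apply one compiled rule to one attachment name.

    ignore_case and strip_ext are assumptions of this example; flip them to
    see how the result changes if the service behaves the other way.
    """
    kind, text = rule
    name = os.path.splitext(filename)[0] if strip_ext else filename
    if ignore_case:
        name, text = name.lower(), text.lower()
    if kind == "exact":
        return name == text
    if kind == "suffix":
        return name.endswith(text)
    if kind == "prefix":
        return name.startswith(text)
    return text in name


def verdict(filenames, mode, specs, **opts):
    """Return 'reject' or 'deliver' for the attachments of one message.

    mode 'blocked': reject if any attachment matches any entry.
    mode 'allowed': reject if any attachment matches no entry.
    """
    if mode not in ("blocked", "allowed"):
        raise ValueError(mode)
    rules = [compile_rule(s) for s in specs]
    for name in filenames:
        hit = any(matches(r, name, **opts) for r in rules)
        if hit == (mode == "blocked"):
            return "reject"
    return "deliver"


# Constructed sample names for a dry run; not taken from the page.
SAMPLE = ["paycheck.pdf", "Check.docx", "checklist.xlsx", "report.pdf"]

def dry_run(spec, **opts):
    """List which SAMPLE names a single console entry would match."""
    rule = compile_rule(spec)
    return [n for n in SAMPLE if matches(rule, n, **opts)]
```

Running `dry_run` with `strip_ext=False` or `ignore_case=False` shows which entries change behaviour under the other interpretation, which is worth confirming with a test message before relying on a Blocked list.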
Subject
The options available under email subject restrictions are:
- No restrictions
- Blocked subjects
- Allowed subjects
You can define the restrictions for incoming, outgoing or for both. You can allow or block certain subjects for incoming and/or outgoing emails.
Allow: When you specify some subjects as allowed email subject for outgoing, the users and groups for whom the policy is applied will be able to send emails only with that subject. When they send emails with other subjects, the outgoing server will reject them and bounce the email back to the sender.
Block: When you specify a subject as a blocked email subject, the emails can be sent with any other subject, other than the ones specified in the blocked subject.
Example: If you specify the word "pharmacy" as a blocked subject, emails will be blocked irrespective of where the word appears in the subject.
You can choose no restrictions to allow sending and receiving of emails without any subject restrictions.
Account Restrictions
You can define the account-based restrictions in this section. In this section, you can provide permissions to add external accounts as POP in Zoho and options to customize their signatures in Zoho Mail. You can also restrict the import/export of emails by the users and groups.
Steps to define new account restrictions:
- In the Admin Console, go to the Mail Settings menu.
- Go to the Account Restrictions section.
- Click Create and enter a new name for the restriction.
- You can define account-based restrictions such as external account access, import/export of emails, etc. from this section.
External Accounts Access
By default, Zoho Mail allows users to configure their external accounts via POP or IMAP. As an administrator, if you do not want the users to access their other accounts via POP, you can turn it off in this section. When turned off, the users for whom the policy is applied, will not be able to add the external accounts via POP.
Signature Customization
Zoho Mail allows the users to configure and use multiple signatures for their accounts. As an administrator, you can turn off the feature. When the option is turned off, the users for whom the policy is applied, will not be able to customize their signatures, from the webmail console.
Import/ Export Emails
In the webmail and in the Admin Console, users and administrators have a feature to migrate emails in EML or ZIP format using the Import/Export Emails option. For security and privacy reasons, you can choose to turn off this feature for the users through email policy.
When turned off, the users will not be able to import emails into Zoho Mail or export the emails from Zoho Mail.
Add to Cloud
Users can save incoming attachments to Zoho Docs and also other cloud services like Google Drive, Dropbox, etc. However, the administrator can turn off the Add to Cloud option using the email policy to not allow users to save attachments to cloud storage.
Attach from Cloud
Users can attach files from Zoho Docs or other cloud services like Google Drive, Dropbox, etc. to the emails that they are sending. However, the administrator can turn off the Attach from Cloud option using the email policy to not allow users to add attachments from cloud services.
Display BCC
While composing emails, users will have the option to send emails as a Blind Carbon Copy (BCC). However, the administrator can turn off the Display BCC option, to make sure that users do not have the option to BCC email addresses in their emails.
Access Restrictions
You can define the access restrictions in this section. You can provide permissions to access the account via POP, IMAP, and/or ActiveSync. Additionally, you can also decide whether the user can set up email forwarding from the account or not.
Steps to define new access restrictions:
- In the Admin Console, go to the Mail Settings menu.
- Go to the Access Restrictions section.
- Click Create and enter a new name for the restriction.
- You can define restrictions for POP, IMAP and ActiveSync access and for email forwarding in this section.
POP Access
Zoho Mail allows users to enable their POP access, and retrieve emails via POP in email clients like Outlook, Thunderbird, etc. If you want to enable any access restrictions, you can turn off the POP access for the specific set of users. When turned off, the users, for whom the policy is applied, will not be able to access the Zoho account via POP. If they try to enable POP in webmail, they will receive an error message.
IMAP Access
Zoho Mail allows users to enable their IMAP access, and retrieve emails via IMAP in email clients like Outlook, Thunderbird, etc. When turned off, the users for whom the policy is applied, will not be able to access the Zoho account via IMAP in other clients like iPhone, K9 etc.
ActiveSync
When turned off, the users for whom the policy is applied will not be able to access the Zoho account via ActiveSync in other clients like iPad, Android, etc.
Email Forwarding
When turned off, the users, for whom the policy is applied, will not be able to configure email forwarding from the Zoho accounts to external accounts.
Display POP/IMAP Settings
The POP/IMAP options will be visible to the users in their Settings Page. However, if the admins turn off the Display POP&IMAP Settings option, users will not be able to change their POP/IMAP status. Only the admins will be able to enable/disable POP/ IMAP access for the users' accounts.
Display Email Forwarding Settings
The Email Forwarding options will be visible to the users in their Settings Page. However, if the admins turn off the Display Mail Forward Settings option, users will not be able to change their email forwarding settings. Only the admins will be able to add or remove the email forwarding for the users' accounts.
You can also specify IP restrictions, if any, for the users to whom the policy is applied.
Maximum Session Count
The maximum number of open sessions for a specific user account can be set. Turn on the Max Session Count option and enter the necessary limit. A minimum limit of 1 and a maximum limit of 25 can be set. Once the maximum limit set has been crossed, the user will not be able to log into their account in a new session. The user can close the current sessions and then log in to a new one.
Mail Client IP Restriction
If you have set up an IP restriction for your users, you can turn on the Mail Client IP Restriction to apply the IP range if external email clients are being used. Users to whom this policy has been applied will be able to access their mailbox only from this IP range, irrespective of whether they are logging in from webmail or external email clients. If an IP range is not set, this IP restriction will not take effect.
Allowed IP Addresses
If you would like to restrict the IP addresses from which users can log in to their accounts, you can set up the IP range in the Allowed IP Addresses section. Users will not be able to log in to their accounts outside this IP range.
Strict TLS
Transport Layer Security (TLS) is a protocol that encrypts communication in transit, in this case the connection between the sending and receiving mail servers, to prevent unauthorized parties from accessing your sensitive data. Strict TLS ensures emails are sent or received only between servers that support TLS. Administrators can enable Strict TLS, associate it with an email policy and then associate the policy with the desired users or groups. When Strict TLS is enabled:
- Organization users can send emails only when the destination server supports TLS.
- Users receive a bounce message when an email is sent to a domain which does not support TLS.
- Users will not receive emails from a domain which does not support TLS.
Follow these steps to configure Strict TLS for your organization:
- Log in to Zoho Mail Admin Console and navigate to Mail Settings on the left pane.
- From the Policies section create a new policy.
- Configure the desired restrictions (General, Email, Account, Access and Forward) for the policy from the Restrictions drop-down.
- Click the Restrictions drop-down and select Strict TLS.
- Enable Strict TLS and select the preferred option:
  - Incoming emails
  - Outgoing emails
  - Both
- Click Enable and select either to include or exclude domains.
  - Included - Emails sent or received to/from the domains added here will be scrutinized for a secure connection.
  - Excluded - Emails can be sent or received to/from the domains even when there is no TLS connection.
- Click Add.
- Mention the domain names separated by a comma and click Add.
Strict TLS is now configured for the policy. Navigate to the Associated Users and Associated Groups tabs and assign the policy as per your requirement.
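Because Strict TLS bounces mail to and from domains without TLS, it helps to check partner domains before enabling it. The following is an added example, not Zoho code: it reads captured EHLO replies for STARTTLS and applies the Included/Excluded list as this page describes it. The function names and sample domains are assumptions, and advertising STARTTLS is only the precondition for TLS, not proof that the handshake will succeed.

```python
import smtplib

def ehlo_offers_starttls(ehlo_reply):
    """Parse a captured multi-line EHLO reply; True if STARTTLS is advertised."""
    lines = [l.strip() for l in ehlo_reply.splitlines() if l.strip()]
    for line in lines[1:]:  # first line is the server greeting, not an extension
        # Extension lines look like "250-KEYWORD params", last one "250 KEYWORD".
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        if line[4:].split(" ", 1)[0].upper() == "STARTTLS":
            return True
    return False


def probe_starttls(mx_host, timeout=10.0):
    """Live variant: ask mx_host directly (needs outbound access to port 25)."""
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


def tls_enforced(domain, mode, listed_csv):
    """Is TLS required for this domain under the policy?

    mode 'included': only the listed domains are checked for TLS.
    mode 'excluded': every domain except the listed ones is checked.
    listed_csv is the comma-separated string typed into the console.
    """
    listed = {d.strip().lower() for d in listed_csv.split(",") if d.strip()}
    if mode == "included":
        return domain.lower() in listed
    if mode == "excluded":
        return domain.lower() not in listed
    raise ValueError(mode)


def would_bounce(ehlo_by_domain, mode, listed_csv):
    """Domains whose mail would fail once Strict TLS is enabled."""
    return sorted(
        d for d, reply in ehlo_by_domain.items()
        if tls_enforced(d, mode, listed_csv) and not ehlo_offers_starttls(reply)
    )


# Constructed EHLO captures for three hypothetical partner domains.
SAMPLE_EHLO = {
    "partner-a.example": "250-mx.partner-a.example\n250-SIZE 41943040\n"
                         "250-STARTTLS\n250 8BITMIME",
    "legacy-b.example": "250-mail.legacy-b.example\n250-SIZE 10485760\n"
                        "250 8BITMIME",
    "vendor-c.example": "250-mx.vendor-c.example\n250-PIPELINING\n250 HELP",
}
```

Domains returned by `would_bounce` are candidates for the Excluded list or for a conversation with the partner's mail administrator before the policy is assigned.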
Forward Restrictions
If you would like all outgoing emails sent by users to whom this policy is applied to be forwarded to another email address in the organization, you can configure it here.
Steps to define new forward restrictions:
- In the Admin Console, go to the Mail Settings menu.
- Go to the Forward Restrictions section.
- Click Create and enter a new name for the restriction.
- In the Outgoing Email Forwarding Policy field, enter the email address to which all outgoing emails should be forwarded.
The outgoing emails can be forwarded only to another organization account and not to any external account.
Applying restrictions to the policy
After you have created all the necessary restrictions, you need to apply them to the relevant policy.
- In the Admin Console, go to the Mail Settings menu.
- Go to Policies, and select the policy with which you would like to associate the restrictions.
- In the Restrictions dropdown, select Email Restriction.
- In the Email Restriction Applied dropdown, select the restriction that you'd like to associate with this policy.
- Review the settings once, and click Change.
- In the Restrictions dropdown, select Account Restriction.
- In the Account Restriction Applied dropdown, select the restriction that you'd like to associate with this policy.
- Review the settings once, and click Change.
- In the Restrictions dropdown, select Access Restriction.
- In the Access Restriction Applied dropdown, select the restriction that you'd like to associate with this policy.
- Review the settings once, and click Change.
- In the Restrictions dropdown, select Forward Restriction.
- In the Mail Forward Restriction Applied dropdown, select the restriction that you'd like to associate with this policy.
- Review the settings once, and click Change.
Now, the relevant restrictions will be applied to the policy that you have created.
Settings Customization
In this section, administrators can grant permissions to users, either allowing them to make modifications to their existing settings or imposing specific restrictions to prevent changes. You can also customize the settings and apply them to all users associated with this policy, automatically modifying their settings to match the configurations set here. Follow these steps to set user permissions:
- Navigate to the Settings Customization tab of the policy that you have created.
- Select the setting you want to configure from the left menu.
- Customize the settings available under each section according to your preferences.
- Choose the User Permission options against each setting to allow users to:
  - Read & Write - Users can both view and make modifications to their settings and will continue to retain their existing settings.
  - Overwrite - If selected, any changes made to the settings will become the default settings for all users who are part of the policy. However, users will have the flexibility to modify these settings based on their specific needs if required.
  - Read Only - Users will have the settings configured here as their default fixed settings. They can only view the settings and cannot make any modifications.
  - Hide - Users are restricted from both viewing and modifying the settings but will continue to use the settings configured here.
- Once done, click Save.
Associate policy with users and groups
Next, you need to associate this policy with the respective users and groups.
Steps to associate policy with users and groups
- In the Admin Console, go to the Mail Settings menu.
- Go to Policies, and select the policy with which you would like to associate users and groups.
- Go to the Associated Users tab.
- Click Add to manually select the users for this policy. Select the users that you'd like to add, and click Proceed.
- Click Import if you'd like to import users for this policy using a CSV file. Browse and select the CSV file containing the user list, and click Import.
- Similarly, go to the Associated Groups tab.
- Click Add to manually select the groups for this policy. Select the groups that you'd like to add, and click Proceed.
- Click Import if you'd like to import groups for this policy using a CSV file. Browse and select the CSV file containing the group list, and click Import.
- You can also change the policy of users in this section by clicking the Change Policy icon for the respective user. You can also select multiple users, click on the Change Policy icon and select the policy you'd like to apply for all the selected users.
You can also apply the email policy for users and groups in the user-specific or group-specific settings, or even at the time of creating the user or group.
Note:
- You can create multiple policies and apply them to different sets of users or groups, but you can apply only one policy to a particular user or group.
- If you delete a specific policy, all users or groups under that policy will be moved to the Default Policy.
- If an admin associates another admin with an email policy, the restrictions in that policy will apply to the admin as well.
- The restrictions created by the email policy apply not only in the Mail Settings but in the Mail Admin Console too.