Configure Email Delivery

Domains

The Domains section in Zoho eProtect allows administrators to view and configure their organization's Inbound and Outbound configurations. The first time you navigate to the Domains section, you can see the domains which you added or imported during setup.

Inbound Configuration

The domains you add or import into eProtect get listed in the Inbound Configuration section. The inbound configuration section allows you to:

Add Domain Manually

To add a domain manually in eProtect, follow these steps:

  1. Log in to Zoho eProtect and select Domains.
  2. Click Add in the Inbound Configuration section.
  3. Enter the domain name and click Save. The domain gets added with the status Verify domain ownership.
  4. Select the newly added domain and Verify the domain.

If necessary, use the Filter option to view your organization's domains based on verified, unverified and domains without MX records. Once you complete domain verification, Configure Email Routing

Note:

  • If you encounter any errors during domain verification refer to Troubleshoot Domain Verification Failure.
  • For domain verification instructions specific to your domain provider, select the appropriate link from the below options.
  • If your domain is not listed above and you have trouble verifying your domain using the generic domain verification instructions, please reach out to your email service provider or support@zohoeprotect.com.

Import Domains

If your email service provider is Google Workspace or Microsoft 365, you can Import domains by following easy steps. To import a domain you should comply with the below requirements:

  • For Google Workspace accounts - You must have authorized Zoho eProtect to access your Google Workspace account while setting up your organization in eProtect.
  • For Microsoft 365 accounts - While setting up your organization you must have authorized using your Microsoft 365 account admin credentials.

Follow these steps to import domains:

  1. Log in to Zoho eProtect and select Domains.
  2. Click Import in the Inbound Configuration section. The Import Domain page appears with the list of domains in your organization.
  3. Select the domains which you wish you import and click Start Import. The domains get imported to eProtect.

    Note:

    You can import only those domains which you have already verified.

  4. Navigate to the domain and click Enable Domain for eProtect.

You can now Configure Email Routing for the newly added domain.

Configure Email Routing

In a regular email hosting scenario, you will configure the destination server details in your domain provider's Manage DNS page. However, for Zoho eProtect to receive your emails, scan for threats and then route them to the intended recipient(s), you must configure the below settings:

  • Destination Server - Add your Destination Server in eProtect in order to ensure the emails reach the intended recipients.
  • MX records - Add Zoho's MX record in your domain provider's Manage DNS with the least priority so that email flows from the source server, via eProtect and then to the Destination Server.

Follow these steps to configure the email routing in eProtect:

  1. Locate your MX record for the domain in your service provider's domain settings.
  2. In Zoho eProtect, enter the Destination host (MX/ IP address).
  3. Enter the Verification email address and click Save.

Note:

  • A verification email will be sent to the email address mentioned. Check if you received the email before pointing the MX record to eProtect to ensure proper email flow.
  • Upon successful verification, email routing gets configured.

Configure MX Record

Changing the MX records to point to Zoho is critical for successful deployment to ensure all emails are processed for spam, archived and delivered to the Destination Server. The steps to locate your MX record are given below. Select the appropriate link based on your service provider:

Note:

  1. MX records and email routing settings are required in the below scenarios:
    • If your organization has enabled Email Protection.
    • If the eDiscovery Mail receiving type is set as MX.
  2. Ensure that you configure Email Protection settings before you add the MX records. This is because if you point the MX records without configuring Spam Control, susceptible emails may pass through eProtect and eventually to your organization's mailbox.
Configure MX records in Google Workspace

Follow these steps to Configure DNS records in Google Workspace:

  1. Log in to your Google Workspace account as an Admin and navigate to the Domains page.
  2. If you manage only one domain, you will be directed to that Domain page. If you manage more domains, click Manage next to the domain for which you would like to make changes.
  3. Click DNS from the left pane and navigate to the Resource records and click Custom records.
  4. If a DNS record exists, click Manage custom records and click Create new record. Ignore this step if there is no existing record.
    1. In the Host name field, enter @.
    2. Select the Type as MX from the drop-down list.
    3. Enter the TTL as 3600 (1 hour).
    4. In the Data field, enter the MX record-10 eprotect-mx.zoho.com- (add 20 eprotect-mx2.zoho.com and 30 eprotect-mx3.zoho.com) along with its Priority and click Save.

Note:

Ensure you set the least priority for Zoho eProtect's MX record. If the least priority is defined to some other MX record, eProtect might not be able to receive your emails.

Configure MX records in Microsoft 365

Follow these steps to Configure DNS records in Microsoft 365/Office 365:

  1. Log in to the Office 365 Admin portal.
  2. Click Domains from the left pane and select the domain you wish to manage.
  3. Click Domain Settings.
  4. Under Exchange Online, locate the MX row in the table from the Points to address column.
  5. To configure the MX record, follow these steps:
    1. Log in to your domain's DNS manager.
    2. It is recommended to delete the existing MX records or set the least priority for eProtect's MX record.
    3. Navigate to the Mail Exchanger (MX) tab in Zoho eProtect under Domains section and copy the MX value from the Address field.
    4. In your domain's DNS manager page, add a new MX record and paste the value you copied from eProtect.
  6. Click Verify MX records from Zoho eProtect.
  7. Allow some time for the propagation.

Note:

  • If you cannot make these changes yourself, contact your sysadmin, hosting provider, ISP, or DNS provider and arrange for the MX records for your domains to be modified.
  • Click here to learn more about MX record configuration for the most common domain providers.
  • Once MX verification is completed, your domain status will change to Verified and emails will start flowing through eProtect. If a domain is verified once, you don't have to verify it again unless you delete it for some reason.
Configure MX records for other Email Providers

Follow these steps to configure MX records if your email is hosted with a provider other than Google Workspace or Microsoft 365:

  1. Log in to Zoho eProtect and select Domains in the left pane.
  2. Select the preferred domain, navigate to the Mail Exchanger (MX) tab and copy the MX value from the Address field.
  3. Log in to your domain provider's portal.
  4. Select the domain for which you wish to add Zoho's MX record.
  5. Select Manage DNS.
  6. Click Add a new record and choose MX from the available options.
  7. Enter @ in the Hostname field.
  8. Paste the MX value that you copied in eProtect and click the Save button.
    • 10 eprotect-mx.zoho.com
    • 20 eprotect-mx2.zoho.com
    • 30 eprotect-mx3.zoho.com
  9. Navigate back to eProtect and click Verify MX Records.

If the records have propagated properly, you can see the message Your domain's MX Records are pointed to Zoho.

Outbound Gateway Configuration

Upon configuring the Outbound Protection settings, Zoho eProtect ensures your organization's outgoing emails are routed via Zoho's server, scanned for threats based on the configured settings and then sent to the destined recipient. The emails sent from your organization will be scanned for any sort of threat once you configure the Outbound Protection settings in eProtect. Outbound protection helps in retaining your domain's brand image and the credibility of the emails sent from your organization. Setting up outbound protection in eProtect includes:

  • Configuring the outbound IP addresses in Zoho eProtect
  • Configuring outbound settings in your email service provider.

When you add an IP address in the Outbound Protection section, eProtect scans the emails that originate from that IP address. Threat protection/scanning is based on the Email Protection settings configured by the admin. The outbound configuration works in tandem with the outbound rules configured in the Email Protection section. For more details refer to the Outbound Rules section.

Outbound Gateway Settings for Google Workspace

Follow these steps to configure outbound gateway settings in your Google Workspace account:

  1. Log in to Zoho eProtect and select Domains in the left menu.
  2. Select Outbound Configurations and enable Outbound Relay.
  3. Enter your email provider's outbound IP address and IP mask and click Add.
    connector and smart host destination
  4. Log in to your Google Workspace Admin Console.
  5. Select Apps on the left menu and select Google Workspace.
  6. Navigate to Gmail and select Routing.
  7. Hover over the Outbound gateway section and click the edit icon.
  8. Add eProtect's outbound Server details in the Outbound gateway section and click SAVE.
    • eprotect-outbound.zoho.com
    • eprotect-outbound2.zoho.com
    • eprotect-outbound3.zoho.com

You have successfully configured the outbound relay settings. Your organization's sent emails will be scrutinized by eProtect and then delivered to the intended recipients.

Note:

Since your emails will now be sent via Zoho eProtect, there is a possibility of an SPF mismatch and hence your emails could land in the spam folders. To avoid this, it is recommended that you configure Zoho eProtect's SPF records in your domain provider's DNS settings.

Outbound Gateway Settings for Microsoft 365

Follow these steps to configure outbound gateway settings in your Microsoft 365 account:

  1. Log in to Zoho eProtect and select Domains in the left menu.
  2. Select Outbound Configurations and enable Outbound Relay.
  3. Enter your email provider's outbound IP address and IP mask and click Add.
    connector and smart host destination
  4. Log in to your Microsoft Exchange Admin Center and select Mail flow on the left menu.
  5. To create a connector follow these instructions:
    1. Navigate to Connectors and click the Add a connector button. The New connector page appears.
    2. Choose Office 365 in the Connection from and Partner organization in the Connection to and click Next.
    3. Enter a connector name, an optional description and click Next. Make sure that the Turn it on checkbox is selected.
    4. Select Only when I have a transport rule set up that redirects messages to this connector and click Next.
    5. On the Routing page, select Route email through these smart hosts.
    6. Add the below outbound Server details by clicking the + icon.
      • eprotect-outbound.zoho.com
      • eprotect-outbound2.zoho.com
      • eprotect-outbound3.zoho.com
    7. Click Next. The Security restrictions page appears.
    8. Select the default security settings and click Next.
    9. Enter an active email address for validation, click the + icon and then select Validate.
    10. Click the Next button once validation is successful and click Save.
  6. To create a rule, navigate to the Rules section under Mail flow and follow the below steps:
    1. Click Add a rule on the top menu and select Create a new rule.
    2. Enter a rule name in the Set rule conditions page.
    3. Select The sender and is external/internal in the Apply this rule if field.
    4. Choose Inside the organization in the select sender location and click Save.
    5. Select Redirect the message to and the following connector in the Do the following field.
    6. Choose the connector which you created for eProtect in the select connector drop-down and click Save.
    7. Click Next. The Set rule settings page appears.
    8. Retain the default settings and click Next.
    9. Review the rule and click Finish.

You have successfully configured the outbound relay settings in your Microsoft 365 account. Your organization's sent emails will be scrutinized by eProtect and then delivered to the intended recipients.

Note:

Since your emails will now be sent via Zoho eProtect, there is a possibility of an SPF mismatch and hence your emails could land in the spam folders. To avoid this, it is recommended that you configure Zoho eProtect's SPF records in your domain provider's DNS settings.

Configure SPF records

It is recommended that you add Zoho eProtect's SPF record to your domain provider's Manage DNS page.​ Follow these steps to configure the SPF record:

  1. Log in to your domain provider's Manage DNS page.
  2. Locate the option to add a TXT record on the DNS page and click Add a record.
  3. In the Name/ Host/ Alias/ TXT, enter @ or leave it blank.
  4. In the Value/ Points To/ Destination field, add the SPF value v=spf1 include:one.zoho.com -all.
  5. If the TTL is editable, set it to the minimum possible value recommended by your domain provider.
  6. Save the TXT Record and give it an hour to two to propagate.
  7. Switch back to Zoho eProtect and click Proceed.
    connector and smart host destination

    Troubleshoot Domain Verification Failure

    After adding a CNAME/ TXT/ HTML, if you get an error during Domain Verification, do the below step:
    If you opted for the CNAME method, open the browser and type <zb******>.<yourdomain name.com>. If the Domain name is correct, you will be redirected to the Zoho Login page. If the login page does not appear, check your CNAME value again.

    Table of Contents

    DNS Provider Conflict

    Ensure you add the CNAME/ TXT records to the correct provider where the Name Servers are pointed. Otherwise, your CNAME/ TXT records become invalid, and this results in domain verification failure.

    Perhaps, you changed the DNS Provider to host your website or for your previous email provider configuration or based on your choice.

    Hence, do a 'NameServer' Lookup for your domain, to check where your domain is hosted. You may also check with your Domain Registrar or the technical contact for your domain on where the name servers are pointed to if you are not sure.

    Longer TTL

    Time To Live (TTL) is the duration required to propagate the changes you do in your DNS. The TTL value varies from one domain provider to another. 

    If the TTL value is 24Hrs./ 48Hrs., then the CNAME/ TXT records would not have propagated at the time of domain verification. It might take up to 12 - 24 hours for DNS changes to take effect, based on the TTL set. Please check the TTL value and try verifying after a while.

    Incorrect Values

    Adding the CNAME value often varies with different DNS Providers. Certain DNS Providers expect the domain name also to be added along with the hostname (zb*****.<yourdomain.com>), whereas some domain providers ask you to fill just the hostname part (zb*****) and append the hostname from their end. Hence it is recommended to check the help pages or instruction manuals or reach out to the support team of your DNS provider, to add the respective CNAME records.

    Typos/Spelling Errors

    Check if you have added the correct domain name (without any spelling errors) in Zoho eProtect. In case you have deleted the domain and re-added it, a new zbcode will be generated for the domain. In this case, the old zbcode will be invalid, and your domain will not be verified. You need to add a new CNAME with zb code for verification.
    After adding the CNAME or TXT record value, DO NOT add a dot or space at the end of the value. This will affect the values from getting propagated properly.

    Domain Re-verification

    You need to re-verify the domain ownership in the following cases:

    • When your domain got expired and has been renewed recently
    • When you have changed your domain registrar.

    In these cases, you will not be able to send and/or receive emails using your domain until you re-verify your domain. To verify your domain, follow these instructions:

    1. Log in to Zoho eProtect and navigate to the Domains section.
    2. Click on the ‘Yet to reverify ownership’ link next to the respective domain.
    3. Verify your domain by using any of the following methods:

    Once you verify the domain, you will be able to configure Email Protection and eDiscovery.