Data Classification

    Zoho Mail's data classification feature allows administrators to use different labels and categorize emails sent with confidential/ sensitive information. Data classification in Zoho Mail requires admins to create a classification label, and a classification policy, and apply the policy to users.

    Once you assign the classification label and the classification policy to users, they select the label when sending an email. If required, admins can mandate users to apply labels while sending confidential/ sensitive data.

    Note:

    • The Data Classification feature is available in select regions for organizations with Mail Premium/ Workplace Professional plans and will be rolled out in phases to other locations.
    • For more details please reach out to us at support@zohomail.com.

    Classification label

    Classification Labels protect important emails when a user sends sensitive information via email. Each classification label can have different actions based on your organization's requirements. Classification labels can be used to:

    • Encrypt an email - Encrypt the email and restrict the permissions for the recipient (such as read, reply, forward, etc.).
    • Add content marking - Add header and footer to an email.

    For example, you can create a classification label with a "do not forward" restriction and associate it with a classification policy. When a user selects the label while sending an email, recipients cannot forward the email.

    Create a classification label

    Follow these steps to create a classification label and associate it with users:

    1. Log in to Zoho Mail Admin Console.
    2. Choose Security & Compliance and select Data Loss Prevention.
    3. Select Data Classification on the left pane.
    4. Click Create in the Classification Labels section.
    5. Provide a Name for the label and enter the descriptions.
      1. User description - This label description helps users select the appropriate label while composing an email.
      2. Admin description - The admin description is used as a reference to all admins in your organization.

    6. Select Add content marking and Encrypt email as per your requirement.

      Note: You can enable or disable the label actions in the following steps.

    7. Select the label color of your choice and click Next.
    8. Enable Content mark email if not enabled already.
    9. Enter the Header and Footer content to be appended to the email and click Next.
    10. If required, enable Encrypt emails and select the desired encryption option.
      • Assign users and permissions now - Emails sent with the label can be viewed only by those users to whom the label is associated. Other recipients of the email won't be able to read the email.

      • Let email sender assign users later - Sender can restrict the email access to specified users while composing the email upon label selection.

        Note: If you choose Let email sender assign users later, select Do not allow forwarding to restrict the recipients from forwarding the email.

    11. If required, select Expire access to the encrypted email.
    12. Provide the number of days or choose a custom date beyond which the email should not be accessible by the recipients.
    13. Select Specific users to apply the label to one or more users.
    14. Click Select users and choose Add organization users from the top pane.
    15. Search and add the preferred users.
    16. Choose the appropriate permission.
      1. Read - Recipients can only read the email content, view the attachment if preview is available, or download the attachment if preview is not available.
      2. Respond - Recipients have limited control such as read, reply, reply all, and download attachments.
      3. Full - Recipients have complete access and can read, reply, reply all, forward, download attachments, and copy or print the email.
    17. Click Add external emails and enter the email address as comma-separated values.
    18. Choose the appropriate permissions for the user.
    19. Review the email address and the corresponding permissions.
    20. If required, use the drop-down to modify permissions.
    21. Click Save.

    You have successfully created a classification label. Hover over the label and select the edit or delete icons to update or delete the label respectively. You can now associate the Classification Label with one or more Classification Policies.

    Classification Policy

    Once you create a classification label with the actions to be taken and the necessary permissions, you must associate it with a Classification Policy. Users can choose the appropriate label while composing an email only when you associate a Classification Policy to them.

    Create a classification policy

    To create a data classification policy, follow these instructions:

    1. Log in to Zoho Mail Admin Console.
    2. Choose Security & Compliance and select Data Loss Prevention.
    3. Navigate to Data Classification on the left pane and select Classification Policies.
    4. Click Create and enter a policy Name.
    5. Provide the policy description for your reference.
    6. If required select Mandate users to apply a classification label to their emails.
    7. Click Next to assign a label to the policy.
    8. Select Assign classification label.
    9. Use the search bar to select the desired label and click Add.
    10. Click Next. The ASSIGN USER page appears.
    11. Select the default classification label from the drop-down. This label gets selected by default when a user composes an email.
    12. Choose Specific user or All user based on your requirements.
    13. Click Add user and select one or more users from the Select Users pop-up.
    14. Verify the selected users and click Add.
    15. Click Save.

    Now that you have created a classification policy, users can view the Select label option while composing an email.

    Roles and Permissions

    Admins can assign different levels of access to users for effective Data Classification management. Zoho Mail supports two types of roles:

    System Role (Predefined)

    System roles are predefined and cannot be modified. It has full permissions to:

    • Manage Data Classification policies.
    • Create and manage Data Classification labels.

    If the admin wants other users to manage the organization’s Data Classification policies and labels with full administrative permissions, they can assign those users to a relevant predefined system role. Once assigned, the users will have full access to manage Data Classification policies and labels.

    To Associate Users with the System Role
    1. Log in to Zoho Mail Admin Console.
    2. Choose Security & Compliance and select Data Loss Prevention.
    3. Navigate to Data Classification on the left pane and select Roles & Permissions.
    4. Navigate to System Role tab.
    5. Select the desired predefined system role.
    6. Go to the Associated User tab.
    7. Click + Add Users.
    8. Enter at least 3 characters of the user’s name or email.
    9. Select the user from the suggestions.
    10. Click Add.

    Custom Role

    If you need to delegate Data Classification management responsibilities more selectively, you can create custom roles tailored to your organization’s needs and associate them to specific users. For each custom role, you can:

    • Define specific permissions (View, Create, Update, Delete).
    • Associate users to these roles.

    If a user is associated with multiple roles, they will inherit all permissions granted by each associated role.

    To Create a Custom Role
    1. Log in to Zoho Mail Admin Console.
    2. Choose Security & Compliance and select Data Loss Prevention.
    3. Navigate to Data Classification on the left pane and select Roles & Permissions.
    4. Navigate to Custom Role tab.
    5. Click + Add Custom Role.
    6. Enter the role name and description.
    7. Select permissions by checking the boxes.
    8. Click Save.
    To Associate Users with a Custom Role
    1. Log in to Zoho Mail Admin Console.
    2. Choose Security & Compliance and select Data Loss Prevention.
    3. Navigate to Data Classification on the left pane and select Roles & Permissions.
    4. Navigate to Custom Role tab.
    5. Choose the role to assign users to.
    6. Go to the Associated User tab.
    7. Click + Add Users.
    8. Enter at least 3 characters of the user’s name or email.
    9. Select the user from the suggestions.
    10. Click Add.
    To Update Custom Role Permissions
    1. Log in to Zoho Mail Admin Console.
    2. Choose Security & Compliance and select Data Loss Prevention.
    3. Navigate to Data Classification on the left pane and select Roles & Permissions.
    4. Navigate to Custom Role tab.
    5. Select the role to update.
    6. Go to the Permissions tab.
    7. Modify permissions as needed.
    8. Click Save.

    Settings

    The Settings section allows admins to enable or disable the Data Classification feature for the organization.

    To Enable/Disable Data Classification
    1. Log in to Zoho Mail Admin Console.
    2. Choose Security & Compliance and select Data Loss Prevention.
    3. Navigate to Data Classification on the left pane and select Settings.
    4. Use the toggle to enable or disable Data Classification feature for your organization.

    Note: Disabling Data Classification feature will turn off all associated policies and labels.

    PREVIOUS

    UP NEXT