Smart Alerts - Incoming Email Alerts
With Incoming Email Alerts, administrators can configure alert messages or banners that will be displayed when users view specific sets of emails. Incoming alerts can be associated with a user, multiple users, or the entire organization, protecting them from phishing or fraudulent emails. All the enabled alerts will be processed in sequence and trigger specified actions for emails with the matching conditions.
These alerts are designed to enhance security and efficiency in managing incoming emails. For example, you can add alerts for emails from external users who are not a part of your organization. These alerts play a crucial role in safeguarding users from deceptive emails.
Note:
- It is mandatory to enable Organization Rules from the Spam Processing section in the Admin Console.
- The Incoming Alerts feature will be rolled out in a phased manner and be available only for organizations that use one of our paid plans.
- If you want the option enabled for your organization, please reach out to us at support@zohomail.com.
Table of Contents
Note:
- The Incoming Alerts feature is currently available under Mail Settings in the Admin Console for organizations hosted in the IN Data Center. These changes will be rolled out to other regions in a phased manner.
- For now, organizations hosted in other Data Centers can continue to access Incoming Alerts from Zoho Mail Admin Console > Security & Compliance > Smart Alerts > Incoming Alerts and follow the steps below to configure them.
Create New Alert
Follow these steps to create a new Incoming Alert:
- Log in to Zoho Mail Admin Console and select Mail Settings on the left pane.
- Navigate to Smart Alerts and select Incoming Alerts.
Click Create Now or select the Create button from the top menu, if there are any existing alerts.
Note:
If Organization Rules setting is not enabled, the below note will be displayed while creating an alert. Click Enable now to enable it and proceed with the configuration.
- Provide an Alert Name and an optional Alert Description. If the entered alert name is already in use, "Name already exists" warning is shown.
- Specify an Expiry date if needed.
- Select the Condition Type as per your requirement:
- Apply for matching conditions - Preferred action will be performed only if the incoming emails satisfy the conditions provided by you.
- No Conditions. Apply to all emails. - When chosen, all the emails you receive will go through the preferred action.
- Select one or more Conditions, the Operating parameter and the corresponding Action.
- Click +Add values under Conditions to enter multiple values separated by a delimiter which you can choose from Choose delimiter drop-down. Select Custom from the drop-down, to add your own custom delimiter for the values and select Update.
- Select the users, to whom you want to apply the alert from the Apply To section:
- All users - The alert will be applied to all the users in your organization.
- Selected Users - The alert will be applied to the specific set of users you add.
- Selected Groups/Shared Mailbox - The alert will be applied only to the users who are members of the specified groups/Shared Mailbox.
- Excluded Users - The alert will not be applied to the selected list of users.
- Excluded Groups/Shared Mailbox - The alert will not be applied to the users who are members of the selected groups/Shared Mailbox.
- Skip to this step if you chose All users.
- Select the users you want to add to the list and click Submit. You can also remove a user from the list by clicking the Delete icon next to the user.
- Select the Reset to default button when you have to clear all the selected conditions and provide a different criteria.
- Review your alert and do one of the following:
- Create and enable alert- Your alert will not only be created but also be activated automatically to start processing emails with respect to its conditions and actions.
- Create alert - Your alert will only be created and not activated. That means if you want the alert to be applied to the emails you receive, you will have to manually activate it.
- Click Yes in the Confirm Action! dialog box.
Select either Done or Go to created alert or Add more alerts depending on your requirement once the alert is created successfully.
Note:
The maximum number of incoming alerts that can be configured for an organization is 500.
Available Condition
Zoho Mail provides multiple conditions based on which you can add alerts to the incoming emails. There can be more than one condition for a single alert depending on your organization's requirement. The various conditions are listed in the tables that follow:
| Parameter | Description | Value |
| Subject | The subject of the email | Click Add values, enter the desired subject and click Add. |
| MIME Message ID* | The ID that can be gathered from a MIME email's header | Click Add values, enter the desired MIME value and click Add. |
| MIME size (in MB) | The size of the non-text attachment specified in MB | Enter a value between 1 to 40. |
| X Mailer* | The desktop client from which the email was sent | Click Add values, enter the X-Mailer you wish to validate and click Add. |
| Header | The email header that needs to be verified for the provided values | Enter the Header Name and Header Value. |
Note:
*MIME message - Multipurpose Internet Mail Extensions supports non-text email attachments. A MIME header is added to the original email header from where you can gather the unique content ID/message ID used to identify the message.
*X-Mailer - Specifies which desktop client (For example, Apple client, Thunderbird, etc) was used to draft or send the email. Can be found in the email header.
| Parameter | Description | Value |
| Sender domain | The domain address of the email sender | Click Add domains, enter the sender domain name and click Add. |
| Sender IP address | The IP address of the email sender | Enter the sender's IP address that you wish to validate. |
| Sender DNS | The DNS address of the sender | Click Add values, provide the sender DNS and click Add. |
| Sender display name | The display name of the sender | Click Add values, enter the user's display name and click Add. |
| New sender | Checks if the email is received for the first time from the sender | Select Yes or No from the drop-down. |
| Is external sender | Checks if the sender is not part of the organization | Select Yes or No from the drop-down. |
| Is authenticated sender | Validates whether the sender's identity is authenticated | Select Yes or No from the drop-down. |
| Return path email address | The reverse-path/ bounce address of an incoming email | Click Add email addresses, enter the desired email address and click Add. |
| Reply-to email address | The reply-to address of an incoming email | Click Add email addresses, enter the desired email address and click Add. |
| Return path domain | The reverse-path/ bounce address's domain | Click Add domains, enter one or more domain names and click Add. |
| Sender email address | The 'from' address of the email sender | Click Add email addresses, enter the desired email address and click Add. |
| Parameter | Description | Value |
| To/CC email address | The email address in the To/CC field | Click Add email addresses, enter the desired email address and click Add. |
| Recipient domain | Validates the domain address of the recipient | Click Add domains, enter one or more domain names and click Add. |
| Recipient count | Validates the number of recipients in the email | Provide a value between 1 to 100. |
| Parameter | Description | Value |
| SPF verification | The result of SPF verification | Select the desired authentication result from the available list:
|
| DKIM verification | The result of DKIM verification | Select the desired authentication result from the available list:
|
| DMARC verification | The result of DMARC verification | Select the desired authentication result from the available list:
|
| Parameter | Description | Value |
| Content | The content of the email | Click Add values, enter the content to be validated and click Add. |
| Email language | The language in which the email was composed | Click Select languages, add the desired languages and click Add. |
| Originating country | The country from which the email was sent | Click Select countries, add the desired countries and click Add. |
| URL domain in content | The domain names of the URLs available in email content | Click Add domains, enter one or more domain names and click Add. |
| URL in content | The existence of specified URLs in the email content | Click Add values, provide the URLs to be validated and click Add. |
| Parameter | Description | Value |
| Has attachment | Checks if any file is attached | Select Yes or No from the drop-down. |
| Attachment type | The type of attached file | Click Select attachments, add the attachment types and click Add. |
| Attachment size (in MB) | The size of the attached file in MB | Enter a value between 1 to 40. |
| Parameter | Description | Value |
| Has web bugs | The existence of web bugs in incoming email content | Select Yes or No from the drop-down. |
| Has JavaScript content | The existence of javascript content in the email content | Select Yes or No from the drop-down. |
| Has macros | The existence of macros in the email content | Select Yes or No from the drop-down. |
| Is bulk email | Validates if the email received is a bulk email | Select Yes or No from the drop-down. |
| Has frame tags | The existence of iframe tags in the email content | Select Yes or No from the drop-down. |
| Has object tags | The existence of object tags in the email content | Select Yes or No from the drop-down. |
| Has embed tags | The existence of embed tags in the email content | Select Yes or No from the drop-down. |
| Has form tags | The existence of form tags in the email content | Select Yes or No from the drop-down. |
| Has shortened URL | The existence of shortened URLs in the email content | Select Yes or No from the drop-down. |
| Has suspicious macros | The existence of suspicious macros in the email content | Select Yes or No from the drop-down. |
| Is sender display name spoofed | Verifies if the email sender name is spoofed | Select Yes or No from the drop-down. |
| Is cousin domain verification failed | Validates whether the cousin domain verification is failed for the sender domain | Select Yes or No from the drop-down. |
| Is suspicious FROM header | Verifies if the FROM header is suspicious | Select Yes or No from the drop-down. |
| Operators | Description |
| is | The respective parameter in the incoming email should exactly match the given criteria value. |
| is not | The respective parameter in the incoming email should not match the given criteria value. |
| contains | The respective parameter in the incoming email doesn't have to be an exact match but will pass even if it contains the given criteria value. |
| does not contain | The respective parameter in the incoming email doesn't have to be an exact match but will pass if it does not contain the given criteria value. |
| begins with | The respective parameter in the incoming email should begin with the given criteria value. |
| ends with | The respective parameter in the incoming email should end with the given criteria value. |
| is empty | The respective parameter in the incoming email should be empty. |
| is not empty | The respective parameter in the incoming email should not be empty. |
| is group member in | The recipient is a part of the selected group. |
| is not group member in | The recipient is not a part of the selected group. |
| matches | The respective parameter in the incoming email should match the regular expression pattern. |
| does not match | The respective parameter in the incoming email should not match the regular expression pattern. |
| true | The given condition should be true. |
| false | The given condition should be false. |
| is greater than | The respective parameter in the incoming email should only be greater than the given criteria value. |
| is lesser than | The respective parameter in the incoming email should only be lesser than the given criteria value. |
| is greater than or equal to | The respective parameter in the incoming email can be greater than or equal to the given criteria value. |
| is lesser than or equal to | The respective parameter in the incoming email can be lesser than or equal to the given criteria value. |
| is in range | The incoming email's IP address falls within the range entered. |
| is not in range | The incoming email's IP address does not fall in the range entered. |
After selecting the Conditions and the Operating parameters, provide the values with respect to the chosen conditions that need to be verified against. Upon providing these proceed to select the Actions that need to be performed for the emails with the chosen conditions.
The emails that match the specified conditions will be processed as per the actions defined in the alert. Select the necessary action and, if required, provide a value as given in the table that follows:
| Action | Description | Value |
| Show warning message | Displays a warning message | Click Add warning message, enter the text which you want to be displayed as warning and click Add. |
| Append text to subject | Appends a text in the subject | Click Add subject, enter the text which you want to be appended to the subject and click Add. |
| Add custom X-header | Adds a custom value in the header | Click Add header details, provide the header name and value and click Add. |
| Add message above content | Adds a message above the email content for emails matching the given conditions. | Click Add message, enter the message to be added above the email content and select Add. |
| Add message below content | Adds a message below the email content for emails matching the given conditions. | Click Add message, enter the message to be added below the email content and select Add. |
Note:
You can add a maximum of 5 actions to a single alert.
Filter
Once the alerts are created, they are listed under Incoming Alerts home page. You can view and filter the alerts based on their status/action. Follow the below steps to perform the filter operation:
- Select Filter button on the Incoming Alerts home page.
Click the desired status/action from the drop-down. The types of alerts based on the status are:
- Active Alerts - Lists all the alerts where the status is marked active.
- Inactive Alerts - Lists all the alerts where the status is marked inactive.
- Expired Alerts - Lists all the alerts where the set expiry date of the specific alert has been lapsed. However, you can modify the expiry date of an alert by hovering over the status and selecting a different date.
Note: The expired alerts are also included in the filtered list when Inactive Alerts is selected from the Filter drop-down.- Select Action from the Filter drop-down to filter alerts based on the available actions.
Alert processing and priority
Alerts are created to protect users from phishing or fraudulent emails by triggering a warning message that is configured under Incoming Alerts. However, these alerts are handled based on their priority. The types of priority available are:
You can add any number of Incoming alerts to different types of incoming emails. In the case of multiple alerts, the order of processing is determined by the sequence in which they are listed. The alert with the highest priority (1), i.e., the one listed first, will take precedence over alerts with lower priorities (2) listed subsequently. Once an email matches the conditions of a particular alert, the actions specified in the alert will be applied to the email. The same email will not be scrutinized against the subsequent alerts in the list.
When you create an incoming alert, you can choose who the alert applies to or excludes using the Apply To section. Each selection type has its own priority, and the alert is evaluated based on these priorities:
- All Users
- Selected users (priority 2)
- Selected groups/Shared Mailbox (priority 4)
- Exclude users or groups
- Exclude users (priority 1)
- Exclude groups/Shared Mailbox (priority 3)
When an alert is evaluated, the system checks the selected and excluded entities in the order of their priority. This ensures that higher-priority exclusions or inclusions override lower-priority selections.
Below are detailed examples to illustrate this:
Case 1: If a user is added under Exclude users, the alert will not be applied to that user, even if the group they belong to is included under Selected groups/Shared Mailbox. This happens because Exclude users has the highest priority and is processed first.
Case 2: If a user’s group is added under Exclude groups/Shared Mailbox, but the individual user is added under Selected users, the alert will apply to that user. This is because Selected users has a higher priority than Exclude groups/Shared Mailbox.
Case 3: When a user is added under Exclude users, and no other selections are made under the All Users category, the alert will still be applicable to all users by default, except for the users listed under Exclude users. This happens because All Users is considered the default scope for every alert.
Modify Incoming Alert
Follow the below steps to edit an alert:
- Log in to Zoho Mail Admin Console and select Mail Settings on the left pane.
- Navigate to Smart Alerts and select Incoming Alerts.
- Select the alert that requires modification from the list and click Edit in the top right corner.
- Make the necessary changes and click Update.
Additionally, you can search and edit the incoming email alerts based on the associated users. Navigate to the search bar and select the contains or applicable to parameters from the listing as per your requirements. Choose a specific user from the list and press enter. All the incoming alerts containing or associated with that particular user will be displayed. You can then select the alerts from the list and make the required changes.
Enable or Disable an Alert
Follow the below steps to enable or disable an Alert:
- Log in to Zoho Mail Admin Console and select Mail Settings on the left pane.
- Navigate to Smart Alerts and select Incoming Alerts.
- Toggle the status button to ON or OFF in order to enable or disable an alert.
Remove Alerts from the list
In situations where an alert is no longer required or has expired, they can be removed by using the Delete option. Follow these steps to delete an alert:
- Log in to Zoho Mail Admin Console and select Mail Settings on the left pane.
- Navigate to Smart Alerts and select Incoming Alerts.
- To remove an Alert:
- Hover over an existing or expired alert and click the delete icon.
- Alternatively, you can select the desired alert, click Delete on the top menu and choose the required option:
- Delete selected alerts
- Delete all expired alerts
- Delete all alerts
- Click Delete in the confirmation dialog that appears.
When a filter is applied, the Delete drop-down includes additional value of Delete filtered alerts for quick deletion of alerts that satisfies a specific filter.
This will remove the incoming alerts from your list. Please note that once removed, the alerts cannot be retrieved and will be permanently removed from the list.