Top Articles

    How to boost your Email Security Score

    What is Email Security Score?

    Email Security Score represents an organization's defence against all kinds of email threats. There are multiple factors that help you achieve utmost email security, such as the email routing server, email header, and email content. Below are a few vital parameters that help define email security score:

    • MX Records

    • SPF Records

    • DKIM

    • DMARC

    • DNSBL

    • TFA   

    What is the need for Email Security? 

    One can easily say, email is the backbone of any organization. You can use emails for personal and professional reasons. In either case, users may become victims of fraudsters and hackers if the email security mechanism is weak. To ensure your data is safe from fraudulent activities such as spams, spoofed and malicious emails, it is a best practice to maintain a good email Security Score.

    What is MX? 

    Mail Exchanger (MX) records are configurations that an administrator does in the domain registrar's Domain Name System (DNS). Without pointing the MX records, you cannot receive emails in your organization.

    What is SPF? 

    Sender Policy Framework (SPF) is a text record associated with your domain. It helps to determine the servers authorised to deliver emails under a specific domain name. In the event of SPF Failure or SPF Soft Failure, emails are flagged as spam.

    What is DKIM? 

    DomainKeys Identified Mail (DKIM) is an email authentication method which uses encryption to ensure if an email is sent from a legitimate domain. It uses a technique called "public key cryptography" to verify that an email was sent from an authorized mail server. In case of DKIM failure, emails are detected as spam.

    What is DMARC? 

    Domain-based Message Authentication Reporting and Conformance (DMARC), is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols. Additionally, it includes a reporting function that allows senders and receivers to monitor and protect their domain from fraudulent email.

    What is DNSBL? 

    DNS Blacklist (DNSBL) is a consolidated blocked list based on user spam marking, abuse patterns, and certain third-party blocklists. The mail server's DNSBL lists will automatically flag or reject email messages, if they look to be spam.

    What is TFA? 

    Two-factor Authentication (TFA), acts as an additional layer of security to secure organization accounts with the combination of a password and authentication from the user's mobile device. The second level of authentication can be either a secure token or any form of biometrics. The probability that a user's password and a secure token get hacked is impossible.

    How to improve your Security Score in Zoho Mail Admin Console? 

    Zoho Mail Admin Console has rich spam protection features that help to improve your organization's email security score. Some of the Admin Console features that allows you to enhance security score are:

    • Organization-wide TFA

    • MX Record Configuration

    • SPF Record Configuration

    • Suspicious Login Alerts

    • S/MIME Configuration

    • DKIM Configuration

    • DMARC Policy

    To know more about the security setting options available in Admin Console, refer to the Configure Email Security Settings section. Refer to the Security & Compliance Dashboard help page to learn more.

    Configure Email Security Settings

    In order to achieve an ideal Security Score, you must configure the most secure option available in Admin Console. The security options mentioned in the below procedure are merely recommendations. Exercise caution when you choose the security option for your organization.

    1. Login to Zoho Mail Admin Console.

    2. Navigate to Domains, select your domain name and select Email Configuration.

    3. Click the links below if you did not configure these records at the time of domain verification:

      1. Refer to this page to configure MX, SPF and DKIM records ( OR
        Help Pages?
        MX -

      2. SPF -

      3. DKIM -

    4. To configure DMARC refer to this page - 

    Note: In general, the MX, SPF, and DKIM records will be configured at the time of setting up your organization in Zoho Mail Admin Console.

    1. After you complete Email Configuration, continue with the below steps.

    2. Select Security & Compliance from the left pane. Security and Compliance Dashboard appears and displays your organization's current Security Score.

      1. Select Security and turn ON the Two-factor Authentication toggle switch. Enter your password and click Enable.

      2. Select Suspicious Login under the Security section and toggle ON the Suspicious Login Alerts.

      3. Select S/MIME and turn ON the S/MIME toggle switch.

    3. Navigate to the Roles and Privileges section, select Privileges and toggle OFF the Allow personal groups with external users.

    4. Navigate to the Spam Control section and select Trusted List.

    5. Ensure there are no email addresses added to the Trusted Email Addresses list in the Emails tab.

    6. Select the Domains tab and ensure your domain is not added to the Trusted Domains list.

    7. Navigate to the Spam Verification section and configure the security settings as per the below table:



    Action on SPF failure

    Temporary reject/ Permanent reject/ Move to quarantine

    Action on DKIM failure

    Temporary reject/ Permanent reject/ Move to quarantine

    Action on DMARC failure

    Move to spam/ Move to quarantine

    Action on DNSBL failure

    Permanent reject


    Image with all settings highlighted

    1. Navigate to the Internationalized Spam section. Follow these steps in the Language tab:

      1. Select Allowed languages only or Block chosen languages from the Spam processing action drop-down

      2. Select the languages that you wish to allow or block.

    2. Select the Country tab and follow these steps:

      1. Click Add and select the countries for spam processing.

      2. You can either Mark as spam, Reject email or Move to quarantine.

    3. Navigate to the Phishing & Malware section and toggle ON Cousin Domain Verification under Cousin Domains.

    4. Select Display Name Spoofing under Phishing & Malware and follow these steps:

      1. Select the desired Email Delivery Action and click Add.

      2. You can either Search and add organization users or Add using email addresses.

    5. After you complete the above steps, select Dashboard under Security & Compliance. You can witness an increase in your Security Score.

    If the score is not 100% yet, follow these steps:

    1. Click Incomplete from the Dashboard to view the list of settings that are not configured.

    2. Click Configure now and review the settings from the page that appears.

    Note: This feature is applicable only to organizations that user one of our paid plans.