Configuring Zoho Mail for MailShield

To allow MailShield to protect your organisation, you need to route your incoming emails through our security filters and configure Zoho Mail to send your outgoing emails through our secure gateway.

Do not worry if this sounds highly technical. It is essentially like filing a change-of-address form with the post office, and the process only takes a few minutes.

Setting up inbound protection (MX Records)

Mail Exchange (MX) records dictate where your incoming mail is delivered. We need to point them to MailShield so we can intercept threats before they reach your Zoho inboxes.

If Zoho manages your DNS:

1. Log into the Zoho Mail Admin Console.
2. Navigate to Domains and click on your primary domain.
3. Select the DNS Settings tab.
4. Delete existing records: Locate the existing Zoho MX records (e.g., mx.zoho.com and mx2.zoho.com) and delete them. If you leave your old records active, spammers will bypass our security filters.
5. Add the new record: Add a new MX record.
6. Set the Host to @.
7. In the Value or Points to field, paste the incoming server address provided in your MailShield dashboard (typically seg-in.cadmuscyber.com).
8. For Priority, type 10. Click Save.
9. Return to the Fix MX Records page in your MailShield dashboard and click Run DNS Verification.

(Note: If your DNS is managed externally at a registrar like GoDaddy or Cloudflare, update your MX records there instead).

Securing outbound emails

To protect your outgoing emails and ensure they do not end up in your clients' junk folders, you must configure Zoho to route outbound mail through MailShield.

Generate your Smart Host credentials

1. In the MailShield portal, navigate to the Outbound Setup page and click Generate Outbound Profile.
2. The system will provide you with a Smart Host address, a username, and a secure SMTP password. Copy this password immediately.

Configure Email Routing in Zoho

1. In the Zoho Mail Admin Console, go to Mail Settings > Email Routing.
2. Select Add Route.
3. Choose Smart Host as the routing method.
4. Enter your MailShield Smart Host address (e.g., seg-out.cadmuscyber.com) and set the port to 587.
5. Enable Authentication and enter the username and password you generated in the MailShield portal.
6. Save the configuration and ensure this routing rule is applied to your external outbound emails.

Updating your SPF and DKIM records Finally, you must authorise MailShield to send on your behalf.

1. In your DNS settings, edit your existing SPF (v=spf1) record to include MailShield. It should look similar to this: v=spf1 include:zoho.com include:_spf.cadmuscyber.com ~all.
2. Add a new TXT record. Set the Name to cadmus._domainkey.
3. Paste the long cryptographic DKIM key from your MailShield dashboard into the Value field and save.

Waiting for the changes

Once you have saved these records, return to the MailShield Outbound Setup page and click Verify DNS.

The internet acts like a giant, slow-updating address book. It can take anywhere from a few minutes to a few hours for these DNS changes to spread globally. Your MailShield dashboard will automatically confirm once everything is perfectly aligned.