Zoom Mail Service Encryption and Limitations

This article is designed to help you evaluate whether the Zoom Mail Service is a good fit for your organization. This service is designed for small and mid-sized businesses. 

Zoom Mail Service is a Zoom-hosted email provider with end-to-end encryption for emails sent directly between active users on the Zoom Mail Service system. It is designed to prioritize privacy between mail senders and recipients. This means information contained within end-to-end encrypted messages is private, and this information is not accessible to Zoom.

As such, some third party security tools that businesses are accustomed to using on other email platforms are not compatible with Zoom Mail Service.

Note: Zoom cannot disable the end-to-end encryption for the Zoom Mail service at this time.

This article covers:

• User limitations
• Admin limitations
• How encryption is used with Zoom Mail Service
  • E2E Encrypted
  • Server Encrypted
• How to use a custom domain on the Zoom Mail Service

Prerequisites for enabling Zoom Mail Service

• Account owner or admin privileges
• Zoom One Pro or Standard Pro account in the US or Canada

User limitations

• Users can only access Zoom Mail Service and Zoom Calendar Service through the Zoom desktop client. This requires version 5.12.7 or higher.
• Zoom Calendar Service content is not covered by end to end encryption.
• Zoom Mail Service cannot be accessed through the web browser or integrated with third-party mail clients, such as Outlook, Thunderbird, or others.
• There is no ability to preview inline attachments.
• Searching is performed on the user’s local device. Global searching and indexing of messages is not performed (e.g. keywords, associated files, phrase matching, etc.) because the contents are private.
• At this time, emails sent to an email list are not end-to-end encrypted, even if all email list recipients are Zoom Mail Service users.
• Integrations to third-party email services via the Zoom Mail Client are separate offerings; messages sent to or from users of these integrations are not end-to-end encrypted.
• Zoom Mail Service includes spam detection and filtering capability, but because Zoom has no access to the contents of end-to-end encrypted messages, we can only use signals visible to Zoom, such as message metadata, to flag messages as spam. Users should exercise caution when they receive messages tagged as end-to-end encrypted from unknown senders.

Admin limitations

• Zoom Mail Service cannot integrate with any third-party Data Loss Prevention (DLP) software. The end-to-end encryption used for emails between Zoom Mail Service users does not provide the ability to inspect or “peek” at messages to check for sensitive information while participants exchange mail.
• Zoom Mail Service cannot integrate with eDiscovery platforms. These tools require inspection and retrieval of mail contents, data, and associated attributes for evidence preservation.
• This also includes using Zoom Mail Service with other Zoom products and other 3rd-party integrations that leverage email in their workflow. This includes:
  • Zoom IQ: Email integration for deal analytics
  • Contact Center Solutions: Using Zoom Mail Service with encrypted mail as a customer channel queue.
  • Email archiving solutions: Such as Mimecast, Proofpoint, etc., for offloading mail to be retrieved for future use
  • Service Desk, ITSM, CRM Integrations: Using Zoom Mail Service to share emails to opportunities, tickets, and archive information as part of their databases.
• By default, email cannot be accessed by account admins, as only sending and receiving devices store the encryption key needed to decrypt the emails. However, customers who choose a custom domain will also have the option to set up key escrow on their account, which allows a designated escrow admin in an account to receive backup copies of cryptographic keys from all users in that account. Holding copies of these keys will let the escrow admin access all emails in the account, and can allow the admin to help users recover their messages after device loss or other IT failure.

How encryption is used with Zoom Mail Service

The footer of every email handled by the Zoom Mail Service denotes which type of encryption was used when sending or receiving the email: E2E Encrypted or Server Encrypted.

Note: Integrations with 3rd-party email services through the Zoom Mail Client are separate offerings, and messages sent between users of these integrations are not end-to-end encrypted.

E2E Encrypted

Zoom Mail Service is designed to be end-to-end encrypted by default for emails sent and received directly between active Zoom Mail Service users. When an email is end-to-end encrypted, only the users, and, depending on their settings, account owners, or designated account administrators control the encryption key and therefore access to the email content, including body text, subject line, attachments and custom labels applied to messages by users in their inboxes. Information such as the sender and recipients, mimeID, attachment number and size, and timestamps remain in plaintext so Zoom email servers can properly transmit the emails.

To use end-to-end encryption in Zoom Mail Service, users and their recipient(s) must all use email addresses assigned through Zoom Mail Service and be active users with a device associated with each email address. At this time, emails sent to an email list are not end-to-end encrypted, even if all recipients are Zoom Mail Service users.

Recipients of emails sent through Zoom Mail Service can see, save, and share email content with others, including by sharing emails to Zoom Team Chat. If a recipient shares encrypted content with others, for example, by sharing an encrypted email to Team Chat, or forwarding an encrypted email to a third-party recipient without a Zoom Mail Service account, the shared or forwarded content will not be end-to-end encrypted by Zoom. Additionally, designated admins in an account that has opted to use the key escrow feature will have access to all emails in that account, even though those emails will remain encrypted and inaccessible to anyone without the required keys, including Zoom.

Server Encrypted

Emails between Zoom Mail Service users and those using other email services are encrypted when stored by Zoom. Zoom Mail Service encrypts incoming emails from 3rd-party email services as soon as possible upon receipt and does not retain unencrypted copies of outgoing emails to such services after they are successfully sent.

Custom domains on the Zoom Mail Service

All customers will default to the Zoom-provided “zmail.com“ domain, but other domains will be possible in the future.