---
title: "Connect Zoho Mail to Claude: Administer Domains and Group Policies"
slug: connect-zoho-mail-to-claude-administer-domains-and-group-policies
date: 2026-06-19
author: Uday Gajavalli
categories: ["AI & Agents"]
excerpt: "Learn how to connect Claude to Zoho Mail using a managed MCP server. Automate domain verification, DKIM/SPF configuration, and group policy administration."
tldr: "Connect Claude to Zoho Mail using Truto's managed MCP server to automate IT admin tasks. This guide covers bypassing Zoho's complex API quirks, configuring secure tool access, and executing multi-step domain and group policy workflows."
canonical: https://truto.one/blog/connect-zoho-mail-to-claude-administer-domains-and-group-policies/
---
# Connect Zoho Mail to Claude: Administer Domains and Group Policies
If you need to connect Zoho Mail to Claude to automate IT administration, domain verification, or group policy management, you need a [Model Context Protocol (MCP) server](https://truto.one/what-is-mcp-and-mcp-servers-and-how-do-they-work/). This server acts as the translation layer between Claude's natural language tool calls and Zoho's complex REST APIs. You can either build and maintain this infrastructure yourself, or use a [managed integration platform like Truto](https://truto.one/managed-mcp-for-claude-full-saas-api-access-without-security-headaches/) to dynamically generate a secure, authenticated MCP server URL.
If your team uses ChatGPT, check out our guide on [connecting Zoho Mail to ChatGPT](https://truto.one/connect-zoho-mail-to-chatgpt-manage-emails-tasks-and-notes/), explore our broader architectural overview on [connecting Zoho Mail to AI Agents](https://truto.one/connect-zoho-mail-to-ai-agents-automate-inbox-and-admin-workflows/), or learn how to [connect Google to Claude](https://truto.one/connect-google-to-claude-manage-files-folders-workspace-data/) for similar workspace management.
Giving a Large Language Model (LLM) read and write access to an enterprise email system like Zoho Mail is an engineering challenge. You have to handle fragmented data centers, map highly nested JSON payloads for policy updates, and manage strict rate limits. Every time Zoho updates an administrative endpoint, you have to update your server code, redeploy, and test the integration. This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Zoho Mail, connect it natively to Claude, and execute complex domain and group workflows using natural language.
## The Engineering Reality of the Zoho Mail API
A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against Zoho Mail's APIs is painful. You are not just integrating "email" - you are integrating an entire organization management suite with strict administrative boundaries.
If you decide to build a custom MCP server for Zoho Mail, you own the entire API lifecycle. Here are the specific challenges you will face:
**Fragmented Data Centers and Endpoints**
Zoho does not use a single global API endpoint. Depending on where the customer account was created, API requests must be routed to specific regional domains (`zoho.com`, `zoho.eu`, `zoho.in`, `zoho.com.au`, `zoho.jp`). If your MCP server hardcodes the `.com` endpoint, it will immediately fail for European clients. A managed MCP server abstracts this completely, routing requests to the correct regional endpoint based on the authenticated token.
**The "Zoid" Organization Context Requirement**
Zoho Mail strictly separates personal mailbox operations from organization-wide administrative actions. Almost every administrative endpoint (domains, policies, groups, anti-spam) requires a `zoid` (Zoho Organization ID) in the request parameters. If you expose raw endpoints to Claude, the model will often hallucinate this ID or fail to understand that it must first fetch the organization details before executing a domain update.
**Complex Bulk Payloads for Anti-Spam**
Updating spam settings, DKIM rules, or SPF fail options in Zoho Mail is not a simple boolean toggle. Endpoints like the organization spam bulk update require nested JSON payloads keyed dynamically by the spam category (e.g., passing an array inside a `whiteListEmail` key). Writing an MCP tool schema that reliably instructs an LLM to generate these exact nested structures requires precise JSON Schema definitions.
**Strict Rate Limits Without Safety Nets**
Zoho Mail enforces rate limits based on both concurrent connections and requests per minute/day. When these limits are hit, Zoho returns an HTTP 429 response. Truto handles this in a specific, predictable way: Truto does not absorb, retry, or apply exponential backoff to these rate limit errors. Instead, when Zoho returns an HTTP 429, Truto passes the error directly to the caller, normalizing the upstream rate limit information into standard IETF headers (`ratelimit-limit`, `ratelimit-remaining`, `ratelimit-reset`). Your MCP client or agent orchestrator is fully responsible for reading these headers and implementing its own retry and backoff logic.
## How to Generate a Zoho Mail MCP Server with Truto
Truto dynamically generates MCP tools from an integration's existing resources and documentation records. You do not have to write custom JSON-RPC handlers or manually define parameters.
There are two ways to generate a secure Zoho Mail MCP server using Truto: via the UI or programmatically via the API.
### Method 1: Via the Truto UI
If you are an IT admin setting up a workspace integration manually, the UI is the fastest path.
1. Navigate to the integrated account page for your connected Zoho Mail instance in the Truto dashboard.
2. Click the **MCP Servers** tab.
3. Click **Create MCP Server**.
4. Select your desired configuration. You can restrict the server to specific operations (like `read` or `write`) or specific tool tags.
5. Copy the generated MCP server URL (e.g., `https://api.truto.one/mcp/a1b2c3d4e5f6...`).
### Method 2: Via the Truto API
If you are building a product that deploys AI agents for your customers, you should provision MCP servers programmatically. Make a `POST` request to `/integrated-account/:id/mcp`.
```bash
curl -X POST https://api.truto.one/integrated-account/YOUR_ACCOUNT_ID/mcp \
-H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Zoho IT Admin MCP",
"config": {
"methods": ["read", "write", "custom"]
}
}'
```
The response contains the secure token URL that you will pass to Claude:
```json
{
"id": "mcp_12345abcde",
"name": "Zoho IT Admin MCP",
"config": {
"methods": ["read", "write", "custom"]
},
"expires_at": null,
"url": "https://api.truto.one/mcp/a1b2c3d4e5f67890"
}
```
This URL contains a hashed cryptographic token. It is fully self-contained. The URL alone routes the JSON-RPC requests, authenticates against Zoho Mail using the correct regional data center, and handles the token refresh lifecycle.
## Connecting the Zoho Mail MCP Server to Claude
Once you have the Truto MCP URL, you need to register it with your Claude client. You can do this through the visual interface or by modifying the desktop configuration file.
### Method A: Via the Claude UI
If you are using Claude Desktop (or ChatGPT's custom connectors):
1. Open Claude Desktop and navigate to **Settings**.
2. Select **Integrations** (or **Connectors** depending on your version).
3. Click **Add MCP Server** or **Add custom connector**.
4. Paste the Truto MCP server URL you generated in the previous step.
5. Click **Add**. Claude will immediately execute an initialization handshake and discover all available Zoho Mail tools.
### Method B: Via Manual Config File
For developers orchestrating Claude Desktop manually or configuring an AI agent environment, you can edit the `claude_desktop_config.json` file directly.
```json
{
"mcpServers": {
"zoho_mail_admin": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-sse",
"https://api.truto.one/mcp/a1b2c3d4e5f67890"
]
}
}
}
```
When Claude restarts, it will use the Server-Sent Events (SSE) transport to connect to Truto and load the tools.
## Hero Tools for Zoho Mail Administration
By leveraging Truto's proxy architecture, Claude gets immediate access to Zoho Mail's administrative endpoints. Here are the highest-leverage tools for automating domain and group policy management.
### List All Zoho Mail Domains
Before an AI agent can configure DKIM or SPF, it needs to know what domains are registered to the organization. This tool retrieves all domains and their verification statuses.
> "Fetch all domains registered to our Zoho organization (zoid: 123456789) and tell me which ones are pending verification."
### Verify a Zoho Mail Domain
Once DNS records have been updated, this tool triggers Zoho Mail's verification process for a specific domain.
> "Trigger the verification process for the domain 'acmecorp.com' in our organization (zoid: 123456789)."
### Create a Zoho Mail Domain DKIM
Email deliverability requires proper DKIM signatures. This tool automates the generation of DKIM selectors and keys for a domain.
> "Generate a new DKIM record for 'acmecorp.com' (zoid: 123456789) so I can hand the selector and public key to our DNS administrator."
### List All Zoho Mail Groups
Distribution lists and shared inboxes rely on groups. This tool lists all groups, their internal IDs, and current configurations within the organization.
> "List all the distribution groups in our Zoho organization (zoid: 123456789) and give me the internal zgid for the 'Support Team' group."
### Apply Group Moderation
For heavily restricted mailing lists, emails must be approved before distribution. This tool allows Claude to approve or reject pending emails in a group's moderation queue.
> "Check the pending moderation queue for the 'All Hands' group (zgid: 987654) and approve the email with moderation ID 112233."
### List All Mail Policies
Mail policies dictate what users can and cannot do (e.g., restricting POP/IMAP access or blocking external forwards). This tool fetches the master list of policies.
> "List all the mail policies currently configured for our organization (zoid: 123456789)."
### Bulk Update SPF Hard-Fail Options
Security audits often require organizations to enforce strict SPF failure handling. This tool updates the organization's antispam configuration to hard-fail emails that fail SPF checks.
> "Update the SPF hard-fail option for our organization (zoid: 123456789) to ensure all incoming emails failing SPF are rejected."
### Bulk Update Organization Spam Lists
When dealing with a phishing outbreak or a false positive, IT admins need to quickly update organization-wide blocklists or allowlists. This tool accepts arrays of IPs or domains to update specific spam categories.
> "Add 'trusted-partner.com' and the IP '192.168.1.50' to the organization's whiteListEmail category for zoid 123456789."
For the complete inventory of available tools and their exact JSON schema definitions, visit the [Zoho Mail integration page](https://truto.one/integrations/detail/zohomail).
## Workflows in Action
With MCP tools exposed, Claude can string together multiple API calls to execute complex administrative runbooks autonomously.
### 1. The Domain Onboarding Runbook
When a company acquires a new brand or subsidiary, IT must provision the new domain for email, verify it, and generate DKIM records for DNS setup.
> "We just added 'newbrand.com' to Zoho. Find its domain ID, trigger the verification check, and if it succeeds, generate a new DKIM record so we can update our DNS."
**Execution Steps:**
1. Claude calls `list_all_zoho_mail_domains` passing the organization's `zoid` to find the internal ID for `newbrand.com`.
2. Claude calls `zoho_mail_domains_verify` using the retrieved domain name.
3. Claude calls `create_a_zoho_mail_domain_dkim` to generate the security keys.
4. Claude returns a summary text containing the TXT record information that the DNS administrator needs to copy.
```mermaid
sequenceDiagram
participant User
participant Claude
participant Truto as Truto MCP Server
participant Upstream as Upstream API (Zoho)
User->>Claude: "Verify newbrand.com and generate DKIM"
Claude->>Truto: Call list_all_zoho_mail_domains(zoid)
Truto->>Upstream: GET /api/organizations/{zoid}/domains
Upstream-->>Truto: Returns domain array
Truto-->>Claude: Returns domain id
Claude->>Truto: Call zoho_mail_domains_verify(domain_name)
Truto->>Upstream: POST /api/organizations/{zoid}/domains/{name}/verify
Upstream-->>Truto: Verification success
Truto-->>Claude: Returns success
Claude->>Truto: Call create_a_zoho_mail_domain_dkim(domain_name)
Truto->>Upstream: POST /api/organizations/{zoid}/domains/{name}/dkim
Upstream-->>Truto: Returns DKIM selector and key
Truto-->>Claude: Returns DKIM details
Claude-->>User: "Verification complete. Here are your DKIM records: ..."
```
### 2. The Phishing Incident Response
If an employee reports a phishing domain bypassing spam filters, IT needs to audit current policies and immediately add the domain to the organization's blocklist.
> "We are getting phishing emails from 'bad-actor-domain.com'. Check our current SPF hard-fail settings to make sure they are active, then add 'bad-actor-domain.com' to our organization spam blocklist."
**Execution Steps:**
1. Claude calls `zoho_mail_antispam_spf_bulk_update` (or the retrieval equivalent) to verify that SPF hard-failing is enabled.
2. Claude calls `zoho_mail_organization_spam_bulk_update`, structuring the JSON body to include `spamCategory: "blackListDomain"` and passing the array `["bad-actor-domain.com"]`.
3. Claude reports back that the domain has been globally blocked for the organization.
### 3. Moderating the Executive Mailing List
Administrative assistants often need to monitor restricted distribution lists and approve legitimate messages that get caught in the moderation queue.
> "Check the moderation queue for the 'Executive Updates' group. If there are any pending emails from 'ceo@ourcompany.com', approve them."
**Execution Steps:**
1. Claude calls `list_all_zoho_mail_groups` to resolve the string "Executive Updates" to its `zgid`.
2. Claude calls `list_all_zoho_mail_group_moderation` using the `zoid` and `zgid`.
3. Claude parses the returned array. Finding an email from the CEO, it extracts the `moderationId`.
4. Claude calls `zoho_mail_group_moderation_moderate` with the approval action.
```mermaid
flowchart TD
A["Get Group ID
list_all_zoho_mail_groups"] --> B["Check Queue
list_all_zoho_mail_group_moderation"]
B --> C{"Sender == CEO?"}
C -->|Yes| D["Approve Email
zoho_mail_group_moderation_moderate"]
C -->|No| E["Leave in Queue"]
```
## Security and Access Control
Exposing enterprise email infrastructure to an LLM requires [strict security boundaries](https://truto.one/managed-mcp-for-claude-full-saas-api-access-without-security-headaches/). Truto provides multiple layers of control over your MCP servers to ensure agents only access what they absolutely need.
* **Method Filtering:** You can configure an MCP token to only expose specific HTTP methods. Passing `methods: ["read"]` ensures the agent can query domains and lists, but cannot physically alter DKIM records, blocklists, or groups.
* **Tag Filtering:** Integration endpoints in Truto are tagged by resource type. You can restrict an MCP server to only expose tools tagged with `admin` or `spam_control`, keeping the agent entirely walled off from personal inbox tools.
* **Extra Authentication (`require_api_token_auth`):** By default, possessing the MCP URL grants access. By enabling `require_api_token_auth: true`, Truto forces the MCP client to also pass a valid Truto API token in the Authorization header, preventing leaked URLs from being exploited.
* **Automatic Expiration (`expires_at`):** For temporary workflows - like granting a contractor AI agent access to audit your DNS settings - you can set an ISO timestamp. The Truto infrastructure will automatically delete the database record and purge the token from edge storage the moment it expires.
By combining these controls, you can deploy least-privilege MCP servers tailored to specific personas. A "Domain Auditing Agent" gets a read-only token, while an "IT Response Agent" gets a highly scoped token that expires at the end of the shift.
:::cta{buttonText="Talk to us" buttonUrl="https://cal.com/truto/partner-with-truto"}
Want to automate Zoho Mail administration at scale? Book a technical deep dive with our engineering team to see Truto's MCP architecture in action.
:::
Connecting Claude to Zoho Mail does not require building an OAuth flow from scratch, maintaining custom JSON mappings, or fighting with the "zoid" requirement. By leveraging Truto's managed MCP architecture, you instantly equip your AI agents with a comprehensive, fully documented toolkit to execute enterprise IT operations safely.