Connect Zoho Mail to Claude: Administer Domains and Group Policies

If you need to connect Zoho Mail to Claude to automate IT administration, domain verification, or group policy management, you need a Model Context Protocol (MCP) server. This server acts as the translation layer between Claude's natural language tool calls and Zoho's complex REST APIs. You can either build and maintain this infrastructure yourself, or use a managed integration platform like Truto to dynamically generate a secure, authenticated MCP server URL.

If your team uses ChatGPT, check out our guide on connecting Zoho Mail to ChatGPT, explore our broader architectural overview on connecting Zoho Mail to AI Agents, or learn how to connect Google to Claude for similar workspace management.

Giving a Large Language Model (LLM) read and write access to an enterprise email system like Zoho Mail is an engineering challenge. You have to handle fragmented data centers, map highly nested JSON payloads for policy updates, and manage strict rate limits. Every time Zoho updates an administrative endpoint, you have to update your server code, redeploy, and test the integration. This guide breaks down exactly how to use Truto to generate a secure, managed MCP server for Zoho Mail, connect it natively to Claude, and execute complex domain and group workflows using natural language.

The Engineering Reality of the Zoho Mail API

A custom MCP server is a self-hosted integration layer. While the open MCP standard provides a predictable way for models to discover tools, the reality of implementing it against Zoho Mail's APIs is painful. You are not just integrating "email" - you are integrating an entire organization management suite with strict administrative boundaries.

If you decide to build a custom MCP server for Zoho Mail, you own the entire API lifecycle. Here are the specific challenges you will face:

Fragmented Data Centers and Endpoints Zoho does not use a single global API endpoint. Depending on where the customer account was created, API requests must be routed to specific regional domains (zoho.com, zoho.eu, zoho.in, zoho.com.au, zoho.jp). If your MCP server hardcodes the .com endpoint, it will immediately fail for European clients. A managed MCP server abstracts this completely, routing requests to the correct regional endpoint based on the authenticated token.

The "Zoid" Organization Context Requirement Zoho Mail strictly separates personal mailbox operations from organization-wide administrative actions. Almost every administrative endpoint (domains, policies, groups, anti-spam) requires a zoid (Zoho Organization ID) in the request parameters. If you expose raw endpoints to Claude, the model will often hallucinate this ID or fail to understand that it must first fetch the organization details before executing a domain update.

Complex Bulk Payloads for Anti-Spam Updating spam settings, DKIM rules, or SPF fail options in Zoho Mail is not a simple boolean toggle. Endpoints like the organization spam bulk update require nested JSON payloads keyed dynamically by the spam category (e.g., passing an array inside a whiteListEmail key). Writing an MCP tool schema that reliably instructs an LLM to generate these exact nested structures requires precise JSON Schema definitions.

Strict Rate Limits Without Safety Nets Zoho Mail enforces rate limits based on both concurrent connections and requests per minute/day. When these limits are hit, Zoho returns an HTTP 429 response. Truto handles this in a specific, predictable way: Truto does not absorb, retry, or apply exponential backoff to these rate limit errors. Instead, when Zoho returns an HTTP 429, Truto passes the error directly to the caller, normalizing the upstream rate limit information into standard IETF headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset). Your MCP client or agent orchestrator is fully responsible for reading these headers and implementing its own retry and backoff logic.

How to Generate a Zoho Mail MCP Server with Truto

Truto dynamically generates MCP tools from an integration's existing resources and documentation records. You do not have to write custom JSON-RPC handlers or manually define parameters.

There are two ways to generate a secure Zoho Mail MCP server using Truto: via the UI or programmatically via the API.

Method 1: Via the Truto UI

If you are an IT admin setting up a workspace integration manually, the UI is the fastest path.

1. Navigate to the integrated account page for your connected Zoho Mail instance in the Truto dashboard.
2. Click the MCP Servers tab.
3. Click Create MCP Server.
4. Select your desired configuration. You can restrict the server to specific operations (like read or write) or specific tool tags.
5. Copy the generated MCP server URL (e.g., https://api.truto.one/mcp/a1b2c3d4e5f6...).

Method 2: Via the Truto API

If you are building a product that deploys AI agents for your customers, you should provision MCP servers programmatically. Make a POST request to /integrated-account/:id/mcp.

curl -X POST https://api.truto.one/integrated-account/YOUR_ACCOUNT_ID/mcp \
  -H "Authorization: Bearer YOUR_TRUTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Zoho IT Admin MCP",
    "config": {
      "methods": ["read", "write", "custom"]
    }
  }'

The response contains the secure token URL that you will pass to Claude:

{
  "id": "mcp_12345abcde",
  "name": "Zoho IT Admin MCP",
  "config": {
    "methods": ["read", "write", "custom"]
  },
  "expires_at": null,
  "url": "https://api.truto.one/mcp/a1b2c3d4e5f67890"
}

This URL contains a hashed cryptographic token. It is fully self-contained. The URL alone routes the JSON-RPC requests, authenticates against Zoho Mail using the correct regional data center, and handles the token refresh lifecycle.

Connecting the Zoho Mail MCP Server to Claude

Once you have the Truto MCP URL, you need to register it with your Claude client. You can do this through the visual interface or by modifying the desktop configuration file.

Method A: Via the Claude UI

If you are using Claude Desktop (or ChatGPT's custom connectors):

1. Open Claude Desktop and navigate to Settings.
2. Select Integrations (or Connectors depending on your version).
3. Click Add MCP Server or Add custom connector.
4. Paste the Truto MCP server URL you generated in the previous step.
5. Click Add. Claude will immediately execute an initialization handshake and discover all available Zoho Mail tools.

Method B: Via Manual Config File

For developers orchestrating Claude Desktop manually or configuring an AI agent environment, you can edit the claude_desktop_config.json file directly.

{
  "mcpServers": {
    "zoho_mail_admin": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-sse",
        "https://api.truto.one/mcp/a1b2c3d4e5f67890"
      ]
    }
  }
}

When Claude restarts, it will use the Server-Sent Events (SSE) transport to connect to Truto and load the tools.

Hero Tools for Zoho Mail Administration

By leveraging Truto's proxy architecture, Claude gets immediate access to Zoho Mail's administrative endpoints. Here are the highest-leverage tools for automating domain and group policy management.

List All Zoho Mail Domains

Before an AI agent can configure DKIM or SPF, it needs to know what domains are registered to the organization. This tool retrieves all domains and their verification statuses.

"Fetch all domains registered to our Zoho organization (zoid: 123456789) and tell me which ones are pending verification."

Verify a Zoho Mail Domain

Once DNS records have been updated, this tool triggers Zoho Mail's verification process for a specific domain.

"Trigger the verification process for the domain 'acmecorp.com' in our organization (zoid: 123456789)."

Create a Zoho Mail Domain DKIM

Email deliverability requires proper DKIM signatures. This tool automates the generation of DKIM selectors and keys for a domain.

"Generate a new DKIM record for 'acmecorp.com' (zoid: 123456789) so I can hand the selector and public key to our DNS administrator."

List All Zoho Mail Groups

Distribution lists and shared inboxes rely on groups. This tool lists all groups, their internal IDs, and current configurations within the organization.

"List all the distribution groups in our Zoho organization (zoid: 123456789) and give me the internal zgid for the 'Support Team' group."

Apply Group Moderation

For heavily restricted mailing lists, emails must be approved before distribution. This tool allows Claude to approve or reject pending emails in a group's moderation queue.

"Check the pending moderation queue for the 'All Hands' group (zgid: 987654) and approve the email with moderation ID 112233."

List All Mail Policies

Mail policies dictate what users can and cannot do (e.g., restricting POP/IMAP access or blocking external forwards). This tool fetches the master list of policies.

"List all the mail policies currently configured for our organization (zoid: 123456789)."

Bulk Update SPF Hard-Fail Options

Security audits often require organizations to enforce strict SPF failure handling. This tool updates the organization's antispam configuration to hard-fail emails that fail SPF checks.

"Update the SPF hard-fail option for our organization (zoid: 123456789) to ensure all incoming emails failing SPF are rejected."

Bulk Update Organization Spam Lists

When dealing with a phishing outbreak or a false positive, IT admins need to quickly update organization-wide blocklists or allowlists. This tool accepts arrays of IPs or domains to update specific spam categories.

"Add 'trusted-partner.com' and the IP '192.168.1.50' to the organization's whiteListEmail category for zoid 123456789."

For the complete inventory of available tools and their exact JSON schema definitions, visit the Zoho Mail integration page.

Workflows in Action

With MCP tools exposed, Claude can string together multiple API calls to execute complex administrative runbooks autonomously.

1. The Domain Onboarding Runbook

When a company acquires a new brand or subsidiary, IT must provision the new domain for email, verify it, and generate DKIM records for DNS setup.

"We just added 'newbrand.com' to Zoho. Find its domain ID, trigger the verification check, and if it succeeds, generate a new DKIM record so we can update our DNS."

Execution Steps:

1. Claude calls list_all_zoho_mail_domains passing the organization's zoid to find the internal ID for newbrand.com.
2. Claude calls zoho_mail_domains_verify using the retrieved domain name.
3. Claude calls create_a_zoho_mail_domain_dkim to generate the security keys.
4. Claude returns a summary text containing the TXT record information that the DNS administrator needs to copy.

sequenceDiagram
    participant User
    participant Claude
    participant Truto as Truto MCP Server
    participant Upstream as Upstream API (Zoho)

    User->>Claude: "Verify newbrand.com and generate DKIM"
    Claude->>Truto: Call list_all_zoho_mail_domains(zoid)
    Truto->>Upstream: GET /api/organizations/{zoid}/domains
    Upstream-->>Truto: Returns domain array
    Truto-->>Claude: Returns domain id
    Claude->>Truto: Call zoho_mail_domains_verify(domain_name)
    Truto->>Upstream: POST /api/organizations/{zoid}/domains/{name}/verify
    Upstream-->>Truto: Verification success
    Truto-->>Claude: Returns success
    Claude->>Truto: Call create_a_zoho_mail_domain_dkim(domain_name)
    Truto->>Upstream: POST /api/organizations/{zoid}/domains/{name}/dkim
    Upstream-->>Truto: Returns DKIM selector and key
    Truto-->>Claude: Returns DKIM details
    Claude-->>User: "Verification complete. Here are your DKIM records: ..."

2. The Phishing Incident Response

If an employee reports a phishing domain bypassing spam filters, IT needs to audit current policies and immediately add the domain to the organization's blocklist.

"We are getting phishing emails from 'bad-actor-domain.com'. Check our current SPF hard-fail settings to make sure they are active, then add 'bad-actor-domain.com' to our organization spam blocklist."

Execution Steps:

1. Claude calls zoho_mail_antispam_spf_bulk_update (or the retrieval equivalent) to verify that SPF hard-failing is enabled.
2. Claude calls zoho_mail_organization_spam_bulk_update, structuring the JSON body to include spamCategory: "blackListDomain" and passing the array ["bad-actor-domain.com"].
3. Claude reports back that the domain has been globally blocked for the organization.

3. Moderating the Executive Mailing List

Administrative assistants often need to monitor restricted distribution lists and approve legitimate messages that get caught in the moderation queue.

"Check the moderation queue for the 'Executive Updates' group. If there are any pending emails from 'ceo@ourcompany.com', approve them."

Execution Steps:

1. Claude calls list_all_zoho_mail_groups to resolve the string "Executive Updates" to its zgid.
2. Claude calls list_all_zoho_mail_group_moderation using the zoid and zgid.
3. Claude parses the returned array. Finding an email from the CEO, it extracts the moderationId.
4. Claude calls zoho_mail_group_moderation_moderate with the approval action.

flowchart TD
    A["Get Group ID<br>list_all_zoho_mail_groups"] --> B["Check Queue<br>list_all_zoho_mail_group_moderation"]
    B --> C{"Sender == CEO?"}
    C -->|Yes| D["Approve Email<br>zoho_mail_group_moderation_moderate"]
    C -->|No| E["Leave in Queue"]

Security and Access Control

Exposing enterprise email infrastructure to an LLM requires strict security boundaries. Truto provides multiple layers of control over your MCP servers to ensure agents only access what they absolutely need.

• Method Filtering: You can configure an MCP token to only expose specific HTTP methods. Passing methods: ["read"] ensures the agent can query domains and lists, but cannot physically alter DKIM records, blocklists, or groups.
• Tag Filtering: Integration endpoints in Truto are tagged by resource type. You can restrict an MCP server to only expose tools tagged with admin or spam_control, keeping the agent entirely walled off from personal inbox tools.
• Extra Authentication (require_api_token_auth): By default, possessing the MCP URL grants access. By enabling require_api_token_auth: true, Truto forces the MCP client to also pass a valid Truto API token in the Authorization header, preventing leaked URLs from being exploited.
• Automatic Expiration (expires_at): For temporary workflows - like granting a contractor AI agent access to audit your DNS settings - you can set an ISO timestamp. The Truto infrastructure will automatically delete the database record and purge the token from edge storage the moment it expires.

By combining these controls, you can deploy least-privilege MCP servers tailored to specific personas. A "Domain Auditing Agent" gets a read-only token, while an "IT Response Agent" gets a highly scoped token that expires at the end of the shift.

Connecting Claude to Zoho Mail does not require building an OAuth flow from scratch, maintaining custom JSON mappings, or fighting with the "zoid" requirement. By leveraging Truto's managed MCP architecture, you instantly equip your AI agents with a comprehensive, fully documented toolkit to execute enterprise IT operations safely.