Consent flow for adding Verified-Domain Email Addresses in Zoho One

Greetings, Zoho One Admins!

To strengthen account security and ensure that users explicitly confirm ownership of their domain-based email addresses, we are introducing a consent flow for adding verified-domain email addresses in Zoho One.

What is the change?

Admins can now add verified-domain email addresses for users who currently belong to an unverified domain.
  1. If the user does not already have a confirmed verified-domain email, the new email is added in the unverified state (with a "Yet to Verify" tag).
  2. A consent email will be sent to the user’s primary email address.
  3. The user must review and approve the added email before it becomes verified.
Previously, all verified-domain email addresses were added directly in the verified state. Now, user approval is required if no confirmed verified-domain email exists.

Why is this change being introduced?

Verified-domain email addresses are central to identity and access management. Allowing them to be added without user consent could lead to misuse of critical admin operations.

By enforcing a consent flow, Zoho One ensures that:
  1. Users explicitly confirm ownership of their verified-domain email addresses.
  2. Admin actions remain secure and transparent.
  3. Critical operations are protected until verification is complete.

When does the consent flow apply?

Scenario 1: No confirmed verified-domain email exists.
  1. Admin-added verified-domain email is added as unverified.
  2. A consent email is sent to the user.
  3. User approval is required before the email becomes verified.
  4. Critical operations and mailbox creation remain blocked until approval.
Scenario 2: At least one confirmed verified-domain email already exists.
  1. Any newly added verified-domain email is stored directly as verified.
  2. No consent flow is triggered.
  3. Mailbox creation and critical operations are available immediately.

How can users review and approve added emails?

Users can approve or reject added emails in two ways:
  1. Go to Zoho Accounts Settings page → My Emails: The added email is shown with a Review option.
  2. Notification Email: Sent to the user’s primary email address with a link to approve or reject the added email.

What restrictions apply while email confirmation is pending?

Until a user's email domain is verified and confirmed, admins cannot perform the following actions:
  1. Reset MFA
  2. Enable/Disable MFA
  3. Generate backup code for a user
  4. Create Mailbox
This restriction prevents unauthorized recovery or access attempts by limiting these actions to users who belong to trusted, verified domains.

Regards,
The Zoho One Team