Zoom Mail and Calendar Services Explainer

Zoom Mail and Calendar Services Overview

These pages provide an introduction to the Zoom Mail and Zoom Calendar Services, not to be confused with the Zoom Mail and Zoom Calendar Clients. This section primarily details an overview of the Zoom-provided services for email and calendaring.

Zoom Mail Service is a full-featured email solution enhanced by advanced security technologies

Zoom Mail is Zoom's full-featured email service, designed to centralize communication workflows within a single, cohesive platform alongside Zoom's comprehensive suite of collaboration tools—including Zoom Meetings, Zoom Phone, Zoom Contact Center, and Zoom Team Chat. Zoom Mail provides secure email transportation methods, including end-to-end encrypted emails between two active Zoom Mail users on the same account (as further described below), and password-expiring, server-side encryption for external email recipients. Standard email protocol—plain text delivered over a TLS connection—is also supported.

Zoom Mail Service offers three encryption methods: end-to-end encryption, server-side password expiration, and plain text over TLS

Zoom Mail Services offers users three encryption methods for protecting emails:\

1. End-to-end encryption, using local, device-generated keys—optional and exclusively available between active Zoom Mail users on the same account; availability depends on a variety of factors including whether sender and receiver have already generated encryption keys, Zoom client version, and configuration of user or account level settings.

2. Server-side encryption, with password-expiring emails.

3. Encryption in transit using TLS, securing plaintext emails as they travel between servers (how most email services work).

Zoom Mail Service also comes with the Zoom Calendar Service

Alongside Zoom Mail Service, users gain access to Zoom Calendar Service—a fully integrated calendar within the Zoom client that enables scheduling meetings and appointments, either for themselves or, with the proper permissions, on behalf of others.

Zoom Mail and Calendar Services supports core user and business-grade email features and functionality

The Zoom Mail and Calendar Services supports core user and business-grade email features and functionalities, including but not limited to:

Zoom Mail and Calendar Services are currently only available for customer accounts hosted on Zoom’s United States or European infrastructure

Customers hosted on Zoom’s European or United States global infrastructure can currently purchase Zoom Mail and Calendar Services. Zoom Mail and Calendar Services are not available for accounts hosted on other region-specific infrastructure (e.g., India, Australia, Singapore, etc.).

Zoom Mail Service and Calendar Service Encryption Methods

End-to-End Encrypted Emails

By default, Zoom Mail Service offers optional end-to-end encrypted email between active Zoom Mail Service users on the same account

By default, Zoom Mail Service supports end-to-end encryption (E2EE) for emails sent between two active users on the same account, as long as both the account and users are configured to allow it. With end-to-end encryption, messages are encrypted on the sender's device and can only be decrypted on the recipient's device—no one else, including Zoom, can read the content. If Device Managed Encryption is enabled, however, authorized account admins may also have access.

When sending an end-to-end encrypted email, the Zoom Workplace app clearly marks outgoing messages accordingly. These messages are protected with client-generated encryption keys, transmitted over TLS 1.2, and stored on Zoom's servers in encrypted form, helping ensure their content remains inaccessible to Zoom and unauthorized parties, though designated Device Managed Encryption administrators can access encryption keys to decrypt content when necessary—for example, for user recovery or legal discovery purposes.

More information on Zoom Mail Service’s encryption design can be found in our Cryptography Whitepaper.

End-to-end encrypted emails can be sent to users on other accounts so long as both domains enable the “encryption across domain” setting

By default, end-to-end encrypted emails can only be exchanged between users in the same account. However, if admins from two different domains enable the Encryption across domain option in Domain Management, users in those domains can send end-to-end encrypted emails to each other.

If this setting is not enabled, encrypted emails sent across accounts will use the password-expiring encryption method as the fallback.

The Zoom Mail Service uses device-based encryption keys, which are used to grant new devices access to old data

As part of Zoom Mail Service’s design, every authorized device generates its own device-specific keys, in addition to per-user keys that are shared across all authorized devices. These per-user keys are what enable encryption and decryption of email content on each device.

When a new Zoom Mail Service device is added, fresh per-user keys are created and distributed to all devices, ensuring equal access to new email data. For security, however, newly added devices do not automatically gain access to older data or the keys that protect it.

To access historical emails, an already-authorized device must share the relevant per-user keys with the new device. If no existing device grants access, the new device cannot decrypt or view past emails. When access is granted, the devices complete a private key exchange using each device’s unique device-specific key pair.

Authorized devices can revoke other authorized device access

Any authorized device can revoke another device’s access to Zoom Mail Service content. In the event a device’s access is revoked, the device’s keys are invalidated and per-user keys are rotated between all remaining authorized devices.

Users should take care to securely store their backup key to restore access in case of emergencies

Users should securely store a backup key to restore access if all authorized devices are lost, since each new device must be approved by one that’s already authorized. To reduce this risk, Zoom Mail Service prompts users to download a backup key during setup, as Zoom cannot add devices or grant access on behalf of users.

Device Managed Encryption can help restore access if device keys are lost

If enabled on the account, admins can help restore user access to device-encrypted emails through the Device Managed Encryption (also referred to as encryption escrow) feature. Device Managed Encryption lets authorized admins securely access the keys that protect encrypted messages. With this access, they can approve new devices or restore encryption access if someone loses their existing device, helping ensure users can get back into their email without losing important information. More information on Device Managed Encryption is described further down this page.

Password-Expiring Encrypted Emails

Password-expiring emails can be sent to anyone

Unlike end-to-end encrypted emails, which require two users to be on the same Zoom account, password-expiring emails can be sent to any email recipient.

Password-expiring emails are time sensitive and contain an embedded password within the URL

Expiring emails send recipients an email with a time-sensitive link to the original email, with a password embedded in the URL. After the link is sent, the Zoom Mail Service does not retain a copy of the password, exclusively allowing access through the URL.

Expiring emails are encrypted at rest within Zoom Mail Service servers and must be set to expire in one day, week, or month from their postmark. After an expiring email expires, the link is invalidated and the message’s public-facing content is deleted from Zoom Mail Service servers; however, a separate, private copy may persist within the sender’s Sent folder.

Password-expiring emails must be opened in a web browser

When a user receives a password-expiring email, the user must click a link to open the email in a browser window. Password-expiring emails cannot be viewed within the Zoom Mail client.

Encrypted Email Limitations

Encrypted emails are not accessible or available in webmail

Due to the intrinsic design of end-to-end encryption and server-side encryption, emails with this designation cannot be viewed, read, or sent in the webmail client, except when opening a link to a password-expiring email. Consequently, all emails sent from webmail will use plaintext over TLS encryption.

Webmail does not support sending encrypted emails

Users cannot send end-to-end encrypted or password-expiring (server-encrypted) emails from webmail at this time.

Emails sent to a mailing list are not end-to-end encrypted

Emails sent to a mailing list are not end-to-end encrypted, even if all users are Zoom Mail Service accounts authorized and enabled for the feature. Users must send distribution list emails using the password-expiring feature or plaintext over TLS.

Personal copies of outbound emails are stored with encryption in the sender’s Sent folder

Personal copies of encryption-enabled emails (such as end-to-end encrypted or password-expiring messages) are stored in the sender’s Sent folder in encrypted form. Zoom Mail Service servers do not have the keys to decrypt these copies once they are sent. As a result, encryption-enabled emails cannot be viewed through webmail, but remain accessible from the Sent folder on the sender’s authorized devices. In contrast, standard plaintext emails sent over TLS are encrypted at rest using Zoom’s key management system and can be viewed through webmail.

Plaintext Emails (Standard Emails)

Zoom Mail Service offers plaintext and password-expiring emails for recipients using third-party email providers

When emailing non-Zoom Mail recipients, users can choose to send plain text or expiring emails, with both email methods protected by TLS 1.2 in transit whenever possible.

Emails between Zoom Mail Service and third-party email providers are encrypted when stored by Zoom

Emails between Zoom Mail Service users and third-party email services are encrypted when stored by Zoom. Incoming messages from external services are encrypted with client-controlled keys as soon as they’re received, and outgoing messages to external accounts are saved in the sender’s Sent folder using keys provided by Zoom’s key management system.

Calendar Service

The Zoom Calendar Service does not use end-to-end encryption, but events are transmitted over TLS 1.2

The Zoom Calendar Service does not use end-to-end encryption for calendar events. This design allows interoperability between the Zoom Calendar Service and other calendar service providers; otherwise, calendar events and invitations would be unreadable to external parties. However, calendar events are transmitted using TLS 1.2 whenever possible for encryption in transit.

Device Managed Encryption

Device Managed Encryption adds a built-in backup device that lets administrators recover encryption keys and restore access when needed

Device Managed Encryption (also referred to as encryption escrow) is a safeguard that allows an organization to securely hold a copy of the encryption keys used to protect Zoom Mail Service communications. These keys are stored in a controlled system that only designated administrators can access. When Device Managed Encryption is turned on, account members are notified, and a special virtual device is automatically added to their account. This virtual device acts like a backup device that sits alongside a user’s own devices, making it possible for administrators to recover the encryption keys tied to the account and, when required, decrypt email content.

Device Managed Encryption is designed to support two main scenarios:

• User recovery: Administrators with the right permissions can approve new devices and restore access to encrypted email if a user loses all of their authorized devices.

• Legal discovery: Administrators with the right permissions can request encrypted email from Zoom’s servers and decrypt it to meet compliance or investigation needs.

This system helps ensure that only the sender and recipient can read the content of messages on their personal devices, while also providing a carefully controlled way for administrators to step in when recovery or legal access is required. This balance helps organizations meet compliance needs without weakening the overall security model.

Administrating Zoom Mail Service and Calendar Service

This section details functionality and additional information for the Zoom Mail and Calendar Services.

Admins can enable the Zoom Mail Service and Calendar Service on an account or group level

Account admins or authorized users can enable the Zoom Mail Service and Calendar Service for the entire account or on a group level. Refer to our support documentation for more information on enabling the Zoom Mail Service and Calendar Service.

Admins can choose the default email encryption behavior when configuring a domain

When configuring a domain for the first time, admins can choose the default encryption behavior that will apply to users. This setting cannot be changed once set. The list of options is limited to:

• Only use secure emails.

• Default to secure emails, but users can choose.

• Default to standard emails, but users can choose.

Zoom Mail Service supports custom domains for customers on a Workplace Business account or higher

Companies on a Zoom Workplace Business plan or higher can set up the Zoom Mail Service with a custom email domain with proven ownership. Zoom does not provide domains for purchase and must be purchased through alternative providers.

Zoom Mail Service does not offer domain management services

Zoom Mail Service does not provide domain registration or domain management services. Instead, it works with domains that an organization already owns and configures. Admins are responsible for setting up and managing their own domain records, such as DNS, and then connecting those domains to Zoom Mail Service for use.

Users without a custom domain will have an @zmail.com address and no access to administration features

Users on accounts without a custom domain will use the email domain @zmail.com. The zmail.com domain does not include any administration features and is for basic email access only.

Accounts are allotted different storage based on their plan type

Zoom accounts are granted the following Zoom Mail Service storage based on their plan type:

• Pro: 50GB

• Business: 100GB

• Business Plus: 1TB

• Enterprise: 5TB

The Zoom Mail Service includes built-in spam and security features

To prevent spam email, Zoom Mail uses industry-standard protocols and techniques, such as:

• Domain-based Message Authentication Reporting & Conformance (DMARC)

• DomainKeys Identified Message (DKIM)

• Authenticated Received Chain (ARC)

• Strict Transport Security (MTA STS)

Zoom Mail Service supports integration with third-party email hygiene and additional services, but not for encrypted emails

Zoom Mail Service supports integration with third-party email hygiene tools and add-on services, including advanced spam filtering, data loss prevention, and automatic archiving solutions that rely on server-side scanning. These integrations work with standard Zoom Mail Service communications (i.e., plaintext over TLS). However, when organizations choose to enable end-to-end encryption or other advanced encryption methods, external services that require access to message content will not be able to access those encrypted emails.

The Zoom Mail Service supports up to 25 MB in attachment size

The Zoom Mail Service supports attachments up to 25 MB in size for inbound and outbound emails. Inbound emails with attachments greater than 25 MB will be bounced by the Zoom Mail Service. Alternatively, the Zoom Mail Client will prevent Zoom Mail Service users from uploading attachments exceeding 25 MB.

Zoom Mail supports small-scale email importing

Zoom Mail Service supports small-scale email importing to help organizations move their existing mail into Zoom. For smaller migrations—such as a few hundred users—admins can usually complete the process on their own with built-in tools Zoom provides. Larger, enterprise-scale migrations involving thousands of users require additional planning, and organizations should work directly with their Zoom account team for support.

Users cannot export Zoom Mail Service emails to third-party email services

User emails created or processed through use of the Zoom Mail Service cannot be exported to third-party email services at this time. If a user discontinues their Zoom Mail Service, their emails remain within the service until deletion by the account owner or following account termination.

Zoom Mail Service data is stored within the infrastructural region the Zoom account is provisioned

Zoom Mail Service data is stored within the account’s regional infrastructure. For instance, if an account is hosted on Zoom’s United States-based global infrastructure, the data will reside in the U.S.. If the account is hosted on Zoom’s European infrastructure, the data will reside in Europe.