6.2 Emails to Users without Devices

Some users may have a Zoom Mail Service account, but not have logged in on any devices or generated any keys yet. We say that these users are “pre-provision.” For example, the IT team of an organization might create user accounts for every new hire before their start date. We wish to allow pre-provision users to receive emails, but these emails cannot be end-to-end encrypted because the users don’t yet have keys. Instead, when emailing a pre-provision user, the sender flags the email as not E2EE and shares a decryption key with the server, as described earlier. The server stores these emails for the user until they create their first device, at which point the server decrypts and re-encrypts those emails for the user’s first email PUK. Since the server performs the final encryption, these emails will not be signed by the original sender. Pre-provision users are different from users who do have a sigchain, but whose devices are all revoked. The Zoom client doesn’t allow sending emails to such users.