Email Ingestion Options


What are my options for ingesting email into Dropzone?

Dropzone supports multiple flexible methods for ingesting emails, depending on your environment and workflow:

  • Native Microsoft 365 integration (recommended)

  • Forwarded/shared mailbox ingestion

  • API-based ingestion (EML/MSG files)

  • SOAR or webhook-driven ingestion

Each option is outlined below.


Microsoft 365 (Graph API / Defender integration)

This is the most common and recommended method.

With this setup, Dropzone automatically ingests:

  • User-reported phishing emails (e.g., via “Report Phish” button)

  • Emails flagged by Microsoft Defender

✅ Benefits

  • No manual forwarding required

  • Full access to mailbox and user context

  • Seamless integration into existing security workflows


Can we use a shared mailbox or forwarded inbox?

Yes.

You can configure your environment so that reported emails are forwarded to a central mailbox, which Dropzone monitors or integrates with.

Common use cases

  • KnowBe4 or other phishing-reporting tools

  • Emails routed through a ticketing system

  • Existing SOC workflows using shared inboxes

✅ Benefits

  • Simple to set up

  • Minimal engineering effort

  • Works with existing processes


Can we send emails directly via API?

Yes.

Dropzone provides APIs to submit raw email files (.eml or .msg) for analysis.

How it works

  1. Extract the full email file from your system

  2. Send it to Dropzone via API

✅ Benefits

  • Full-fidelity analysis (headers, attachments, body)

  • Highly customizable ingestion pipelines

  • Ideal for automation via SOAR, scripts, or serverless functions


Can we integrate through our SOAR or SIEM?

Yes.

If you have a SOAR or SIEM platform, you can push email alerts or artifacts to Dropzone via webhook/API.

✅ Benefits

  • Centralized ingestion alongside other alerts

  • Fits into existing automation workflows

  • No need to change upstream processes


Do you support direct email (SMTP-style) ingestion?

Yes — Dropzone supports direct email ingestion using a raw email submission approach, similar in concept to SMTP.

How it works

  1. A user reports or forwards an email (e.g., phishing report)

  2. Your system (mail server, SOAR, or automation) captures the full raw email

  3. The email is preserved in its original format as a .eml or .msg file

  4. That file is sent directly to Dropzone via its email ingestion endpoint

Dropzone performs full analysis, including:

  • Headers and routing details

  • Body content and links

  • Attachments and embedded artifacts

⚠️ Important

Dropzone does not function as a traditional mail server. Instead, it analyzes complete email objects, ensuring full fidelity and deeper investigation.
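Steps 2 and 3 above, sketched as an added example (not Dropzone code and not its API): when a report arrives as a forward-as-attachment wrapper, the message to preserve as .eml is the embedded original, because its headers and attachments are the evidence. The wrapper-style report, the function names and the sample message are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample: a user report carrying the suspicious mail as an attachment.
SAMPLE_REPORT = b"""\
From: reporter@corp.example
Subject: Fwd: Invoice overdue
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mail.sender.example by mx.corp.example; 1 Jan 2024 10:00 +0000
Authentication-Results: mx.corp.example; spf=fail
From: billing@sender.example
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Please pay today.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
--b1--
"""

def extract_original(raw: bytes) -> bytes:
    """Unwrap a forward-as-attachment report; return bytes to save as .eml."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).as_bytes()  # embedded original, re-serialised
    return raw  # no wrapper: the input is already the original message

def fidelity_report(raw: bytes) -> dict:
    """Summarise the evidence present in the bytes about to be submitted."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "from": str(msg["From"]),
        "received_hops": len(msg.get_all("Received", [])),
        "auth_results": msg["Authentication-Results"] is not None,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }
```

Write the returned bytes to a .eml file and record the SHA-256 with the submission. The call to the ingestion endpoint is left out because this page does not give its URL or parameters.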

When to use this approach

  • You want a simple “forward → analyze” workflow

  • You already have automation that can extract raw emails

  • You prefer not to rely on deep integrations (e.g., M365 APIs)


Can Dropzone analyze quarantined emails?

Yes, with additional configuration.

  • Requires expanded permissions in Microsoft 365

  • Typically involves Exchange Online / PowerShell setup

ℹ️ Note

Most customers prioritize reported emails rather than quarantined messages due to simpler setup.


Does Dropzone provide an email server?

No.

Dropzone integrates with your existing email infrastructure:

  • You retain control of mail flow and security policies

  • Dropzone connects via APIs or ingestion pipelines


How do I choose the right approach?

  • Microsoft 365 integration → best overall experience

  • Shared mailbox → fastest to deploy

  • API ingestion → most flexible

  • SOAR/webhooks → best for mature SOC environments


How does email ingestion fit into Dropzone?

Depending on your setup, email ingestion can function as:

  • Alert source → triggers investigations (e.g., reported phishing emails)

  • Data source → enriches investigations with mailbox and message context

This flexibility allows Dropzone to integrate into your existing security architecture without requiring workflow changes.


Need help deciding?

Your Dropzone team can help design an ingestion strategy tailored to your tools, workflows, and security goals.
