How to verify whether an email is genuinely from Zerodha
An email is genuinely from Zerodha only if its sender domain is zerodha.com or one of the ten mailer subdomains Zerodha publishes on its verify-genuine-email support page, and even a genuine email never asks for your password, OTP or PIN. The sender domain, the part of the address after the @ sign, is the one signal a fraudster cannot fake past your email provider’s authentication checks. The logo, the formatting, the tone, the client ID in the body: all of these are copied from real emails and prove nothing.
This guide gives the domain list to check against, explains why the sender domain is the test that matters, sets out what Zerodha will never ask for, and shows how to cross-verify any request inside your own login so you act on real obligations and ignore fabricated ones. It applies to every kind of mail you might receive: weekly statements, document or KYC requests, holdings-authorisation prompts, and the rest. Treat it as the reference the other Zerodha email guides on this site point back to.
Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.
The eleven authorised domains
Zerodha states on its support portal that it sends emails exclusively from a fixed set of domains. As of June 2026 that list is:
| Domain | Typical use |
|---|---|
| zerodha.com | General account correspondence |
| newsletter.zerodha.com | Newsletters and updates |
| mailer.zerodha.com | Transactional mail |
| reportsmailer.zerodha.net | Statements and reports |
| mailer.zerodha.net | Transactional mail |
| coinmailer.zerodha.net | Coin mutual-fund mail |
| intranet.zerodha.net | Internal-system mail |
| nbfcmailer.zerodha.net | Zerodha Capital (NBFC) mail |
| omsmailer.zerodha.net | Order-management-system mail |
| qmailer.zerodha.net | Queued bulk mail |
| alertsmailer.zerodha.net | Account and trade alerts |
Two facts follow from this list. First, every genuine Zerodha domain ends in zerodha.com or zerodha.net. A message from zerodha-india.com, zerodhabroking.in, kite-zerodha.com or any near-miss is not Zerodha, no matter what the body says. Second, the subdomain matters: mailer.zerodha.net is genuine, but a forged mailer.zerodha.net.scam.ru is not, because the real registrable domain there is scam.ru. Read the address from the @ sign rightward and stop at the last two labels to find the true domain.
Zerodha’s instruction for anything outside this list is explicit: if you get an email claiming to be from Zerodha but sent from any other address, create a ticket and report it.
Why the sender domain is the only reliable test
Modern phishing copies everything visible. The The420.in report on the March 2025 compromise of Zerodha CEO Nithin Kamath’s X account describes a context-aware phishing email that mimicked an official communication closely enough that he clicked it; security researchers quoted in that report note that generative tools now produce mail that reproduces a brand’s wording and layout precisely. So the body, the signature block, even a real-looking client ID prove nothing, because all of it can be lifted from a genuine email the fraudster received or scraped.
The sender domain is different. Email providers verify the sending domain against SPF, DKIM and DMARC records that the domain owner publishes. A fraudster who does not control zerodha.com cannot make Gmail or Outlook accept a message that passes those checks while displaying @zerodha.com as the authenticated sender. They can put Zerodha in the display name, and they can register a lookalike domain they do control, but they cannot pass authentication as the real zerodha.com. That is why you read past the display name to the actual address, and why the domain, not the design, is the test.
This is also why a genuine-looking email from a wrong domain is more dangerous than an obvious one: it is designed to survive a glance. The defence is mechanical, not intuitive. Check the domain every time.
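The two checks described above, the exact-match test against the eleven listed domains and the provider's DMARC verdict, can be run mechanically on a saved message. This is an added example, not code from Zerodha or from the original guide; the authserv-id `mx.example.net`, the sample addresses and the function names are assumptions made for illustration, and it expects the provider to report `header.from` as the full From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The eleven domains from the table above (Zerodha's published list, June 2026).
AUTHORISED = {
    "zerodha.com", "newsletter.zerodha.com", "mailer.zerodha.com",
    "reportsmailer.zerodha.net", "mailer.zerodha.net", "coinmailer.zerodha.net",
    "intranet.zerodha.net", "nbfcmailer.zerodha.net", "omsmailer.zerodha.net",
    "qmailer.zerodha.net", "alertsmailer.zerodha.net",
}

def sender_domain(from_header):
    """Domain of the actual address; the display name is ignored."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def dmarc_pass_domain(msg, trusted_authserv):
    """header.from domain that our own provider marked dmarc=pass, else None."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # not stamped by our provider; senders can add their own
        m = re.search(r"\bdmarc=pass\b[^;]*\bheader\.from=([\w.-]+)", results)
        return m.group(1).lower() if m else None
    return None

def classify(raw, trusted_authserv="mx.example.net"):
    msg = message_from_string(raw)
    domain = sender_domain(msg.get("From", ""))
    if domain not in AUTHORISED:      # exact match, so suffix tricks fail
        return "not-zerodha"
    if dmarc_pass_domain(msg, trusted_authserv) != domain:
        return "unauthenticated"      # listed domain, but not verified as sender
    return "authorised-and-authenticated"

# Constructed sample headers (addresses and authserv-id are made up).
GENUINE = ("From: Zerodha <no-reply@reportsmailer.zerodha.net>\n"
           "Authentication-Results: mx.example.net; dkim=pass header.d=zerodha.net;"
           " dmarc=pass header.from=reportsmailer.zerodha.net\n\nbody\n")
FORGED = ('From: "alerts@zerodha.com" <x@mailer.zerodha.net.scam.ru>\n'
          "Authentication-Results: mx.example.net; dmarc=pass header.from=scam.ru\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("FORGED", FORGED)):
        print(name, "->", classify(raw))
```

Only an `Authentication-Results` header stamped by your own mail provider counts; the sample with a genuine-looking display name still fails because the comparison uses the address, not the name shown.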
What Zerodha never asks for
A second filter catches scams that spoof or closely mimic the domain. Zerodha never asks, by email, SMS or phone, for any of the following:
- Your Kite login password.
- Your Kite PIN or any standing PIN.
- Any one-time password (OTP) sent to your phone.
- Your two-factor TOTP code from an authenticator app.
- A payment to “unblock”, “reactivate” or “verify” your account.
Every legitimate Zerodha action that needs authentication happens after you log in yourself at kite.zerodha.com or account.zerodha.com, where you enter these secrets into Zerodha’s own page; you never hand them to a person or type them into a page opened from a link in a message. If any communication asks for one of these, it is a scam, full stop, even if the sender domain looks correct. A request for a secret overrides a passing domain check, because the only reason to ask is to steal it.
The corollary protects you when a genuine request and a fake one look alike. A real document or KYC email tells you to log in and act; it never carries the secret or asks you to surrender one.
Never log in from a link in an email
Zerodha’s anti-phishing guidance is built around one rule: the only place you enter your login credentials is kite.zerodha.com, reached by typing it into the address bar yourself. Look at the address bar and confirm it begins with kite.zerodha.com and shows the padlock before entering anything. Even Zerodha’s own partner apps redirect to this domain for the actual login step.
The practical instruction, then, is to treat every login link inside an email as untrustworthy by default. You lose nothing by ignoring it: if a real action is pending, you reach it by opening Kite or Console directly. A phishing page works only if you arrive through its link and type your password into it; deny it that and the attack fails. Pairing this with TOTP two-factor authentication, where the six-digit code changes every minute and is useless to a fraudster a moment later, means even a captured password does not hand over your account.
How to cross-verify a request inside your account
Most Zerodha emails that prompt action fall into a few categories: a weekly statement, a request to re-submit documents, a request to update KYC details, a prompt to authorise holdings for a sale, or a notice about your bank proof. For each, the safe path is the same and does not depend on the email at all.
Open account.zerodha.com yourself and log in. A genuine KYC or document obligation surfaces there: a re-KYC prompt, a flagged field, a pending step. A holdings-authorisation requirement appears in your order flow when you sell without DDPI. If you raised or received a real ticket, it is listed at support.zerodha.com under your tickets. When the email’s claim matches something visible inside your own login, it is real and you complete the action there, ignoring the email’s links. When nothing inside your account corresponds to the email, the email is fabricated and you report it. This single habit, verify inside, act inside, neutralises the entire class of “your account needs attention” scams.
Calls, SMS and social media
The same logic extends beyond email. Zerodha confirms it does not share client details with third parties and does not call clients offering paid trading courses or guaranteed-return schemes. It has publicly flagged impersonation rings, including a fake “Market Movers” group falsely claiming to be run by Nithin Kamath and a counterfeit “ZeradhA” app used for manipulation, both reported to cybercrime authorities. For SMS, the giveaway is again the link: a text pushing you to a login page that is not kite.zerodha.com is phishing. For social media, rely only on Zerodha’s official handles; impersonation accounts are common. Treat any call demanding an OTP, password or immediate payment as a scam and verify independently before acting.
See also
- Zerodha
- Zerodha cyber security
- Zerodha hack and security incidents
- How to secure your trading account
- How to set up TOTP on Zerodha
- How to reset 2FA on Zerodha
- Zerodha weekly statement email
- How to respond to a document re-submission email from Zerodha
- How to respond to a KYC update email from Zerodha
- How to respond to an email asking you to authorise holdings
- How to fix not receiving emails from Zerodha
- How to verify a call claiming to be from Zerodha
- Zerodha official social media handles
- Does Zerodha solicit fund transfers
- How to stop stock-tip SMS forwarded as Zerodha
- How to create a ticket at Zerodha
- Zerodha Console
- Kite by Zerodha
- How to re-KYC at Zerodha
- How to sign DDPI at Zerodha
- Zerodha eDIS TPIN OTP
- Know your customer (KYC)
- Zerodha bank proof email
- Zerodha trade SMS alerts
- Zerodha investor charter
- Is Zerodha safe
External references
- Zerodha support: How to verify if the email from Zerodha is genuine?
- Zerodha: Beware of the phishing scam (Z-Connect)
- Zerodha: Official accounts on social media platforms (Z-Connect)
- SEBI investor website (Saa₹thi) on safe trading practices
- CERT-In, Indian Computer Emergency Response Team
References
- Zerodha support, How to verify if the email from Zerodha is genuine? (authorised sender-domain list, as of 20 June 2026).
- Zerodha, Beware of the phishing scam, Z-Connect (only legitimate login domain is kite.zerodha.com; enable TOTP two-factor authentication).
- The420.in, report on the phishing compromise of Zerodha CEO Nithin Kamath’s X account (March 2025), on AI-assisted brand-spoofing email.
- SEBI circular SEBI/HO/MIRSD/TPD/P/CIR/2023/167 on investor protection and cyber-security and cyber-resilience framework for stockbrokers, 7 October 2023.
- CERT-In advisories on phishing and credential-harvesting attacks, Indian Computer Emergency Response Team.
WebNotes Editorial Team prepares factual how-to guides based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited. The authorised-domain list and procedures are subject to change; verify the current list at support.zerodha.com before acting.