diff --git a/README.md b/README.md
index 4c92115f..d0f13a5f 100644
--- a/README.md
+++ b/README.md
@@ -1009,7 +1009,8 @@ Update alias note. In the future, the endpoint will support other updates (e.g.
 Input:
 - `Authentication` header that contains the api key
 - `alias_id` in url.
-- `note` in request body
+- (optional) `note` in request body
+- (optional) `mailbox_id` in request body
 
 Output:
 If success, return 200
diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index 62e6182b..f8a067ec 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -19,7 +19,7 @@ from app.dashboard.views.alias_log import get_alias_log
 from app.email_utils import parseaddr_unicode
 from app.extensions import db
 from app.log import LOG
-from app.models import Alias, Contact
+from app.models import Alias, Contact, Mailbox
 from app.utils import random_string
 
 
@@ -234,8 +234,6 @@ def update_alias(alias_id):
         note: in body
     Output:
         200
-
-
     """
     data = request.get_json()
     if not data:
@@ -247,11 +245,26 @@ def update_alias(alias_id):
     if alias.user_id != user.id:
         return jsonify(error="Forbidden"), 403
 
-    new_note = data.get("note")
-    alias.note = new_note
-    db.session.commit()
 
-    return jsonify(note=new_note), 200
+    changed = False
+    if "note" in data:
+        new_note = data.get("note")
+        alias.note = new_note
+        changed = True
+
+    if "mailbox_id" in data:
+        mailbox_id = int(data.get("mailbox_id"))
+        mailbox = Mailbox.get(mailbox_id)
+        if not mailbox or mailbox.user_id != user.id or not mailbox.verified:
+            return jsonify(error="Forbidden"), 400
+
+        alias.mailbox_id = mailbox_id
+        changed = True
+
+    if changed:
+        db.session.commit()
+
+    return jsonify(ok=True), 200
 
 
 @api_bp.route("/aliases/<int:alias_id>", methods=["GET"])
@@ -374,8 +387,6 @@ def delete_contact(contact_id):
         contact_id: in url
     Output:
         200
-
-
     """
     user = g.user
     contact = Contact.get(contact_id)
diff --git a/tests/api/test_alias.py b/tests/api/test_alias.py
index 1b294619..5ada525f 100644
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@@ -6,7 +6,7 @@ from flask import url_for
 
 from app.config import PAGE_LIMIT
 from app.extensions import db
-from app.models import User, ApiKey, Alias, Contact, EmailLog
+from app.models import User, ApiKey, Alias, Contact, EmailLog, Mailbox
 
 
 def test_get_aliases_error_without_pagination(flask_client):
@@ -292,7 +292,38 @@ def test_update_alias(flask_client):
     )
 
     assert r.status_code == 200
-    assert r.json == {"note": "test note"}
+
+
+def test_update_alias_mailbox(flask_client):
+    user = User.create(
+        email="a@b.c", password="password", name="Test User", activated=True
+    )
+    db.session.commit()
+
+    mb = Mailbox.create(user_id=user.id, email="ab@cd.com", verified=True)
+
+    # create api_key
+    api_key = ApiKey.create(user.id, "for test")
+    db.session.commit()
+
+    alias = Alias.create_new_random(user)
+    db.session.commit()
+
+    r = flask_client.put(
+        url_for("api.update_alias", alias_id=alias.id),
+        headers={"Authentication": api_key.code},
+        json={"mailbox_id": mb.id},
+    )
+
+    assert r.status_code == 200
+
+    # fail when update with non-existing mailbox
+    r = flask_client.put(
+        url_for("api.update_alias", alias_id=alias.id),
+        headers={"Authentication": api_key.code},
+        json={"mailbox_id": -1},
+    )
+    assert r.status_code == 400
 
 
 def test_alias_contacts(flask_client):