XRAY: Email notifications in Xray and how to debug issues when they happen
Xray allows the user to get email notifications for every violation that was triggered, either by initial scanning or by Impact Analysis, which adds vulnerabilities when the vulnerability database is updated (Database Sync).
To trigger email notifications, you have to set an email server in Artifactory, and you have the following options in the Xray policy configuration:
- Notify Email policy
- Notify watch recipients policy and add the recipients in the watch
- Set notify deployer to set a notification for the developer who deployed the artifact
See more in the following documentation.
Email notifications can sometimes go wrong. Here are common mistakes that might happen:
- Email notification is not working
- The wrong email is getting the email notification
- Notification is working but I’m seeing errors in the logs about email
Here is how you can debug these issues.
Email notification is not working
When email notifications are not working, it is mainly because your email server is not configured correctly: either it was not configured correctly in the beginning, or changes were made internally on the email server that was provided to Artifactory and the connection is no longer valid.
To check this, go to Administration -> General -> Email Server in the UI, where you will encounter the following screen:
Make sure that you are able to send a test email and that the ‘from’ field (which is optional only for Artifactory) has an email address.
After you configured it correctly, try to deploy an artifact with violations in order to test that it is now working properly.
Wrong email address is getting a notification
In that case, we will have to check inside the Xray database who the email participants are.
You may use the following query to get the email participants in all the watches:
    select * from watches_emails;
If the list is long (which is not recommended overall), you may filter by address:
    select * from watches_emails where email like '%email_address%';
To list the recipients of the specific watch that the address is not supposed to be in, run:
    select * from watches_emails where watches_tbl_id = (select id from watches where name = 'WATCH_NAME');
Next, you can search for the policies' participants using the following query:
    select value from policies_rules_notifications where policies_rules_tbl_id in
      (select id from policies_rules where policies_tbl_id in
        (select id from policies where name in
          (select policy from watches_policies where watches_tbl_id =
            (select id from watches where name = 'WATCH_NAME'))));
That is where you can find all the participants who should get the notification. Find the wrong email and delete it from either the watch or the policy using the UI.
Notification is working but I’m still seeing errors in the logs about emails
Usually, if email notifications are working, there is no reason to worry about error messages in the logs. Error messages from the logs will look like this:
[ERROR] [37690ac1e713dbb4] [exchange_handler:646 ] [main ] Worker notification id x failed to process message error: Failed sending email to: gomail: could not send email 1: gomail: invalid address "": email: no address
This error message occurs when email notifications are not working, but also when they are working and Xray is trying to send an email to an invalid email address or one that doesn’t exist.
You can search in the Artifactory database for all users' email addresses by using the following query:
    select * from access_users;
Make sure that all of the users, and the email recipients in the watch and in the policies of the watch, have valid emails. If that’s the case, check who deployed the artifact by navigating to the artifact in Artifactory.
Sometimes artifacts are deployed by builds or automation without a user behind them and in that case, it will show that they were deployed by an Anonymous user who doesn’t have an email by default.
If there is a policy to notify the deployer, Xray will try to send the notification to an empty email address and will write an error message to the logs.
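To tell the two causes of this log error apart in bulk, the following added example (not part of the original article or of Xray) scans log lines in the format quoted above and separates empty-recipient failures from rejected concrete addresses. The function name `triage` is hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Error format as quoted in the article: the second bracketed field is the
# trace id, and gomail quotes the address it rejected.
EMAIL_ERR = re.compile(
    r'\[ERROR\]\s*\[(?P<trace>[0-9a-f]+)\].*?Failed sending email to:'
    r'.*?invalid address "(?P<addr>[^"]*)"'
)

def triage(lines):
    """Split email-send failures into empty-recipient and bad-address cases."""
    empty_traces, bad_addrs = [], Counter()
    for line in lines:
        m = EMAIL_ERR.search(line)
        if not m:
            continue  # not an email-send failure
        addr = m.group("addr").strip().lower()
        if not addr:
            # Empty recipient: the notify-deployer case described above,
            # where the deployer (e.g. Anonymous) has no email address.
            empty_traces.append(m.group("trace"))
        else:
            # A concrete address was rejected: find it in the watch or
            # policy recipients and correct it there.
            bad_addrs[addr] += 1
    return {"empty_recipient_traces": empty_traces,
            "invalid_addresses": dict(bad_addrs)}

# Constructed sample lines modelled on the error shown in the article;
# trace ids other than the first, and the "build-bot" address, are made up.
_MSG = ('[exchange_handler:646 ] [main ] Worker notification id x failed to '
        'process message error: Failed sending email to: gomail: could not '
        'send email 1: gomail: invalid address ')
SAMPLE = [
    f'[ERROR] [37690ac1e713dbb4] {_MSG}"": email: no address',
    f'[ERROR] [aaaa000000000001] {_MSG}"build-bot": mail: missing \'@\' or angle-addr',
    f'[ERROR] [aaaa000000000002] {_MSG}"Build-Bot": mail: missing \'@\' or angle-addr',
    '[INFO ] [aaaa000000000003] [exchange_handler:120 ] [main ] constructed unrelated line',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Empty-recipient entries point at the notify-deployer policy and the artifact's deployer, while entries under `invalid_addresses` are the values to look for in the watch and policy recipient queries.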