Configure Microsoft 365 Exchange for the Templafy-hosted Email Signature Server

About this article

In this article we will be creating and configuring a mail flow rule and the connectors in the Exchange Online Admin Center. These will identify the e-mails that will be redirected through the Templafy Email Signature Server cluster for processing.

• Step 1. Create the Inbound Connector
  • Configure Inbound certificate-based connector authentication.
  • Configure Smart Hostname
  • Add the Templafy managed DNS SPF entry to the DNS records for domains.
• Step 2. Create the Outbound Connector
  • Configure transport rule only Connector activation.
  • Configure Smart Host based Routing. 
  • Configure Outbound certificate-based connector authentication. 
  • Validate the Outbound Connector
• Step 3. Create the mail flow rule
• Step 3a. Add the message targeting under the "Apply this rule if" section
• Step 3b. Add the redirect to the Inbound Connector under the "Do the following" section
  • set secret key validation.
• Step 3c. Add the three required exceptions under the "Except if" section
  • Add the exception for excluding the processed emails that are returned from the ESS
  • Add the exception for excluding the emails already processed by a Templafy Email Signature add-in OR the exception for excluding only the unsupported email types
  • Add the exception for Permission controlled emails
• Step 3d. Enable the new mail flow rule and set the priority to the highest
• Step 4. Add Smart Hostname to accepted domains. 
• Related articles

Prerequisites

Step 1. Create the Inbound Connector

• Navigate to https://admin.microsoft.com/ in the web browser of your choice. Or go directly to https://admin.exchange.microsoft.com/

• Click Show all

• Click Exchange

• Click Mail flow and then Connectors

• Click [+ Add a connector]

• New connector

  • The Connection from option should be set to the 'Your organization's email server' setting.
  • The Connection to option will remain on the 'Office 365' setting.
  • Click [Next]

     

• Connector name

  • Enter a name for the connector: templafy-ess-inbound-cert

  • The What do you want to do after connector is saved? section checkboxes, as defaulted, should both remain enabled.
  • Click [Next]

• Authenticating sent email

  • Choose the, defaulted, 'By verifying that the subject name on the certificate...' option.

  • The subject name for Templafy-hosted ESS will be: [tenant-name].templafy-ess.com (replace the `[tenant-name]` with the unique name of the Templafy tenant in production.)

    Add the Templafy managed DNS SPF entry to the DNS records for each sending domain. To ensure the Email Signature Server is identified as authorized to process mail for your domains it is important to add the Templafy-managed DNS entry for your cluster region., [essprod0|essaue0|essuse0].templafy-ess.com, to the DNS SPF record for each domain that may be sending emails through the Templafy Email Signature Server for processing. nslookup -type=txt templafy.com An example (SPF Record): v=spf1 include:essprod0.templafy-ess.com -all SPF entry Configuration, Setup, and Verification.

  • Click [Next]

     

• Review connector

  • Click [Create connector]

     

Step 2. Create the Outbound Connector

• Click [+ Add a connector]

• New connector

  • The Connection from option should be set to the 'Office 365' setting.
  • The Connection to option should remain on the default 'Your organization's email server' setting.
  • Click [Next]

     

• Connector name

  • Enter a name for the connector: templafy-ess-outbound-cert
  • Under the What do you want to do after connector is saved? section checkboxes, as defaulted, should both remain enabled.
  • Click [Next]

     

• Use of connector

  • Choose the 'Only when I have a transport rule set up that redirects messages to this connector' option.

  • Click [Next]

     

• Routing

  • Specify a smart host name (public cluster hostname)
  • For Templafy-hosted ESS this is: [tenant-name].templafy-ess.com
    (replace `[tenant-name]` above with the unique name of the Templafy tenant in production.)
  • Click the [+] sign.

  • Click [Next]

     

• Security restrictions

  • Choose the 'Issued by a trusted certificate authority (CA)' option
  • Enable/Select the 'Add the subject name or subject alternative name (SAN) matches this domain:' checkbox.
  • Enter hostname [tenant-name].templafy-ess.com the same as above.
  • Click [Next]

     

• Validation email

  Outbound connector validation is REQUIRED for Microsoft Exchange (through Exchange Online Protection) to trust the connectors.

  • Provide an email address from inside of your domain.

  • Click [+]

  • Click [Validate]

  • There will be a three-step validation progress bar. This will take one to two minutes to complete.

  If the second step of the test fails. Check if other connectors are already configured that could be intercepting the incoming validation email. Add an Exception for the built-in senderO365ConnectorValidation@<yourrdomain.tld> to this other connector's mail flow rule.   If the connector had previously been saved in a failed validation state. Open the connector and at the bottom of the pane click [Validate this connector]. Repeat the validation process as described above.

   

• Click [Save]  

   

Step 3. Create the mail flow rule

• Go to Rules
• Click [+ Add a rule] -> 'Create a new rule...'

• Set rule conditions

• Name: templafy email signatures

• Under the Apply this rule if section.

  • Click the Select one dropdown and select: The sender
  • Click the next Select one dropdown and select: is external/internal
  • select sender location will show Inside the organization in the dropdown.
  • Click the [Save] button.
  • Click the [+] Add a condition button next to the is external/internal dropdown.

  • Select The sender... then click the Select one dropdown and select:domain is

  • specify domain

    • [Add] for each Email Domain that is configured in your Templafy tenant Email signatures settings.

      This information is found at your Templafy tenant Admin Center in section Email signatures -> More options -> Settings. How to add or remove Email Domains?

       

    • Click the [Save] button.
      

      Ensure the SPF record is updated with the cluster Connector ESS Smart Hostname, [essprod0|essaue0|essuse0].templafy-ess.com, for each of the domains so Added to the rule in this step. SPF entry Configuration, Setup, and Verification.

     

  • Optional: Group-based user targeting to Email Signature Server

    • We recommend this configuration if you have many systems automated mails that would not be receiving a Templafy managed signature.

    • You can add the condition Sender is a member of... and use a Distribution Group, or Mail Enabled Security Group, of users that are in the Templafy tenant for a managed signature.

       

• Under the Do the following section.

  • Click the Select one dropdown and select: Redirect the message to
  • Click the next Select one and select: the following connector

  • Select connector.

    • Select the templafy-ess-outbound-cert connector from the list.
    • Click [Save]

       

  • Set secret key validation.

    • Click the [+] Add action button next to the the following connector. dropdown.
    • Select Modify the message properties... -> Set a message header
    • Click [Enter Text] for the message header and set the header name to Templafy-EmailSignatureServer-Secret
    • Click [Save]
    • Click [Enter Text] for the message value and set the header value to the GUID value that is provided by your Templafy Solutions Engineer on this implementation.
    • Click [Save]

    Enable sender secret key validation.

     

• Under the Except if section.

  • The Templafy-EmailSignatureServer-Processed custom header is added to the email by the processing ESS instance before it is returned back to the Exchange Online server.

    • Click the Select one dropdown and choose: The message headers...
    • Click the next Select one and choose: includes any of these words/matches these text patterns.
    • Click the Enter text link to specify header name: Templafy-EmailSignatureServer-Processed
      Click [Save]
    • Click the Enter words link to specify words or phrases: true
      Click [Add]
      Click [Save]

       

  • The x-processedbytemplafy -OR- unsupportedformatbytemplafy headers are added by the local Templafy Signature add-ins if they have processed this mail.

    • Click the [+] Add exception button next to the includes any of these words/matches these text patterns. dropdown.
    • Click the Select one dropdown and select: The message headers...
    • Click the next Select one and select: includes any of these words/matches these text patterns.
    • Click the Enter text link to specify header name: x-processedbytemplafy -OR- x-unsupportedformatbytemplafy

      Use the header x-processedbytemplafy if you prefer the emails already processed by Templafy via the Outlook VSTO Plugin on PC or via the Templafy Outlook Web Add-in in to skip the Email Signature Server Use the header x-unsupportedformatbytemplafy if you prefer all the traffic will go to Templafy Email signature for a sanity check (in case the signature was removed by the end users while the add-ins are in use in their sending application) except the non-supported format items (meeting invites and vote feature in Outlook Application for PC)

    • Click [Save]
    • Click the Enter words link to specify words or phrases: true
      Click [Add]
      Click [Save]
      Click [+]

       

  • Add the exception for Permission controlled emails

    • Click the [+] Add exception button next to the first includes any of these words/matches these text patterns dropdown.
    • Click the Select one dropdown and select: The message properties
    • Click the next Select one and select:includes the message type
    • For the select message type select the Permission controlled item in the dropdown.
    • Click the [Save] buttons.

       

• Click the [Next] button.

   

• Set rule settings

  • Enable the checkbox for Stop processing more rules

    The rest of the mail flow rules you may have will be applied when the email is returned back from the ESS solution to Exchange.

  • Click the [Next] button.

     

• Review and finish

  • Click the [Finish] button.
  • The rule will be Saving, this may take a few minutes.
  • Click the [Done] button to complete this step.

     

• Enable the new mail flow rule and set the priority to 0, the highest.

  • Click the newly created rule at the bottom of the list.
  • Click the Enable or disable rule toggle to set the rule Enabled.
    • You must wait at this panel until the operation returns, in green, "Rule status updated successfully."
  • Click Edit rule settings at the top of the panel.
    • Set the Priority textbox to 0
  • Click [Save]
  • The rule will be Saving, this may take a few minutes.
    • You must wait at this panel until the operation returns, in green, "Transport rule updated successfully."
  • Click [Done]

     

• Screenshot examples of a completed rule.

Step 4. Add Smart Hostname to accepted domains.