Short answer:
Xink reroutes emails through Microsoft 365 to apply signatures. This adds connectors and a transport rule, and may require fine-tuning in complex environments to avoid delivery or authentication issues.
Xink ReRouter accepts messages from Microsoft 365, applies the email signature, and returns the messages back to your Microsoft 365 tenant.
Whether you configure server-side (rerouting) using the Web Console or PowerShell, the following objects are created in Microsoft 365:
- Outbound connector – routes messages from Microsoft 365 to Xink.
- Transport rule – identifies which messages should be routed to Xink.
- Inbound connector – receives processed messages back from Xink.
These components work well in standard Microsoft 365 environments. However, in more complex setups, administrators may need to adjust the configuration to align with existing mail flow and security policies.
Mail flow behavior
By default, the Xink transport rule is configured to match all outbound emails from your organization.
This means every email is routed to Xink, processed, and then returned to Microsoft 365 via the inbound connector.
While this ensures consistent signature application, the rerouting process introduces some changes:
- The message is no longer treated as sent by an authenticated Microsoft 365 user.
- It is instead processed as a message relayed via an “on-premises” source.
- This can impact delivery to systems that require authenticated senders.
Examples include:
- Distribution groups with restricted access
- Shared mailboxes or resource mailboxes
- Meeting rooms and calendar systems
In these cases, emails may not be delivered as expected. Learn how to exclude mailbox resources from rerouting.
Additional changes include:
- Email content is modified when the signature is applied
- DKIM signatures are removed (and may be reapplied later)
- Extra Received headers are added, which may affect spam filtering
Fine-tuning recommendations
To optimize performance and avoid unintended side effects, consider adjusting the configuration:
1. Refine the transport rule
The default rule “Xink-Auto-ReRouting-Catcher” applies broadly.
You can improve this by:
- Targeting only users or groups that require signatures
- Excluding specific mailboxes or systems
Important: Always keep the exception for the header X-Xink-Handled: Yes to prevent mail loops.
2. Update SPF records
Add Xink to your domain’s SPF record to align with Microsoft 365 recommendations for third-party services.
See how to update SPF records.
This helps reduce false positives in spam filtering.
3. Allowlist Xink servers
Add Xink server IP addresses to your allowlist or whitelist.
View the allowlist configuration steps.
4. Enable DKIM support (optional)
To maintain DKIM alignment after processing, enable DKIM support for your domains.
Summary
Server-side rerouting ensures consistent signature application across all devices and platforms.
However, because emails are modified and reprocessed, administrators should review and adjust mail flow rules, authentication settings, and filtering policies to ensure smooth delivery and optimal performance.
