You need Exchange Administrator or Global Administrator permissions in Microsoft 365.
When a user sends an email, Exchange routes it to Badex via the outbound connector. Badex applies the correct signature based on the sender's Azure AD profile, then redelivers the email through Microsoft Graph API — fully authenticated, SPF, DKIM and DMARC compliant. No inbound connector needed.
What this script creates:
Step 1 — Install the Module
Open PowerShell as Administrator and install the Exchange Online Management module:
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Import-Module ExchangeOnlineManagementStep 2 — Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@yourcompany.comA browser window will open for Microsoft authentication. Sign in with your admin account.
Step 3 — Create the Outbound Connector
Routes outbound mail through Badex Signature for processing and signature injection:
New-OutboundConnector `
-Name "BADEX Signature Outbound Connector" `
-ConnectorType Partner `
-SmartHosts "smtp.signature.badex.app" `
-UseMXRecord $false `
-TlsSettings EncryptionOnly `
-IsTransportRuleScoped $true `
-Enabled $trueStep 4 — Create Transport Rules
Two rules are needed — one for external mail and one for internal mail. Both skip calendar items and already-processed emails to prevent loops:
# Rule 1: External mail
New-TransportRule `
-Name "BADEX Signature Route Rule" `
-Priority 0 `
-FromScope InOrganization `
-SentToScope NotInOrganization `
-RouteMessageOutboundConnector "BADEX Signature Outbound Connector" `
-ExceptIfHeaderContainsMessageHeader "X-BADEX-Signature-Processed" `
-ExceptIfHeaderContainsWords "1" `
-ExceptIfFromAddressMatchesPatterns "<>" `
-ExceptIfMessageTypeMatches Calendaring `
-StopRuleProcessing $true
# Rule 2: Internal mail
New-TransportRule `
-Name "BADEX Signature Internal Rule" `
-Priority 1 `
-FromScope InOrganization `
-SentToScope InOrganization `
-RouteMessageOutboundConnector "BADEX Signature Outbound Connector" `
-ExceptIfHeaderContainsMessageHeader "X-BADEX-Signature-Processed" `
-ExceptIfHeaderContainsWords "1" `
-ExceptIfFromAddressMatchesPatterns "<>" `
-ExceptIfMessageTypeMatches Calendaring `
-StopRuleProcessing $trueStep 5 — Verify the Setup
# Check connector
Get-OutboundConnector -Identity "BADEX Signature Outbound Connector" | Format-List Name,Enabled,SmartHosts,IsTransportRuleScoped
# Check transport rules
Get-TransportRule -Identity "BADEX Signature Route Rule" | Format-List Name,State,Priority
Get-TransportRule -Identity "BADEX Signature Internal Rule" | Format-List Name,State,PriorityExpected output:
Name : BADEX Signature Outbound Connector
Enabled : True
SmartHosts : {smtp.signature.badex.app}
IsTransportRuleScoped : True
Name : BADEX Signature Route Rule
State : Enabled
Priority : 0
Name : BADEX Signature Internal Rule
State : Enabled
Priority : 1Step 6 — Test
Send a test email from Outlook to an external address (e.g., Gmail). Verify that:
- Your signature appears correctly at the bottom of the email
- SPF shows as PASS in Gmail's "Show original"
- DKIM shows as PASS
- DMARC shows as PASS
You can send to check-auth2@verifier.port25.com to receive an automatic deliverability report.
Remove / Uninstall
To remove Badex Signature and restore normal mail flow:
Remove-OutboundConnector -Identity "BADEX Signature Outbound Connector" -Confirm:$false
Remove-TransportRule -Identity "BADEX Signature Route Rule" -Confirm:$false
Remove-TransportRule -Identity "BADEX Signature Internal Rule" -Confirm:$falseGo to Microsoft 365 → Connector Script in your dashboard to get a pre-filled script with your exact domain and settings — ready to copy and run.