Email Signature Management for Microsoft 365: Server-Side vs Add-In — What's the Difference?
TL;DR: There are two fundamentally different ways that third-party email signature management tools work in Microsoft 365: server-side routing (signatures added after the email is sent, by routing through the vendor’s infrastructure) and add-in-based injection (signatures added at compose time, within Outlook, before the email is sent). The choice between them affects your GDPR position, what employees see when they compose, how mobile devices are handled, and your IT overhead. This article explains both in plain English so you can ask the right questions when evaluating vendors.
If you’ve been researching email signature management tools for Microsoft 365, you’ll have noticed something: all of them claim to give you centralised control, directory sync, and a visual template editor. The feature lists look remarkably similar.
What they don’t make easy to compare is how they actually work — the underlying architecture that determines what happens to your email between the sender hitting Send and the recipient receiving it.
That matters more than most people realise when they first start evaluating. Two tools with identical feature lists can have completely different implications for your data privacy obligations, your employees’ compose experience, and how you handle mobile devices. The architecture is the product. Everything else is built on top of it.
This article explains the two dominant architectural approaches — server-side routing and add-in-based injection — and what each one means in practice. It doesn’t recommend specific vendors. It gives you the framework to evaluate them yourself.
The Question Most Evaluation Guides Don’t Ask
When most IT admins evaluate email signature tools, they compare features: can it do per-user personalisation, does it have a visual editor, does it support banners, how does it handle replies and forwards?
These are legitimate questions. But they miss the foundational one:
Does this tool add signatures to emails by routing them through its own servers — or by injecting them within Outlook before the email is sent?
The answer to this question determines almost everything else about how the tool behaves, what obligations it creates, and whether it’s the right fit for your organisation’s security and compliance posture.
How Server-Side Routing Works
In a server-side routing architecture, your outbound email doesn’t go directly from Microsoft 365 to the recipient. Instead, it is redirected — via a mail flow connector configured in your Exchange admin centre — through the vendor’s cloud infrastructure. The vendor’s servers receive the email, identify the sender, look up their signature profile, append the correct signature HTML to the message body, and then forward the email to the original recipient.
From the recipient’s perspective, the email arrives looking entirely normal, with the sender’s branded signature at the bottom. From the technical perspective, every email your organisation sends has transited through a third party’s infrastructure in the process.
This is the architecture used by most of the major established vendors in the email signature management market. It works, and for many organisations it’s a perfectly reasonable choice. But it has implications that are worth understanding clearly before you commit.
What server-side routing looks like from the employee’s perspective:
An employee opens Outlook, writes an email, and hits Send. The compose window shows no signature — or shows a signature the employee has manually set themselves, which is separate from and unrelated to the centrally managed one. The centralised signature is invisible to the sender throughout the entire writing process. It appears only on the received copy at the other end.
This is not a minor UX quirk. It’s the source of a specific and recurring problem: employees don’t know their signature is there, so they add their own informal signature below their email text as well, resulting in duplicates on outgoing messages. It also means employees can’t verify their own signature without sending a test message to themselves or a colleague.
What server-side routing means for IT:
Setup involves configuring a mail flow connector in the Exchange admin centre to redirect outbound email through the vendor’s SMTP relay. This isn’t complex, but it does mean your mail flow has a dependency on the vendor’s infrastructure. If the vendor’s service experiences downtime, your outbound email delivery may be affected — vendors typically handle this with fallback routing, but it’s a dependency worth noting.
How Add-In-Based Injection Works
In an add-in-based architecture, a small software component — an Outlook add-in — is deployed to employees’ Outlook clients via the Microsoft 365 admin centre. This add-in activates automatically when an employee opens a new compose window.
At compose time, the add-in identifies the current sender, fetches the appropriate signature (typically from a CDN where the vendor has pre-rendered the HTML for each user), and injects it directly into the email body — before the employee has typed anything.
The email is then sent through Microsoft’s normal mail flow: Outlook → Exchange Online → recipient. The vendor’s infrastructure is not involved in mail delivery at any point.
What add-in injection looks like from the employee’s perspective:
An employee opens Outlook and clicks New Email. Their signature is already there, at the bottom of the compose window, looking exactly as it will to the recipient. They write their message above it and hit Send. The signature is visible throughout the composition process, exactly where they expect it.
This eliminates the duplicate-signature problem almost entirely — employees can see their managed signature is present, so there’s no reason to add their own. It also means employees can spot if their signature looks wrong (wrong job title, missing photo, outdated banner) and report it, rather than the error propagating unnoticed to every recipient.
What add-in-based injection means for IT:
Deployment uses Microsoft’s Centralised Deployment feature — the add-in is published to all users (or specific groups) directly from the Microsoft 365 admin centre, without touching individual machines. It requires Global Admin or Exchange Admin permissions. Propagation typically completes within 24 hours. There is no mail flow connector to configure and no dependency on a third-party SMTP relay in the mail delivery path.
The Five Practical Differences
1. Compose-time visibility
Server-side: Employees do not see their centralised signature while composing. The signature is invisible until the recipient receives the email.
Add-in: Employees see their signature from the moment the compose window opens. The compose experience reflects exactly what the recipient will receive.
The compose-time visibility difference is the most noticeable day-to-day. For organisations where employees deal with multiple signature variants — different templates for different contexts, time-limited campaign banners — the add-in approach means employees always know which signature is active. With server-side routing, this visibility is fundamentally unavailable.
2. Data flow and GDPR
This is the most consequential difference for organisations subject to UK GDPR or EU GDPR.
Server-side: Every outbound email — including the message body, any attachments, and any personal data in the content — passes through the vendor’s servers for processing. Under GDPR, this makes the vendor a data processor of your email content. This is governed by Article 28 of UK GDPR, which requires a written Data Processing Agreement (DPA) between your organisation and the vendor. Your organisation remains the data controller and is responsible for ensuring the vendor handles the data appropriately.
This is a manageable compliance obligation — reputable vendors will provide a DPA and will be clear about their data retention policies and processing locations. But it is a real obligation that requires active management, and for organisations in regulated industries (financial services, healthcare, legal) it is likely to be flagged by procurement, legal, or your DPO before sign-off.
Add-in: The email body is never processed by the vendor. The add-in fetches a pre-rendered HTML signature from the vendor’s CDN at compose time — it’s pulling a static asset, not transmitting message content. The email itself travels from Outlook through Microsoft’s infrastructure directly to the recipient. The vendor’s data processing relationship is limited to: employee directory attributes used to personalise the signature (name, title, photo), and any analytics on signature impressions (if that feature is used).
This is a materially simpler GDPR position. The vendor is still a data processor for the employee directory sync, and a DPA is still appropriate — but the scope of what they’re processing is far narrower, and email content is not part of it.
One practical test: ask any vendor directly — “Does email content pass through your servers?” A clear answer one way or the other tells you the architecture immediately, regardless of how the marketing materials describe it.
3. Mobile device coverage
This is where server-side routing has a genuine advantage, and it’s worth being honest about it.
Server-side: Because the signature is applied at the mail server level — after the email is sent, regardless of what sent it — it works for emails sent from any client on any device. Outlook on Windows, Outlook on Mac, Outlook Web Access, Outlook Mobile, the iPhone’s built-in Mail app, the Android Gmail app, any third-party mail client that accesses Exchange Online. The signature is always appended, because it’s applied in the mail flow, not in the sending application.
Add-in: The add-in works in Outlook for Windows (new Outlook), Outlook on Mac, Outlook Web Access, and Outlook Mobile (the Microsoft app for iOS and Android). It does not work in native device mail apps — if an employee uses the built-in iOS Mail app or the Android Gmail app to access their company Exchange email, the add-in has no way to inject a signature into those compose windows.
Whether this is a problem depends entirely on your device management posture:
- If your organisation has issued company devices, enrolled them in Intune or another MDM platform, and enforced Outlook Mobile as the email client — the add-in covers you completely.
- If employees use personal devices and choose their own mail apps — you likely have a coverage gap, and server-side routing is more reliable.
- Many organisations fall somewhere in between, and the honest answer is that they accept imperfect mobile coverage from the add-in approach in exchange for the architectural simplicity it offers elsewhere.
If mobile coverage is genuinely critical — for example, if a significant portion of your salespeople use personal phones with native mail apps — this is the factor most likely to lead you toward a server-side solution.
4. Deployment and ongoing IT overhead
Server-side: Initial setup involves configuring a mail flow connector in Exchange Online to route outbound email through the vendor’s relay. This is a one-time configuration task but it does create an ongoing dependency: the vendor’s relay is now in your outbound mail path. Any changes to that configuration — connector updates, vendor infrastructure changes — may require IT involvement. Some organisations run a server-side signature tool alongside Outlook Mobile, which introduces a hybrid complexity: mobile emails go through the relay and get signatures, desktop emails bypass it and get add-in signatures, creating a risk of duplication or inconsistency if both are active simultaneously.
Add-in: Once deployed via Centralised Deployment, the add-in propagates to all assigned users automatically and silently. There is nothing in the mail flow to maintain. Template changes are made by the template administrator (typically marketing or comms) and publish immediately to all users without any IT involvement. Add-in updates pushed by the vendor are applied automatically at the next Outlook launch, with no admin action required.
5. Sent Items and reply thread behaviour
Server-side: Because the signature is added after the email is sent, the copy stored in the employee’s Sent Items folder in Outlook does not contain the signature. The employee sent a message; the vendor added a signature to it in transit; the delivered copy has the signature, but the Sent Items copy does not. This is a known limitation of server-side architecture, and Microsoft’s own documentation on transport rules notes explicitly that displaying signatures in Sent Items is not possible with server-side approaches.
For most organisations this is an acceptable tradeoff. For organisations where legal or compliance teams need to audit sent email content as delivered — financial services firms with MiFID II obligations, for example — it can be a practical problem.
Add-in: Because the signature is injected into the compose window before Send is pressed, the version of the email stored in Sent Items does contain the signature. What you see in Sent Items is what the recipient received.
Head-to-Head Summary
| Server-Side Routing | Add-In Injection | |
|---|---|---|
| Compose-time preview | ✗ Signature invisible to sender | ✓ Visible from compose window opening |
| Email content through vendor servers | ✓ Yes — all outbound email | ✗ No — never |
| GDPR data processor scope | Email content + directory data | Directory data only |
| Mobile coverage (native mail apps) | ✓ All clients | ✗ Outlook Mobile only |
| Mobile coverage (Outlook Mobile) | ✓ Yes | ✓ Yes |
| Sent Items contains signature | ✗ No | ✓ Yes |
| Deployment method | Exchange connector / mail flow rule | M365 Centralised Deployment |
| IT dependency in mail flow | Yes — vendor relay in outbound path | No — mail flow unchanged |
| Template updates require IT | No | No |
| Best fit | Mixed device environments, BYOD policies, where mobile native app coverage is essential | Standardised M365 device environments, regulated industries, privacy-conscious organisations |
Which Architecture Is Right for Your Organisation?
The honest answer is that it depends on two things: your device landscape and your compliance posture.
If you have a standardised device environment — company-managed devices, Outlook enforced as the email client across Windows, Mac, and mobile — the add-in architecture covers you completely and gives you the simpler compliance position. There’s no reason to route email through a third party’s infrastructure when the add-in handles the job within Microsoft’s ecosystem.
If you have a BYOD environment where employees use personal devices and a mix of mail apps, and mobile coverage is non-negotiable — server-side routing is more reliable. Accept the GDPR overhead as a managed compliance obligation, get your DPA in place, and make sure you understand exactly what data the vendor retains and for how long.
If you’re in a regulated industry with heightened sensitivity around email content leaving your Microsoft environment — financial services, healthcare, legal, any sector with specific data handling requirements — the add-in approach’s narrower data processing footprint is worth taking seriously. It is likely to be the argument your DPO or compliance team finds most compelling.
If you’re evaluating from a cost and simplicity perspective — all else being equal, the add-in approach requires less ongoing IT maintenance. No mail flow connector to manage, no relay dependency in your outbound path, template changes handled entirely by the template administrator.
Neither architecture is objectively better. Both are used successfully by large organisations. The question is which set of tradeoffs fits your environment.
A Note on Vendors That Offer Both
Some vendors offer both deployment modes — typically a server-side relay option and an Outlook add-in option — sometimes in different product tiers, sometimes as configurable settings within the same product. This sounds like the best of both worlds but introduces a different risk: running both modes simultaneously can result in signatures being applied twice to the same email, once by the add-in at compose time and once by the relay in transit.
If you’re evaluating a vendor that offers both modes, ask explicitly how they prevent double-application, and what happens to an email sent from Outlook Mobile (where the add-in is active) that also passes through the server-side relay. The answer should be specific and verifiable, not reassuring but vague.
Summary
The most important question you can ask of any email signature management vendor is: “Does email content pass through your servers?”
Server-side tools route outbound email through the vendor’s infrastructure. They cover all mail clients including native mobile apps, but email content transits a third party — which has material GDPR implications — and employees never see their signature in the compose window.
Add-in-based tools inject signatures at compose time within Outlook. Email is never handled by the vendor. Employees see their signature as they write. The limitation is native device mail apps — coverage requires Outlook Mobile.
Understanding this distinction makes everything else in the vendor evaluation cleaner. Feature lists matter less when you’ve already decided which architectural category fits your organisation.
Frequently Asked Questions
What is the difference between server-side and add-in email signature management?
Server-side tools route outgoing emails through the vendor’s cloud infrastructure, where the signature is appended before the email is delivered to the recipient. Add-in tools install a component in Outlook that injects the signature at compose time — before the email is sent, within the Outlook client itself. The email never passes through the vendor’s servers. The key differences are: server-side covers all mail clients on all devices; add-in tools show the signature in the compose window and keep email content within Microsoft’s infrastructure.
Do I need a Data Processing Agreement with my email signature vendor?
If you’re subject to UK GDPR or EU GDPR, you likely do — but the scope varies significantly by architecture. Server-side tools process the content of outbound emails, making the vendor a data processor of that content under Article 28 of UK GDPR. A DPA is required and should cover data retention, processing location, and security measures. Add-in-based tools don’t process email content, but they do sync employee directory data (names, job titles, photos) to generate personalised signatures — which is also a processing relationship that warrants a DPA, albeit a narrower one. The ICO’s guidance on controllers and processors explains what these agreements must cover.
Do Outlook add-ins work on mobile devices?
Outlook add-ins work in Outlook Mobile for iOS and Android — the Microsoft Outlook app available from the App Store and Google Play. They do not work in native device mail apps (the built-in iOS Mail app, the Android Gmail app, or other third-party mail clients). If employees access company email on personal devices using non-Outlook apps, add-in-based signature tools will not apply to emails sent from those apps.
What is an Outlook add-in, and how is it different from a COM add-in?
An Outlook add-in in the modern sense is a web-based extension built using HTML, CSS, and JavaScript that runs within Outlook’s web view runtime — the same technology works across Outlook for Windows (new Outlook), Outlook for Mac, Outlook Web Access, and Outlook Mobile. COM add-ins (also called VSTO add-ins) are an older architecture based on compiled Windows code, which only works on the classic Windows Outlook desktop client and is not supported in new Outlook for Windows. Modern email signature tools use the web-based add-in model, which is cross-platform and deployed via Centralised Deployment.
If my email signature tool uses server-side routing, does that affect email delivery reliability?
It introduces a dependency: your outbound email passes through the vendor’s relay infrastructure before reaching its destination. Reputable vendors engineer this for high availability and typically operate SLAs in excess of 99.9% uptime. However, if the vendor’s infrastructure experiences an outage, your outbound email delivery may be delayed or affected. Most vendors handle this with fallback routing — if the relay is unreachable, the email is delivered without a signature rather than not delivered at all. Ask your vendor specifically about their fallback behaviour and SLA before committing.
Can I use both server-side routing and an Outlook add-in at the same time?
Some vendors offer both modes, but running them simultaneously creates a real risk of duplicate signatures — the add-in injects a signature at compose time, then the server-side relay appends another in transit. If a vendor offers both, ask specifically how they prevent double-application and what the behaviour is for emails sent from Outlook Mobile where both modes might be active. The answer should be precise and verifiable.
Does the email in my Sent Items folder contain the signature when using a server-side tool?
No. Because server-side tools apply the signature in transit — after the email leaves the sender’s mailbox — the copy stored in Sent Items does not include the signature. The email in Sent Items reflects what was sent, not what was delivered after server-side processing. With add-in-based tools, the signature is injected before Send is pressed, so the Sent Items copy does include it. For most organisations this is a minor inconvenience; for organisations with compliance-driven email archiving requirements, it can be more significant.