Tip of the day

Support tickets can be submitted directly from application

EMAIL

Estimated reading: 7 minutes 704 views

Cellosign can send emails to your users and clients for invitations, reminders, alerts and more. On cloud installations, we use third-party providers to post and manage email traffic by default.

Using our integrations, you can connect Cellosign to your own email delivery service instead. Two delivery modes are available:

  • SMTP — your organization’s standard SMTP server.
  • Microsoft Graph sendMail — for Microsoft 365 tenants that require OAuth2 instead of SMTP.

You choose the mode from the Email Delivery Mode dropdown when adding the integration.

Why do I need this?

There are a few good reasons to integrate with your organization’s email service:

  1. Control the sender address. By default, Cellosign emails are sent from a Cellosign address such as “invite@cellosign.com”. A custom integration lets you send from your own address, for a more familiar experience for your clients.
  2. Tighter control over outbound email. Manage your own outbound email traffic and content.
  3. Meet your IT policy. If your Microsoft 365 tenant blocks SMTP AUTH, the Microsoft Graph mode lets Cellosign send through Graph with OAuth2 instead.

Fallback between integrations

You can add as many integrations as you need so they serve as fallbacks for one another. For example, if you have two SMTP integrations, SMTP1 and SMTP2, and SMTP1 fails to respond, Cellosign automatically tries to send through SMTP2.

You can also enable the Use system wide SMTP fallback option (see the field tables below) so that Cellosign’s own SMTP service is used if your integration fails — making sure your emails still reach recipients. This works for both delivery modes.

Setting up SMTP

To add an SMTP integration:

  1. On the dashboard, click Integrations.
  2. Locate the SMTP integration pane.
  3. Click Add.
  4. Set Email Delivery Mode to SMTP.

Fill in the fields:

FieldWhat it’s for?
AliasA name to identify this integration.
SenderThe name that appears as the sender on the email. The sender can be formatted per RFC 5322 — for example: Your Company <email@company.com>.
Use system wide SMTP fallbackWhen turned on, if your SMTP fails to respond, Cellosign’s own SMTP is triggered so your emails still reach recipients.
HostThe host address (DNS name). You may use an IP address, but without TLS/SSL — those options require certificate validation, which cannot be performed against an IP.
PortThe port to connect on. Note: port 25 is not supported on Cellosign cloud installations.
SSLSwitch SSL on or off as required by your SMTP protocol. Use only when the host is a domain name, not an IP.
TLSSwitch TLS on or off as required by your SMTP protocol. Use only when the host is a domain name, not an IP.
AuthenticationSelect the authentication type: Simple or No Auth (see below).
UserThe username for authentication.
PasswordThe password for authentication.

Save the integration, then test it: enter an email address under Recipient and click Test.

Authentication types

  • Simple — uses the standard SMTP authentication protocol and requires a username and password.
  • No Auth — requires no authentication at all. This is not a recommended approach. If your SMTP relay has no other way to authenticate, make sure to whitelist the relevant Cellosign IP addresses.

Setting up Microsoft Graph sendMail (OAuth2)

In addition to classic SMTP, Cellosign can deliver email through the Microsoft Graph sendMail API. This option is intended for Microsoft 365 organizations whose IT policy blocks SMTP AUTH and requires applications to send email using OAuth2 App-Only (client credentials) authentication.

Why do I need this?

When this mode is selected, Cellosign does not connect to an SMTP server. Instead, it obtains an OAuth2 token from your Azure AD (Microsoft Entra ID) tenant and posts the email through Microsoft Graph on behalf of the sender mailbox you configure. All Cellosign email types are supported: invitations, reminders, result emails and failure notifications.

  1. Your Microsoft 365 tenant disables SMTP AUTH, so classic SMTP relay is not allowed by your organization.
  2. You want emails authenticated with modern OAuth2 credentials instead of a stored SMTP username and password.
  3. You want every send and token acquisition recorded in the Cellosign audit log.

Prerequisites in Azure

Before configuring the integration in Cellosign, your Azure administrator must prepare the following in your tenant:

  1. App registration in your Azure AD tenant, with a client secret.
  2. Application permissions Mail.Send and Mail.ReadWrite, with tenant admin consent granted. Mail.ReadWrite is required for sending emails with large attachments (see below).
  3. An Application Access Policy that scopes the application to the specific sender mailbox(es) only. This is a least-privilege measure that prevents the application from sending as arbitrary users in your organization.

The following Microsoft Graph calls are used by the integration, with the permission each one requires:

Graph callHTTPPermission
Send mailPOST /users/{sender}/sendMailMail.Send
Create draftPOST /users/{sender}/messagesMail.ReadWrite
Add inline attachmentPOST .../messages/{id}/attachmentsMail.ReadWrite
Create attachment upload sessionPOST .../attachments/createUploadSessionMail.ReadWrite
Upload attachment chunksPUT {uploadUrl}— (pre-authenticated URL, no token)
Send draftPOST .../messages/{id}/sendMail.Send (draft created via Mail.ReadWrite)
Delete draftDELETE .../messages/{id}Mail.ReadWrite

Step 1: Create a Microsoft Graph credential (Secrets integration)

The Azure credentials are stored as a Secrets integration in the same project:

  1. At the dashboard click integrations and locate the Secrets pane.
  2. Add a client secret integration of type Microsoft Graph (msgraph) with your tenant, client ID and client secret.
  3. Save and make sure the integration is active.

Step 2: Add the email integration

  1. At the dashboard click integrations.
  2. Locate the SMTP integration pane and click “Add”.
  3. Select the Microsoft Graph sendMail mode and fill in the fields below.
FieldWhat it’s for?
AliasProvide an alias for the integration.
SenderThe mailbox address emails are sent from. This must be a real mailbox in your tenant, and it must be included in the Application Access Policy configured in Azure.
System wide fallbackIf fallback is turned on, then in case the Microsoft Graph send fails, Cellosign SMTP is triggered to make sure your emails are posted. We strongly recommend turning this option on so email delivery continues even when the Microsoft integration is unavailable.
Azure AD Credential (msgraph)Select the active Microsoft Graph client-secret integration (from Step 1) that holds the tenant, client ID and client secret for this project.

Save the integration and test it by entering an email address under “Recipient” and clicking “Test”. The test verifies the configuration end-to-end: a token is acquired from your tenant and a test email is sent through Microsoft Graph.

Good to know

  • Large attachments: emails up to 15 MB are supported. Messages with large attachments are sent automatically using the Microsoft Graph draft and upload-session flow, which is why the Mail.ReadWrite permission is required.
  • Audit log: token acquisitions and the result of every send (success or failure) are written to the project audit log. Recipient addresses are masked in audit records.
  • Fallback behavior: when a Graph send fails and system wide fallback is enabled, the failure is recorded in the audit log before the fallback SMTP attempt, so failures are always visible even when the fallback succeeds.
  • Classic SMTP is unchanged: existing SMTP integrations continue to work exactly as before; this is an additional mode, not a replacement.

Troubleshooting

  • 401/403 from Microsoft Graph: verify the client secret is valid and not expired, that Mail.Send and Mail.ReadWrite application permissions were granted with admin consent, and that the Application Access Policy includes the configured sender mailbox.
  • Large emails fail while small ones succeed: the Mail.ReadWrite permission is most likely missing — it is required for the draft and upload-session flow used for large attachments.
  • Need to revert? Switch the project back to a classic SMTP integration (or deactivate the Graph integration); the SMTP path is unaffected and immediately usable.

Leave a Comment

Share this Doc

EMAIL

Or copy link

CONTENTS