ExSign Integration: Google Workspace OAuth Application Setup (Full Scope / Larger Scope Deployment)

ExSign Email Signatures for Microsoft Exchange Server
Overview
This article provides a complete step-by-step guide to configure a Google Cloud OAuth application and required Google Workspace settings for ExSign integration. It includes OAuth setup, required scopes, credential creation, and Gmail routing (SMTP relay, host, and compliance rules).
1. Create New Project in Google Cloud
  1. Open Google Cloud Console:
     https://console.cloud.google.com/
  1. Sign in using a Google Workspace Admin account
  2. From the top menu, click Select Project
  3. Click New Project
  4. Enter a project name
  5. Click Create

2. Configure OAuth Consent Screen
  1. Open Navigation Menu (☰)

  1. Go to:
     APIs & Services → OAuth Consent Screen
  1. Click Get Started
  1. Fill in the required App Information
    • App Name
    • User Support Email
    • Developer Contact Email

  1. Click Next
  2. Select User Type: External (for organization-wide usage)
  1. Click Next
  2. Enter Contact Information
  3. Click Finish to complete the OAuth consent screen setup
3. Create OAuth Client Credentials
  1. Go to:
     APIs & Services → Credentials
  2. Click Create Credentials → Create OAuth Client 
  1. Select: 
    • Application Type: Web Application
  1. Configure: 
  1. Click Create
  2. Save the following securely: 
    • Client ID
858165626979-***************
    • Client Secret
******************VAbt
 


⚠️ These credentials are required for application authentication and must not be shared publicly.
 

Then navigate to APIs & Services and click on Enabled APIs & Services.

 
 
Next, click on Enable APIs and Services.

 
 
Search for Admin SDK API, then select it and click Enable.

 
 
 

4. Configure OAuth Scopes (Data Access)
Go to:
 OAuth Consent Screen → Data Access
This section defines what Google Workspace data the application is allowed to access.
 
4.1 Your Non-Sensitive Scopes
Non-sensitive scopes are automatically managed by Google and are considered low-risk permissions.
  • These scopes do not usually require manual approval.
  • They provide basic access for standard application functionality.
  • Review them to ensure they match expected application behavior.
👉 No manual configuration is required in most cases for this section.
 
4.2 Your Sensitive Scopes
Sensitive scopes must be added manually and require admin approval.

Add the following scopes:
 


4.3 Important Notes
  • Sensitive scopes require Google Workspace Admin consent
  • These permissions allow read-only access to directory data
  • Any missing scope may result in authentication or API permission errors
  • Ensure the OAuth app is properly authorized before production use

5. Configure Gmail Settings (Google Admin Console)
5.1 Open Gmail Settings
  1. Go to:
     https://admin.google.com/
  1. Navigate to:
     Apps → Google Workspace → Gmail
 
 

 
 
 
6. Configure Mail Routing (Host Setup)
6.1 Add New Route
  1. Go to Hosts
  1. Click Add Route


  1. Configure the following: 
    • Name: ExSign Smart Host
    • Host Type: Single Host
    • Port: 25
 
  1. Enable: 
    • ✔ Require mail to be transmitted via secure TLS connection
  1. Save the configuration
7. Configure SMTP Relay Service
  1. Navigate to:
     Gmail → Routing → SMTP Relay Service
 
 
 


  1. Click Add Another Rule



  2. Configure: 
    • Rule Name: SMTP Relay Service Rule
    • Allowed IP Addresses: Add server IP(s)
    • Encryption: TLS required
  1. Save the rule
8. Configure Content Compliance Rules
8.1 Open Compliance Settings
Navigate to:
 Gmail → Compliance → Content Compliance

 

Click Add Rule
 

8.2 Rule Configuration
Set the following:
  • Rule Name: ExSign Content Compliance Rule
  • Scope: 
    • ✔ Outbound
    • ✔ Internal Sending
  • Condition: 
    • Apply rule if ALL conditions match the message

8.3 Add Expressions (Filters)
Expression 1
  • Location: Envelope Sender
  • Match Type: NOT contains text
  • Content : google.com
Expression 2
Expression 3
  • Location: Full Headers
  • Match Type: NOT contains text
  • Value: X-ExSignProcessed
8.4 Action Settings
If conditions match:
  • ✔ Change Route
  • ✔ Require secure transport (TLS)


Route Selection:
Select:
  • ExSign Smart Host (created earlier)



8.5 Apply to Groups
Select the Groups for which email routing should be applied.

9. Final Step
Click Save to apply all configurations.

Notes
  • Ensure OAuth consent screen is properly configured before creating credentials
  • SMTP relay IP must be whitelisted in Google Workspace
  • TLS encryption is mandatory for secure mail flow
  • Apply routing only to required groups to avoid full domain impact
  • Always perform testing before production rollout
 
For any further query, feel free to send an email to support@hostingcontroller.com.
Article ID: 3501, , Modified: 6/3/2026 at 4:52 AM

Was this article helpful?

Share this article