Whitelisting in Microsoft 365
To ensure phishing simulations and training campaigns reach learners’ inboxes and aren’t blocked or sent to junk, you should whitelist our domains. This guide provides step-by-step instructions for organisations using Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
In this Article:
Exchange Online (EOP): Bypass Spam Filtering Rule
Advanced Delivery Policy (Defender)
Exchange Online (EOP): Bypass Spam Filtering Rule
All mail systems have spam filtering. The steps below outline how to disable all spam checks for our phishing simulation emails, so you won't see false positives where 100% of emails are reported as clicked/opened even though learners did not interact with them.
- Log in to your O365 Exchange Admin Center.
- Select Mail Flow > Rules and Add a rule.
- Click Create a new rule.
- Name the rule (e.g. Phishing Simulator Whitelist).
- Under Apply this rule if..., choose The sender... > domain is... and add the following domains:
- Click Save.
- Under Do the following, choose Modify the message properties > Set the spam confidence level (SCL) and select Bypass Spam Filtering, which will set the value of SCL to -1.
- Click on the Next button.
- Leave the Set Rule settings as is, proceed to the Review and Finish window and Save the rule.
- Return to the Rules page and enable the rule (it is off by default); its priority is set to 0.
*Allow up to 60 minutes for the changes to take effect.
Technical details can be found here: Whitelisting Technical Information.
Office 365 Defender
Microsoft Defender for Office 365 includes advanced security features like Safe Links, Safe Attachments, and URL scanning. These protections can sometimes block or rewrite parts of our phishing simulations, including learning pages, tracking links, or landing pages, which may cause false positives or prevent campaigns from tracking correctly.
Complete all Defender whitelisting steps below that apply to your plan (Safe Links, Anti-Spam, and Advanced Delivery Policy) so that simulation emails and learning pages are delivered safely and remain fully functional.
- Plan 1: Configure the Mail Flow Rule (Bypass Safe Links).
- Plan 2: Configure Safe Links and Anti-spam policies.
Note: Don’t configure both plans, as they can conflict. Unsure which plan applies? Follow Plan 2. If Safe Links options aren’t available, your organisation is on Plan 1.
Plan 1: Mail Flow Rule (Bypass Safe Links)
To configure the mail flow rule to bypass ATP link processing by header:
- Access your O365 Exchange Admin Center.
- Select Mail Flow > Rules and Add a rule.
- Click Create a new rule.
- Name the rule (e.g. Phishing Simulator Link Bypass).
- Under Apply this rule if..., choose The sender... > domain is... and Add:
- Click Save.
- Under Do the following… choose Modify the message properties… > Set a message header.
- Insert below into the "Enter text" fields:
- Click the first *Enter text... link and set the message header to X-MS-Exchange-Organization-SkipSafeLinksProcessing
- Click the second *Enter text... link and set the value to 1
- Click Next.
- Leave all settings in Set rule settings as their default values.
- Review and click Finish to apply the rule.
*Allow up to 1 hour for the changes to take effect.
After completing Plan 1, proceed to set up the Advanced Delivery Policy (Defender).
Plan 2: Safe Links & Anti Spam Policies
Step 1: Anti Spam Policy (Allow our Sending Domains)
- Navigate to the Microsoft 365 Defender Portal > go to Email & collaboration
- Under Policies & Rules
- Select Threat Policies
- Select Anti-spam
- Select the Anti-spam inbound policy (Default).
- Click Edit allowed and blocked senders and domains.
- Under Allowed domains, click Add Domains, pressing enter after each:
- Click Save.
*Allow up to 1 hour for the changes to take effect.
Step 2: Safe Links Policy (Allow our Landing Pages)
By default, Microsoft Defender blocks certain elements, including our learning pages. To prevent that, certain domains used by SoSafe must be added to a policy in Microsoft Defender for Microsoft 365. Doing so only takes a few minutes, and we have prepared a step-by-step guide to make things easy for you.
- Navigate to the Microsoft 365 Defender Portal > go to Email & collaboration
- Select Policies & Rules > Threat Policies > select Safe Links.
- Click Create to add a new policy, or Edit policy to modify an existing one.
Note: If you already have Safe Links policies in place, keep in mind that only the policy with the highest priority will apply to users in scope.
- Name the policy (e.g., Phishing Simulator Safe Links Exclusions) and add a description. Click Next.
- Make sure the policy includes all employees in your organisation. If you already have a group that includes all employees, select the group. Otherwise, select your company’s entire email domain associated with your users' email addresses (see example below). Once done, click Next.
- Under Action on Potentially Malicious URLs within Emails:
Enable: Safe Links (leave turned ON - this rewrites and checks links by default).
Disable:
- Apply Safe Links to email messages sent within the organisation.
- Apply real-time URL scanning for suspicious links and links that point to files
- Wait for URL scanning to complete before delivering the message.
- Do not rewrite URLs; do checks via Safe Links API only.
- Under Click Protection Settings:
Enable:
- Track user clicks
- Let users click through to the original URL.
- In the "Do not rewrite the following URLs" section > select the link "Manage 1 URLs"
- Click to Add URLs and enter the following URL for our landing pages.
✅ app.goldphish.com/*
❌ https://app.goldphish.com
Note: Our domain must be added using the format [rootdomain]/*, so you need to enter app.goldphish.com/*
- Click Save.
- On the Notification page > select Use the default notification text.
- Review, click Next > Submit > Done.
*Allow up to 1 hour for Safe Links changes to take effect.
After completing Plan 2, proceed to set up the Advanced Delivery Policy (Defender).
Advanced Delivery Policy (Defender)
- In the Microsoft 365 Defender portal > select Security > Policies & Rules > Threat policies.
- Under Rules, select Advanced delivery.
- Select the tab called Phishing simulation and then select Edit.
- A new window titled Edit third-party phishing simulations will open.
In the corresponding fields, enter:
- Our sending domains.
- Our IP Addresses.
- 161.38.204.226
- 141.193.32.11
- 77.68.84.212
- Simulation URLs to allow
- Click Save to finish the process.
*Allow up to 1–24 hours for changes to take effect.
Tip: If you have issues adding IPs, try a different browser (Edge or Firefox) or clear your browser cache.
👉🏼You can find our Domains and IPs in our Whitelisting Technical Information guide.
Test Campaign
Before running a full campaign, ensure all whitelisting is complete.
Third-Party Email Security Services
- If your organisation uses services like Proofpoint, Mimecast, Barracuda, or others, whitelist our domains and IPs.
- Third-party services may block, scan, or simulate clicks on emails.
Endpoint Detection & Antivirus
- Ensure EDR solutions (Carbon Black, SentinelOne, etc.) and antivirus software (ESET, TrendMicro, etc.) allow our domains and IPs.
Refer to our Third-Party Whitelisting guides for help.
Test
- Send a small test campaign to 2–3 users to verify:
- Emails reach inboxes
- Clicks and opens are accurately tracked in the dashboard
Troubleshooting
Emails not received: Run a Message Trace to see if rules or policies are blocking or redirecting emails.
- Check the email status: delivered, filtered as spam, quarantined, or failed.
- Identify which rule or policy acted on the email (anti-spam, anti-phishing, or Safe Links).
Emails land in junk despite whitelisting: Review the email message headers for more details.
- Instructions for viewing headers in O365 are available in the support portal.
External/Banner Messages: Some organisations have a policy that flags emails from outside the company with a banner (e.g., “This email did not originate within xxx”).
- Double-check that our domains are added in both Mail Flow rules and Microsoft Defender policies.
- Confirm that the Advanced Delivery Policy (Phishing simulation) includes: Domains: mail.goldphish.com, mail.emailsupport.me
- Once these steps are applied correctly, simulation emails will arrive in inboxes without the external warning.
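The header review described under Troubleshooting can be scripted. The following is an added example, not GoldPhish or Microsoft code: it reads the X-Forefront-Antispam-Report header that Exchange Online Protection stamps on delivered mail and reports whether the SCL -1 bypass was applied, and whether the connecting IP (CIP) is one of the sending IPs listed on this page. The sample messages and the sender address are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Values stated on this page: sending IPs and the domains listed under Troubleshooting.
VENDOR_IPS = {"161.38.204.226", "141.193.32.11", "77.68.84.212"}
VENDOR_DOMAINS = {"mail.goldphish.com", "mail.emailsupport.me"}
# SFV verdicts EOP stamps when filtering was skipped: SKN = marked non-spam before
# filtering (e.g. SCL -1 set by a mail flow rule), SKA = allowed sender/domain list.
SKIP_VERDICTS = {"SKN", "SKA"}

def antispam_fields(msg):
    """Parse 'CIP:1.2.3.4;SCL:-1;SFV:SKN;' into {'CIP': '1.2.3.4', ...}."""
    raw = msg.get("X-Forefront-Antispam-Report", "")
    fields = {}
    for part in "".join(raw.splitlines()).split(";"):
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.upper()] = value.strip()
    return fields

def triage(raw_message):
    """Classify one delivered message from its headers."""
    msg = email.message_from_string(raw_message)
    fields = antispam_fields(msg)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in VENDOR_DOMAINS:
        return "not-a-simulation-sender"
    bypassed = fields.get("SCL") == "-1" or fields.get("SFV") in SKIP_VERDICTS
    if not bypassed:
        return "rule-not-applied"           # message was still scored by spam filtering
    if fields.get("CIP", "").strip("[]") not in VENDOR_IPS:
        return "bypassed-from-unlisted-ip"  # domain matched, connecting IP did not
    return "ok"

def sample(from_addr, report):
    """Build a constructed message around one antispam report value."""
    return (f"From: Training <{from_addr}>\nSubject: constructed sample\n"
            f"X-Forefront-Antispam-Report: {report}\n\nbody\n")

# Constructed samples (not captured mail); the first uses a folded header line.
SAMPLES = {
    "ok": sample("it@mail.goldphish.com", "CIP:161.38.204.226;CTRY:GB;\n SCL:-1;SFV:SKN;"),
    "rule-not-applied": sample("it@mail.goldphish.com", "CIP:141.193.32.11;SCL:5;SFV:SPM;"),
    "bypassed-from-unlisted-ip": sample("it@mail.emailsupport.me", "CIP:203.0.113.9;SCL:-1;SFV:SKN;"),
}

if __name__ == "__main__":
    for expected, raw in SAMPLES.items():
        print(expected, "->", triage(raw))
```

A `bypassed-from-unlisted-ip` result means spam filtering was skipped on a sender-domain match alone, for a message that did not come from the listed IPs; such messages are worth reviewing in Message Trace.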
Questions? Feel free to contact us at support@goldphish.com.