Whitelisting in Microsoft 365

To ensure phishing simulations and training campaigns reach learners’ inboxes and aren’t blocked or sent to junk, you should whitelist our domains. This guide provides step-by-step instructions for organisations using Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
In this Article:
Exchange Online (EOP): Bypass Spam Filtering Rule
Advanced Delivery Policy (Defender)
Exchange Online (EOP): Bypass Spam Filtering Rule
All mail systems have spam filtering. The steps below disable all spam checks for our phishing simulation emails, so you won't see false positives such as emails reported as 100% clicked/opened even though learners didn't interact with them.
- Log in to your Mail Server Portal.
- Choose “Exchange message trace” in the left menu. The Exchange Admin Center opens in a new window.
- Under the Mail Flow dropdown menu, click Rules.
- Click +Add a rule. A pop-up window opens.

- Name the rule (e.g. Phishing Simulator Whitelist).
- Under Apply this rule if..., choose The sender... > domain is.... and add the following domains:
- Click Save.

- Under Do the following, choose Modify the message properties > Set the spam confidence level (SCL) and select Bypass Spam Filtering, which will set the value of SCL to -1.
- Click on the Next button.
- Leave the Set Rule settings as is, proceed to the Review and Finish window and Save the rule.
- Return to the Rules page, enable the rule (it is off by default) and make sure its priority is set to 0.
*Allow up to 60 minutes for the changes to take effect.

Technical details can be found here: Whitelisting Technical Information.
Office 365 Defender
Microsoft Defender for Office 365 includes advanced security features like Safe Links, Safe Attachments, and URL scanning. These protections can sometimes block or rewrite parts of our phishing simulations, including learning pages, tracking links, or landing pages, which may cause false positives or prevent campaigns from tracking correctly.
Complete all Defender whitelisting steps below (Safe Links, Anti-Spam, and Advanced Delivery Policy) depending on your plan to ensure simulation emails and learning pages will be delivered safely and fully functional.
- Plan 1: Configure the Mail Flow Rule (Bypass Safe Links).
- Plan 2: Configure Safe Links and Anti-spam policies.
Note: Don’t configure both plans, as they can conflict. Unsure which plan applies? Follow Plan 2. If Safe Links options aren’t available, your organisation is on Plan 1.
Plan 1: Mail Flow Rule (Bypass Safe Links)
To configure the mail flow rule to bypass ATP link processing by header:
- Log in to your Email Server Portal
- Select Mail Flow > Rules and Add a rule.
- Click Create a new rule.

- Name the rule (e.g. Phishing Simulator Link Bypass).
- Under Apply this rule if..., choose The sender... > domain is.... and Add:
- Click Save.
- Under Do the following… choose Modify the message properties… > Set a message header.
- Insert below into the "Enter text" fields:
- Click the first *Enter text... link and set the message header to X-MS-Exchange-Organization-SkipSafeLinksProcessing
- Click the second *Enter text... link and set the value to 1
- Click Next.
- Leave all settings in Set rule settings as their default values.
- Review and click Finish to apply the rule.
*Allow up to 1 hour for the changes to take effect.
After completing Plan 1, proceed to set up the Advanced Delivery Policy (Defender).

Plan 2: Safe Links & Anti-Spam Policies
Step 1: Anti-Spam Policy (Allow our Sending Domains)
- Log in to your Email Server Portal with an administrator account, then select Security.
- Under Policies & Rules
- Select Threat Policies
- Select Anti-spam


- Select the Anti-spam inbound policy (Default).
- Click Edit allowed and blocked senders and domains.

- Under Allowed domains, click Add Domains, pressing enter after each:
- Click Save.
*Allow up to 1 hour for the changes to take effect.
Step 2: Safe Links Policy (Allow our Landing Pages)
By default, Microsoft Defender blocks certain elements, including our learning pages. To prevent that, our domains must be added to a policy in Microsoft Defender for Microsoft 365. Doing so only takes a few minutes, and we have prepared a step-by-step guide to make things easy for you.
- Log in to your Email Server Portal with an administrator account, then select Security.
- Select Policies & Rules, followed by Threat Policies. On this page, select Safe Links.
- Click Create to add a new policy, or Edit policy to modify an existing one.

Note: If you already have Safe Links policies in place, keep in mind that only the policy with the highest priority will apply to users in scope.
- Give the policy a name and description (e.g., Phishing Simulator Safe Links Exclusions) so you can identify it if you need to make changes in future. Select Next to continue to the Users and domains step.
- Add your organisation’s domain(s) in the input box titled Domains. Select Next to continue to the URL & click protection settings step.
- Under Action on Potentially Malicious URLs within Emails:
Enable: Safe Links (leave turned ON - this rewrites and checks links by default).
Disable:
- Apply Safe Links to email messages sent within the organisation.
- Apply real-time URL scanning for suspicious links and links that point to files
- Wait for URL scanning to complete before delivering the message.
- Do not rewrite URLs; do checks via Safe Links API only.
- Under Click Protection Settings:
Enable:
- Track user clicks
- Let users click through to the original URL.

- In the "Do not rewrite the following URLs" section > select the link "Manage 1 URLs". A new dialog will open.
- Select Add URLs and enter the following URL for our landing pages.
❌ app.goldphish.com/ (excluding the /* will not work).


- Click Save.
Note: Our domain must be added using the format [rootdomain]/*, so you need to enter app.goldphish.com/*
- On the Notification page > select Use the default notification text.

- Review, click Next > Submit > Done.
*Allow up to 1 hour for Safe Links changes to take effect.
After completing Plan 2, proceed to set up the Advanced Delivery Policy (Defender).
Advanced Delivery Policy (Defender)
- Log in to your Email Server Portal with an administrator account and select Security.
- Select Policies & Rules, and then Threat policies.
- Under Rules, select Advanced delivery.
- Select the tab called Phishing simulation and then select Edit.
- A new window titled Edit third-party phishing simulations will open.
- In the corresponding fields, enter our Domains and IPs.
👉🏼You can find our Domains and IPs in the Whitelisting Technical Information guide.

*Allow up to 1-24 hours for changes to take effect.
Test Campaign
To confirm everything is configured correctly (including whitelisting and Phish Reporter), we strongly recommend running a small test.
- Run a Test Campaign
- Target just two or three users internally.
- User Action
Ask these users to:
- Confirm delivery of the email
- Open the email
- Click the embedded link
- Report the email using their Report Phishing button or by forwarding it to your reporting mailbox (depending on your setup)
- Confirm the Results
- View the campaign report to ensure all actions - delivery, click, and report - are correctly logged.
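One way to check a delivered test message directly, as an added example that is not part of the vendor's guide: save the message source from a test mailbox and confirm that the SCL -1 bypass and the Safe Links exclusion actually applied. The `X-Forefront-Antispam-Report` header and the `safelinks.protection.outlook.com` rewrite host are Microsoft 365 conventions not stated on this page, the function name is hypothetical, and it is assumed the Plan 1 header is still visible on the delivered copy.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

SKIP_HEADER = "X-MS-Exchange-Organization-SkipSafeLinksProcessing"  # header set in Plan 1
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"  # host of Safe Links-rewritten URLs
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def check_delivery(raw_message, landing_host="app.goldphish.com"):
    """Summarise whether the bypass settings took effect on one delivered message."""
    msg = message_from_string(raw_message)
    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:VALUE fields.
    report = {}
    for field in (msg.get("X-Forefront-Antispam-Report") or "").split(";"):
        key, sep, value = field.strip().partition(":")
        if sep:
            report[key.upper()] = value.strip()
    # Decode every leaf part so quoted-printable/base64 bodies are searched too.
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    text = b"\n".join(parts).decode("utf-8", "replace")
    hosts = [(urlparse(u).hostname or "") for u in URL_RE.findall(text)]
    return {
        "scl": report.get("SCL"),
        "spam_bypassed": report.get("SCL") == "-1",
        "skip_safelinks_header": (msg.get(SKIP_HEADER) or "").strip() == "1",
        "rewritten_links": sum(h.endswith(SAFELINKS_SUFFIX) for h in hosts),
        "landing_links": sum(h == landing_host for h in hosts),
    }

# Constructed sample messages (not real traffic); addresses and tokens are placeholders.
DELIVERED_OK = """\
From: training@simulator.example
X-Forefront-Antispam-Report: CIP:192.0.2.10;LANG:en;SCL:-1;SFV:SKN;
X-MS-Exchange-Organization-SkipSafeLinksProcessing: 1
Content-Type: text/plain; charset=utf-8

Review the notice: https://app.goldphish.com/l/constructed-token
"""
DELIVERED_FILTERED = """\
From: training@simulator.example
X-Forefront-Antispam-Report: CIP:192.0.2.10;LANG:en;SCL:5;SFV:SPM;
Content-Type: text/plain; charset=utf-8

Review the notice: https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapp.goldphish.com%2Fl%2Fconstructed-token&data=constructed
"""

if __name__ == "__main__":
    for name, raw in (("ok", DELIVERED_OK), ("filtered", DELIVERED_FILTERED)):
        print(name, check_delivery(raw))
```

A non-zero `rewritten_links` count or an SCL other than -1 on a test message points to a rule that is disabled, has not propagated yet, or is outranked by another policy.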
Need more information? See our
Troubleshooting
Troubleshooting / Diagnosis Tips
If test emails are not getting through, use these scenarios to diagnose the issue:
| Scenario | Diagnosis / Likely Cause |
| --- | --- |
| Email is sent to an external domain (e.g., a personal Gmail account) and it arrives, but fails to reach your internal company domain. | The issue is localised to your company's email security environment. Your internal mail server, gateway, or another security layer is blocking the message. Review the Sender/Mailer Domain, IP Whitelisting and bypass rules. |
| Email is sent to several people in your company; some users receive it, and some do not. | The issue is localised and inconsistent. This is often caused by user-specific rules (e.g., the email went to a user's spam/junk folder) or it indicates multiple internal filtering layers, inconsistent or partially applied whitelisting or group-based filtering policies. |
Platform Specific Whitelisting Guides
For step-by-step instructions, see guides below:
Whitelisting Assistance
If emails still fail to deliver after following our guides, contact your service provider and share this message:
“Our organisation is using a security awareness platform that sends simulated phishing and training emails. We need to ensure all platform emails are successfully delivered. Could you help us whitelist the Security Awareness Platform domains and IPs listed in the attached technical document?”
If you need a hand, reach out to our Support Team via email at support@goldphish.com.🚀🛠️