Whitelisting in Microsoft 365

To ensure that phishing simulations and training campaigns are delivered to inboxes without being blocked or sent to junk, you need to whitelist our domains. This guide provides step-by-step instructions for organisations using Exchange Online Protection (EOP) and Microsoft Defender for Office 365.


In this Article:

Exchange Online Only (EOP) - Mail Flow Rule

Office 365 Defender

Plan 1: Mail Flow Rule

Plan 2: Safe Links & Anti Spam Policies

Test Campaign

Troubleshooting


Exchange Online Only (EOP) - Mail Flow Rule


If your organisation uses Exchange Online Protection (EOP) without Microsoft Defender, configure a Mail Flow Rule to bypass spam filtering:


  1. Log in to your O365 Exchange Admin Center.
  2. Select Mail Flow > Rules and Add a rule.
  3. Click Create a new rule.
  4. Name the rule (e.g. Phishing Simulator Whitelist).
  5. Under Apply this rule if..., choose The sender... > domain is... and add the following domains:
  6. Click Save.
  7. Under Do the following, choose Modify the message properties > Set the spam confidence level (SCL).
  8. In the pop-up, set the spam confidence level (SCL) to -1 and click Save.
  9. Click Next to proceed through the remaining steps, then Finish to apply the rule.
  10. Return to the Rules page and enable the rule (it is off by default).

*Allow up to 30 minutes for the changes to take effect.

Technical details can be found here: Whitelisting Technical Information.


Office 365 Defender


If you have Microsoft Defender for Office 365, you'll need to use more advanced methods to ensure your simulated emails bypass its protections.


  • If you use Plan 1, configure the Mail Flow Rule.
  • If you use Plan 2, configure the Safe Links and Anti-spam policies.
  • Don't configure both plans, as they can conflict.
  • Not sure which plan you have? Follow Plan 2. If Safe Links isn't available, you're on Plan 1.

Plan 1: Mail Flow Rule


This is a simpler but less comprehensive method for organisations with Defender for Office 365 Plan 1. It is a good fallback option if more advanced methods are not available. This method bypasses Safe Links but does not address other advanced protections.

  1. Access your O365 Exchange Admin Center.
  2. Select Mail Flow > Rules and Add a rule.
  3. Click Create a new rule.
  4. Name the rule (e.g. Phishing Simulator Link Bypass).
  5. Under Apply this rule if..., choose The sender... > domain is... and add:
  6. Click Save.
  7. Under Do the following..., choose Modify the message properties... > Set a message header.
  • Header name: X-MS-Exchange-Organization-SkipSafeLinksProcessing
  • Header value: 1
  8. Click Next.
  9. Leave all settings in Set rule settings as their default values.
  10. Review and click Finish to apply the rule.
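The same two mail flow rules (the EOP spam bypass above, and the Plan 1 Safe Links header rule) created with Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module is installed, and the sending domains are placeholders to be replaced with those listed in the Whitelisting Technical Information article. Create only the rule that matches your licensing, as described above.

```powershell
# Added example: create this article's mail flow rules with Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# PLACEHOLDER: replace with the sending domains from the Whitelisting Technical Information article.
$senderDomains = @('<sending-domain-1>', '<sending-domain-2>')

# EOP only (no Defender): bypass spam filtering by setting SCL -1 for mail from our domains.
# Created disabled, matching the admin center default, so it can be reviewed before enabling.
New-TransportRule -Name 'Phishing Simulator Whitelist' `
    -SenderDomainIs $senderDomains `
    -SetSCL -1 `
    -Enabled $false

# Defender for Office 365 Plan 1: stamp the header that tells Safe Links to skip the message.
New-TransportRule -Name 'Phishing Simulator Link Bypass' `
    -SenderDomainIs $senderDomains `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' `
    -SetHeaderValue '1'

# Enable the EOP rule once reviewed (it is off by default).
Enable-TransportRule -Identity 'Phishing Simulator Whitelist'

# Verify: the rule(s) you created should show State Enabled with the expected condition and action.
Get-TransportRule | Where-Object { $_.Name -like 'Phishing Simulator*' } |
    Format-List Name, State, Priority, SenderDomainIs, SetSCL, SetHeaderName, SetHeaderValue
```

Allow the same propagation time as for rules created in the portal before sending a test campaign.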


Plan 2: Safe Links & Anti Spam Policies


Step 1: Anti Spam Policy (Allow our Sending Domains)


This step ensures the emails aren't marked as spam.


  1. Navigate to the Microsoft 365 Defender Portal > Email & collaboration.
  2. Select Policies & Rules > Threat Policies > Anti-spam.
  3. Select the Anti-spam inbound policy (Default).
  4. Click Edit allowed and blocked senders and domains.
  5. Under Allowed domains, click Add domains and enter the following domains, pressing Enter after each:
  6. Click Save.


Step 2: Safe Links Policy


This step prevents links in your simulated emails from being rewritten or blocked.


  1. Navigate to the Microsoft 365 Defender Portal > Email & collaboration.
  2. Select Policies & Rules > Threat Policies > Safe Links.
  3. Click Create to add a new policy, or Edit policy to modify an existing one.

Note: If you already have Safe Links policies in place, keep in mind that only the policy with the highest priority will apply to users in scope.

  4. Name the policy (e.g. Phishing Simulator Safe Links Exclusions) and add a description. Click Next.
  5. Make sure the policy includes all employees in your organisation. If you already have a group that includes all employees, select the group. Otherwise, select your company's entire email domain associated with your users' email addresses (see example below). Once done, click Next.
  6. Under Action on Potentially Malicious URLs within Emails:

Enable: Safe Links (leave turned ON; this rewrites and checks links by default).

Disable:

  • Apply Safe Links to email messages sent within the organisation.
  • Apply real-time URL scanning for suspicious links and links that point to files.
  • Wait for URL scanning to complete before delivering the message.
  • Do not rewrite URLs; do checks via Safe Links API only.

  7. Under Click Protection Settings:

Enable:

  • Track user clicks.
  • Let users click through to the original URL.

  8. In the "Do not rewrite the following URLs" section, select the link "Manage 1 URLs".
  9. Click Add URLs and enter the following URL for our landing pages.

✅ app.goldphish.com/*

❌ https://app.goldphish.com

Note: Our domain must be added using the format [rootdomain]/*, so you need to enter app.goldphish.com/*

  10. Click Save.
  11. On the Notification page, select Use the default notification text.
  12. Review, then click Next > Submit > Done.

*Allow up to 1 hour for Safe Links changes to take effect.
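Both Plan 2 steps (the anti-spam allowed domains and the Safe Links policy with its toggles and URL exclusion) applied with Exchange Online PowerShell. This is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module and Defender for Office 365 Plan 2, and the sending domains and your company email domain are placeholders you must fill in.

```powershell
# Added example: apply this article's Plan 2 settings with Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and a Defender for Office 365 Plan 2 tenant.
Connect-ExchangeOnline

# PLACEHOLDERS: our sending domains (from the Whitelisting Technical Information article)
# and the email domain that covers all of your users.
$senderDomains   = @('<sending-domain-1>', '<sending-domain-2>')
$yourEmailDomain = '<your-company-domain>'

# Step 1: allow our sending domains in the default inbound anti-spam policy (Add, not overwrite).
Set-HostedContentFilterPolicy -Identity 'Default' -AllowedSenderDomains @{Add = $senderDomains}

# Step 2: Safe Links policy mirroring the portal toggles, with the landing page exclusion.
$safeLinks = @{
    Name                     = 'Phishing Simulator Safe Links Exclusions'
    EnableSafeLinksForEmail  = $true    # leave Safe Links ON: links are still rewritten and checked
    EnableForInternalSenders = $false   # "Apply Safe Links to email messages sent within the organisation"
    ScanUrls                 = $false   # "Apply real-time URL scanning for suspicious links..."
    DeliverMessageAfterScan  = $false   # "Wait for URL scanning to complete before delivering"
    DisableUrlRewrite        = $false   # "Do not rewrite URLs; do checks via Safe Links API only"
    TrackClicks              = $true    # "Track user clicks"
    AllowClickThrough        = $true    # "Let users click through to the original URL"
    DoNotRewriteUrls         = 'app.goldphish.com/*'   # [rootdomain]/* format; not https://...
}
New-SafeLinksPolicy @safeLinks

# Scope the policy to every user via your whole email domain. Priority 0 is the highest,
# so this policy wins over any existing Safe Links policy for users in scope.
New-SafeLinksRule -Name $safeLinks.Name `
    -SafeLinksPolicy $safeLinks.Name `
    -RecipientDomainIs $yourEmailDomain `
    -Priority 0

# Verify: the exclusion must appear in DoNotRewriteUrls and our domains in AllowedSenderDomains.
Get-SafeLinksPolicy -Identity $safeLinks.Name |
    Format-List Name, DoNotRewriteUrls, AllowClickThrough, TrackClicks
(Get-HostedContentFilterPolicy -Identity 'Default').AllowedSenderDomains
```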


Additional Notes for Third-Party Email Gateways

If your organisation uses services like Proofpoint, Mimecast, or Barracuda, be sure to follow their specific allowlisting documentation. Even with Microsoft 365 configured correctly, third-party filters may block our simulation emails.

For more info, visit our Third Party Whitelisting guides.


Test Campaign


After completing any of the above methods, send a test phishing campaign to a small group of users to confirm:

  • Emails are received in their inbox (not junk or quarantine).
  • User clicks on links are accurately tracked within the campaign dashboard.

Troubleshooting


  • Emails not received: Double-check that all domains are spelt correctly. Allow up to 60 minutes for changes to propagate.
  • Links blocked: Ensure your Safe Links includes the app.goldphish.com/* exclusion.
  • Emails ending up in Spam: Double-check that the domains are correctly added to your Anti-Spam policy.
  • False positives (100% opens/clicks): This often indicates automated security scanning from a third-party gateway (like Mimecast or Proofpoint). You'll need to whitelist our domains in that system as well.

Questions? Feel free to contact us at support@goldphish.com.
