Whitelisting Basics

This guide is intended for administrators who need to understand why whitelisting is essential and the core concepts behind it, to ensure accurate reporting and uninterrupted delivery of simulated phishing tests and training content.


Why Whitelisting is Necessary


Do I really need to whitelist?


YES, YOU DO!


Our simulated phishing emails are intentionally crafted to mimic real-world attacks. Because of this, mail security systems cannot reliably distinguish between an actual attack and one of our simulations.


Without whitelisting:

  • Emails may be delivered inconsistently
  • Some messages may be blocked silently
  • Others may land in Junk/Spam
  • Results become unreliable and misleading

Whitelisting ensures:

  • Accuracy - Prevents inconsistent delivery and guarantees reliable tracking
  • Integrity - Ensures your security awareness metrics reflect human behaviour, not security software interference

What is Email Whitelisting?


Email whitelisting (also known as safelisting or allowlisting) is the process of approving trusted senders in your email security systems.


Whitelisting can be configured by:

  • Domain (Recommended)
  • IP address
  • Hostname
  • Email header values
  • Return-Path / Mailer From domains

Note: We recommend domain-based whitelisting as the primary method, especially if you use a cloud-based spam filter such as Microsoft 365, Google Workspace, Mimecast, Barracuda, etc.

All technical whitelisting information (domains, IPs, etc.) is available here:

➡️ Whitelisting Technical Information.


Whitelisting Web Content (Gateway/Firewall/Proxy)


Your gateway, firewall, or proxy may block content required for:

  • Training videos
  • Landing page functionality
  • Cookies
  • Images
  • JavaScript

To ensure learners can view training content and complete landing pages successfully, whitelist:


*This prevents filtering tools from stripping or blocking required web elements.


Whitelisting Best Practices and Testing


Before launching a full baseline test:

  1. Send a small campaign to 1–2 admin users.
  2. Confirm delivery, click tracking, and landing page access.
  3. Once verified, delete or hide the test campaign to avoid affecting organisational reporting.
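One way to carry out step 2 when Microsoft 365 is the mail filter, as an added example that is not part of the platform's own tooling: the script reads a pilot message saved from an admin mailbox and reports whether the whitelisting rule actually bypassed spam filtering. The domain example.test, the sample headers and the function names are constructed placeholders; the X-Forefront-Antispam-Report header and its SCL/SFV fields are the ones Microsoft 365 stamps on delivered mail.

```python
from email import message_from_string
from email.utils import parseaddr

# Placeholder: replace with the sending domains from your vendor's technical document.
ALLOWLISTED_DOMAINS = {"example.test"}

def parse_antispam_report(value):
    """Turn 'SCL:-1;SFV:SKN;...' into {'SCL': '-1', 'SFV': 'SKN', ...}."""
    fields = {}
    for part in (value or "").split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields

def check_pilot_message(raw_eml, allowlisted=ALLOWLISTED_DOMAINS):
    msg = message_from_string(raw_eml)
    # Return-Path holds the envelope sender (the "Mailer From" domain).
    _, addr = parseaddr(msg.get("Return-Path", ""))
    domain = addr.rpartition("@")[2].lower()
    listed = any(domain == d or domain.endswith("." + d) for d in allowlisted)
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report"))
    scl = int(report["SCL"]) if report.get("SCL", "").lstrip("-").isdigit() else None
    if not listed:
        verdict = "sender domain is not in the allowlist"
    elif scl is None:
        verdict = "no spam-filter verdict header found"
    elif scl == -1:  # SCL -1 means spam filtering was skipped for this message
        verdict = "bypass applied"
    elif scl >= 5:   # SCL 5 and above is treated as spam
        verdict = "treated as spam; allowlist rule did not match"
    else:
        verdict = "delivered but still scanned; allowlist rule did not match"
    return {"return_path_domain": domain, "scl": scl,
            "sfv": report.get("SFV"), "verdict": verdict}

def _sample(report):
    # Constructed headers for illustration, not captured from a real campaign.
    return ("Return-Path: <bounce@mail.example.test>\n"
            "From: IT Helpdesk <helpdesk@example.test>\n"
            "To: admin@yourcompany.example\n"
            "Subject: Password expiry notice\n"
            f"X-Forefront-Antispam-Report: {report}\n\nConstructed test body.\n")

BYPASSED = _sample("CIP:203.0.113.10;CTRY:;LANG:en;SCL:-1;SFV:SKN;H:mail.example.test;")
JUNKED = _sample("CIP:203.0.113.10;CTRY:;LANG:en;SCL:5;SFV:SPM;H:mail.example.test;")

if __name__ == "__main__":
    for name, raw in (("bypassed", BYPASSED), ("junked", JUNKED)):
        print(name, check_pilot_message(raw))
```

Run it against the saved .eml of each pilot recipient; a verdict other than "bypass applied" on any of them points to a rule that is missing or only partially applied.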

Routine Maintenance


Review whitelisting rules quarterly to ensure they haven’t been overwritten by:

  • Policy changes
  • System updates
  • Server migrations
  • Security software updates

Troubleshooting / Diagnosis Tips


If test emails are not getting through, use these scenarios to diagnose the issue:

Scenario: Email is sent to an external domain (e.g., a personal Gmail account) and it arrives, but fails to reach your internal company domain.

Diagnosis / Likely Cause: The issue is localised to your company's email security environment. Your internal mail server, gateway, or another security layer is blocking the message. Review the Sender/Mailer Domain, IP Whitelisting and bypass rules.


Scenario: Email is sent to several people in your company; some users receive it, and some do not.

Diagnosis / Likely Cause: The issue is localised and inconsistent. This is often caused by user-specific rules (e.g., the email went to a user's spam/junk folder) or it indicates multiple internal filtering layers, inconsistent or partially applied whitelisting or group-based filtering policies.


Platform Specific Whitelisting Guides

For step-by-step instructions, see the guides below:


Whitelisting Assistance


If emails still fail to deliver after following our guides, contact your service provider and share this message:


“Our organisation is using a security awareness platform that sends simulated phishing and training emails. We need to ensure all platform emails are successfully delivered. Could you help us whitelist the Security Awareness Platform domains and IPs listed in the attached technical document?”


If you need a hand, reach out to our Support Team via email at support@goldphish.com.🚀🛠️
