Whitelisting Basics
When you send simulated phishing, there is (luckily) a risk that your spam filter will block the emails before they reach your colleagues. By whitelisting our mail servers as a sender, you can ensure that all users receive simulated phishing as intended.
This guide is intended for administrators to allow simulated phishing and training from our Security Awareness Platform.
You will need to complete at least one, and possibly several, of the guides mentioned on this page to guarantee delivery of simulated phishing.
What Is An Internet Gateway/Firewall/Proxy Whitelist?
Some companies use an internet gateway/firewall/proxy to filter the internet traffic users receive in their browsers, before it reaches the user's computer. These filters block either complete websites (e.g. Facebook.com) or parts of websites, such as JavaScript or cookies, from reaching the browser. You will need to whitelist our Platform as an allowed website so that no content gets blocked (e.g. authentication cookies, training videos, or images). Various services do this kind of filtering, so ask the IT professional in your company whether you are using one and, if you are, to whitelist our platform on that client.
Domain to whitelist: app.goldphish.com
What Is An Email Whitelist?
An email whitelist (or 'safelist'/'allowlist') is a list of approved or 'safe' senders specified by you in your security systems. They are usually denoted by IP address, domain, hostname, or email header. Whitelisting is an important step in ensuring deliverability before launching training campaigns or using the phishing simulator.
Do I Really Need To Whitelist?
YES, YOU DO! The reason for this is that our simulated phishing emails are exactly that! Our templates are designed to look and feel like the real thing, with the exception of not carrying any malicious code. However, perimeter protection systems and email security software cannot know (and luckily won't try to guess) whether a detected suspicious phishing email is real or simulated.
As such, you need to tell your mail environment to allow our emails through (in a process known as whitelisting).
If you do not whitelist our servers in your mail environment, there is no accurate way to know if all emails within a test are actually reaching their destination. Some may end up in junk, some in spam folders, and others may be blocked completely - so your campaign test data would not be very reliable.
It is essential to whitelist our mail servers in order to have accurate data throughout the lifecycle of security awareness training.
Which Method Is Right For Me?
We recommend whitelisting our domains (see below) as the primary method. If you are using a cloud-based spam filter, you need to whitelist by domain in your spam filter.
Our whitelisting technical information can be found here: Whitelisting Technical Information.
Whitelisting Best Practices
PRO TIP: Conduct a preliminary test campaign before you launch your first training campaign or baseline phishing test.
We recommend that you run at least one campaign that is limited in scope to only one or two administrative users who can confirm receipt and tracking of clicks on phishing links. This should be done before the baseline test and will confirm that our system onboarding emails or simulated phishing emails are getting through any spam/firewall protection.
As soon as you are done with your preliminary test, you should delete or hide the campaign so that it will not interfere with your reports or risk score.
For diagnostic purposes, if emails are not getting through, send the test email to another location, to a person on a different domain, and to another person on the same domain. If the mail reaches a different domain but no one on one specific domain, the cause has to be that domain's mail servers. If it reaches some people but not others, it can't be a portal problem. If it reaches one person within a domain but not another, it could be in the spam folder, it could be a user problem, or their system may have some kind of multi-tiered distribution system with different levels of security.
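The diagnosis rules above can be applied mechanically to the results of a preliminary test send. The following Python sketch is an added example, not part of the platform or its guides; the function name `triage`, the sample addresses, and the "inconclusive" outcome for the case the rules do not cover are assumptions.

```python
from collections import defaultdict

# Constructed sample: (recipient, received_in_inbox) from a preliminary test send.
SAMPLE_RESULTS = [
    ("admin1@example.com", True),
    ("admin2@example.com", False),
    ("tester@example.org", False),
    ("second@example.org", False),
    ("outside@example.net", True),
]


def triage(results):
    """Return (platform_ruled_out, {domain: finding}) using the rules above."""
    by_domain = defaultdict(list)
    for recipient, received in results:
        domain = recipient.rsplit("@", 1)[-1].lower()
        by_domain[domain].append(received)

    # Some recipients got the mail, so it can't be a portal problem.
    platform_ruled_out = any(received for _, received in results)

    findings = {}
    for domain, flags in by_domain.items():
        if all(flags):
            findings[domain] = "delivered"
        elif any(flags):
            # One person on the domain got it, another did not.
            findings[domain] = "check spam folder, user mailbox, or tiered filtering"
        elif platform_ruled_out:
            # Other domains received it, nobody on this one did.
            findings[domain] = "blocked by this domain's mail servers"
        else:
            # Assumption: nothing arrived anywhere, which the rules do not cover.
            findings[domain] = "inconclusive"
    return platform_ruled_out, findings


if __name__ == "__main__":
    ruled_out, per_domain = triage(SAMPLE_RESULTS)
    print("Platform ruled out:", ruled_out)
    for name, finding in sorted(per_domain.items()):
        print(f"{name}: {finding}")
```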
Keeping your whitelisting up-to-date is a must! Make it a routine to review and freshen up your whitelisting settings every quarter. This way, you'll enjoy a smooth flow of system emails, including essential training and simulated phishing. Using extra email security systems like Microsoft Defender, Bitdefender, Proofpoint, ESET, SpamTitan, or others? Check out our Whitelisting Guides for some additional details. Let's keep your email world secure and hassle-free! 🚀
Whitelisting Assistance
Our Technical Support team can provide some help with whitelisting issues. However, there are many different kinds of mail filtering services and providers in use, so take into consideration the various products or services you may be using in your mail or web environment to prevent issues with deliverability.
If your campaign emails are not being received by your recipients after following the whitelisting steps outlined above, we recommend communicating directly with your service provider to properly whitelist the platform.
Shown below is an email you may want to send to your service provider's support team to request whitelisting assistance. This message will help them understand the services the platform provides:
"Our organisation is using a security training platform that provides simulated phishing tests and training for our company's employees. We would like to whitelist all platform simulated phishing tests and training emails so that they successfully reach the inboxes of our employees. Would you please help us whitelist the Security Awareness Platform domains?"
The two most common mail clients are Microsoft 365 Outlook and Gmail.
To whitelist properly for these platforms, reference the guides below: