What is an email allowlist?
An email allowlist is a list of approved or "safe" senders that you specify in your security systems. Senders are usually identified by IP address, hostname or email header.
Do I really need to allowlist?
In a word: Yes.
The reason for this is that our simulated phishing emails are exactly that! Our templates are designed to look and feel like the real thing, with the exception of not carrying any malicious code. However, perimeter protection systems and email security software cannot know (and luckily won't try to guess) whether what looks like a phishing email is real or simulated.
As such, you need to tell your mail environment to allow our emails through (in a process known as allowlisting).
If you do not allowlist our servers in your mail environment, there is no accurate way to know if all emails within a test are actually reaching their destination. Some may end up in junk or spam folders and others may be blocked completely, so your campaign test data would not be very reliable.
It is essential to allowlist our mail servers in order to have accurate data throughout the lifecycle of security awareness training.
The guide you're reading (as part of our allowlisting quickstart guide) will tell you everything you need to do to get our emails flowing smoothly to your users. It doesn't take very long, and our helpful support team are ready to answer any questions you might have along the way.
Which method is right for me?
We recommend allowlisting our IP addresses or hostname as the primary method. This works best when you're not using a cloud-based spam filter. If you are using a cloud-based spam filter, you may need to allowlist by email header in your mail server and allowlist by IP address in your spam filter.
The reason for this is that when you use a cloud-based spam filter, the emails arrive there first, and are sent from there to your mail server, thus losing the original IP address they came from (ours) and having it replaced with your spam filter's.
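The mail path described above, as an added example that is not our product's code: it reads the Received chain of a message relayed by a cloud spam filter and reports which allowlist rule can match at each stage. The IP addresses, hostnames and the `X-Simulated-Phish` header name are constructed placeholders, not our real values.

```python
import re
from email import message_from_string

# Constructed sample values (documentation ranges, not the vendor's real ones).
VENDOR_IPS = {"192.0.2.10"}        # placeholder for the vendor's sending IP
HEADER_NAME = "X-Simulated-Phish"  # hypothetical allowlist header name

# Constructed message as the mail server stores it after a cloud filter relayed it.
# Received headers are prepended, so the newest hop comes first.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [198.51.100.25])
 by mail.example.com with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000
Received: from out.vendor.example (out.vendor.example [192.0.2.10])
 by filter.example.net with ESMTPS; Tue, 02 Jan 2024 10:00:03 +0000
X-Simulated-Phish: campaign-0001
From: it-support@vendor.example
To: admin@example.com
Subject: Password expiry notice

Body text.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw):
    """Return the bracketed IPv4 address of each Received hop, newest first."""
    msg = message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(value)
        ips.append(m.group(1) if m else None)
    return ips

def evaluate(raw):
    """Report which allowlist rule would match at each stage of the mail path."""
    msg = message_from_string(raw)
    ips = hop_ips(raw)
    return {
        # The mail server only sees the peer that connected to it (newest hop).
        "mail_server_ip_rule": bool(ips) and ips[0] in VENDOR_IPS,
        # The spam filter received the vendor's connection (oldest hop).
        "spam_filter_ip_rule": bool(ips) and ips[-1] in VENDOR_IPS,
        # The header survives relaying, so a header rule still matches.
        "mail_server_header_rule": msg.get(HEADER_NAME) is not None,
    }

if __name__ == "__main__":
    for rule, matched in evaluate(SAMPLE).items():
        print(f"{rule}: {'match' if matched else 'no match'}")
```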
Take into consideration the various products or services you may be using in your mail or web environment to prevent issues with deliverability. Our support team is available for assistance.
Pro tip: Conduct a preliminary test campaign before your Baseline Phishing Test.
We recommend that you run at least one phishing campaign that is limited in scope to only one or two administrative users who can confirm receipt and tracking of clicks on phishing links. This should be done before the baseline test and will confirm that our simulated phishing emails are getting through any spam/firewall protection.
As soon as you are done with your preliminary test, you should delete or hide the campaign so that it will not interfere with your reports or risk score.
Our allowlisting technical information can be found here: Allowlisting Technical Information.