WOLFCORE LTD · Help & Support

Email Deliverability & Allowlisting Guide

Version 1.0 · Effective 12 June 2026

For: Your IT / Security Administrator
Purpose: Ensure authorised phishing-simulation emails reach your users' inboxes
Provided by: Wolfcore Ltd · Phishy

Why this guide is needed

Phishy runs authorised phishing-simulation campaigns against your own staff, with your written permission, as part of your security-awareness programme. By design, these emails are built to look like real phishing attempts — that's the whole point of the exercise.

The consequence is that your own email security stack will try to filter, quarantine, or banner them before your users ever see them. To run an accurate simulation, your administrator needs to create a deliberate, scoped, reversible exception for Phishy's specific sending infrastructure.

This is standard practice. Every major simulation provider (KnowBe4, Proofpoint, Microsoft's own Attack Simulation Training) requires the same step. The exception applies only to Phishy's named domains and IP addresses listed below — it does not weaken your filtering for anyone else.

Security note: This is a precise allowlist for known, authorised infrastructure — not a blanket "trust all" rule. Scope it exactly to the values in Section 1, review it periodically, and remove it when your engagement ends. See Section 6.

1. Phishy sending infrastructure (the values to allowlist)

Sending domains (From / DKIM): it-helpdesk-secure.com · mail-account-services.com · corporate-notify.com · payroll-portal-online.com · team-collab-notify.com
Envelope / MailFrom sending subdomains: em8876.it-helpdesk-secure.com · em6985.mail-account-services.com · em4931.corporate-notify.com · em3314.payroll-portal-online.com · em2645.team-collab-notify.com
Sending IP address(es): Provided by Phishy for your engagement
Simulation link domain(s): Provided by Phishy for your engagement

Not every campaign uses every domain. Allowlisting all five now means no re-configuration later, regardless of which pretext is used.
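
One way to run the periodic scope review the security note asks for, as an added example (not Phishy's or Wolfcore's code): it compares the sender-domain and sending-IP entries exported from your allowlist with the Section 1 values and reports anything missing, unexpected, or broader than authorised. The address `192.0.2.10` is a documentation placeholder for the IPs Phishy provides, `audit_allowlist` and `SAMPLE` are names made up here, and simulation-URL entries (which this guide enters in wildcard form) are out of scope.

```python
import ipaddress

# Sending domains and envelope subdomains copied from Section 1 of this guide.
AUTHORISED_DOMAINS = {
    "it-helpdesk-secure.com", "mail-account-services.com", "corporate-notify.com",
    "payroll-portal-online.com", "team-collab-notify.com",
    "em8876.it-helpdesk-secure.com", "em6985.mail-account-services.com",
    "em4931.corporate-notify.com", "em3314.payroll-portal-online.com",
    "em2645.team-collab-notify.com",
}
# Placeholder only (RFC 5737 documentation address): use the IPs Phishy gives you.
AUTHORISED_IPS = {ipaddress.ip_network("192.0.2.10/32")}


def audit_allowlist(entries):
    """Compare configured sender/IP allowlist entries with the authorised values."""
    report = {"missing": [], "unexpected": [], "overbroad": []}
    seen_domains, seen_nets = set(), set()
    for raw in entries:
        entry = raw.strip().lower().rstrip(".")
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # not an IP or CIDR, so treat it as a domain entry
        if net is not None:
            if net in AUTHORISED_IPS:
                seen_nets.add(net)
            elif any(a.subnet_of(net) for a in AUTHORISED_IPS if a.version == net.version):
                report["overbroad"].append(raw)   # range wider than the authorised IP
            else:
                report["unexpected"].append(raw)
        elif "*" in entry:
            report["overbroad"].append(raw)       # wildcard trusts hosts not in Section 1
        elif entry in AUTHORISED_DOMAINS:
            seen_domains.add(entry)
        else:
            report["unexpected"].append(raw)
    report["missing"] = sorted(AUTHORISED_DOMAINS - seen_domains) + sorted(
        str(n) for n in AUTHORISED_IPS - seen_nets)
    return report


# Constructed sample export, not real tenant data.
SAMPLE = sorted(AUTHORISED_DOMAINS - {"em2645.team-collab-notify.com"}) + [
    "192.0.2.0/24", "*.corporate-notify.com", "example.net"]

if __name__ == "__main__":
    for kind, values in audit_allowlist(SAMPLE).items():
        print(kind, values)
```
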

2. Microsoft 365 / Exchange Online (Microsoft Defender)

This is the correct and only fully supported method. Microsoft Defender no longer honours the Outlook Safe Senders list or the IP Allow List (connection filtering) for simulated phishing — those will be overridden. Use the Advanced Delivery policy instead.

Steps

  1. Sign in to the Microsoft Defender portal at https://security.microsoft.com/advanceddelivery (or navigate: Email & collaboration → Policies & rules → Threat policies → Advanced delivery, under Rules).
  2. Select the Phishing simulation tab.
  3. Click Add (first time) or Edit (if entries already exist). The third-party phishing simulation panel opens.
  4. Domain — add Phishy's sending domains and sending subdomains from Section 1 (you can add up to 50). Enter each value and press Enter.
  5. Sending IP — add Phishy's sending IP address(es) from Section 1. (Required — Advanced Delivery will not function on domain alone.)
  6. Simulation URLs to allow — add Phishy's simulation link domain(s) in the format *.example.com/*.
  7. Click Save, then Close.

If links are still rewritten or blocked (Safe Links)

If simulation links are rewritten or land on a "suspicious website" warning, add a Safe Links URL exemption for the simulation link domain(s):
Email & collaboration → Policies & rules → Threat policies → Safe Links → (your policy) → Do not rewrite the following URLs → add https://*.<simulation-domain>/*.

If your mail routes through a third-party gateway

If your domain's MX record does not point directly to Microsoft 365 (i.e. mail flows through a Secure Email Gateway such as Mimecast or Proofpoint first), Advanced Delivery alone is not sufficient — you must also allowlist Phishy at the gateway. See Section 4.

3. Google Workspace (Gmail)

Configure in the Google Admin console: Apps → Google Workspace → Gmail → Spam, phishing and malware (direct link: https://admin.google.com/ac/apps/gmail/spam). Select your top-level organisation first.

As of early 2026, Google tightened how it handles mail from shared sending platforms, so the spam-bypass rule (Method A) is the primary step, with the inbound gateway (Method B) added only if warning banners persist.

Method A — Spam bypass rule (primary, domain-based)

  1. Scroll to the Spam section and click Configure (or Add another rule).
  2. Name it e.g. Phishy Simulation — Spam Bypass.
  3. Tick "Bypass spam filters and hide warnings for messages from senders or domains in selected lists."
  4. Click Create or edit list, create a list named Phishy Simulation Domains, and add Phishy's sending domains from Section 1. Save the list, then assign it to the rule.
  5. Save.

Method B — Inbound gateway (only if banners still appear; IP-based)

  1. In the same Spam, phishing and malware screen, find Inbound gateway and click Edit.
  2. Tick Enable. Under Gateway IPs, click Add and enter Phishy's sending IP address(es) from Section 1.
  3. Leave "Reject all mail not from gateway IPs" unchecked.
  4. Tick "Require TLS for connections from the email gateways listed above."
  5. Tick "Message is considered spam if the following header regexp matches" and enter a random string unlikely to ever appear in real mail (e.g. qx7zzr-not-a-real-header).
  6. Tick "Disable Gmail spam evaluation on mail from this gateway; only use header value."
  7. Save.

Changes can take up to 24 hours to apply. All changes are recorded in the Admin console audit log.

4. Third-party email gateways (Mimecast, Proofpoint, Barracuda, etc.)

If your inbound mail passes through a Secure Email Gateway (SEG) before reaching Microsoft 365 or Google, you must also allowlist Phishy at the gateway — the native steps above only cover the platform behind it. (Not sure if you have a gateway? If your domain's MX record points somewhere other than Microsoft or Google, you do.)

If you use a gateway not listed here, contact Phishy and we'll provide a gateway-specific sheet.
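
The MX check described in Sections 2 and 4, as an added example (not Phishy's or Wolfcore's code): it parses the output of `dig +short MX <your-domain>` and applies the rule that any MX host outside Microsoft or Google means a gateway is in the mail path. The suffix lists are assumptions based on commonly published MX hostnames, and the sample outputs are constructed.

```python
# Assumed MX hostname suffixes (commonly published); confirm with vendor docs.
PLATFORM_SUFFIXES = {
    "Microsoft 365": ("mail.protection.outlook.com", "mx.microsoft"),
    "Google Workspace": ("google.com", "googlemail.com"),
}
GATEWAY_SUFFIXES = {
    "Mimecast": ("mimecast.com",),
    "Proofpoint": ("pphosted.com", "ppe-hosted.com"),
    "Barracuda": ("barracudanetworks.com",),
}


def parse_mx(dig_output):
    """Parse `dig +short MX <domain>` lines ("10 host.") into sorted (pref, host)."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def owner(host, table):
    # Match on a label boundary so "notgoogle.com" is not taken for "google.com".
    for name, suffixes in table.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return name
    return None


def classify(dig_output):
    """Apply the guide's rule: any MX host outside Microsoft/Google means a gateway."""
    records = parse_mx(dig_output)
    if not records:
        raise ValueError("no MX records found in input")
    hosts = []
    for pref, host in records:
        label = owner(host, PLATFORM_SUFFIXES)
        kind = "platform" if label else "gateway"
        label = label or owner(host, GATEWAY_SUFFIXES) or "unidentified"
        hosts.append((pref, host, kind, label))
    return {"gateway_in_path": any(h[2] == "gateway" for h in hosts), "hosts": hosts}


# Constructed sample outputs; example.com and the host names are placeholders.
DIRECT_M365 = "0 example-com.mail.protection.outlook.com.\n"
VIA_GATEWAY = "10 eu-smtp-inbound-1.mimecast.com.\n10 eu-smtp-inbound-2.mimecast.com.\n"
SELF_HOSTED = "5 mx1.example.com.\n20 ASPMX.L.GOOGLE.COM.\n"
```

When `gateway_in_path` is true, the Section 4 gateway allowlist is needed in addition to the platform steps.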

5. Other email systems (BT Business, Yahoo, consumer mailboxes)

BT Business email runs on Microsoft 365 / Exchange Online — both BT's "Business Email Lite" and its Office 365 plans are hosted on Microsoft's platform. So there is no separate "BT" allowlist: your administrator uses the Microsoft 365 steps in Section 2 via the Microsoft 365 / Defender admin portal.

Consumer mailboxes — Yahoo, btinternet.com, AOL, Outlook.com / Hotmail, personal Gmail: these are personal email services with no organisation-level admin console, so there is no central way to allowlist a sender across your team. They are not suitable for a managed, organisation-wide phishing simulation. If your staff receive work email on consumer mailboxes, the right fix is to move them onto a business platform (Microsoft 365 or Google Workspace) — which also gives you the security controls a simulation is designed to test.

If you're unsure what hosts your email, your IT provider or your domain's MX record will tell you — or ask Phishy and we'll help you check.

6. Keeping this safe and scoped

This allowlist is a controlled exception, not a permanent hole. To keep it safe:

7. Verifying it worked

Once configured, tell Phishy and we'll send a test simulation to a mailbox you nominate. Confirm that it:

If any of those fail: re-check the gateway (Section 4) and the Safe Links / URL-rewrite exemptions, then re-test. We're happy to troubleshoot with your admin directly.

Questions: contact your Phishy representative at Wolfcore Ltd. — info@wolfcore.co.uk