Configuring Gmail for Secure Schools Phishing Simulations

If this configuration is not completed, Google's scanning systems are likely to treat phishing simulation emails as spam and/or phishing and block them. At the same time, it's important not to undermine the inbuilt security features of Google Workspace and Gmail, because doing so could allow an attacker to spoof the domain names used by our phishing simulator.
To ensure that Secure Schools Phishing Simulations are successful and safe, the school or trust's email environment must be configured to recognise the emails as trusted phishing simulations.
The objectives of this guide are as follows:
  • Gmail takes no action for Secure Schools Phishing Simulations
  • Keep SPF, DKIM and DMARC controls in place
  • Keep malware controls in place
With the above in mind, follow these step-by-step instructions to allow Secure Schools Phishing Simulation emails through the Gmail filters while maintaining SPF, DKIM and DMARC controls.

Allow listing Secure Schools' Phishing Domain

Step 1: Log into
From the vertical menu, click on Apps and click on Overview from the drop-down list, then select Google Workspace.

Step 2: Select Gmail
Step 3: From the Gmail settings, scroll down and click on 'Spam, Phishing and Malware'.
Step 4: In the Spam section, click CONFIGURE.

Step 5: Add a description (e.g., Secure Schools Phishing Domain).
Click on Create or edit list
Step 6: Click on ADD ADDRESS LIST

Step 7: Add the Secure Schools Phishing Domains listed below, making sure to leave 'Authentication required (received mail only)' ticked for each.









Please note that the above list is regularly updated and may include additional domains not included in the screenshots.


Step 8: Once each has been entered, click Save.
Step 9: Click on Use existing list

Step 10: Select the address list you created.
Step 11: Click Save.
Step 12: Navigate back to the Gmail Settings page and select Compliance

Step 13: Navigate to the Content Compliance section.

Step 14: Click Add a rule.

Note: If you have previously created a Content Compliance rule, this option will be called Add Another Rule.

Step 15: In the Email messages to affect field, select the Inbound and Internal - receiving check boxes.

Step 16: Under the Expressions tab, click the first drop-down menu.

Step 17: From the first drop-down menu, select if ANY of the following match the message and click Add.

Step 18: Update the settings in the 'Add expressions that describe the content you want to search for in each message' area. For more information about these settings, see the screenshot and list below:

i) From the first drop-down menu, select Advanced content match.
ii) In the Location field, select Full headers.
iii) In the Match type field, select Contains text.
iv) In the Content field, enter the header text. The Secure Schools header is X-PHISHTEST.
v) Click Save.
Step 19: In the 'If the above expressions match, do the following' field, select the 'Bypass spam filter for this message' check box under Spam, and click Save.
Congratulations, your school or trust's Google Workspace tenancy has been configured to receive phishing simulation emails safely!
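
An added example, not part of the Secure Schools guide: a Python check that can be run over exported messages to confirm that anything carrying the X-PHISHTEST header came from an allow-listed domain and still passed SPF, DKIM and DMARC, in line with the objectives above. The domain phish-sim.example, the header value and the sample messages are constructed placeholders; substitute the domains from your own address list.

```python
import email
from email import policy
from email.utils import parseaddr

# Placeholder: replace with the domains in your Secure Schools address list.
ALLOWED_DOMAINS = {"phish-sim.example"}
SIM_HEADER = "X-PHISHTEST"          # header name given in Step 18
REQUIRED = ("spf", "dkim", "dmarc")

def auth_results(msg):
    """Parse the topmost Authentication-Results header (the one prepended by
    the receiving server) into {'spf': 'pass', ...}."""
    results = {}
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return results
    for clause in str(headers[0]).split(";")[1:]:
        method, _, rest = clause.strip().partition("=")
        method = method.strip().lower()
        # A method counts as passed if any of its clauses reports pass.
        if method in REQUIRED and rest and results.get(method) != "pass":
            results[method] = rest.split()[0].lower()
    return results

def check(raw):
    """Classify one raw message: 'not-simulation', 'ok', or a reason to investigate."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg[SIM_HEADER] is None:
        return "not-simulation"
    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if domain not in ALLOWED_DOMAINS:
        return f"investigate: {SIM_HEADER} from unlisted domain {domain!r}"
    res = auth_results(msg)
    failed = [m for m in REQUIRED if res.get(m) != "pass"]
    return f"investigate: {','.join(failed)} not pass" if failed else "ok"

# Constructed sample messages (not real traffic).
GOOD = (
    "Authentication-Results: mx.google.com; dkim=pass header.i=@phish-sim.example;"
    " spf=pass smtp.mailfrom=bounce@phish-sim.example;"
    " dmarc=pass header.from=phish-sim.example\n"
    "From: IT Support <it@phish-sim.example>\n"
    "X-PHISHTEST: 1\n"
    "Subject: Password expiry\n\nbody\n"
)
BAD = GOOD.replace("dmarc=pass", "dmarc=fail").replace("spf=pass", "spf=softfail")

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "->", check(raw))
```

Any "investigate" result means a message matched the Content Compliance rule without meeting the conditions the address list is meant to enforce.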
