Help Centre

Our platform

Phishing Simulator

Configuring Gmail for Secure Schools Phishing Simulations

Critical configuration information to ensure the successful implementation of our Phishing Simulations

Without completing this step, Google's scanning systems will likely regard phishing simulation emails as spam or phishing and block them. At the same time, it's also important not to undermine the inbuilt security features of Google Workspace and Gmail, which could allow an attacker to spoof the domain names used by our phishing simulator.

To ensure that Secure Schools Phishing Simulations are successful and safe, your organisation's email environment must be configured to recognise the emails as trusted phishing simulations.

The objectives of this guide are as follows:

Gmail takes no action for Secure Schools Phishing Simulations
Keep SPF, DKIM and DMARC controls in place
Keep malware controls in place.

With the above in mind, follow these step-by-step instructions to allow Secure Schools Phishing Simulation emails through the Gmail filters while maintaining SPF, DKIM and DMARC controls.

Email Allowlist

Step 1: Log into admin.google.com
From the vertical menu, click on Apps:

Then Google Workspace, and then Gmail:

Step 3: From the Gmail settings, scroll down and click on 'Spam, Phishing and Malware'.

Step 4: Select Email allowlist and enter the Secure Schools' sending IP address: 185.250.239.80 (details) and select Save

Inbound Gateway

Step 1: Now scroll down to Inbound Gateway and click on it to edit.

Step 2: Enable the Gateway IPs option and add the IP address from the previous step, 185.250.239.80, by clicking Add, and then Save

Step 3: Both Automatically detect external IP (recommended) and Reject all mail not from gateway IPs should not be selected:

Ensure that Require TLS for connections from the email gateways listed above is selected.

Step 4: In 2. Message Tagging, tick the box and enter a random, long alphanumeric string. This should be unique and different from the example, as it will be used to bypass spam checking.

Select Message is spam if regexp matches, and ensure Disable Gmail spam evaluation on mail from this gateway; only use header value is ticked.

Step 5: Click on Save

Approved Senders List

Next, you'll need to create an approved senders list containing the domains used by Secure Schools' phishing simulations.

Step 1: Scroll to the Spam section and click on Configure (or Add another rule if you have existing rules) to edit

Spam

Step 2: Add a descriptive name and leave the Options unticked

Step 3: Ensure Bypass spam filters for internal senders, Bypass spam filters for messages from senders or domains in selected lists, and Bypass spam filters and hide warnings for messages from senders or domains in selected lists are all selected, but not the last option:

Filters and Banners

Step 4: If you haven't created a list yet, you'll need to select Create or edit list on one of the above options. In the new tab, select Add Address List

Manage address lists

Step 5: Add the Secure Schools Domains, ensuring the Authentication required toggle is off for each domain, and click Save.

Edit Address List

Step 6: Return to the previous tab with the Add setting pop-up open and add the domain list you created to the Bypass spam filters options and click Save

Image URL Proxy

Finally, you'll need to ensure that images are displayed within the messages for accurate tracking and a more realistic experience.

Step 1: In the Settings for Gmail menu, scroll down and select End User Access

End User Access

Step 2: Select the Image URL proxy allowlist

End User Access 2

Step 3: Enter the appropriate domain for your region and click Save.

Ensure the domain is entered in full, including the trailing slash /, or it will be rejected when trying to save.

Image URL Proxy Allow

This should complete the process and allow phishing simulations to run successfully.

Note: It can take up to 24 hours for the rules and filters to be applied.