In order to run effective phishing simulations and security awareness training, it’s crucial that legitimate simulation emails and training notifications aren’t blocked or flagged by your organization’s email infrastructure. Below is a quick reference guide for allowlisting (sometimes referred to as “whitelisting”) IP addresses and domains in your email servers, secure email gateways, or filtering solutions.
1. General Best Practices for Allowlisting
- Minimize Your Exceptions
- Only allowlist what is absolutely necessary—IPs and domains associated with our phishing assessments and training services. Avoid sweeping exclusions (e.g., entire TLDs or large IP ranges) unless specifically required.
- Document and Review
- Keep a record of every IP address and domain you allowlist, including the date and reasoning behind the change. Review your allowlist periodically to ensure it remains accurate and current.
- Use Proper Security Configurations
- Whenever possible, configure SPF, DKIM, and DMARC alignment checks to reduce the likelihood of spoofed or malicious emails. If your email filter supports it, set rules that specifically target only our training emails and not other traffic.
- Follow Vendor-Specific Instructions
- Every email gateway or filtering solution has different steps for allowlisting. Refer to your vendor’s documentation for precise instructions on safely adding our IPs and domains.
2. Required IP Addresses
Below are the IP addresses you should allow through your email filters to ensure our phishing simulation and training emails are successfully delivered:
- 3.106.21.22
- 13.237.47.221
When adding these IPs to your allowlist, confirm that you are referencing them only for inbound email traffic associated with our service. This ensures your organization remains secure while allowing authorized messages to pass.
3. Required Sending Domains
We use several sending domains to distribute phishing simulations, training notifications, and related communications. Please add these to your allowlist for inbound email:
- codealerting-services.com
- authwebmail.com
- cloud-notification-services.com
- securesupportcloud.com
- office-365-notifications.com
- webnotifications.net
- paypaypal.net
- cmail31.com
- authenticationsecure.com
- verificationweb.net
- onlineverify.net
- portal-login.net
- email-forwarder.net
- learn.socialhub.13security.com
Again, be sure to allowlist only these specific domains. This helps prevent over-allowlisting, which could increase your organization’s risk.
4. Phishing Website Domains
During phishing simulations, your users may be directed to training or landing pages hosted on our domains. To ensure users can access these sites (and to avoid false positives in web filters), you should allowlist these specific domains for web traffic:
- *.authwebmail.com
- *.cmail31.com
- *.securesupportcloud.com
- *.webnotifications.net
- *.alerting-services.com
The wildcard (*) indicates that subdomains of these domains may also be used, so you should account for these additional subdomains in your allowlist.
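The following is an added example, not part of the original guide or any vendor's product: a Python sketch of wildcard matching on label boundaries, so that a look-alike host that merely ends in the same characters is not allowed. The function names are hypothetical, and the choice that `*.domain` does not cover the bare domain is an assumption; check how your web filter treats it.

```python
# Wildcard patterns copied from the list on this page.
WEB_PATTERNS = [
    "*.authwebmail.com",
    "*.cmail31.com",
    "*.securesupportcloud.com",
    "*.webnotifications.net",
    "*.alerting-services.com",
]


def normalize(host):
    """Lowercase, drop any :port suffix and a trailing root dot."""
    host = host.strip().lower().split(":", 1)[0]
    return host.rstrip(".")


def matches(host, pattern):
    """True if host is covered by pattern ('*.domain' or an exact name).

    Assumption: the wildcard stands for one or more labels to the left of
    the base domain and does not cover the base domain itself.
    """
    host = normalize(host)
    if not pattern.startswith("*."):
        return host == pattern.lower()
    base = pattern[2:].lower()
    # Require the separating dot: 'xcmail31.com' must not match '*.cmail31.com'.
    return host.endswith("." + base) and len(host) > len(base) + 1


def allowed(host):
    """True if host matches any allowlisted web pattern."""
    return any(matches(host, p) for p in WEB_PATTERNS)


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from real traffic.
    for h in ("login.cmail31.com", "a.b.webnotifications.net",
              "xcmail31.com", "cmail31.com.other.example"):
        print(h, "->", "allow" if allowed(h) else "filter")
```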
5. Steps to Implement Allowlisting
- Identify Your Email Gateway or Filter
- Common solutions include Microsoft 365 (Exchange Online Protection), Google Workspace, Proofpoint, Mimecast, Barracuda, etc. Each has a specific allowlisting procedure.
- Locate Allowlist or “Safe Senders” Settings
- In your gateway or security solution dashboard, find the section where you can add domains, IP addresses, or senders to your “safe list” or “allow list.”
- Add Required IPs and Domains
- Add the IPs 3.106.21.22 and 13.237.47.221.
- Add each of the sending domains and phishing website domains from the lists above.
- Configure Any Advanced Security Rules
- If your email solution supports advanced policies, create rules that specifically allow traffic from these domains and IPs without bypassing other essential security checks (like SPF, DKIM, and DMARC).
- Test Thoroughly
- After making changes, run test emails to verify that emails are not being quarantined or marked as spam.
- If your organization uses web filtering/proxy solutions (e.g., Cisco Umbrella, Zscaler, etc.), ensure those solutions also allow the domains listed above to avoid blocking access to training pages.
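As an added illustration of the "Configure Any Advanced Security Rules" step (example code, not from the original guide or any gateway product), this Python sketch models a scoped rule: a message skips content filtering only when the connecting IP, the envelope sender domain and the authentication results all agree. The `decide` function, the exact pass criteria and the assumption that the Authentication-Results value is stamped by your own gateway are hypothetical.

```python
import ipaddress
import re

# IPs and sending domains copied from the lists on this page.
SIM_IPS = {ipaddress.ip_address(a) for a in ("3.106.21.22", "13.237.47.221")}
SIM_DOMAINS = frozenset("""
codealerting-services.com authwebmail.com cloud-notification-services.com
securesupportcloud.com office-365-notifications.com webnotifications.net
paypaypal.net cmail31.com authenticationsecure.com verificationweb.net
onlineverify.net portal-login.net email-forwarder.net
learn.socialhub.13security.com
""".split())

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def decide(connecting_ip, envelope_from, auth_results):
    """Return (verdict, reason); verdict is 'bypass' or 'filter'.

    auth_results is the Authentication-Results value added by your own
    gateway (assumption: upstream copies of the header are stripped).
    """
    try:
        ip = ipaddress.ip_address(connecting_ip)
    except ValueError:
        return "filter", "unparseable connecting IP"
    domain = envelope_from.rpartition("@")[2].lower().rstrip(".")
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth_results)}

    if ip not in SIM_IPS:
        return "filter", "connecting IP not allowlisted"
    if domain not in SIM_DOMAINS:
        return "filter", "envelope domain not allowlisted"
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        return "filter", "no passing SPF or DKIM result"
    if auth.get("dmarc") == "fail":
        return "filter", "DMARC failed"
    return "bypass", "IP, domain and authentication all match"


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("3.106.21.22", "notify@authwebmail.com", "mx.example.org; spf=pass; dkim=pass; dmarc=pass"),
    ("203.0.113.50", "notify@authwebmail.com", "mx.example.org; spf=fail; dkim=none; dmarc=fail"),
    ("13.237.47.221", "billing@example.com", "mx.example.org; spf=pass"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[0], s[1], "->", decide(*s))
```

Only the first sample bypasses filtering; a message that claims an allowlisted domain from any other IP, or arrives from an allowlisted IP with an unlisted domain, is filtered as normal.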
6. Ongoing Maintenance
- Monitor Delivery Reports: Periodically review email logs or reports in your gateway. If you see legitimate simulation emails are still blocked, adjust rules accordingly.
- Security Updates: Keep an eye on vendor updates or changes to their blocklists, as well as any new IPs or domains we might adopt.
- Revisit Policies Annually: Since your organization’s infrastructure or policies may evolve, schedule an annual (or more frequent) review of your allowlist to maintain alignment with best practices.
7. Additional Resources
- Email Service Provider Documentation: Check your specific email or security provider’s documentation for detailed, step-by-step instructions on allowlisting.
- Contact Support: If you encounter issues or need clarification, reach out to our support team or your email service provider’s help desk.
Allowlisting is a fine balance between enabling legitimate communication and maintaining robust security. By precisely configuring your allowlist to include only the domains and IPs from our phishing assessments and training service, you can maintain high delivery rates for simulation emails and training notifications—without compromising on safety.
If you have any questions or need further assistance with allowlisting, please consult your email service provider’s documentation or contact our support team.