Whitelist in Google Workspace
Whitelisting Simulated Phishing in Google Workspace (Gmail)
For Secure Practice Simulation Emails
This step-by-step guide is intended for Google Workspace administrators to allow simulated phishing emails from Secure Practice by properly configuring Gmail to recognize and accept messages from specific IP addresses.
Note: You must have an admin role in the Google Workspace Admin Console to perform these actions.
Step 1: Access the Admin Console
- Visit https://admin.google.com
- Sign in using your administrator account
Step 2: Navigate to Gmail Settings
- In the left-hand menu, go to: Apps → Google Workspace → Gmail
- Under Gmail settings, click on Spam, Phishing and Malware
Step 3: Add IPs to the Email Allowlist
- Click on Email allowlist
- Enter the following IP addresses:
  - 35.153.237.243 (Mail Server)
  - 107.22.65.180 (Landing Page)
- Click Save
Step 4: Configure Inbound Gateway
This step ensures that Gmail treats the IP addresses above as internal senders, preventing SPF or DMARC validation and suppressing warnings to end-users.
- Scroll down to the Inbound Gateway section
- If not already enabled, click the Enable button
- In the Gateway IPs field, enter the same IP addresses listed earlier
- Optional:
  - Enable Automatically detect external IP
  - Do not enable "Reject all mail not from gateway IPs" unless already required; this may block all mail delivery if not properly configured
  - Enable Require TLS for connections
Step 5: Configure Message Tagging
- Under the Message Tagging section:
  - Check "Message is considered spam if the following header regexp matches"
  - Enter a unique, random string: fg2jl0ah45oahtTK56SGD23fhk2k
  - Check "Disable Gmail spam evaluation"
- This ensures Gmail skips its spam analysis for messages from the configured IPs.
Step 6: Bypass Spam Filters for Trusted Senders
- Still under Gmail settings, go to the Spam section
- Click Configure to create a spam filter bypass rule
- Check: "Bypass spam filters for messages received from addresses or domains"
- Click Create or edit list and add the following senders:
  - slackj.com
  - ttrelli.com
  - airbnd.cc
  - attlassians.com
  - eebbey.com
  - lastpasss.net
  - my1psswords.com
  - zooms.cc
- For flexibility, uncheck "Authentication required" for
- Save the address list and the new spam bypass policy
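An added example (not part of the Secure Practice guide): because the Step 6 bypass list is keyed on sender domain, this Python check compares the From domain of a raw message with the connecting IP in its topmost Received header and flags bypass-list domains arriving from anywhere other than the Step 3 IPs. The function names, the assumption that the topmost Received header records the connecting IP as `[a.b.c.d]`, and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Values copied from Step 3 (allowlisted IPs) and Step 6 (bypass list).
ALLOWED_IPS = {"35.153.237.243", "107.22.65.180"}
BYPASS_DOMAINS = {"slackj.com", "ttrelli.com", "airbnd.cc", "attlassians.com",
                  "eebbey.com", "lastpasss.net", "my1psswords.com", "zooms.cc"}
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IPv4 in the topmost Received header, or None.

    Assumption: that header was added by the receiving mail server and
    records the connecting host as "[a.b.c.d]".
    """
    received = msg.get_all("Received") or []
    match = BRACKETED_IPV4.search(received[0]) if received else None
    return match.group(1) if match else None


def sender_domain(msg):
    """Lower-cased domain of the From address ('' when missing)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def classify(raw):
    """Return 'simulation', 'unexpected-source' or 'other' for a raw message."""
    msg = message_from_string(raw)
    if sender_domain(msg) not in BYPASS_DOMAINS:
        return "other"
    if connecting_ip(msg) in ALLOWED_IPS:
        return "simulation"
    return "unexpected-source"  # bypass-list domain, but not from a Step 3 IP


def sample(ip, sender):
    """Build a constructed test message (not real traffic)."""
    return (f"Received: from mail.example (mail.example. [{ip}])\n"
            f" by mx.google.com with ESMTPS; Mon, 1 Jan 2024 00:00:00 +0000\n"
            f"From: Notifications <{sender}>\nSubject: constructed sample\n\nbody\n")


if __name__ == "__main__":
    for ip, sender in [("35.153.237.243", "no-reply@slackj.com"),
                       ("203.0.113.7", "no-reply@slackj.com"),
                       ("203.0.113.7", "alice@example.org")]:
        print(ip, sender, classify(sample(ip, sender)))
```

Messages classified as `unexpected-source` carry a bypass-list sender domain without coming from the simulation IPs and are worth reviewing.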
Step 7: Adding Message Header in Compliance
Optional: Temporary Adjustment for Quicker Testing
Google offers a feature called Enhanced Pre-Delivery Message Scanning.
While not recommended to disable permanently, you may consider turning it off briefly to speed up testing and configuration validation.
Additional Systems in Use?
If your organization uses other email or security filtering systems, please refer to the Whitelisting Phishing Overview and ensure proper bypass configurations are in place across all layers.
Reference Documentation Link: https://securepractice.co/guides/whitelisting-google
If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.