When running phishing simulations, you might find that Office 365 blocks or flags your test emails as unsafe. To make sure these emails are delivered successfully to your users' inboxes, you can whitelist the domain. Here's how to do it step by step.
Note: These steps are only applicable for users with an administrator account in the company's Office 365 workspace. Regular users or those without admin privileges will not be able to implement these changes. Please contact your IT administrator if you need assistance.
Step 1: Access the Microsoft 365 Defender Portal
- Log into the Microsoft 365 Defender Portal using your admin credentials.
- In the left-hand menu, go to Email & Collaboration.
- Under Policies & Rules, select Threat Policies.
Step 2: Adjust Anti-Spam Policies
- Click on Anti-Spam Policies in the Threat Policies section.
- Either edit an existing policy or create a new one by clicking + Create policy.
- In the policy settings, look for the Allowed Senders and Domains section.
- Add your phishing simulation domain (dyna-sim.com) to the allow list.
- Save the changes to the policy.
Step 3: Set Up a Mail Flow Rule (Transport Rule)
- Open the Exchange Admin Center (you can find it in the Microsoft 365 Admin Center under Exchange).
- Go to Mail Flow and click on Rules.
- Create a new rule by clicking + Add a rule and selecting Create a new rule.
- Give the rule a name like "Phishing Simulation Whitelist."
- In the Apply this rule if section, choose The sender domain is and enter the phishing domain (dyna-sim.com).
- Under Do the following, set the action to Modify the message properties → Set the spam confidence level (SCL) to... → Bypass Spam Filtering.
- Save the rule.
Step 4: Test the Configuration
- Send a test email from your phishing simulation domain (dyna-sim.com) to a user in your organization.
- Check if the email lands directly in the inbox without being flagged as spam or quarantined.
- Verify that the phishing simulation emails are being delivered as expected.
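Steps 2 and 3 can also be applied and read back from Exchange Online PowerShell. The script below is an added example, not part of the original guide; it assumes the ExchangeOnlineManagement module is installed, that the anti-spam policy being edited is the one named Default, and it uses a placeholder admin account.

```powershell
# Added example: Steps 2-3 applied through Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and an administrator account.
Import-Module ExchangeOnlineManagement

$Domain     = 'dyna-sim.com'                   # simulation domain from this guide
$RuleName   = 'Phishing Simulation Whitelist'  # rule name from Step 3
$PolicyName = 'Default'                        # assumption: the default anti-spam policy is edited
$AdminUpn   = 'admin@example.com'              # placeholder admin account

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 2: add the domain to the policy's allowed domains if it is not already listed.
$policy  = Get-HostedContentFilterPolicy -Identity $PolicyName
$allowed = @($policy.AllowedSenderDomains | ForEach-Object { "$_" })
if ($allowed -notcontains $Domain) {
    Set-HostedContentFilterPolicy -Identity $PolicyName -AllowedSenderDomains @{ Add = $Domain }
}

# Step 3: create the mail flow rule once; SCL -1 corresponds to "Bypass spam filtering".
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName -SenderDomainIs $Domain -SetSCL -1
}

# Read both settings back so the change can be confirmed and recorded.
Get-HostedContentFilterPolicy -Identity $PolicyName |
    Select-Object Name, AllowedSenderDomains
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Priority, SenderDomainIs, SetSCL

Disconnect-ExchangeOnline -Confirm:$false
```

Both settings exempt every message that matches the sender domain from spam filtering, so keep the read-back output with your change record and remove the rule and the allow-list entry once simulations are no longer running.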