Phishing Simulation

Google Workspace (GSuite) Whitelisting

Google Workspace (GSuite) Whitelisting

Overview

If your organisation uses Google Workspace (formerly GSuite), you need to configure Gmail and Google Admin to allow PhishGrid simulation emails through without being filtered or marked as spam.

Step 1 — Add approved senders in Google Admin

  1. Go to Google Admin Console (admin.google.com)
  2. Navigate to Apps → Google Workspace → Gmail → Spam, Phishing and Malware
  3. Under Email allowlist, add the PhishGrid sending IP addresses
  4. Click Save

Step 2 — Create a content compliance rule to bypass spam filtering

  1. In Google Admin → Gmail → Compliance
  2. Click Content compliance → Configure
  3. Set the rule to apply to Inbound messages
  4. Under Expressions, add: Sender IP matches the PhishGrid sending IPs
  5. Under Actions, select Bypass spam filter
  6. Click Save

Step 3 — Add domains to the allowlist

  1. Navigate to Gmail → Spam, Phishing and Malware
  2. Under Blocked senders and approved senders, click Approved senders
  3. Add the PhishGrid simulation domains (e.g., mailservers.xyz, secure365.org)
  4. Click Save

Step 4 — Disable link scanning for simulation domains (if applicable)

If your organisation uses Google's link protection (via Workspace Business or Enterprise):

  1. Go to Gmail → Safety → Links and external images
  2. Review whether automatic link scanning is enabled
  3. If possible, add PhishGrid simulation domains to any link exclusion list

Note: Google Workspace does not provide granular link exclusion in all tiers. If link scanning cannot be disabled, consider this when interpreting results — some clicks may be automated.

Verifying whitelisting is working

  1. Send a test campaign to a small group (5–10 users) before launching organisation-wide
  2. Check that emails arrive in the Inbox (not Spam or Promotions)
  3. Check that clicking the simulation link records correctly in PhishGrid
  4. If emails land in Spam, revisit the content compliance rule and sender allowlist
  5. If links appear broken or redirect incorrectly, check link scanning settings

Troubleshooting

Issue Likely cause Fix
Emails in Spam Sending domain not in allowlist Add to Approved Senders
Emails in Promotions Promotional content scoring Use content compliance rule to bypass
Links not tracking Link scanning pre-fetching clicks Disable link scanning or accept bot detection will handle it
No emails received IP not whitelisted Add to Email allowlist in Admin Console