Whitelisting overview: what to whitelist for email delivery

Whitelisting ensures your phishing simulation emails are delivered to your users’ inboxes and are not blocked or quarantined by email security systems.

This article explains what you need to whitelist. For platform-specific instructions, use the step-by-step guides linked below.

What whitelisting is for

Whitelisting is used to improve email delivery. It tells your email environment that Guardey simulation emails are allowed to pass through.

ℹ️ Whitelisting affects email delivery. It does not control landing pages or browser access.

What you must whitelist

To receive Guardey phishing simulations successfully, whitelist:

Sending IP addresses

These are the Guardey IP addresses used to send simulation emails.
Sending domains

These are the domains after @ in the sender email address used by Guardey templates.
Any additional email security tooling

If you use extra filtering tools (for example, a secure email gateway or spam filter), whitelist the same sending IPs and sending domains there as well.

ℹ️ The sending domain does not need to match the landing page domain. That is expected.

Where to whitelist

Choose the correct guide based on your email platform:

If you use another email provider, consult their documentation for whitelisting:

sending IP addresses
sender domains

Should you whitelist all sending domains or only one?

Recommended: whitelist all sending domains

Whitelist all sending domains if you use (or plan to use) randomized campaigns. Randomized campaigns can select from multiple templates, and templates may use different sending domains.

This reduces future maintenance and prevents unexpected delivery issues when you change templates.

Minimal setup: whitelist only the domains you need

If you prefer a minimal setup, you can whitelist only the sending domain(s) used by your current campaign.

Keep in mind:

if you switch templates later, you may need to whitelist additional domains
randomized campaigns typically require more than one domain over time

Sending IP addresses to whitelist

Whitelist the IP addresses below in your email provider:

194.5.85.12
194.5.85.13
194.5.85.14
194.5.85.15
194.5.85.16
194.5.85.17
194.5.85.18
194.5.85.19

Tip: optimize your IP list

Microsoft 365 limits the number of IP entries you can add. To save space, you can add the following CIDR notation:

194.5.85.0/26

Or use an IP range:

194.5.85.8-194.5.85.30

Sending domains to whitelist

Whitelist the domains below either individually or all at once.

ℹ️ These are sending domains (the domain after @). They may differ from landing page domains.

Verify whitelisting with a small test

After whitelisting the sending IPs and sending domains:

Set up a small one-time phishing campaign to yourself or a test group.
Confirm the email arrives in the primary inbox (not spam/junk/quarantine).
If the email is quarantined or blocked, check your email security logs for the reason and verify your whitelisting entries.

Next step

[Campaign] Set up a one-time phishing campaign

Landing pages blocked by firewall or web filtering

Whitelisting helps simulation emails reach inboxes. If users can open the email but cannot access the landing page after clicking, your firewall, proxy, or web filter may be blocking the landing page domain.

This is separate from email whitelisting and must be resolved in your web security tooling.

ℹ️ Tip: If your organization uses strict web filtering, involve your IT/security team to allow the landing page domains used by Guardey simulations.