How to configure mails for Phishing Simulation

11 hours ago
sorb
3 minutes

Problem Statement

Organizations often run security awareness phishing simulations using Sorb Security platform.

Sorb Security intentionally sends emails that resemble phishing attacks in order to measure user awareness and train employees to recognize suspicious messages.

However, modern email systems such as:

  • Microsoft 365
  • Google Workspace
  • Zimbra Collaboration

contain built-in anti-spam, anti-phishing, and spoofing protections. Because simulation emails closely resemble real phishing attacks, these protections may:

  • Quarantine the email
  • Deliver it to the spam folder
  • Reject the message during SMTP
  • Rewrite or block links
  • Trigger impersonation protection

As a result, authorized phishing simulation campaigns may fail to reach users, preventing security teams from accurately measuring awareness levels.

To ensure successful delivery of simulation emails, administrators must configure controlled allow rules for the simulation platform’s sending infrastructure.

Solution

To allow authorized phishing simulation campaigns, configure the following controls in the email platform:

  1. Allow the simulation platform sending IP ranges
  2. Allow the simulation sender domains
  3. Configure anti-phishing exclusions
  4. Verify successful delivery through message tracking

These configurations should be limited only to Sorb Security Infrastructure.

Sending IP: 36.50.34.0/24 36.50.35.0/24 129.126.138.112/28 192.82.62.32/27
Sender domain: sorbsecurity.com

Solution for Microsoft 365

In Microsoft 365, configuration is performed in the Microsoft Defender security portal and Exchange Admin Center.

Step 1 – Add Domain to Tenant Allow List

Open the security portal: https://security.microsoft.com

Navigate to:

Email & Collaboration
 → Policies & Rules
 → Threat Policies
 → Tenant Allow/Block List

Add a new entry:

Type: Domain
Value: sorbsecurity.com
Action: Allow

Step 2 – Exclude Domain from Anti-Phishing Policy

Navigate to:

Threat Policies
 → Anti-phishing

Edit the active policy.

Under Excluded Senders or Domains, add:

sorbsecurity.com

This prevents simulation emails from being blocked by impersonation detection.

Step 3 – Create Mail Flow Allow Rule

Open the Exchange Admin Center.

Navigate to:

Mail Flow
 → Rules
 → Add new rule

Configure the rule:

Rule Name:
Allow Sorb Security Phishing Simulation Platform
Condition:
Sender IP address is within range Sender IP:
36.50.34.0/24 36.50.35.0/24 129.126.138.112/28 192.82.62.32/27
Action:
Set spam confidence level (SCL) to -1

This ensures the messages are not treated as spam.

Step 4 – Verify Email Delivery

Verify delivery using:

Microsoft Defender
 → Email & Collaboration
 → Explorer

or

Exchange Admin Center
 → Mail Flow
 → Message Trace

Confirm that the simulation email is delivered to the user inbox.

Solution for Google Workspace

In Google Workspace, configuration is performed in the Google Admin Console.

Step 1 – Access the Admin Console

Open:

https://admin.google.com

Navigate to:

Apps
 → Google Workspace
 → Gmail

Step 2 – Add Simulation IPs to the Gmail Allowlist

Navigate to:

Spam
 → Email Allowlist

Add the simulation platform IP ranges.

Example:

36.50.34.0/24 36.50.35.0/24 129.126.138.112/28 192.82.62.32/27

This prevents Gmail from classifying the emails as spam.

Step 3 – Configure Allowed Sender Domains

Navigate to:

Safety
 → Spoofing and Authentication

Add the simulation domain:

sorbsecurity.com

This reduces phishing detection for the authorized simulation sender.

Step 4 – Verify Message Delivery

Use the email log search:

Reporting
 → Email Log Search

Confirm the message was successfully delivered.

Solution for Zimbra

For Zimbra Collaboration, configuration is typically done using Postfix and SpamAssassin allow lists.

Step 1 – Allow Simulation IP Ranges

Add the vendor IP ranges to the Postfix allow list.

Example configuration:

36.50.34.0/24 OK
36.50.35.0/24 OK
129.126.138.112/28 OK
192.82.62.32/27 OK

Restart mail services:

zmmtactl restart

Step 2 – Whitelist Sender Domain

Edit the SpamAssassin configuration:

/opt/zimbra/conf/salocal.cf

Add:

whitelist_from *@sorbsecurity.com

Restart the spam filtering service:

zmamavisdctl restart

Step 3 – Verify Email Delivery

Send a test phishing simulation email and confirm that it is delivered to the mailbox.

Check mail logs:

/var/log/zimbra.log

Please reach out to wecare@sorbsecurity.com if you have any questions.