How to Whitelist by Content Compliance in Google Workspace
You can bypass Google Workspace's spam filters by applying a content compliance rule to our IP addresses. This rule will allow our simulated phishing emails to be delivered to your user's inboxes. The Content Compliance whitelisting method involves two steps in Google Workspace: adding KnowBe4's IP addresses to the Email Whitelist, and enabling whitelisting by Content Compliance.
Content compliance is an alternative method to whitelisting by IP address in our Whitelisting by IP Address in Google Workspace article. We recommend using the content compliance method if you have an existing inbound gateway to use the content compliance rule or if you are unable to configure the inbound gateway.
Note: This article reflects current best practices for whitelisting with your provider. Please be aware that your mail service provider may make changes to how their systems analyze our emails at any time. If you are experiencing issues whitelisting using the procedure below, contact our support team.
This method of whitelisting is a two-part process. To navigate to the steps for each part of the process, click the jump links below.
Add KnowBe4's IP Addresses to Your Google Workspace Whitelist
First, you’ll need to add KnowBe4’s IP addresses to your IP allow list for Google Workspace. Once you add KnowBe4’s IP addresses to your IP allow list, you can enable whitelisting by content compliance.
Note: These instructions in this section were gathered from Google's Email Whitelist in Google Workspace article.
To add KnowBe4’s IP addresses to your Google Workspace whitelist, follow the steps below:
- Log in to the Google Admin portal and click Apps.
- Click Google Workspace.
- Click Gmail.
- Click Spam, Phishing and Malware.
- Under the Organizational Unit section, highlight your domain. Do not select a sub-organizational unit (OU).
Note: Google Workspace does not allow whitelisting by IP address for individual OUs. You can only whitelist by the entire domain.
- In the Email whitelist section, enter our IP addresses. Make sure to separate each IP address with a comma. For a current list of our IP addresses, see the IP Addresses, Hostnames, and Header Information section of our Whitelisting by Content Compliance in Google Workspace article.
- Click Save.
Enable Whitelisting by Content Compliance
After you have added KnowBe4’s IP addresses to your Google Workspace whitelist, you can enable whitelisting by content compliance.
Note: The instructions provided were gathered from Google’s Set up rules for advanced email content filtering article.
To enable whitelisting by content compliance, follow the steps below:
- Log in to your Google Admin portal and select Apps.
- Select Google Workspace.
- In the Showing status for apps in all organizational units area, click Gmail.
- In the Gmail area, click Compliance.
- Navigate to the Content compliance section.
- Click Add a Rule.
Note: If you have previously created a content compliance rule, this option will be called Add Another Rule.
After you click Add a Rule or Add Another Rule, configure your content Content compliance by following the steps below:
- In the Email Messages to Affect area, select the Inbound check box.
- In the If ANY of the following match the message area, create an expression with the following settings:
- From the first drop-down menu, select Metadata match.
- From the Attribute drown-down menu, select Source IP.
- From the Match type drop-down menu, select Source IP is within the following range.
- In the Source IP is within the following range field, enter one of KnowBe4's IP addresses. For the most up-to-date list of our IP addresses, see the IP Addresses, Hostnames, and Header Information section of our Whitelisting Data and Anti-Spam Filtering Information article.
- Click Save.
- Repeat the three steps above for each of our IP addresses.
- In the If ANY of the following match the message section, add another expression with the settings in the screenshot and list below:
- From the first drop-down menu, select Advanced content match.
- From the Location drop-down menu, select Full headers.
- From the Match type drop-down menu, select Contains text.
- In the Content field, enter "X-PHISHTEST".
- Click Save.
- In the If the above expressions match, do the following area, select the check boxes in the screenshot and list below:
- Under Spam, select the Bypass spam filter for this message check box.
- Under Encryption, select the Require secure transport (TLS) check box.
Note: If your organization uses Google Workspace, you’ll also need to disable the return-path header in your KMSAT Account Settings before sending phishing tests. For more information, see our How to Change the Return-Path Header in Your Account Settings.