Setting Up Whitelisting

Whitelisting Guide

Before you can begin phishing and training your users, you'll need to whitelist KnowBe4 to ensure that our training notifications and simulated phishing security tests (PSTs) successfully reach your users' inboxes. If you don't whitelist our emails properly, they may be blocked or filtered by your mail server or spam filter.

Tip: For Microsoft 365 users, we recommend Microsoft's Advanced Delivery Policies feature. Advanced Delivery bypasses some of Microsoft's security configurations and allows you to create a secure connection for phishing simulations. For more information, see our How to Use Advanced Delivery Policies in Microsoft 365 article.

Whitelisting Best Practices

The whitelisting methods that you'll need to use depend on your organization's mail server and spam filter.

When you whitelist our emails, we recommend that you follow the best practices listed below:

  • If you don't have a cloud-based spam filter, we recommend that you whitelist either our IP addresses or our hostnames in your mail server. For information about whitelisting your mail server, see the Whitelist Your Mail Servers section below.
    Note: You don't need to whitelist both IP addresses and hostnames.
  • If you have a cloud-based spam filter, we recommend that you whitelist by email header in your mail server and whitelist by IP address or hostname in your spam filter. For information, see the Whitelisting Your Mail Servers and Whitelisting Your Email and Web Filters sections below.
    Note: You don't need to whitelist both IP addresses and hostnames.

To see which method is best for your organization, you can use our Whitelisting Wizard.

KnowBe4's IP Addresses, Hostnames, and Headers

See below for a list of our IP addresses or hostnames, and headers. You'll need this information to whitelist your organization's mail server and spam filter.

Important: We recommend that you don't whitelist by both IP address and header in your mail server. If you're unsure which method to use, see our Whitelisting Wizard to find out which whitelisting method is best for your organization.

For accounts located at training.knowbe4.com, ca.knowbe4.com, uk.knowbe4.com, and de.knowbe4.com, see the table below:

| IP Addresses | Messages Sent |
| --- | --- |
| 147.160.167.0/26 | Current IP addresses for training notifications; future IP addresses for PSTs |
| 23.21.109.197, 23.21.109.212 | Current IP addresses for training notifications and PSTs |

Note: "/26" indicates the IP range 147.160.167.0 - 147.160.167.63. If your whitelisting provider doesn't allow for an IP range, each IP in this range will need to be entered individually. For more information, see Microsoft's Understand TCP/IP addressing and subnetting basics article.

Important: Make sure to copy and paste these IP addresses exactly, including any periods or forward slashes.

| Hostnames | Messages Sent |
| --- | --- |
| psm.knowbe4.com | KnowBe4 training notifications and PSTs |

Important: As a security best practice, we recommend that you don't whitelist by email header on your public email endpoint.

| PST Email Header | Email Header Text |
| --- | --- |
| X-PHISHTEST | This is a phishing security test from KnowBe4 that has been authorized by the recipient organization. |

Note: X-PHISHTEST is the default header. If you're using a custom header or header token, you could whitelist by that header. For information on creating a custom header or header token, see our How to Edit Your Account Settings article.

For accounts located at eu.knowbe4.com, see the table below:

| IP Addresses | Messages Sent |
| --- | --- |
| 147.160.167.0/26 | Current IP addresses for training notifications; future IP addresses for PSTs |
| 52.49.201.246, 52.49.235.189, 23.21.109.197, 23.21.109.212 | Current IP addresses for training notifications and PSTs |

Note: "/26" indicates the IP range 147.160.167.0 - 147.160.167.63. If your whitelisting provider doesn't allow for an IP range, each IP in this range will need to be entered individually. For more information, see Microsoft's Understand TCP/IP addressing and subnetting basics article.

Important: Make sure to copy and paste these IP addresses exactly, including any periods or forward slashes.

| Hostnames | Messages Sent |
| --- | --- |
| psm.knowbe4.com | KnowBe4 training notifications and PSTs |

Important: As a security best practice, we recommend that you don't whitelist by email header on your public email endpoint.

| PST Email Header | Email Header Text |
| --- | --- |
| X-PHISHTEST | This is a phishing security test from KnowBe4 that has been authorized by the recipient organization. |

Note: X-PHISHTEST is the default header. If you're using a custom header or header token, you could whitelist by that header. For information on creating a custom header or header token, see our How to Edit Your Account Settings article.
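The best practices and tables above reduce to one rule: bypass filtering on the connecting IP address, and honor the header only for mail that your own cloud spam filter has already relayed. The sketch below is an added example, not KnowBe4 code. It uses the addresses listed for training.knowbe4.com accounts, also expands the /26 for filters that reject CIDR notation, and assumes a hypothetical `via_cloud_filter` flag plus constructed sample deliveries.

```python
import ipaddress

# Sending addresses and default header name as listed on this page
# (accounts at training/ca/uk/de.knowbe4.com).
VENDOR_NETS = [ipaddress.ip_network(n) for n in
               ("147.160.167.0/26", "23.21.109.197/32", "23.21.109.212/32")]
PST_HEADER = "x-phishtest"

def expand(cidr):
    """List every address in a range, for filters that reject CIDR notation."""
    return [str(ip) for ip in ipaddress.ip_network(cidr)]

def from_vendor(connecting_ip):
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in net for net in VENDOR_NETS)

def bypass_decision(connecting_ip, headers, via_cloud_filter):
    """Return (bypass, reason) for one inbound message.

    via_cloud_filter is a hypothetical flag: True when the message reached the
    mail server through the organization's own cloud spam filter connector.
    """
    has_header = any(name.lower() == PST_HEADER for name in headers)
    if from_vendor(connecting_ip):
        return True, "connecting IP is allowlisted"
    if via_cloud_filter and has_header:
        return True, "header rule, scoped to mail relayed by the cloud filter"
    if has_header:
        return False, "header seen on the public endpoint: filter normally"
    return False, "filter normally"

# Constructed sample deliveries: (connecting IP, headers, via_cloud_filter).
SAMPLES = [
    ("147.160.167.63", {"X-PHISHTEST": "constructed"}, False),  # last IP in /26
    ("147.160.167.64", {"X-PHISHTEST": "constructed"}, False),  # just outside
    ("198.51.100.7", {"x-phishtest": "constructed"}, True),     # filter relay
    ("203.0.113.25", {"Subject": "constructed"}, False),        # ordinary mail
]

def run_samples():
    return [bypass_decision(*s)[0] for s in SAMPLES]

if __name__ == "__main__":
    print(len(expand("147.160.167.0/26")), "addresses in the /26")
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], "bypass" if verdict else "filter")
```
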

Whitelisting Your Mail Server

See below for a list of articles that can help you whitelist your organization's mail server. When you whitelist by following the instructions in these articles, you'll need our IP addresses, hostnames, or header information. If you don't see your mail server listed below, contact our support team for assistance.

Note: Your mail server may use rate limiting, which can slow or block the delivery of our PSTs. We recommend that you review the rate-limiting rules for your mail server to ensure that your PSTs will reach your users’ inboxes.

If your mail server is Microsoft 365, see the articles listed below:

If your mail server is Exchange 2007 or 2010, see the articles listed below: 

If your mail server is Exchange 2013, 2016, or 2019, see the articles listed below:

If your mail server is Google Workspace, see the articles listed below:

Note: Due to upcoming changes from Google, we recommend using Direct Message Injection (DMI) as your default whitelisting configuration. For more information about these changes, see Google's Gmail updates.

Important: If you're using Google Workspace, you'll also need to disable the return-path header on our PSTs. For more information, see our How to Change the Return-Path Header in Your Account Settings article.

Whitelisting Your Spam Filter

See below for a list of articles that can help you whitelist your spam filter. When you whitelist by following the instructions in these articles, you'll need our IP addresses, hostnames, or header information.

Note: If you're whitelisting for endpoint web filtering, you may need a list of our phishing and landing domains. For a list of these domains, contact our support team.

Tip: Securence and Mailprotector have whitelisted our IP addresses in their system globally, so you don't need to whitelist our emails for either of these spam filters.

Note: Your spam filter may use rate limiting, which can slow or block the delivery of our PSTs. We recommend that you review the rate-limiting rules for your spam filter to make sure that our PSTs will reach your users’ inboxes.

Running a Test Campaign

Once you've whitelisted by using the recommendations above or by using our Whitelisting Wizard, we recommend creating a test phishing campaign to make sure your whitelisting is working properly.

We recommend that you include only yourself or a small group of users in this campaign. Then, you or the users in the campaign will need to confirm that you've received the PST from the campaign. Finally, you'll need to have a user click a simulated phishing link in the PST to make sure clicks are being tracked successfully. For more information about creating phishing campaigns, see our Creating and Managing Phishing Campaigns article. 

Note: Once you've tested your whitelisting with the test phishing campaign, we recommend that you delete or hide the campaign so it doesn't interfere with your reports or Risk Scores.

Additional Configurations

Once you've whitelisted by following our recommendations, there are additional configurations that you may need to use to whitelist. For more information, see the subsections below. 

Adding KnowBe4 to Your SPF Records

To allow KnowBe4 to send PSTs on your behalf, you can add KnowBe4 to your Sender Policy Framework (SPF) records. For more information, see our Adding KnowBe4 to Your Sender Policy Framework (SPF) Records article.

Adding DKIM Signatures

All of our training notifications include a DomainKeys Identified Mail (DKIM) signature automatically. For accounts in the US, the signing domain is training.knowbe4.com and for accounts in the EU, the signing domain is eu.knowbe4.com.

You can also add a DKIM signature to our PSTs. For more information, see our How to Enable and Customize DKIM Signatures article.

Avoiding Link Testing and Intent Analysis

Sometimes, common spam filters such as Barracuda, Symantec, Websense, and MessageLabs will have link-following or link-inspection options. If enabled, these options may result in skewed click-through rates or click-through rates showing 100%.

You can whitelist or exempt our emails from being affected by these options. You can also disable these options for the duration of a phishing campaign. For more information, see our Showing 100% Click Through on Phishing Tests article.

Using Smart Hosting

If you can't whitelist our mail servers or your spam filter impacts the delivery of PSTs, you can allow our emails to bypass your spam filter by using smart hosting. For more information, see our Smart Hosting for Phishing Security Tests article.

Important: After smart hosting, post-delivery inbox filtering may still interfere with email delivery or attachment functionality.

Troubleshooting

If you're experiencing issues with whitelisting, we recommend that you see our Whitelisting Wizard. Additionally, see the subsections below for troubleshooting situations that can help you.

If you don't see the issue you're looking for, contact our support team for assistance.

Email from KnowBe4 Sent to Junk or Spam

We may send you emails about updates to our products, such as new features and templates, or our employees may check in with you to see how things are going. To make sure these emails aren’t sent to your Junk or Spam folder, you can whitelist emails from knowbe4.com and knowbe4.mail.intercom.io.

If you're using Microsoft 365, see our Whitelisting emails from KnowBe4 in Microsoft 365 article for more information. If you’re using Google Workspace, see our Whitelisting by IP Address in Google Workspace article for more information.

Third-Party Whitelisting Assistance

Our support team will provide whitelisting assistance as much as possible. However, because there are many different spam-filtering services and mail server providers, we recommend that you contact your service provider for assistance.

If you would like, you can use the template below to send a request to your service provider's support team:

Our organization uses KnowBe4, a security awareness training platform that provides simulated phishing tests and training for our employees. We would like to whitelist all of KnowBe4’s simulated phishing tests and training notifications to ensure they successfully reach our employees' inboxes. Please provide us with any whitelisting assistance that may help.
