Advanced Delivery Policies in Microsoft Defender for Office 365

In this article, you'll learn how to whitelist KnowBe4 using advanced delivery policies, Microsoft's recommended method for whitelisting our Phishing Security Tests (PSTs). If you prefer video tutorials, you can also watch our Whitelisting by Advanced Delivery Policies in Microsoft 365 video. For more information, see Microsoft's article on advanced delivery policies.

Important: Some whitelisting functions may be limited to customers outside of the US, which may cause issues when using the KMSAT console.

If your messages still aren’t delivering after configuring your advanced delivery policy, we recommend setting up smart hosting. Without smart hosting, some filters cannot be disabled, which may impact the delivery of PSTs. Smart hosting PSTs allows you to bypass these filters.

Important: If your domain's mail exchange (MX) record does not point to Microsoft 365 and emails are routed to another domain before your domain, you’ll need to create a smart host.

To configure your advanced delivery policies, you'll need to ensure you have the appropriate permissions in your Microsoft 365 account and settings in your KnowBe4 account.

Note: Before you can configure your advanced delivery policies, you’ll need to copy up to 30 phish link root domains you currently use or plan to use for PSTs and save these in a place you can access later. We also recommend you hide any root domains you’re not using in your advanced delivery policies. For more information, see our Manage Phish Link Domains article.

Update Your Microsoft 365 Permissions

To create, modify, or remove settings in an advanced delivery policy, you’ll need to be a member of the Security Administrator role group in the Microsoft Security & Compliance Center and the Organization Management role group in Microsoft Exchange Online.

For read-only access to an advanced delivery policy, you’ll need to be a member of the Global Reader or Security Reader role groups. For more information about Microsoft permissions, see Microsoft’s Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online articles.

Important: To have the best experience with advanced delivery policies, we also recommend adding KnowBe4 to your domain's Sender Policy Framework (SPF) record. For more information, see our Add KnowBe4 to Your Sender Policy Framework (SPF) Record article.

Update Your KnowBe4 Account Settings

To configure an advanced delivery policy for KnowBe4, you’ll need to first update your DKIM settings in your KnowBe4 account by following the steps below.

Important: If you're using the free PST, contact our support team for a list of phishing domains.
  1. Log in to your KnowBe4 account, then navigate to Account Settings > Phishing > Phishing Settings.
  2. In the Phishing Email Headers section, select the Enable DKIM Signature check box.
  3. Ensure the Use KnowBe4's Signing Domain setting is selected.
  4. Click Save DKIM Settings.

Add Your Advanced Delivery Policy

To add your advanced delivery policy, follow the steps below:

  1. Log in to your Microsoft 365 account.
  2. From the menu on the left side of the page, select Admin. You'll be taken to the Microsoft 365 admin center.
  3. Navigate to Admin centers > Security. Or, you can log in directly to your Microsoft 365 Defender portal.
  4. Under the Email & collaboration section, navigate to Policies & rules > Threat policies > Advanced delivery.
  5. On the Advanced delivery page, select the Phishing Simulation tab.
  6. Click the Edit icon.
    Important: If you don't have any configured phishing simulations, click the Add icon.
  7. In the Edit third-party phishing simulation modal, adjust the following settings. You should use the settings for your specific region:
    1. Domain: Enter the sending domains for your specific region using the table below.


    2. Sending IP: Enter the sending IP addresses for your specific region using the table below.
      Region | IP Addresses
    3. Simulation URLs to allow: Paste your phish link root domains you copied earlier. Adjust the format to the recommended URL format syntax: **.
  8. (Optional) To spoof your domain or to use spoofing in the delivery of PSTs, you will need to add the spoof intelligence policy from our Spoof Intelligence Allow/Block List for Microsoft 365 article.
Tip: To ensure that you have whitelisted correctly, see our Verify Your Whitelisting article.
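
The portal steps above can also be applied and read back from PowerShell. This is an added example, not KnowBe4's or Microsoft's own script; it assumes the ExchangeOnlineManagement module is installed, and every domain, IP address, and URL in it is a placeholder.

```powershell
# Added example; every value below is a placeholder. Substitute the regional
# sending domains/IPs and the phish link root domains from your KnowBe4 account.
$Domains = @('sending-domain.example')           # placeholder
$Ips     = @('192.0.2.10', '198.51.100.0/24')    # placeholder (documentation ranges)
$Urls    = @('phish-link-root.example')          # placeholder; use the syntax from step 7.3

if ($Urls.Count -gt 30) { throw 'More than 30 phish link root domains supplied.' }

# Returns configured entries that are not in the expected list (string comparison).
function Get-Unexpected($Configured, $Expected) {
    @($Configured | Where-Object { $_ -and "$_" -notin $Expected })
}

# Steps 5 to 7.2: the policy and rule live in Security & Compliance PowerShell.
Connect-IPPSSession
if (-not (Get-PhishSimOverridePolicy)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy | Out-Null
}
if (-not (Get-ExoPhishSimOverrideRule)) {
    New-ExoPhishSimOverrideRule -Policy PhishSimOverridePolicy `
        -Domains $Domains -SenderIpRanges $Ips | Out-Null
}
$rule = Get-ExoPhishSimOverrideRule
$extraDomains = Get-Unexpected $rule.Domains $Domains
$extraIps     = Get-Unexpected $rule.SenderIpRanges $Ips

# Step 7.3: simulation URLs are Tenant Allow/Block List entries (Exchange Online PowerShell).
Connect-ExchangeOnline
$current = @(Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery)
$missing = @($Urls | Where-Object { $_ -notin $current.Value })
if ($missing.Count -gt 0) {
    New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery `
        -Entries $missing -NoExpiration | Out-Null
    $current = @(Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery)
}
$extraUrls = Get-Unexpected $current.Value $Urls

# Each unexpected entry widens the filter bypass beyond the simulation; review it.
[pscustomobject]@{
    UnexpectedDomains = $extraDomains
    UnexpectedIps     = $extraIps
    UnexpectedUrls    = $extraUrls
} | Format-List
```

An empty result in all three fields means the advanced delivery policy contains only the entries you intended to allow.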
