
Phishing go-live checklist

A final checklist to make sure you're ready to launch CybSafe PHISH.

Written by Robert Shough
Updated this week

The last thing you want is a missed step or configuration problem stopping you in your tracks.
This checklist covers everything you need to tick off before going live. Some steps are optional depending on your setup.



Core concepts

  • Allow listing: Configuring your email security tools to let CybSafe simulation emails through without being blocked, quarantined, or scanned.

  • Test campaign: A campaign sent only to yourself (using the Test campaign feature) or to a small admin group (a filtered phishing campaign) to confirm emails are being delivered correctly.

  • Pilot campaign: A small-scale campaign sent to a subset of people to validate delivery across different setups before a full rollout.

  • Report button integration: Connecting your existing phishing report button (Microsoft, Google, or third-party) to send reporting data back to CybSafe.


High-level checklist

  1. Allowlisting

  2. Report phishing button integration

  3. Run a test campaign

  4. Mark allowlisting as complete

  5. Run a pilot campaign

  6. Create custom templates

  7. Create custom landing pages

  8. Create custom intervention pages

  9. Plan your communication


Allow listing

Allow listing is the foundation of successful phishing simulation delivery.

How you configure it depends on your infrastructure and security tooling.

Read our detailed allow listing guide for full instructions.

Microsoft 365 environments

Exchange connector
Configure an Exchange connector if this is your preferred method; it is ours!
Read more here.
You can also simply allow list our IPs and links in all your email tooling.

Defender advanced delivery
Add our IPs to the Advanced delivery page in Microsoft Defender.
This is essential for Microsoft 365 customers and tells Defender to trust our simulation emails.

Safe links policy
Add our links as exceptions to your Safe links policy.
Without this, Microsoft may rewrite our URLs, which breaks click tracking.

Anti-phishing policy
Make sure any anti-phishing policies don't block our emails.
Check for impersonation protection rules that might flag our sender domains.

Mimecast environments

If you use Mimecast, you'll need to configure several exceptions:

  1. Add us as an exception from your anti-spoofing policy.

  2. Define us as a permitted sender by adding a new policy.

  3. Add us as an exception to your URL protection policy.

  4. Add us as an exception to your impersonation protection policy.

Each of these is critical. Missing even one can cause delivery failures or tracking problems.

Google Workspace environments

Add our IPs as exceptions in Google Workspace's spam, phishing, and malware configuration. Google handles allow listing differently from Microsoft, so make sure you follow our Google-specific guide.


Proofpoint environments

If you use Proofpoint, you'll need to configure several exceptions:

  1. Add our IPs to the Safe Sender List at account level.
    This tells Proofpoint to trust emails from our sending infrastructure.

  2. Add us as an exception to your anti-spoofing policy.
    Without this, Proofpoint may flag our simulation emails as spoofed.

  3. Add our link domains to your URL protection and/or URL defence policy as exceptions.
    This prevents Proofpoint from rewriting our URLs, which breaks click tracking.

Proofpoint's configuration interface varies between Proofpoint Essentials and Proofpoint Enterprise, so the exact steps depend on which version you use.
Consult Proofpoint's documentation for your specific setup.

Link inspection exceptions (all environments)

Add our link domains to any safe link or URL inspection policy exceptions:

  • l.cs-mail-sender.com – used in phishing simulation emails

  • cs-portalintranet.com – used for landing pages

This is crucial. Network devices, proxies, and email security tools often inspect links automatically. Without these exceptions, those inspections register as clicks in your reports, creating false positives.
You'll see "clicks" from people who never actually clicked anything.

If you're seeing multiple clicks happening at exactly the same time, or clicks registering within seconds of email delivery, link inspection is almost certainly the cause. You can obtain the IP address registered for the click from the Phishing report > Activity Log to identify which tool within your infrastructure requires further allowlisting.

Important: Microsoft and Google require different email delivery configurations. Make sure your CybSafe platform settings match your email provider.
Microsoft 365 customers should use the "Default" configuration, while Google customers need "Expanded domains".
Check our platform settings guide for details.


Set up report button integration (recommended)

We strongly recommend connecting your existing phishing report button to CybSafe. This captures simulation reporting behaviour and gives you accurate data on how your people respond to suspicious emails.

Why this matters

Without this integration, you'll only see who clicked or submitted data. You won't know who correctly identified and reported the simulation.
Reporting behaviour is arguably the most valuable metric for measuring security awareness.

How to set it up

Configure your report button to forward reported emails to CybSafe. The setup process varies depending on whether you use:

  • Microsoft's built-in Report button

  • Google's Report phishing button

  • A third-party button.

Read our report button integration guide for step-by-step instructions.

A note on Outlook Classic mode

If your organisation uses Outlook desktop, be aware that some people may have "Classic mode" enabled. This setting buries third-party report buttons in the interface, making them hard to find.
People in Classic mode often don't report suspicious emails simply because they can't locate the button.

If you're seeing lower-than-expected report rates from certain groups, this could be the cause.
You might need to communicate where to find the report button for people using Classic mode, or work with your IT team to standardise Outlook settings.

Test the integration

Don't skip this step. After configuring the integration:

  1. Send yourself a test campaign.

  2. Report the email using your report button.

  3. Check CybSafe to confirm the report appears.
    Be mindful of our report pages' refresh rate; typically they refresh every hour.


Run a test campaign to yourself

Before involving anyone else, run a test campaign to your own email address. This confirms that allow listing is working and emails are being delivered.


What to test

Send yourself a simulation email and check each stage:

  1. Delivery: Did the email arrive in your inbox? (Not spam or quarantine)

  2. Open tracking: Does CybSafe register the email as opened?

  3. Click tracking: Click the link and check it registers in CybSafe.
    If more than one click registers, check that your link inspection exceptions are in place.

  4. Landing page: Does the landing page load correctly?

  5. Data submission: Enter data into the fake landing page and check that the submission shows in the reporting.

  6. Reporting: Report the email and confirm it appears in CybSafe.

Monitoring delivery

You can track email status in the Phishing activity log.
Note that this report can take up to an hour to refresh, so don't worry if events don't appear immediately.


Mark allow listing as complete

Once you've confirmed test emails are being delivered, clicked, and interacted with, click "Mark as complete" on the CybSafe IP settings banner on the PHISH page.

Without completing this step, phishing emails won't be sent when you create campaigns. This is a common oversight that catches people out.


Run a pilot campaign

Before rolling out to your whole organisation, run a pilot campaign to a small group of people.
This catches any delivery issues that might not affect your admin account.

Who to include

Pick a diverse group that represents your organisation:

  • People from different departments.

  • People in different locations or offices.

  • People with different email clients (Outlook desktop, Outlook web, mobile).

  • People with a different setup or from a known unique infrastructure.

This variety helps you catch edge cases. Some delivery issues only affect specific configurations or a location's unique infrastructure.

How to create a pilot

Create a normal campaign, but limit the audience to your pilot group. You can do this by:

  • Creating a specific audience group for your pilot.

  • Using filters to select a subset of people.

⚠️🚨 Double-check your audience before launching. If you don't limit it, you might accidentally send simulations to your entire organisation. 🚨⚠️
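A pre-launch check for the pilot audience can be scripted against an export of your people directory. The following is an added example, not a CybSafe feature or code: it assumes each person record carries `email`, `department`, `location` and `client` fields (an assumption about your export), confirms the proposed audience is a small share of the organisation, and reports which departments, locations or email clients the pilot would leave uncovered. The people list is constructed.

```python
"""Sanity-check a pilot audience before launching a campaign.

Checks two things the go-live checklist asks for:
  1. the audience is a small fraction of the organisation (not everyone)
  2. the audience covers every department, location and email client,
     so configuration-specific delivery problems surface in the pilot
"""

# Constructed people directory; field names are an assumption about your export.
PEOPLE = [
    {"email": "alice@example.com", "department": "Finance", "location": "London", "client": "Outlook desktop"},
    {"email": "bob@example.com", "department": "Finance", "location": "London", "client": "Outlook web"},
    {"email": "carol@example.com", "department": "Engineering", "location": "Manchester", "client": "Outlook desktop"},
    {"email": "dave@example.com", "department": "Engineering", "location": "Manchester", "client": "Mobile"},
    {"email": "erin@example.com", "department": "Sales", "location": "Berlin", "client": "Outlook web"},
    {"email": "frank@example.com", "department": "Sales", "location": "Berlin", "client": "Mobile"},
    {"email": "grace@example.com", "department": "HR", "location": "London", "client": "Outlook desktop"},
    {"email": "heidi@example.com", "department": "HR", "location": "Berlin", "client": "Outlook web"},
    {"email": "ivan@example.com", "department": "Engineering", "location": "London", "client": "Mobile"},
    {"email": "judy@example.com", "department": "Finance", "location": "Manchester", "client": "Outlook web"},
]

DIMENSIONS = ("department", "location", "client")


def check_pilot_audience(people, audience_emails, max_share=0.10, dimensions=DIMENSIONS):
    """Return a report dict: ok, size, share, warnings and per-dimension gaps."""
    known = {p["email"] for p in people}
    audience_emails = set(audience_emails)
    audience = [p for p in people if p["email"] in audience_emails]
    warnings = []

    # Addresses that are not in the directory cannot be checked at all.
    unknown = sorted(audience_emails - known)
    if unknown:
        warnings.append(f"{len(unknown)} address(es) not found in directory: {', '.join(unknown)}")

    # Guard against the "forgot to limit the audience" mistake.
    share = len(audience) / len(people) if people else 0.0
    if share > max_share:
        warnings.append(f"audience is {share:.0%} of the organisation (limit {max_share:.0%})")

    # Every value of every dimension should appear at least once in the pilot.
    uncovered = {}
    for dim in dimensions:
        missing = sorted({p[dim] for p in people} - {p[dim] for p in audience})
        if missing:
            uncovered[dim] = missing
            warnings.append(f"no pilot member for {dim}: {', '.join(missing)}")

    return {"ok": not warnings, "size": len(audience), "share": share,
            "warnings": warnings, "uncovered": uncovered}


if __name__ == "__main__":
    proposed = ["alice@example.com", "dave@example.com", "erin@example.com", "grace@example.com"]
    report = check_pilot_audience(PEOPLE, proposed, max_share=0.5)
    print("OK" if report["ok"] else "NOT OK", report["size"], "people")
    for w in report["warnings"]:
        print(" -", w)
```

The `max_share` default of 10% is a placeholder; choose a figure that matches your organisation's size. A report that is not OK does not mean the pilot must be blocked, only that you should consciously decide to proceed with the gaps listed.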


Create custom templates (optional)

You can create custom phishing email templates to match your organisation's context.
Custom templates can reference internal systems, brand names, or topical events that make simulations more realistic.


Create custom landing pages (optional)

Custom landing pages let you control what people see after clicking a simulation link. You might include a specific example of a page your organisation typically uses.
We recommend making it really obvious it is a fake!


Create custom intervention pages (optional)

Custom intervention pages appear to people who interact with simulations. These are your opportunity to turn a "gotcha" moment into a learning moment.

Note: Only one intervention page can be active on your account at a time.

Make sure you enable the right one before launching.


Plan your communication (recommended)

Before launching, think about how (and whether) you'll communicate with your people about phishing simulations.

Should you tell people simulations are coming?

This depends on your organisation's culture and goals.
Some organisations prefer surprise simulations to get "realistic" data.
But research shows this approach can backfire, creating distrust and anxiety rather than better security behaviour.

CybSafe recommends being transparent.
Let people know simulations are part of your security programme.
You don't need to announce specific timing, but being upfront about the purpose helps:

  • Build trust rather than a "gotcha" culture.

  • Frame simulations as learning opportunities, not tests.

  • Reduce anxiety and negative reactions when people do click.

  • Encourage reporting rather than hiding mistakes.

What to communicate

If you do communicate, consider covering:

  • Why you're running simulations (to help people, not catch them out).

  • What happens if someone clicks (learning, not punishment).

  • How to report suspicious emails using your report button.

  • Where to go with questions or concerns.

Keep the tone supportive. The goal is building a culture where people feel comfortable reporting suspicious emails and admitting mistakes.


CybSafe recommends

Every organisation's setup is different, but here are our tips:

  • Don't skip the pilot.
    Running a small pilot catches delivery issues before they affect hundreds of people. Include people with varied setups and locations.

  • Configure report button integration before going live.
    Reporting behaviour is your most valuable metric. Without it, you're missing half the picture.

  • Avoid forwarding simulation emails to report them.
    When someone forwards a simulation email and another person (or tool) interacts with it, those actions get recorded against the original recipient.
    This creates false positives; use a report button integration instead.

  • Watch for auto-forwarding rules.
    Some people set up auto-forwarding to personal email addresses.
    When they receive a simulation, it gets forwarded to their personal account, where external security tools scan and "click" the links.
    This creates false positives against the original recipient, and you won't know why. If you see repeat clickers with suspicious patterns, auto-forwarding is worth investigating.

  • Watch out for security tool interference.
    Email security tools often scan emails automatically, which can register as opens and clicks in your reports. If you see multiple opens and clicks happening at exactly the same time, it's likely a security tool, not a person.
    Allow listing should prevent this, but it's worth checking.

  • Test thoroughly before full rollout.
    Send test campaigns to yourself first, then run a pilot.
    This two-step approach catches most problems before they affect your broader audience.

  • Be transparent with your people.
    Let them know simulations are part of your security programme.
    Frame it as learning, not testing. This builds trust and encourages reporting.


Troubleshooting delivery issues

Sometimes emails don't arrive as expected, even with correct allow listing.
Here's what to check.

Emails delayed or not arriving

If simulation emails are taking a long time to arrive (or not arriving at all), several things could be happening:

Check your allow listing first.
Most delivery problems come back to incomplete allow listing. Double-check every policy and tool in your environment.

Large campaign volumes. Sending to thousands of people at once can trigger throttling with your mail server.
Consider spreading large campaigns over multiple days or times.

What to do if delivery problems persist

If you've verified your allow listing and emails still aren't arriving:

  1. Check the Phishing activity log for delivery status.

  2. Look for patterns (specific domains, locations, or email clients affected).

  3. Contact CybSafe support with details of the issue.
    We can check our email provider logs to see what's happening on our end.

We can help investigate and provide additional information to help your internal troubleshooting.


FAQ

Why are emails showing as opened when people haven't opened them?
This usually means a security tool is scanning emails before they reach inboxes. The scanning triggers our tracking as an "open".
Check your allow listing configuration, particularly for tools like Mimecast, Proofpoint, or Defender that scan email content.

Why do I see clicks and credential submissions at the exact same time?
Security tools sometimes "click" links and even submit test data to landing pages as part of their scanning. If you see multiple events happening simultaneously, it's almost certainly automated scanning rather than human behaviour.
Make sure you've allow listed our domains in all your security tools.

How long does it take for the activity log to update?
The Phishing activity log can take up to an hour to refresh.
If you've just sent a test campaign, give it some time before troubleshooting.

What if my test emails are going to spam or quarantine?
This means your allow listing isn't configured correctly.
Check that you've added our IPs and domains to all relevant policies in your email security tools.
Microsoft 365 customers should make sure they've configured the Advanced delivery page in Defender.

Can I send simulations to people on personal email addresses?
We don't recommend this. Simulations should only go to corporate email addresses where you have appropriate allow listing configured. Sending to personal addresses (like Gmail or Yahoo) will likely result in emails being blocked or marked as spam.

What happens if someone forwards a simulation email?
If someone forwards a simulation to another person or to a shared mailbox, any interaction with that forwarded email gets recorded against the original recipient.
This creates inaccurate data. Encourage people to use the report button rather than forwarding suspicious emails.

Why isn't my report button integration working?
First, check you've configured it correctly by following our integration guide.
Check that your mail flow rules are configured correctly and that you're using the right report button (Microsoft's built-in button vs add-ins have different configurations).
The priority of the rule and any rules that run before it may affect the reporting rule. Check the priority, and also check for any earlier rules that stop processing of further rules.

Can I run campaigns during specific times only?
Yes. When creating a campaign, you can set operating hours to control when emails are sent.
CybSafe will also respect individual time zones if you've imported this data from your identity provider.

My emails are being delayed by hours. What's happening?
Email providers like Microsoft sometimes throttle connections, which delays delivery. This can happen even with correct allow listing if the volume of incoming emails is large.
If delays are significant (more than a few hours), contact CybSafe support so we can investigate on our end.

Should I tell people we're running simulations?
We recommend being transparent. Let people know simulations are part of your security programme without announcing specific timing.
This builds trust and frames simulations as learning opportunities rather than tricks.
