
How to guide: PHISH allowlisting for Google

A how-to guide for allowlisting PHISH for Google technology stacks

Written by Sam Hopwell
Updated over a week ago

Introduction

This guide shows you how to make all the necessary allowlisting changes to ensure emails from CybSafe PHISH reach people in your organisation.

This guide is based on a setup using Google Workspace and Gmail.

Updated February 2026 — additional configuration steps required to resolve PHISH email delivery issues with Google Workspace

Why has this guide been updated?

In February 2026 Google changed the way it handles emails from our sending IP addresses, which has caused delivery issues for some customers running phishing simulations. The additional steps in this guide (configuring a spam filter bypass rule and an inbound gateway) are required to ensure CybSafe PHISH emails continue to land in your users' inboxes without being quarantined or flagged with spam warnings.

Direct Mail Injection (DMI) coming soon

We are also working on introducing Direct Mail Injection (DMI) as an alternative delivery method for Google Workspace customers. DMI bypasses traditional email routing entirely by injecting phishing simulation emails directly into users' mailboxes via the Gmail API, removing the need for IP allowlisting and gateway configuration. This feature will be available soon — watch for updates in our release notes.

If you use an external email scanning service (e.g. FireEye ETP, Mimecast, MessageLabs or Proofpoint), you will also need to allow CybSafe emails on their system. Please consult their documentation for details — links are provided in the additional resources section below.


Step-by-Step Guide

Step 1: Add CybSafe IPs to the Email Allowlist

As a Google Workspace admin, go to Spam, Phishing and Malware, or navigate to:

Google Admin → Google Workspace → Gmail → Spam, phishing and malware

Under Email allowlist, add the following IPs:

54.78.3.99, 54.74.7.50, 34.254.53.189, 34.252.200.43, 34.246.164.195

Save your changes.


Step 2: Create a Spam Filter Bypass Rule

Still within Spam, phishing and malware, scroll to the Spam section and create a new setting (or edit an existing one). Name it CybSafe PHISH.

Configure the following:

Options:

  • Leave "Be more aggressive when filtering spam" unchecked

  • Leave "Put spam in administrative quarantine" unchecked

Options to bypass filters and warning banners:

  • Check — "Bypass spam filters for internal senders"

  • Leave unchecked — "Bypass spam filters for messages from senders or domains in selected lists"

  • Check — "Bypass spam filters and hide warnings for messages from senders or domains in selected lists"

    • Click "Use existing list" or "Create or edit list" and add the CybSafe Phishing Domains list. If the list doesn't exist yet, create it and add all CybSafe phishing sending domains (available from the CybSafe Allowlisting Reference Guide). Note you can bulk insert the domains when creating a new list. There is a comma-separated list of domains available at the bottom of the reference guide.

  • Leave unchecked — "Bypass spam filters and hide warnings for all messages from internal and external senders (not recommended)"

Click Save.



Step 3: Configure the Inbound Gateway

Navigate to:

Google Admin → Google Workspace → Gmail → Spam, phishing and malware → Inbound gateway

Enable the inbound gateway and configure the following:

1. Gateway IPs

Add each of the following IP addresses individually:

IP Address

  • 54.78.3.99

  • 54.74.7.50

  • 34.254.53.189

  • 34.252.200.43

  • 34.246.164.195


Then configure the remaining options:

  • Leave unchecked — "Automatically detect external IP (recommended)"

  • Leave unchecked — "Reject all mail not from gateway IPs"

  • Check — "Require TLS for connections from the email gateways listed above"

2. Message Tagging

  • Check — "Message is considered spam if the following header regexp matches"

  • In the Regexp field, enter the following value exactly:

(\\W|^)(thisisatestnotmatch)(\\W|$)

  • Select "Message is spam if regexp matches"

  • Check — "Disable Gmail spam evaluation on mail from this gateway; only use header value"

Click Save.



Step 4: Configure External Mail Scanning Services (if applicable)

If you use an external mail scanning service (e.g. Mimecast, Proofpoint, FireEye ETP), make the necessary allowlisting changes there as well. See additional resources below for guidance.

You may also want to consider adding a custom spam filter.


Step 5: Test Your Changes

Use the test phishing campaign feature on CybSafe to verify that emails are being delivered correctly to your users' inboxes without spam warnings.
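An added check for Steps 1, 3 and 5 (example code, not CybSafe's or Google's): because Step 3 disables Gmail spam evaluation for mail from the gateway IPs, it is worth confirming that the entries you typed are exactly the five single addresses in this guide, and that a test email's Received header shows one of them. The function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import re

# The five sending IPs listed in Steps 1 and 3 of this guide.
GUIDE_IPS = {"54.78.3.99", "54.74.7.50", "34.254.53.189",
             "34.252.200.43", "34.246.164.195"}


def audit_entries(entries):
    """Compare configured allowlist or gateway entries with the guide's IPs."""
    report = {"too_broad": [], "unexpected": [], "invalid": [], "missing": []}
    seen = set()
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            report["invalid"].append(text)
            continue
        if net.num_addresses > 1:
            report["too_broad"].append(text)      # range, not a single host
        elif str(net.network_address) in GUIDE_IPS:
            seen.add(str(net.network_address))
        else:
            report["unexpected"].append(text)     # host the guide does not list
    report["missing"] = sorted(GUIDE_IPS - seen)
    return report


def received_from_guide_ip(received_header):
    """Return the bracketed IPv4 address in a Received header if it is one of
    the guide's IPs, otherwise None."""
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_header)
    if match and match.group(1) in GUIDE_IPS:
        return match.group(1)
    return None


if __name__ == "__main__":
    # Constructed input: entries as an admin might have typed them.
    typed = "54.78.3.99, 54.74.7.50, 34.254.53.0/24, 34.252.200.43, 10.0.0.5"
    print(audit_entries(typed.split(",")))
    # Constructed Received header from a hypothetical test message.
    hdr = "Received: from mail.example.test (mail.example.test. [54.78.3.99]) by mx.example.test"
    print(received_from_guide_ip(hdr))
```

Any entry reported under too_broad or unexpected widens the set of senders whose mail skips spam evaluation beyond what this guide lists.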


Additional resources
