
How to allow phishing simulations using email headers on Google Workspace / Google Apps?

To ensure that your employees receive our phishing simulation emails directly in their inbox and not in spam, you need to authorize our phishing simulations.

This procedure allows you to authorize our phishing simulations on your employees' email addresses by identifying our simulations through a specific header on Google Workspace / Google Apps.

This method is recommended only if you have a filtering solution upstream of your receiving mail servers. In practice, this means whitelisting our IP on your anti-phishing filter and then applying the header procedure on Google Workspace.

If you don't have an upstream filtering solution for your emails, always prefer an IP address-based whitelisting procedure.

Remember to authorize our header or IP on your anti-spam or anti-phishing service to ensure the proper reception of our simulations.

Step 1: Log in to the Google Workspace/Google Apps admin console
Step 2: Access the Gmail compliance settings
Step 3: Add a compliance rule in Gmail
Step 4: Test the successful receipt of phishing simulations


To be able to carry out this procedure, you must have access to the admin console of your Google Workspace/Google Apps account.

Step 1: Log in to the Google Workspace/Google Apps admin console

Go to to access your admin console.

Step 2: Access the Gmail compliance settings

Click on Applications

Select Google Workspace

Click on Gmail

Select Compliance at the bottom of the page.

Step 3: Add a compliance rule in Gmail

Navigate to the Content compliance section

Click on Configure or Add another rule

Give a name to this rule. For example: Arsen - phishing simulation authorization

Select the emails affected by this rule: Inbound and Internal - Received

Under Add expressions that describe the content to be searched in each message, select If ANY of the following elements match the message

Click on Add

In the new window, select Advanced content match.

In Position, choose Full headers.

In Match type, select Contains text.

In Content, enter the header corresponding to your account. This header is specific to your account; click here to learn how to set up the header in your account.

Click on Save.

In the sub-menu If the above expressions match, take the following action, leave Edit the message selected, then check the box Ignore the spam filter for this message.

Click on Save.

Step 4: Test the successful receipt of phishing simulations

The modified settings above may take up to an hour to take effect.

We recommend that you launch a test campaign on a limited number of addresses that you control to ensure the successful receipt of our phishing simulations.

Given the propagation time of the new settings, plan to perform this test one hour after executing this procedure.
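
The following is an added example, not part of the original article or of Arsen's tooling: a local check you can run on the raw source of a delivered test simulation and a few ordinary messages, to confirm that the Content string entered in Step 3 matches the simulation and nothing else. It only approximates a "Full headers" / "Contains text" rule as a substring search over the unfolded header block; the header name, its value, the sample messages and the 16-character minimum are constructed assumptions.

```python
import re

MIN_MARKER_LEN = 16  # assumption: shorter strings match unrelated mail too easily


def header_block(raw: bytes) -> str:
    """Return the header section of a raw message with folded lines joined."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("utf-8", "replace")
    # A line break followed by a space or tab continues the previous header.
    return re.sub(r"\r?\n[ \t]+", " ", head)


def rule_matches(raw: bytes, content: str) -> bool:
    """Local approximation of a 'Full headers' + 'Contains text' rule."""
    return content in header_block(raw)


def review_rule(content: str, simulation: bytes, ordinary: list[bytes]) -> list[str]:
    """List reasons the Content string is unsafe or ineffective (empty = OK)."""
    findings = []
    if len(content) < MIN_MARKER_LEN:
        findings.append("content string is short; enter the full account-specific header")
    if not rule_matches(simulation, content):
        findings.append("test simulation does not match; it would still be spam-filtered")
    for i, msg in enumerate(ordinary):
        if rule_matches(msg, content):
            findings.append(f"ordinary message #{i} matches; it would skip the spam filter")
    return findings


# Constructed samples; the real header is specific to your account.
MARKER = "X-Example-Simulation: 7f3c9a1e5b2d4806"
SIMULATION = (
    b"From: it-support@example.test\r\n"
    b"Subject: Password expiry\r\n"
    b"X-Example-Simulation:\r\n 7f3c9a1e5b2d4806\r\n"  # folded across two lines
    b"\r\nPlease review your account.\r\n"
)
ORDINARY = (
    b"From: vendor@example.org\r\n"
    b"Subject: Simulation results for Q3\r\n"
    b"\r\nThe header X-Example-Simulation: 7f3c9a1e5b2d4806 appears only in this body.\r\n"
)

if __name__ == "__main__":
    print(review_rule(MARKER, SIMULATION, [ORDINARY]))        # full header value
    print(review_rule("Simulation", SIMULATION, [ORDINARY]))  # overly broad string
```
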

Updated on: 23/10/2023
