Skip to main content

Authorizing Phishing Operations

Whitelisting operations on your mail servers

Updated over a month ago

Before testing your employees, you must configure your mail servers to ensure that Arsen’s phishing simulations land in the inbox — not in spam.

This step, known as whitelisting or allow-listing, is essential: without it, emails may be quarantined or flagged as junk, preventing effective awareness training.


1 – Objectives

  • Identify the authorization method that matches your infrastructure (API, IP address, or email headers)

  • Ensure proper deliverability of phishing simulations sent from Arsen

  • Prevent blocking by anti-spam or anti-phishing tools


2 – Prerequisites

  • Have administrator rights on your mail service

  • Know whether an anti-phishing or anti-spam filter exists upstream from your mail servers

  • Have access to DNS settings or mail-flow rules if required


3 – Understanding authorization methods

3.1 – Use API-based authorization (recommended)

This method (Microsoft Email Delivery or Google Email Delivery) offers key advantages:

  • Set up very easily

  • Activate within two clicks

  • Extremely reliable: bypasses security tools (EDR, anti-spam) and guarantees 100% deliverability

3.2 – Use IP-based authorization

  • Simple method, suitable when starting with manual whitelisting

  • Recommended when no additional anti-phishing filter is deployed

3.3 – Use email-header authorization

  • Reserved for environments where an upstream anti-phishing or anti-spam filter requires header-based allow-listing

    This method requires:

  • Whitelisting Arsen’s IP address in the filtering solution

  • Using the custom email headers as a server-side allow-listing rule

4 – Authorize phishing operations by IP address

4.1 – IP addresses to allow

  • 161.38.204.14

  • 185.211.123.249

4.2 – Access implementation guides

5 – Authorize phishing operations using email headers

  • Each Arsen account has a unique header value

  • This value appears in your documentation when sharing whitelisting instructions

Learn more

6 – Follow the appropriate authorization method for your environment

6.1 – If you use Microsoft Office 365

Two options:

6.1.1 – Enable Microsoft Email Delivery API (recommended)

  • Set up very quickly

  • Authorization completed in a few clicks

Learn more

6.1.2 – Use manual whitelisting

  • Without an additional anti-phishing filter: allow Arsen via IP address

  • With an upstream anti-phishing or anti-spam filter:

    • allow via email headers

    • allow Arsen’s IP addresses in the filtering solution

6.2 – If you use Google Workspace

Two options:

6.2.1 – Enable Google Email Delivery API (recommended)

  • Very fast setup

  • Authorization completed in a few clicks

Learn more

6.2.2 – Use manual whitelisting

  • Without additional filtering: allow Arsen’s IP addresses

  • With upstream anti-phishing or anti-spam filtering:

    • use header allow-listing

    • add Arsen’s IP addresses to the filter’s allow list

Related Articles
Configure Microsoft 365 to Authorize the IP Addresses Used in Arsen Simulations
Configure Advanced Delivery Policies
Configure Google Workspace to Authorize the IP Addresses Used in Arsen Simulations
Allow Phishing Simulations via Email Headers in Google Workspace
Create an Allow List for Arsen Domains in Google Workspace
Did this answer your question?