Suped

Summary

Experts and email marketers overwhelmingly advise against using shared IP addresses for phishing simulation emails. This consensus is driven by the potential for significant damage to sender reputation, leading to blacklisting and deliverability issues that impact all users sharing the IP. Key recommendations include using dedicated infrastructure (separate IPs and domains), limiting sending scope, avoiding tracking mechanisms, adhering to bulk sender guidelines, and carefully planning simulations to minimize negative repercussions and ensure compliance with organizational policies and legal regulations.

Key findings

  • Reputation at Risk: Shared IPs for phishing simulations can severely damage sender reputation.
  • Blacklisting Threat: Recipient reports can lead to IP blacklisting, affecting all users on that IP.
  • Dedicated Infrastructure Needed: Dedicated IPs and domains are crucial for isolating simulations.
  • Tracking is Dangerous: Avoid tracking links to prevent easy identification and maintain test integrity.
  • Careful Simulation Planning: Poorly planned simulations can backfire, causing frustration and reputational harm.
  • SPF Concerns: Using includes in SPF records is a security risk; use the actual IP for dedicated IPs.

Key considerations

  • Dedicated Setup: Implement dedicated IPs and domains specifically for phishing simulation campaigns.
  • Limited Sending: Restrict sending to a single, controlled receiving domain for safety.
  • Tracking Avoidance: Disable tracking mechanisms within simulation emails.
  • Adherence to Guidelines: Comply with bulk sender guidelines and relevant regulations.
  • Careful Planning: Plan simulations thoughtfully to minimize disruption and maximize employee education.
  • Transparent Communication: Inform employees about the simulations beforehand to avoid unnecessary stress.
  • Reputation Monitoring: Continually monitor sender reputation and deliverability metrics.

What email marketers say

9 marketer opinions

The consensus is that using shared IP addresses for phishing simulation emails is generally not recommended due to the potential negative impact on sender reputation and deliverability. These simulations can lead to recipients reporting the emails as spam or phishing, resulting in IP blacklisting and affecting other users sharing the IP. Dedicated infrastructure and careful planning are advised to mitigate these risks.

Key opinions

  • Reputation Risk: Phishing simulations on shared IPs can damage sender reputation, leading to deliverability issues.
  • Blacklisting: Recipient reports of phishing attempts may cause the shared IP to be blacklisted.
  • Impact on Others: Negative consequences can extend to other users sharing the IP address.
  • Need for Isolation: Dedicated infrastructure is recommended to isolate phishing simulations from regular email traffic.
  • Careful Planning: Poorly executed simulations can backfire and damage employee trust and company reputation.

Key considerations

  • Dedicated Infrastructure: Consider using dedicated IPs and domains specifically for phishing simulations.
  • Careful Planning: Thoroughly plan the simulation to avoid causing undue stress or frustration among employees.
  • Limited Scope: Limit sending to one receiving domain for safety and control.
  • Transparency: Communicate the purpose of the simulation to employees beforehand to manage expectations.
  • Compliance: Ensure simulations comply with organizational policies and legal regulations.

Marketer view

Email marketer from SearchSecurity explains that using shared IP addresses for phishing simulations could lead to the IP being blacklisted if recipients report the emails as phishing, affecting other users on the shared IP.

4 Jun 2024 - SearchSecurity

Marketer view

Email marketer from Mailjet emphasizes that maintaining a good sender reputation is key for email deliverability. Using shared IPs for phishing simulations may damage this reputation if the emails are flagged as spam, thus impacting other users sharing the same IP.

30 Mar 2022 - Mailjet

What the experts say

5 expert opinions

Experts strongly advise against using shared IP addresses for phishing simulations due to the risk of damaging sender reputation and impacting other users on the shared IP. They recommend using dedicated infrastructure, including separate IPs and domains, and avoiding practices that could lead to misclassification or identification of the sending source. Furthermore, using dedicated IPs allows more control over sender reputation.

Key opinions

  • Shared IPs Risky: Shared IP ranges should not be used for phishing simulations due to potential damage to sender reputation.
  • Dedicated Infrastructure: Dedicated IPs and domains are crucial for isolating phishing simulations.
  • Tracking Avoidance: Avoid adding tracking to links or open tracking URLs to prevent identification and ensure test integrity.
  • Direct IP for Dedicated: If using a dedicated IP, use the direct IP instead of includes in SPF records for security reasons.
  • Control over Reputation: A dedicated IP gives more control over sender reputation.

Key considerations

  • Separate IPs and Domains: Set up dedicated IPs and domains specifically for phishing simulations to prevent impact on regular email traffic.
  • No Tracking: Ensure that tracking mechanisms are disabled to avoid leaving traces of your infrastructure.
  • SPF Configuration: Properly configure SPF records, using the direct IP for dedicated IPs, to enhance deliverability and security.
  • Reputation Monitoring: Monitor your sender reputation when engaging in phishing tests.

Expert view

Expert from Word to the Wise explains that sending any type of mail, including phishing simulation, from shared IP addresses carries the risk of damaging sender reputation if the messages are misclassified by recipients, hurting deliverability for other senders on the shared IP.

21 Oct 2022 - Word to the Wise

Expert view

Expert from Email Geeks advises that if a client is on a dedicated IP, don't use an include: use the actual IP because includes are AWFUL and a security risk.

2 Dec 2024 - Email Geeks
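
The SPF advice above (list the dedicated IP directly rather than relying on an include) can be checked mechanically. The following is an added example, not code from the page or from any of the quoted sources; the IP address, the domain names and the audit_spf helper are constructed for illustration.

```python
import ipaddress

# Constructed sample values: documentation-range IP and .example domains.
DEDICATED_IP = "203.0.113.25"
WEAK_RECORD = "v=spf1 include:_spf.esp.example ~all"   # delegates to a provider
FIXED_RECORD = "v=spf1 ip4:203.0.113.25 -all"          # lists the dedicated IP

def audit_spf(record, dedicated_ip):
    """Check that an SPF record authorizes the dedicated IP directly."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    ip = ipaddress.ip_address(dedicated_ip)
    covered, delegated, findings = False, [], []
    for term in terms[1:]:
        body = term.lstrip("+-~?")            # drop the qualifier
        name, _, value = body.partition(":")  # ip6 values keep their colons
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                covered = True
                if net.num_addresses > 1:
                    findings.append("%s authorizes %d addresses, not only %s"
                                    % (body, net.num_addresses, ip))
        elif name == "include":
            delegated.append(value)
        elif name.startswith("redirect="):
            delegated.append(name.split("=", 1)[1])
    for domain in delegated:
        findings.append("authorization delegated to %s, whose record can "
                        "change without your review" % domain)
    if not covered:
        findings.append("%s is not listed in an ip4/ip6 mechanism" % ip)
    return {"covered": covered, "delegated": delegated,
            "findings": findings, "ok": not findings}

if __name__ == "__main__":
    for rec in (WEAK_RECORD, FIXED_RECORD):
        result = audit_spf(rec, DEDICATED_IP)
        print(rec, "->", "OK" if result["ok"] else result["findings"])
```

The check also flags an ip4 range wider than the single dedicated address, since that authorizes neighbouring hosts as senders for the simulation domain.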

What the documentation says

5 technical articles

Technical documentation from AWS, Microsoft, Spamhaus, RFC Editor and Google recommends against using shared IP addresses for phishing simulations. These simulations can be perceived as undesirable, leading to blacklisting and deliverability issues and damaging sender reputation for all users on the shared IP. Compliance with organizational policies, legal regulations, and bulk sender guidelines is emphasized, along with the use of dedicated infrastructure to avoid these consequences.

Key findings

  • Reputation Control: Dedicated IP addresses offer greater control over sender reputation, critical for activities like phishing simulations.
  • Risk of Blacklisting: Shared IPs used for unsolicited emails (including simulations) risk being added to blocklists, impacting all users.
  • Compliance Required: Phishing simulations must adhere to organizational policies, legal regulations, and bulk sender guidelines.
  • SPF Ineffectiveness: Even with SPF records, shared IPs can still negatively impact sender reputation and deliverability.
  • Undesirable activity: Phishing simulations may be considered undesirable.

Key considerations

  • Dedicated Infrastructure: Utilize dedicated IP addresses to isolate phishing simulations and prevent unintended consequences.
  • Reputation Monitoring: Monitor sender reputation metrics to ensure deliverability and address any issues promptly.
  • Policy Adherence: Ensure that phishing simulations align with all relevant organizational policies and legal frameworks.
  • Bulk Sender Guidelines: Follow established bulk sender guidelines, even for simulations, to maintain email deliverability.

Technical article

Documentation from Microsoft explains that phishing simulations should comply with organizational policies and legal regulations. They advise using dedicated infrastructure to prevent unintended consequences like IP blacklisting, which can affect genuine email traffic.

20 May 2025 - Microsoft Learn

Technical article

Documentation from Google emphasizes that bulk sender guidelines should be followed for all emails, including phishing simulations. If an IP address is flagged as sending unwanted mail, it will hurt the deliverability of the sender. Google recommends all email simulations be done on a separate dedicated IP.

17 Jul 2022 - Google
