Should I use shared IP addresses for phishing simulation emails?
Matthew Whittaker
Co-founder & CTO, Suped
Published 4 Jun 2025
Updated 17 Aug 2025
6 min read
Phishing simulations are a crucial component of modern cybersecurity training, designed to test employee vigilance and organizational defenses against social engineering attacks. They mimic real-world threats, aiming to educate users on how to identify and report suspicious emails.
However, the very nature of these simulations—sending emails that look like phishing attempts—raises a significant question for deliverability professionals: should these emails be sent from shared IP addresses, or do they require dedicated infrastructure? The choice between shared and dedicated IP addresses can have profound implications for your overall email deliverability and sender reputation.
My experience in email security and deliverability indicates a clear preference, especially when considering the potential for unintended consequences. We need to look closely at how email service providers and blocklists (or blacklists) react to this type of sending behavior.
The inherent risk of phishing simulations
Even though phishing simulations are legitimate security exercises, they inherently carry risk because they are built to look like real attacks, and so they draw spam-filter verdicts and user complaints. These emails are designed to look suspicious, prompting recipients to report them as phishing, which is precisely what they should do. Such reports, regardless of the simulation's intent, contribute to negative sending signals at internet service providers (ISPs).
Email providers treat these signals seriously. A high volume of spam complaints or a significant number of users marking the email as phishing can quickly damage an IP's and domain's sender reputation. This negative impact is primarily why using shared IP addresses for such activities is highly discouraged.
When you use a shared IP address, your sending reputation is intertwined with other senders using the same IP. If a phishing simulation from that shared IP generates a wave of complaints or hits a spam trap, it can jeopardize the deliverability of all other legitimate emails sent from that same IP, even those from unrelated campaigns or clients.
The potential for one poor sender or one high-risk activity to negatively affect others on the same IP is a critical concern, especially for email service providers. This ripple effect means that high-spam-related activities, like phishing simulations, need to be carefully isolated.
Why shared IPs are generally unsuitable
Given the risks, using shared IPs for phishing simulations is generally not a good idea. The elevated complaint rates and potential for blocklisting (or blacklisting) from these activities pose a direct threat to the deliverability of all other emails associated with that shared IP. This can lead to legitimate marketing or transactional emails landing in spam folders, affecting your business operations.
The problem is compounded by the fact that one campaign drawing heavy spam reporting on a shared IP drags down every other campaign using that IP. It is essential to isolate such activities to prevent collateral damage to your overall email program.
Risk of collective damage
When phishing simulations are run on shared IP addresses, any negative feedback, such as spam complaints or direct blacklisting (blocklisting), doesn't just affect the simulation emails. It impacts the collective reputation of the entire shared IP pool. This means all other senders utilizing that IP, even for perfectly legitimate purposes, will suffer from reduced deliverability rates. Their emails may start landing in spam folders, impacting critical communications and revenue streams. The shared nature makes it impossible to isolate the negative impact to just the simulation traffic.
For this reason, the consensus among deliverability professionals is that phishing simulation emails should be sent from infrastructure completely separate from your regular sending. This ensures that any negative signals from the simulations do not compromise your core email deliverability.
Dedicated IP addresses for isolation and control
To effectively conduct phishing simulations without risking your primary email reputation, the best approach is to use dedicated IP addresses. This provides the necessary isolation and control over your sending reputation. When a dedicated IP is used solely for simulations, any negative feedback is contained to that IP and does not spill over to your other email campaigns.
Shared IP challenges
Reputation risk: Negative feedback from simulations impacts all senders on the same IP.
Unpredictable deliverability: Deliverability for legitimate emails can fluctuate due to shared reputation issues.
Blocklist exposure: Higher chance of the shared IP being placed on blocklists or blacklists.
Dedicated IP benefits
Isolated reputation: Negative feedback is contained, protecting your primary sending IPs.
Consistent deliverability: Ensures stable deliverability for all other email campaigns.
Easier whitelisting: A single known IP can be whitelisted precisely in your own mail gateway so the simulation reaches the inbox. With a shared pool you would have to whitelist addresses that other senders also use, which lets any of their mail bypass your filters as well.
Beyond IPs, it's crucial that simulation domains and any associated landing pages are also hosted on separate infrastructure. This completely decouples your phishing simulation environment from your brand's core digital presence, minimizing the risk of reputational damage.
You must also ensure that the dedicated IPs and domains used for simulations have proper email authentication records: SPF, DKIM, and DMARC published for the simulation domain itself, not borrowed from your brand domain. These records confirm that the simulation infrastructure is authorized to send as that domain, and they are foundational for deliverability even though the goal is for the messages to pass your own filters. Note that a simulation which forges your brand domain in the From header will fail DMARC alignment and be rejected or quarantined wherever your DMARC policy is enforced, so simulate from a lookalike domain you control rather than by spoofing your own.
Advanced considerations for running simulations
When setting up phishing simulations, precise control over who receives the emails is paramount. Limit sending to the specific internal domains or a predefined list of test subjects, and enforce that list on the sending side rather than trusting whatever address book the campaign was built from. This reduces the blast radius if a message leaves the organization, for example through auto-forwarding to a personal mailbox, and is reported to an external provider as phishing.
Many email security solutions, like those from Guardey, require whitelisting of both sender IP addresses and domains. For Microsoft 365 Defender, this often involves configuring an advanced delivery policy to ensure your simulated phishing emails reach the inbox without being blocked. This step is crucial for the simulations to be effective.
The simulation domain's SPF record should explicitly list the dedicated IP address used for simulations. An even better practice, if your phishing simulation provider allows, is to list only that specific IP address and not use an include mechanism that might pull in other, potentially risky, IP ranges. For a deeper dive into SPF, DKIM, and DMARC, check out our simple guide to email authentication.
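The following is an added example, not code from this article or from any simulation vendor. It lints the SPF record of a simulation domain against the rules above: the dedicated simulation IP must appear directly as an ip4/ip6 mechanism, no include or redirect may pull in a provider's ranges, the record must end with a strict -all, and the simulation IP must not also be authorized by the brand domain's SPF. The DNS lookup is replaced by records embedded in the script so it runs offline; the domains (example.com, example.org, phish-sim.example.net) and addresses (RFC 5737 documentation ranges) are constructed placeholders.

```python
"""Lint a phishing-simulation domain's SPF record (added example, not the article's code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample TXT records standing in for DNS; placeholder domains and IPs.
SAMPLE_TXT = {
    "phish-sim.example.net": "v=spf1 ip4:203.0.113.10 -all",
    "phish-sim-bad.example.net": "v=spf1 include:spf.shared-esp.example ip4:203.0.113.10 ~all",
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",  # brand record that overlaps the sim IP
}

_TERM = re.compile(r"([+\-~?]?)([a-zA-Z0-9]+)(?:[:=/](.*))?")


@dataclass
class SpfFindings:
    ok: bool
    problems: list = field(default_factory=list)


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples; '+' is the default qualifier."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = []
    for term in record.split()[1:]:
        m = _TERM.fullmatch(term)
        if not m:
            raise ValueError(f"malformed term: {term}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def _authorizes(terms, ip):
    """True if any positive ip4/ip6 mechanism in the record covers the address."""
    for qual, mech, value in terms:
        if qual == "+" and mech in ("ip4", "ip6") and value:
            if ip in ipaddress.ip_network(value, strict=False):
                return True
    return False


def lint_simulation_spf(sim_domain, sim_ip, brand_domain, txt=SAMPLE_TXT):
    """Apply the article's rules; txt maps domain -> SPF TXT record (DNS stub)."""
    problems = []
    ip = ipaddress.ip_address(sim_ip)
    terms = parse_spf(txt[sim_domain])

    if not _authorizes(terms, ip):
        problems.append(f"{sim_ip} is not listed directly as an ip4/ip6 mechanism")

    for qual, mech, value in terms:
        if mech in ("include", "redirect"):
            problems.append(f"{mech} {value} pulls in ranges you do not control")
        elif mech in ("a", "mx", "exists", "ptr"):
            problems.append(f"{mech} is resolved at send time; list the IP literally instead")

    last_qual, last_mech, _ = terms[-1]
    if last_mech != "all" or last_qual != "-":
        problems.append("record does not end with -all; unlisted senders should hard-fail")

    # Decoupling check: the simulation IP must not be a legitimate sender for the brand.
    if _authorizes(parse_spf(txt[brand_domain]), ip):
        problems.append(f"{sim_ip} is also authorized by {brand_domain}'s SPF")

    return SpfFindings(ok=not problems, problems=problems)


if __name__ == "__main__":
    for dom in ("phish-sim.example.net", "phish-sim-bad.example.net"):
        result = lint_simulation_spf(dom, "203.0.113.10", "example.com")
        print(dom, "OK" if result.ok else result.problems)
```

To use it against real DNS, replace the SAMPLE_TXT dictionary with a lookup of the domain's TXT record and keep the rest unchanged; the brand-domain check is what catches the common mistake of adding the simulation IP to the corporate SPF "to make it deliver".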
Finally, be extremely cautious about any tracking links or open tracking URLs associated with your primary sending infrastructure. Ensure that all elements within the simulated phishing email, including embedded links and images, point only to the dedicated simulation domains and not to your main brand domains. This prevents your legitimate domains from being associated with any negative reputation derived from the simulations.
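The recipient-scoping rule above and the rule that every link and image must point at simulation infrastructure are both pre-send checks, so the following added example (not the article's code, and not any vendor's product) enforces them together as a campaign guard. It rejects any recipient outside the approved internal domains and any href, src, form action or background URL in the HTML template whose host is a brand domain or is not under a simulation domain. The template, addresses and domains are constructed placeholders.

```python
"""Pre-send guard for a phishing-simulation campaign (added example, not the article's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample template: two simulation URLs, one brand-hosted logo, one mailto.
SAMPLE_TEMPLATE = """<html><body>
<img src="https://track.phish-sim.example.net/open/abc123" width="1" height="1">
<p>Your password expires today.
<a href="https://login.phish-sim.example.net/reset?t=abc123">Reset it now</a></p>
<img src="https://mail.example.com/img/logo.png">
<a href="mailto:helpdesk@example.com">Help</a>
</body></html>"""

# Attribute names whose values a mail client would fetch or follow.
_URL_ATTRS = ("href", "src", "action", "background")
# Schemes that involve no remote fetch and therefore no reputation exposure.
_LOCAL_PREFIXES = ("mailto:", "cid:", "#")


class _LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in _URL_ATTRS:
                self.urls.append(value)


def _host(url):
    """Lower-cased host of a URL, or None when there is no network host (mailto:, #, cid:)."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def _under(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_campaign(recipients, html_template, internal_domains, simulation_domains, brand_domains):
    """Return the list of violations; an empty list means the campaign may be queued."""
    violations = []
    internal = {d.lower() for d in internal_domains}
    sim = [d.lower() for d in simulation_domains]
    brand = [d.lower() for d in brand_domains]

    # Rule 1: every recipient must belong to an approved internal domain.
    for rcpt in recipients:
        _, at, domain = rcpt.rpartition("@")
        if not at or domain.lower() not in internal:
            violations.append(f"recipient outside test scope: {rcpt}")

    # Rule 2: every fetched or followed URL must live on simulation infrastructure.
    collector = _LinkCollector()
    collector.feed(html_template)
    for url in collector.urls:
        host = _host(url)
        if host is None:
            if not url.lower().startswith(_LOCAL_PREFIXES):
                violations.append(f"URL without a recognizable host: {url}")
        elif _under(host, brand):
            violations.append(f"points at brand domain: {url}")
        elif not _under(host, sim):
            violations.append(f"points outside simulation infrastructure: {url}")
    return violations


if __name__ == "__main__":
    for v in check_campaign(["alice@example.com", "bob@contractor.example.org"],
                            SAMPLE_TEMPLATE, ["example.com"],
                            ["phish-sim.example.net"], ["example.com"]):
        print("BLOCK:", v)
```

The guard deliberately treats an unparseable or scheme-less URL as a violation rather than letting it through, and it checks brand domains before simulation domains so a brand-hosted asset is reported as such even if someone adds the brand to the simulation list by mistake.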
Views from the trenches
Best practices
Always use dedicated IP addresses and domains specifically for phishing simulation campaigns to isolate reputation risk.
Ensure full email authentication (SPF, DKIM, DMARC) is properly configured for your simulation domains and IPs.
Strictly limit the recipient list to only the intended test subjects within your organization.
Implement whitelisting of the simulation IP addresses and domains within your email security solutions, scoped to exactly those IPs and domains rather than a provider's whole range.
Regularly review your simulation IP status on common blocklists (blacklists) to ensure clean reputation.
Common pitfalls
Using shared IP addresses, leading to collective blocklisting (blacklisting) and impacting other senders.
Failing to whitelist simulation IPs and domains, causing emails to be blocked or sent to spam.
Including tracking links or images that point to your main brand's domains.
Not having proper SPF, DKIM, and DMARC records set up for simulation domains.
Overlooking the need for separate landing page infrastructure for phishing simulations.
Expert tips
If using an ESP for simulations, explicitly ask for dedicated IPs and ensure no shared include mechanisms are used in SPF.
Consider engaging with anti-phishing systems or major ISPs if running large-scale simulations.
Avoid any tracking of open or click rates that routes through your main email platform.
Periodically check the deliverability of your simulation emails to ensure they bypass filters as intended.
Educate internal security teams on the email deliverability implications of simulations.
Expert view
Expert from Email Geeks says never use a shared IP range for phishing simulations. Dedicated IPs are a must, and they cannot host landing pages on the general infrastructure. All domains should be their own.
2024-01-08 - Email Geeks
Marketer view
Marketer from Email Geeks says they can limit the specific dedicated IP address to send emails only to one particular domain within the mail server configuration as a safety measure for phishing tests.
2024-01-09 - Email Geeks
Best practices for secure phishing simulations
The decision to use shared or dedicated IP addresses for phishing simulation emails significantly impacts your organization's overall email deliverability and sender reputation. While shared IPs might seem convenient or cost-effective, their inherent risk of collective reputation damage makes them unsuitable for such sensitive activities.
The best practice is to always use dedicated IP addresses and separate domains for phishing simulations. This approach ensures that any negative feedback, such as spam complaints or blocklisting (or blacklisting), is contained to the simulation infrastructure, safeguarding your primary email sending reputation.
By meticulously setting up your simulation environment with proper authentication, strict recipient controls, and isolated infrastructure, you can conduct effective cybersecurity training without compromising your ongoing email deliverability.