Allowlisting in Google Workspace

Conducting a successful security awareness campaign requires full, uninterrupted delivery of the phishing simulation emails to all recipients.
This guide will outline the necessary settings to modify in Google Workspace to make sure the simulation emails will be delivered and not quarantined by Google or sent to “Spam”.

Add Trustifi’s IP Addresses to the Email Allowlist

To allowlist our IP addresses, you’ll need to add our IP addresses to your email allowlist in Google Workspace.

To add our IP addresses to your email allowlist, follow the steps below:

1. Log in to your Google Workspace Admin console and click Apps> Google Workspace> Gmail.

   

   
   

2. Click on “Spam, Phishing and Malware“

   

   
   

3. In the Organizational Unit section of the page, select your domain.
   Note: Google Workspace only allows allowlisting by IP address for an entire domain, so you’re unable to allowlist by IP Address for individual organizational units (OUs).

   

   
   

4. In the Email Allowlist section, click on the “edit” icon (pencil) and enter Trustifi’s IP addresses separated by commas:
   3.227.182.193, 54.161.96.109

   

5. Click “Save“.

Add Trustifi’s IP Addresses as Inbound Gateways

When your users receive a simulated phishing email from Trustifi, banners may display in Gmail to say “This message seems dangerous” or “Be careful with this message”.
To prevent these banners from displaying, we recommend to add our IP addresses as inbound gateways.

To add our IP addresses as inbound gateways, follow the steps below:

1. Log in to your Google Workspace Admin console.
   

2. Follow step 2 through step 4 in the section above. These steps will take you to your Spam, Phishing, and Malware settings.
   

3. Enable and configure the Inbound Gateway per the steps below:

   

   
   1. Enter Trustifi’s IP addresses: 3.227.182.193, 54.161.96.109
   2. Ensure the Reject all mail not from gateway IPs check box is not selected
   3. Select the Require TLS for connections from the email gateways listed above check box
   4. Select the Message is considered spam if the following header regexp matches check box. Then, enter a spam header tag that is unlikely to be found in a Phishing Security Test email.
   For example, you could enter this value: “x-doesnotexistanymore:true”
   5. Select the Disable Gmail spam evaluation on mail from this gateway; only use header value check box.
   

4. Click Save. This setting may take up to an hour to deploy to all of your users

Bypassing Trustifi inbound protection

If you are using the Trustifi inbound relay, you will need to add the Trustifi simulation IPs as a bypass in the Trustifi inbound relay in Google Workspace. Follow the steps below to create this bypass:

1. Log in to your Google Workspace Admin console
   

2. Open the Compliance page and scroll down to the “Content Compliance” section
   

3. Find the Trustifi inbound relay rule and click to edit it

   

4. In section 2, click to edit the regex

   

5. Replace the existing regex with this value:
   ^Received[:].+(3[.]93[.]243[.]176|3[.]93[.]139[.]220|3[.]251[.]32[.]127|54[.]195[.]145[.]1|52[.]89[.]220[.]23|52[.]37[.]228[.]167|3[.]227[.]182[.]193|54[.]161[.]96[.]109)

   

6. Save your changes