We recommend forwarding this article to IT administrators responsible for mailboxes and gateways (e.g. Azure & Mimecast), and internet traffic gateways.

Allow list for browser and app

app.cybsafe.com is the fully qualified domain name in use.

Other external URLs in use:

Allow list for receiving emails

⚠️ To guarantee authenticity, all of our emails are sent securely and signed with a DKIM signature. Rather than relying on IP-based checks, we highly recommend that you verify the authenticity of our emails via DKIM and SPF checks in your mail solution.

For mail servers and mail gateways

To make sure our emails reach people, you need to arrange for the following IP addresses and domains to be allow listed in your mail servers:

For more information around this, please click here.

  • Registration, News and Administration – IP / cybsafe.com

Both these IP addresses are dedicated to CybSafe.

If you are using a mail filter, allow list rules need to be in place on both your email solution and your inbound gateway (filter).

For Office 365

To allow the training reminders and simulated phishing emails to reach your people, the CybSafe servers must be allow-listed on your mail platform(s). This is usually either Office 365 or an on-premise mail server. If you use an external email scanning service (e.g. FireEye ETP, Mimecast, MessageLabs or Proofpoint), you will also need to allow CybSafe emails on their system. Please consult their documentation for details of how to do this.

Mail Flow Rules

To add the emails to your allow list on Office 365 or an on-premise Exchange server, please perform the following steps:

  1. Log in to the Office 365 Admin centre > open the Exchange admin centre (you may need to click “show all” first).

  2. Navigate to “Rules” under “Mail Flow”.

  3. Click on the Plus icon to add a new rule, and select “Bypass Spam filtering” from the drop-down.

  4. Create a new rule with the following settings:

  • Name – “Allow CybSafe emails”

  • Apply this rule if – “A Message Header includes…” > “Any of these words”

  • Header name – “Authentication-Results”

  • Words or phrases – “cs-mail-sender.com” and “cybsafe.com”

Leave all other settings as default; once complete, it should look like this:

The configuration of the allow-list on Office 365 is now complete. If you have an external mail filtering service, you should apply the relevant settings according to your provider's documentation. You can also use the IP addresses and instead of the FQDNs cs-mail-sender.com and cybsafe.com respectively.

You may also need to allow list other domains to access our videos and Awareness Toolkit assets. Check this page for more details.

Note – the domains “cs-mail-sender.com” and “cybsafe.com” are used in the MailFrom attribute as per RFC 5321, not in the From attribute as defined in RFC 5322. This ensures that even when the “From” address seen in the email does not match – which is the case for phishing emails - the rule will still be applied.
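The mail flow rule above matches when the domain text appears anywhere in the Authentication-Results header. The following added example (not CybSafe's or Microsoft's code) shows a stricter check for triage or gateway testing: it requires a pass result for the expected domain, and only reads headers stamped by your own gateway. The gateway name mx.example.org, the sample messages, and the use of the same two domains as the DKIM d= value are assumptions.

```python
import re
from email import message_from_string

EXPECTED = {"cs-mail-sender.com", "cybsafe.com"}  # MailFrom domains named on this page

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    value = re.sub(r"\([^)]*\)", "", re.sub(r"\s+", " ", value))  # unfold, drop comments
    parts = [p.strip() for p in value.split(";")]
    authserv = (parts[0].split() or [""])[0].lower()
    results = []
    for part in parts[1:]:
        m = re.match(r"([\w-]+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.-]+)=(\S+)", part[m.end():]))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv, results

def domain_of(value):
    """Domain part of 'user@domain' or of a bare domain, lower-cased."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def check_message(raw, trusted_authserv):
    """Report whether SPF and DKIM each passed for an expected domain."""
    verdict = {"spf": False, "dkim": False}
    # Assumption: the DKIM signing domain (d=) is one of the same two domains.
    prop_for = {"spf": "smtp.mailfrom", "dkim": "header.d"}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(value)
        if authserv != trusted_authserv:
            continue  # RFC 8601: only trust results stamped by your own gateway
        for method, result, props in results:
            if method in prop_for and result == "pass":
                if domain_of(props.get(prop_for[method], "")) in EXPECTED:
                    verdict[method] = True
    return verdict

# Constructed sample messages; mx.example.org is a hypothetical receiving gateway.
PASSING = (
    "Authentication-Results: mx.example.org;\n"
    " spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@cs-mail-sender.com;\n"
    " dkim=pass header.d=cybsafe.com\n"
    "From: IT Helpdesk <helpdesk@example.net>\n"
    "Subject: Password expiry\n\nbody\n"
)
# Same domains in the header text, but the checks did not pass.
FAILING = PASSING.replace("spf=pass", "spf=fail").replace("dkim=pass", "dkim=none")

if __name__ == "__main__":
    print(check_message(PASSING, "mx.example.org"))
    print(check_message(FAILING, "mx.example.org"))
```

The visible From address in the sample differs from the MailFrom domain, as the note above describes for simulated phishing emails, and the check still passes because it reads smtp.mailfrom.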

Exchange Online Protection - advanced delivery policy

Exchange Online Protection (EOP) does not allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. However, there are specific scenarios that require the delivery of unfiltered messages, such as a CybSafe Phishing Campaign.

Follow the steps in this Microsoft article to ensure delivery of our emails.

Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes


If you're using Mimecast Email Security you can allow list CybSafe to permit our simulated phishing emails and training invitations through to your end users.

In this article, "Additional Allowlisting Information for Mimecast", you’ll find instructions for several different policies, which you’ll need to add to your Mimecast console to allow the use of CybSafe.

Still have any questions?

If you still have questions, you can contact the CybSafe team via support@cybsafe.com. We’re on hand to help resolve any further issues!
