Master NetFlow |

Email Whitelisting Guide

← Back to Support

Why Whitelist Master NetFlow?

To ensure our phishing simulations and training emails reach your employees' inboxes (and not their spam folders), you'll need to whitelist Master NetFlow in your email security system. This is a critical step for accurate security awareness testing.

Important: Without proper whitelisting, your email security may block or quarantine our simulated phishing emails, resulting in inaccurate test results.

Master NetFlow Sending Information

Transactional Emails

Sending Domain: masternetflow.com
From Address: info@masternetflow.com
Purpose: Welcome emails, reports, notifications

Phishing Simulation Emails

Sending Domain: sim.masternetflow.com
Landing Pages: sim.masternetflow.com/*
Purpose: Phishing tests, training simulations

Technical Details for IT Teams

Return-Path Domain:
mta.masternetflow.com
DKIM Selector:
mlsend2
Custom Header:
X-MasterNetflow-Type

Note: Master NetFlow uses MailerSend's shared IP infrastructure. We recommend domain-based whitelisting rather than IP-based whitelisting for more reliable delivery.

Setup Instructions by Platform

Select your email security platform below for step-by-step instructions.

Microsoft 365

Microsoft 365 / Defender for Office 365

Configure Advanced Delivery for phishing simulations

Recommended: Use Advanced Delivery (Method 1) for phishing simulations. This is Microsoft's official way to whitelist third-party phishing simulation vendors.

Recommended Method 1: Advanced Delivery (Phishing Simulations)
1

Open Microsoft 365 Defender Portal

Navigate to security.microsoft.com

2

Navigate to Advanced Delivery

Go to Email & collaborationPolicies & rulesThreat policiesAdvanced delivery

3

Select "Phishing simulation" tab

Click on the Phishing simulation tab at the top of the page.

4

Add Master NetFlow as a third-party phishing simulation

Click + Add and enter the following:

Domain: sim.masternetflow.com
Simulation URLs to allow: https://sim.masternetflow.com/*
5

Save the configuration

Click Add to save. Changes may take up to 30 minutes to propagate.

Method 2: Exchange Transport Rule (Additional Bypass)

If you need additional filtering bypass, create a transport rule:

1

Open Exchange Admin Center

Navigate to admin.exchange.microsoft.com

2

Create a new mail flow rule

Go to Mail flowRules+ Add a rule

3

Configure the rule

Name: Master NetFlow Phishing Simulation Bypass

Condition: The sender domain is sim.masternetflow.com

Action: Set the spam confidence level (SCL) to -1 (bypass spam filtering)

Action: Set header X-MS-Exchange-Organization-SkipSafeLinksProcessing to 1

Method 3: Safe Links URL Exception

To prevent Safe Links from rewriting simulation URLs:

1

Open Safe Links Policy

In Microsoft 365 Defender, go to Policies & rulesThreat policiesSafe Links

2

Edit your Safe Links policy

Select your policy and click Edit protection settings

3

Add URL exceptions

In "Do not rewrite the following URLs", add:

https://sim.masternetflow.com/*
Google Workspace

Google Workspace

Configure Gmail allowlist and content compliance

Step 1 Add to Email Allowlist
1

Open Google Admin Console

Navigate to admin.google.com

2

Navigate to Spam settings

Go to AppsGoogle WorkspaceGmailSpam, Phishing and Malware

3

Create an Email allowlist

Scroll to Email allowlist and add:

sim.masternetflow.com
4

Save changes

Click Save. Changes may take up to 24 hours to propagate.

Step 2 Bypass Spam Filter (Content Compliance)
1

Navigate to Content Compliance

In Gmail settings, go to ComplianceContent compliance

2

Add a new rule

Click Configure or Add another rule

3

Configure the rule

Name: Master NetFlow Phishing Simulation

Email messages to affect: Inbound

Expression:

  • Type: Advanced content match
  • Location: Headers
  • Match type: Contains text
  • Content: sim.masternetflow.com

Action: Bypass spam filter for this message

Step 3 Disable Link Warnings (Optional)

Note: Google's Safe Browsing may show warnings for simulation links. This is expected behavior and actually helps test if employees click through warnings. If you need to disable warnings for accurate testing:

1

Navigate to Safety settings

Go to AppsGoogle WorkspaceGmailSafety

2

Add trusted domains

Under "Links and external images", add sim.masternetflow.com to trusted domains.

Proofpoint

Proofpoint Email Protection

Configure organizational safe sender and URL defense exceptions

Method 1: Organizational Safe Sender List
1

Log in to Proofpoint Admin Console

Access your Proofpoint Protection Server admin interface.

2

Navigate to Safe Sender Lists

Go to Email ProtectionSpam DetectionOrganizational Safe Senders

3

Add Master NetFlow domains

Add the following domains:

sim.masternetflow.com
masternetflow.com
Method 2: URL Defense Exception
1

Navigate to URL Defense settings

Go to Email ProtectionTargeted Attack ProtectionURL Defense

2

Add URL exception

In the URL Rewrite exceptions list, add:

sim.masternetflow.com
3

Configure TAP exception (if using TAP)

Under Targeted Attack Protection, add sim.masternetflow.com to the exception list to prevent URL sandboxing.

Mimecast

Mimecast

Configure Permitted Senders and URL Protection bypass

Method 1: Permitted Senders Policy
1

Log in to Mimecast Administration Console

Access your Mimecast admin portal.

2

Navigate to Permitted Senders

Go to AdministrationGatewayPoliciesPermitted Senders

3

Create a new Permitted Senders policy

Click New Policy and configure:

Policy Name: Master NetFlow Phishing Simulation

Applies From: Everyone

Applies To: Everyone

Source:

  • Type: Domain
  • Domain: sim.masternetflow.com

Options:

  • ✓ Skip spam checks
  • ✓ Skip attachment protection
Method 2: URL Protection Bypass
1

Navigate to URL Protection

Go to ServicesURL ProtectionURL Protection Bypass

2

Add bypass rule

Add a new bypass for:

URL Pattern: *sim.masternetflow.com*

3

Save and publish

Save the policy. Changes typically take effect within 15 minutes.

Barracuda

Barracuda Email Security Gateway

Configure Allowed Senders and Link Protection bypass

Method 1: Sender Allow List
1

Log in to Barracuda Admin Console

Access your Barracuda Email Security Gateway.

2

Navigate to Allow/Block List

Go to Block/AcceptSender Domain Allow List

3

Add Master NetFlow domains

sim.masternetflow.com
masternetflow.com
4

Enable "Exempt from all scanning"

Check the box to exempt these domains from spam and virus scanning.

Method 2: Link Protection Bypass
1

Navigate to Advanced Threat Protection

Go to ATP SettingsLink Protection

2

Add URL to bypass list

Under "Do Not Rewrite URLs", add:

*.sim.masternetflow.com/*
FortiMail

FortiMail (Fortinet)

Configure Access Control and Content Profile exceptions

Method 1: Access Control Rule
1

Log in to FortiMail Web UI

Access your FortiMail administration console.

2

Navigate to Access Control

Go to PolicyAccess ControlReceiving

3

Create a new Access Control Rule

Click New and configure:

Status: Enable

Sender Pattern Type: Domain name

Sender Pattern: sim.masternetflow.com

Recipient Pattern: * (all recipients)

Action: Safe

Authentication exemption: Enable

4

Move rule to top

Ensure this rule is processed before other restrictive rules by moving it to the top of the list.

Method 2: Antispam Profile Exception
1

Navigate to Antispam Profiles

Go to ProfileAntiSpam

2

Edit your active profile

Select your antispam profile and click Edit

3

Add to Sender Safe List

Under Safe List tab, add:

Type: Email domain
Pattern: *@sim.masternetflow.com
Method 3: URL Click Protection Bypass
1

Navigate to URL Click Protection

Go to SecurityURL Click Protection

2

Add URL exemption

In the URL exemption list, add:

sim.masternetflow.com
Cisco

Cisco Secure Email (ESA/IronPort)

Configure Sender Group and Mail Policy exceptions

Method 1: Host Access Table (HAT) Configuration
1

Log in to Cisco ESA Web Interface

Access your Cisco Email Security Appliance admin console.

2

Navigate to HAT Overview

Go to Mail PoliciesHAT Overview

3

Create a new Sender Group

Click Add Sender Group and configure:

Name: MasterNetflow_Simulation

Order: Place before SUSPECTLIST

Policy: TRUSTED (or create a custom policy)

Senders:

  • .sim.masternetflow.com (note the leading dot)
  • .masternetflow.com
4

Submit and Commit Changes

Click Submit, then go to Commit Changes to apply.

Method 2: Incoming Mail Policy Exception
1

Navigate to Incoming Mail Policies

Go to Mail PoliciesIncoming Mail Policies

2

Create a new Policy

Click Add Policy and configure:

Policy Name: MasterNetflow_Phishing_Simulation

Editable By (Delegated): As needed

User: All (or specific groups)

3

Configure Policy Settings

For the new policy, configure:

Anti-Spam: Disabled or set to Deliver

Anti-Virus: Deliver (with warning if preferred)

Advanced Malware Protection: Disabled

Graymail: Disabled

Content Filters: Disabled

Outbreak Filters: Disabled

Method 3: URL Filtering Bypass
1

Navigate to URL Filtering

Go to Security ServicesURL Filtering

2

Add to URL Whitelist

Under URL Whitelist, add:

sim.masternetflow.com
3

Disable URL Defanging (if needed)

If using URL defanging, ensure sim.masternetflow.com is excluded from URL rewriting in your Outbreak Filters configuration.

4

Commit Changes

Go to Commit Changes to apply all configurations.

Cisco Cloud Email Security: If you're using Cisco Cloud Email Security (CES), the steps are similar but accessed through the cloud portal. Contact your Cisco representative or Master NetFlow support for cloud-specific guidance.

Need Help with Whitelisting?

Our support team can guide you through the process or configure it remotely.

Verify Your Configuration

After completing the whitelisting steps, we recommend sending a test simulation to verify emails are delivered correctly.

How to test: Go to your Master NetFlow dashboard → CampaignsSend Test Email. Send a test to yourself and verify it arrives in your inbox (not spam) with all links intact.