Safelist Hook's sending domains and IPs
Give your IT or mail team the sender domains and sending IPs they must allowlist so phishing simulations reach inboxes instead of being filtered.
Before Hook sends a phishing simulation, your email security stack has to be told to let those messages through. If your gateway, spam filter, or firewall blocks or quarantines them, your users never see the test and your open, click, and report numbers come out wrong — usually artificially clean, which is the most dangerous kind of wrong. Safelisting (also called allowlisting or whitelisting) hands your IT or mail team the exact sender domains and sending IPs to trust so simulations land in real inboxes. You do this once with your IT team before your first real campaign, and again any time you add a template that sends from a new domain.
Before you start
Prerequisites
- You're signed in to Hook as an org admin with the right organization selected in the org switcher.
- You have a line to whoever administers your email security — the IT or mail team that manages your gateway, spam filter, and firewall. They make the actual allowlist changes; you supply the values.
- You know which template(s) you intend to send, since sender domains are per-template. If you're still picking, see Run a phishing campaign.
What you're handing to IT
There are two things to allowlist, and they behave differently:
-
The Hook IP addresses. These are the fixed Hook IPs customers may need to allowlist before simulations launch. They cover mail delivery, landing-page assets, and portal/school infrastructure, and they're the same eight IPs for every simulation, whether it's a manual campaign or an Autopilot program. The current list is:
IP address Purpose 64.191.166.196Phishing email server (US) 64.191.166.197Training email server 64.191.166.198Landing pages and image assets (US) 198.61.254.6Transactional email server 54.80.160.189Portal server (US) 54.88.246.212School/training portal (US) 54.240.70.101Transactional email server 54.240.70.102Transactional email server -
The sender domain(s). Unlike the IPs, the sender domain is per-template — each template sends from its own domain (or a domain you override for that one campaign). Hook surfaces the relevant domain in the campaign wizard so you can read it off for the exact template you're sending.
Always copy the live values from the app
The IPs above are accurate as of this article's date, but the source of truth is the values shown in the product. Copy them straight from the wizard or the previews card (below) rather than transcribing from documentation — that way you catch any change without having to wonder whether the doc is stale.
Where to find the values
Hook shows the safelist values in two places, depending on how you're sending.
In the campaign wizard (manual campaigns)
When you run a manual phishing campaign, the safelist details appear on the wizard's final step, Review & launch, in a panel headed Safelist for delivery. The panel tells you to allowlist the sender domain and IPs in your email gateway and firewall before launching so the simulation reaches user inboxes.
The panel shows:
- Sender domain — the domain for the template you selected. If you
overrode the from-domain for this one campaign, the panel reflects your
override; otherwise it shows the template's own sender domain. If no
domain is resolved, it shows a dash (
—). - Hook IP addresses — the eight IPs listed above, with short labels explaining what each one is used for.
- A Copy IPs button that copies the IPs (comma-separated) to your clipboard and confirms with a toast. Note this button copies the IPs only, not the domain — grab the domain separately.
- A link to the full safelisting guide for teams with a strict email gateway, spam filter, or a specific application that needs app-specific steps. It opens this docs-site guide in a new tab.

In the Autopilot Campaign Previews safelist card
If you run an Autopilot program, the Campaign Previews page carries a Safelist Information card. It instructs you to allowlist the listed domains and IPs in your email gateway and firewall before the campaign launches, and includes a Copy all button that copies everything to your clipboard as a single, labelled block ready to paste into a ticket or email to IT.
In practice this card shows the same eight sending IPs. It has slots for domains as well, but the static domain list ships empty — because, as above, sender domains are per-template and are surfaced in the wizard rather than as a fixed global list. If both lists were ever empty, the card would instead read Safelist information is not yet configured. Contact your administrator for details.

Hand off to IT
Gather the values for what you're sending
Open the Review & launch step of the campaign wizard (for a manual campaign) or the Campaign Previews safelist card (for Autopilot). Click Copy IPs (wizard) or Copy all (previews) to grab the sending IPs, and note the sender domain shown for your template.
Send both to your IT or mail team
Give them two things: the sending IPs to allowlist, and the sender domain(s) for the template(s) you plan to send. Ask them to allowlist these in every layer that filters inbound mail — the email gateway, the spam filter, and the firewall. If they run a strict gateway or a specific mail security product, point them at the full safelisting guide linked from the wizard for app-specific instructions.
Confirm before you go live
Have IT confirm the changes are in place before you launch your first real campaign — or before an Autopilot program goes live. The cheapest way to verify is to send a small pilot campaign to a friendly group (for example, yourself and a couple of teammates) and check the email actually lands in the inbox, not in junk or quarantine.
Safelisting is not recipient-domain authorization
These are two different controls and it's easy to conflate them:
- Safelisting (this article) is something your IT team does on your infrastructure — telling your gateway and firewall to trust Hook's sending IPs and sender domains so simulations arrive.
- Recipient-domain authorization is something you do inside Hook, to prove you're allowed to send simulations to your users' email domains. That's a separate prerequisite handled in PhishingBox — see Authorize recipient domains.
You generally need both: authorize your recipient domains so Hook will send to them, and safelist Hook's sending domains and IPs so those messages aren't filtered on the way in.
Common pitfalls
- Skipping safelisting and trusting the metrics anyway. If sends are filtered, your results look great for the wrong reason. Confirm delivery with a pilot before reading any campaign as a real signal.
- Copying IPs but forgetting the domain. The wizard's Copy IPs button copies only the IPs. The sender domain is per-template — read it off the panel and include it in your handoff to IT.
- Assuming one safelisting covers every template. The IPs are constant, but a template that sends from a new domain needs that domain allowlisted too. When you introduce a new sender domain, send IT the new value.
- Confusing safelisting with recipient-domain authorization. They're separate steps in separate places (see above). Doing one does not do the other.
- Messages still landing in junk after allowlisting. If sends are delivered but filtered, or not arriving at all, work through Troubleshoot phishing delivery.
Related
Run a phishing campaign
Launch a simulation through the four-step wizard, where the safelist panel lives on the final step.
View campaign previews
See the Autopilot Campaign Previews page and its safelist card before a program goes live.
Authorize recipient domains
The separate step that approves your users' email domains in PhishingBox so Hook can send to them.
Troubleshoot phishing delivery
Diagnose simulations that get blocked, filtered, or never arrive.
Manage your phishing template library
Browse stock phishing templates, customize them for your org, save reusable variants, and prune the customs you no longer need.
Browse the training library and build a course selection
Explore the curated course catalog, filter and search, build a selection of up to 12 courses, and hand it off to the enrollment wizard.