Should I use shared IP addresses for phishing simulation emails?

Summary

Experts and email marketers overwhelmingly advise against using shared IP addresses for phishing simulation emails. This consensus is driven by the potential for significant damage to sender reputation, leading to blacklisting and deliverability issues that impact all users sharing the IP. Key recommendations include using dedicated infrastructure (separate IPs and domains), limiting sending scope, avoiding tracking mechanisms, adhering to bulk sender guidelines, and carefully planning simulations to minimize negative repercussions and ensure compliance with organizational policies and legal regulations.

Key findings

  • Reputation at Risk: Shared IPs for phishing simulations can severely damage sender reputation.
  • Blacklisting Threat: Recipient reports can lead to IP blacklisting, affecting all users on that IP.
  • Dedicated Infrastructure Needed: Dedicated IPs and domains are crucial for isolating simulations.
  • Tracking Leaks Infrastructure: Click and open tracking point back at the sending platform's hostnames; leaving it out keeps the infrastructure unidentifiable and the test results clean.
  • Careful Simulation Planning: Poorly planned simulations can backfire, causing frustration and reputational harm.
  • SPF Scope: An include: mechanism authorizes every address the third party lists, now and after their record changes; with a dedicated IP, authorize that address directly with ip4:/ip6: instead.

Key considerations

  • Dedicated Setup: Implement dedicated IPs and domains specifically for phishing simulation campaigns.
  • Limited Sending: Restrict sending to a single, controlled receiving domain for safety.
  • Tracking Avoidance: Disable tracking mechanisms within simulation emails.
  • Adherence to Guidelines: Comply with bulk sender guidelines and relevant regulations.
  • Careful Planning: Plan simulations thoughtfully to minimize disruption and maximize employee education.
  • Transparent Communication: Inform employees about the simulations beforehand to avoid unnecessary stress.
  • Reputation Monitoring: Continually monitor sender reputation and deliverability metrics.

What email marketers say
9 marketer opinions

The consensus is that using shared IP addresses for phishing simulation emails is generally not recommended due to the potential negative impact on sender reputation and deliverability. These simulations can lead to recipients reporting the emails as spam or phishing, resulting in IP blacklisting and affecting other users sharing the IP. Dedicated infrastructure and careful planning are advised to mitigate these risks.

Key opinions

  • Reputation Risk: Phishing simulations on shared IPs can damage sender reputation, leading to deliverability issues.
  • Blacklisting: Recipient reports of phishing attempts may cause the shared IP to be blacklisted.
  • Impact on Others: Negative consequences can extend to other users sharing the IP address.
  • Need for Isolation: Dedicated infrastructure is recommended to isolate phishing simulations from regular email traffic.
  • Careful Planning: Poorly executed simulations can backfire and damage employee trust and company reputation.

Key considerations

  • Dedicated Infrastructure: Consider using dedicated IPs and domains specifically for phishing simulations.
  • Careful Planning: Thoroughly plan the simulation to avoid causing undue stress or frustration among employees.
  • Limited Scope: Limit sending to one receiving domain for safety and control.
  • Transparency: Communicate the purpose of the simulation to employees beforehand to manage expectations.
  • Compliance: Ensure simulations comply with organizational policies and legal regulations.
Marketer view

Email marketer from SearchSecurity explains that using shared IP addresses for phishing simulations could lead to the IP being blacklisted if recipients report the emails as phishing, affecting other users on the shared IP.

November 2021 - SearchSecurity
Marketer view

Email marketer from Mailjet emphasizes that maintaining a good sender reputation is key for email deliverability. Using shared IPs for phishing simulations may damage this reputation if the emails are flagged as spam, thus impacting other users sharing the same IP.

March 2023 - Mailjet
Marketer view

Email marketer from Heimdal Security responds that if phishing simulations are not conducted carefully, they can backfire and lead to a negative impact on the company's reputation and the trust of its employees. Always use a dedicated IP to isolate these tests.

September 2024 - Heimdal Security
Marketer view

Email marketer from Email Geeks shares that sending should be limited to one receiving domain used by test subjects as a safety net, and that this is something they would do as an ESP employee after confirming the legitimacy of the case.

April 2024 - Email Geeks
Marketer view

Email marketer from SaneBox responds that poorly planned phishing simulations can backfire, leading to employee frustration and potentially damaging the company's reputation if the simulation is too realistic and causes undue stress. They suggest careful planning and communication.

October 2022 - SaneBox
Marketer view

Email marketer from Reddit shares that performing phishing tests on shared IP addresses is risky, as negative feedback (spam reports) can negatively impact the IP's reputation, affecting the deliverability of other users' emails. They recommend using a separate IP range.

September 2024 - Reddit
Marketer view

Email marketer from SecurityStackExchange discusses the ethics of phishing tests, noting that even if the test is for a good cause, it may have unintentional consequences, like the IP address used being reported and blacklisted by users.

March 2022 - SecurityStackExchange
Marketer view

Email marketer from Proofpoint shares that using dedicated infrastructure for phishing simulations ensures that any negative impact on IP reputation does not affect legitimate email traffic. They also recommend segmenting users for targeted simulations.

November 2023 - Proofpoint
Marketer view

Email marketer from InfoSec Institute explains that performing simulated phishing attacks from the same infrastructure as production emails is not a good idea. You could potentially flag your domain and IP address as malicious, especially if there is no warning to the targets of the simulation.

January 2022 - InfoSec Institute

What the experts say
5 expert opinions

Experts strongly advise against using shared IP addresses for phishing simulations due to the risk of damaging sender reputation and impacting other users on the shared IP. They recommend using dedicated infrastructure, including separate IPs and domains, and avoiding practices that could lead to misclassification or identification of the sending source. Furthermore, using dedicated IPs allows more control over sender reputation.

Key opinions

  • Shared IPs Risky: Shared IP ranges should not be used for phishing simulations due to potential damage to sender reputation.
  • Dedicated Infrastructure: Dedicated IPs and domains are crucial for isolating phishing simulations.
  • Tracking Avoidance: Do not add click tracking or open-tracking URLs; they can skew the test and leave the sending platform's hostnames in the message.
  • Direct IP for Dedicated: With a dedicated IP, list that address (ip4:/ip6:) in the SPF record rather than an include:, so the record authorizes only the simulation infrastructure and does not inherit whatever the included domain publishes.
  • Reputation Control: A dedicated IP gives more control over sender reputation.

Key considerations

  • Separate IPs and Domains: Set up dedicated IPs and domains specifically for phishing simulations to prevent impact on regular email traffic.
  • No Tracking: Ensure that tracking mechanisms are disabled to avoid leaving traces of your infrastructure.
  • SPF Configuration: Publish an SPF record for the simulation domain that names the dedicated IP directly (ip4:/ip6:) rather than an include:, so authorization stays limited to the simulation infrastructure.
  • Reputation Monitoring: Monitor the sending IP's reputation and blocklist status throughout the phishing test.
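To make the SPF point above concrete, the following Python script is an added example; it is not code from Email Geeks or any other source quoted on this page. It flattens an SPF record by following include: mechanisms, using a constructed in-memory table in place of DNS TXT lookups so that it runs offline. The domain names and addresses in that table are assumed (documentation ranges and names). It shows why a dedicated simulation domain should list its own IP with ip4:/ip6: rather than include: a platform record: the include inherits every network the third party lists, including networks the third party itself includes, and that set changes whenever their DNS does.

```python
"""Flatten an SPF record and show how a sending IP gets authorized.

Added example: the DNS data below is a constructed in-memory table that
stands in for TXT lookups, so the script runs offline.  Domain names and
addresses are assumed (documentation ranges and names).
"""
import ipaddress
import re

DNS_TXT = {
    # Dedicated simulation domain authorizing only its own dedicated IP.
    "phish-sim.example.com": "v=spf1 ip4:203.0.113.10 -all",
    # Same intent, but delegating to a shared platform's record instead.
    "delegated.example.com": "v=spf1 include:_spf.esp.example -all",
    # The platform's record: a shared range, itself delegating further.
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 include:_spf2.esp.example ~all",
    "_spf2.esp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # A self-referencing record, to exercise the lookup limit.
    "loop.example": "v=spf1 include:loop.example -all",
}

MECHANISM = re.compile(r"^([+\-~?]?)(ip4|ip6|include|all)(?::(.+))?$")
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying mechanisms is permerror


def expand_spf(domain, path=(), lookups=None):
    """Yield (qualifier, network, path) for each ip4/ip6/all term reachable
    from `domain`.  `network` is None for `all`.  `path` is the chain of
    include: domains the term came through; () means the domain's own record.
    Only passing matches inside an include count, and they take the include's
    own qualifier, as RFC 7208 section 5.2 specifies.
    """
    lookups = [0] if lookups is None else lookups
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return
    for term in record.split()[1:]:
        match = MECHANISM.match(term)
        if not match:
            continue  # a, mx, exists, redirect= and exp= are out of scope here
        qual, mech, arg = match.group(1) or "+", match.group(2), match.group(3)
        if mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise ValueError(f"more than {MAX_LOOKUPS} DNS lookups: permerror")
            for inner_qual, net, inner_path in expand_spf(arg, path + (arg,), lookups):
                if net is not None and inner_qual == "+":
                    yield qual, net, inner_path
        elif mech == "all":
            yield qual, None, path
        else:
            yield qual, ipaddress.ip_network(arg, strict=False), path


def check_sender(domain, ip):
    """Return (result, include_path) for `ip` sending as `domain`."""
    ip = ipaddress.ip_address(ip)
    for qual, net, path in expand_spf(domain):
        if net is None or (net.version == ip.version and ip in net):
            return QUALIFIER[qual], path
    return "neutral", ()  # no mechanism matched and no `all`: neutral per RFC 7208


def inherited_networks(domain):
    """Networks `domain` authorizes only because someone else's record lists them."""
    return [(str(net), path) for _, net, path in expand_spf(domain) if net is not None and path]


if __name__ == "__main__":
    for dom in ("phish-sim.example.com", "delegated.example.com"):
        print(dom, "inherits:", inherited_networks(dom))
        for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.7"):
            print("  ", ip, check_sender(dom, ip))
```

Run against the constructed table, phish-sim.example.com inherits nothing and passes only its own address, while delegated.example.com passes two whole /24s it never wrote down, one of them two includes deep; the loop.example entry shows the RFC 7208 lookup limit turning a self-referencing include into a permanent error.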
Expert view

Expert from Word to the Wise explains that sending any type of mail, including phishing simulation, from shared IP addresses carries the risk of damaging sender reputation if the messages are misclassified by recipients, hurting deliverability for other senders on the shared IP.

September 2023 - Word to the Wise
Expert view

Expert from Email Geeks advises that if a client is on a dedicated IP, don't use an include: use the actual IP because includes are AWFUL and a security risk.

May 2024 - Email Geeks
Expert view

Expert from Word to the Wise notes that using a dedicated IP allows more control over sender reputation, which is crucial for managing any potential negative impact from sending phishing simulations. If you are sending these types of email, ensure you isolate it to a dedicated IP.

January 2025 - Word to the Wise
Expert view

Expert from Email Geeks explains that shared IP ranges should never be used for phishing simulations. The client should have their own IPs, domains and not host landing pages on the infrastructure.

December 2022 - Email Geeks
Expert view

Expert from Email Geeks warns to be very careful not to add tracking to links or open tracking URLs. This is partly because it may mess up their test, but mostly to ensure there’s no trace of the hostnames.

April 2021 - Email Geeks
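The two safety nets raised above, sending only to the one receiving domain used by the test population and keeping tracking and platform hostnames out of the message, can both be checked before a campaign goes out. The Python pre-send lint below is an added example, not code from Email Geeks or any vendor; the receiving domain corp.example, the dedicated domain phish-sim.example.com, the shared-platform hostnames under sharedesp.example and the draft message itself are all constructed for the example.

```python
"""Pre-send lint for a phishing-simulation draft.

Added example, not vendor code.  The receiving domain, the dedicated
simulation domain, the shared-platform hostnames and the draft message
are all constructed for illustration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

RECEIVING_DOMAIN = "corp.example"            # assumed: the one domain whose users are in the test population
SIMULATION_DOMAIN = "phish-sim.example.com"  # assumed: dedicated domain for links, images and sending identity
# Headers that routinely carry a sending platform's hostnames.
LEAKY_HEADERS = ("Message-ID", "Return-Path", "List-Unsubscribe", "X-Mailer", "Feedback-ID")

ATTR_URL = re.compile(r"""\b(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)
IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
DIMENSION = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.I)
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def on_simulation_domain(host):
    host = host.lower()
    return host == SIMULATION_DOMAIN or host.endswith("." + SIMULATION_DOMAIN)


def lint_simulation_message(raw):
    """Return a list of (kind, detail) findings; an empty list means the draft passes."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Safety net: every recipient must be inside the single receiving domain.
    for name in ("To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            for addr in header.addresses:
                if addr.domain.lower() != RECEIVING_DOMAIN:
                    findings.append(("recipient-domain", addr.addr_spec))

    # 2. Headers that would reveal a shared platform behind the message.
    for name in LEAKY_HEADERS:
        for value in msg.get_all(name, []):
            for host in HOSTNAME.findall(str(value)):
                if not on_simulation_domain(host):
                    findings.append(("header-leak", f"{name}: {host}"))

    # 3. Every link and image must stay on the dedicated domain.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    for url in ATTR_URL.findall(body):
        host = urlparse(url).hostname
        if host and not on_simulation_domain(host):
            findings.append(("foreign-host", url))

    # 4. Open-tracking pixels (1x1 or 0x0 images), wherever they are hosted.
    for tag in IMG_TAG.findall(body):
        src = ATTR_URL.search(tag)
        dims = {k.lower(): v for k, v in DIMENSION.findall(tag)}
        if src and dims.get("width") in ("0", "1") and dims.get("height") in ("0", "1"):
            findings.append(("tracking-pixel", src.group(1)))
    return findings


# Constructed draft: a simulation composed on a shared platform, which leaks the
# platform through its headers and tracking pixel and has a stray external recipient.
DRAFT = """\
From: IT Service Desk <helpdesk@phish-sim.example.com>
To: alice@corp.example, bob@corp.example
Cc: partner@vendor.example
Message-ID: <abc123@mail.sharedesp.example>
Return-Path: <bounce-42@mail.sharedesp.example>
List-Unsubscribe: <https://tracking.sharedesp.example/u/42>
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. <a href="https://login-verify.phish-sim.example.com/r/42">Renew it now</a>.</p>
<img src="https://tracking.sharedesp.example/open/42.gif" width="1" height="1">
<img src="https://login-verify.phish-sim.example.com/logo.png" width="120" height="40">
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in lint_simulation_message(DRAFT):
        print(f"{kind:16} {detail}")
```

On the constructed draft the lint reports the outside recipient, the three headers that name the shared platform, the off-domain pixel URL and the 1x1 image itself; the landing link and the logo on the dedicated domain pass. A sending pipeline would refuse the campaign while the list is non-empty.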

What the documentation says
5 technical articles

Technical documentation from AWS, Microsoft, Spamhaus, RFC Editor and Google recommends against using shared IP addresses for phishing simulations. These simulations can be perceived as undesirable, leading to blacklisting, deliverability issues, and damage to sender reputation for all users on the shared IP. Compliance with organizational policies, legal regulations, and bulk sender guidelines is emphasized, along with the use of dedicated infrastructure to avoid these consequences.

Key findings

  • Reputation Control: Dedicated IP addresses offer greater control over sender reputation, critical for activities like phishing simulations.
  • Risk of Blacklisting: Shared IPs used for unsolicited emails (including simulations) risk being added to blocklists, impacting all users.
  • Compliance Required: Phishing simulations must adhere to organizational policies, legal regulations, and bulk sender guidelines.
  • SPF Is Not Reputation: SPF only states which IPs may send for a domain; a passing SPF result does nothing to protect a shared IP's reputation once recipients report the messages.
  • Undesirable Activity: Receivers and blocklist operators may treat phishing simulations as unwanted mail regardless of the sender's intent.

Key considerations

  • Dedicated Infrastructure: Utilize dedicated IP addresses to isolate phishing simulations and prevent unintended consequences.
  • Reputation Monitoring: Monitor sender reputation metrics to ensure deliverability and address any issues promptly.
  • Policy Adherence: Ensure that phishing simulations align with all relevant organizational policies and legal frameworks.
  • Bulk Sender Guidelines: Follow established bulk sender guidelines, even for simulations, to maintain email deliverability.
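Reputation monitoring, recommended several times on this page, at minimum means checking whether the sending IP has been listed. The Python below is an added example (not AWS, Spamhaus or Google code) that builds the reversed-address query name used by DNS-based blocklists and interprets the answer using the Spamhaus ZEN return codes as Spamhaus documents them; verify those codes against their current table before relying on them. The resolver is injectable and the block carries a constructed answer table so it runs offline. With the real resolver, note that Spamhaus answers 127.255.255.254 to queries that arrive through public resolvers; the code surfaces that as an error rather than mistaking it for a listing.

```python
"""DNSBL lookup for a sending IP, with the Spamhaus ZEN return codes.

Added example, not Spamhaus, AWS or Google code.  The answer table at the
bottom is constructed so the script runs offline; pass the default
resolver (socket.gethostbyname) to query for real.
"""
import ipaddress
import socket

ZEN = "zen.spamhaus.org"

# Meaning of ZEN answers per Spamhaus documentation; check their current table before relying on this.
LISTING_CODES = {
    "127.0.0.2": "SBL: Spamhaus Block List",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe sender",
    "127.0.0.4": "XBL: exploited or compromised host",
    "127.0.0.5": "XBL: exploited or compromised host",
    "127.0.0.6": "XBL: exploited or compromised host",
    "127.0.0.7": "XBL: exploited or compromised host",
    "127.0.0.9": "SBL: DROP/EDROP range",
    "127.0.0.10": "PBL: ISP-maintained policy listing (end-user range)",
    "127.0.0.11": "PBL: Spamhaus-maintained policy listing",
}
# Answers that mean the query itself was rejected, not that the IP is listed.
QUERY_ERRORS = {
    "127.255.255.252": "malformed query",
    "127.255.255.254": "query came from a public/open resolver; use your own resolver or a DQS key",
    "127.255.255.255": "query volume exceeded",
}


def dnsbl_name(ip, zone=ZEN):
    """Build the reversed-address query name: octets reversed for IPv4,
    all 32 nibbles reversed for IPv6, followed by the list's zone."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def check_ip(ip, zone=ZEN, resolve=socket.gethostbyname):
    """Return (listed, reason).  `resolve` maps a name to an A record and
    raises socket.gaierror on NXDOMAIN, as socket.gethostbyname does.  A list
    may return several A records; gethostbyname shows only the first."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False, "not listed"
    if answer in QUERY_ERRORS:
        raise RuntimeError(f"{zone} rejected the query: {QUERY_ERRORS[answer]}")
    if not answer.startswith("127."):
        raise RuntimeError(f"unexpected answer {answer} from {zone}: wildcarded or dead zone?")
    return True, LISTING_CODES.get(answer, f"listed with undocumented code {answer}")


# Constructed answers standing in for real DNS, so the example runs offline.
FAKE_ANSWERS = {
    "10.113.0.203.zen.spamhaus.org": "127.0.0.3",        # the shared IP picked up a CSS listing
    "5.100.51.198.zen.spamhaus.org": "127.255.255.254",  # lookup went through a public resolver
}


def fake_resolve(name):
    if name in FAKE_ANSWERS:
        return FAKE_ANSWERS[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for addr in ("203.0.113.10", "192.0.2.1", "198.51.100.5"):
        try:
            print(addr, check_ip(addr, resolve=fake_resolve))
        except RuntimeError as err:
            print(addr, "error:", err)
```

Run this on a schedule against the dedicated simulation IP (and, if a shared range is still in use, against every IP in it) and alert on any transition from not listed to listed; the rejection answers are worth alerting on too, since they mean the monitor has silently stopped seeing listings.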
Technical article

Documentation from Microsoft explains that phishing simulations should comply with organizational policies and legal regulations. They advise using dedicated infrastructure to prevent unintended consequences like IP blacklisting, which can affect genuine email traffic.

July 2021 - Microsoft Learn
Technical article

Documentation from Google emphasizes that bulk sender guidelines should be followed for all emails, including phishing simulations. If an IP address is flagged as sending unwanted mail, it will hurt the deliverability of the sender. Google recommends all email simulations be done on a separate dedicated IP.

September 2022 - Google
Technical article

Documentation from RFC Editor explains that SPF records help establish sender legitimacy. However, even with SPF, if a shared IP is used to send phishing simulations, it can still negatively impact the sender's reputation and cause deliverability issues.

May 2021 - RFC Editor
Technical article

Documentation from AWS explains that dedicated IP addresses provide more control over sender reputation, which is crucial when conducting activities that might be perceived as undesirable, such as phishing simulations. They recommend monitoring reputation metrics to ensure deliverability.

November 2022 - AWS Documentation
Technical article

Documentation from Spamhaus details that shared IPs used for sending unsolicited emails (even in the context of phishing simulations) may be added to their blocklists. This can significantly impact deliverability for all users on that IP.

May 2023 - Spamhaus