An integrated threat protection solution designed to detect, investigate, and respond to cyber threats across Microsoft 365 services.
Hi Collins Igwubor,
Welcome to Microsoft Q&A forum.
I understand your frustration at the moment with this issue. Here are some troubleshooting steps you can try to resolve the issue.
Verify Advanced Delivery Configuration
- Triple-check entries:
  - Sending IP: Must match the public IP of your GoPhish server (use curl ifconfig.me from the server to confirm).
  - Sending Domain: Should be the exact domain in the From: header (e.g., @simdomain.com), not just the root domain.
  - Custom Header: Ensure the header key/value (e.g., X-PhishSim: true) is identical in both Defender and GoPhish (case-sensitive).
- Portal Path: Microsoft 365 Defender > Policies & rules > Threat Policies > Advanced delivery (under "Rules" section) > Phishing simulation.
Check Email Authentication
- SPF Record: Confirm your GoPhish server's IP is explicitly included in the SPF record of the sending domain. Example: v=spf1 ip4:<GoPhish_IP> include:_spf.microsoft.com ~all
- DKIM: Ensure emails are signed with DKIM using a valid selector. Verify with tools like MXToolbox.
- DMARC: Policy should be p=none or p=quarantine (not p=reject) during testing. Use DMARC Inspector to validate.
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above links.
Inspect Email Headers
Retrieve headers from a quarantined email (via Defender Quarantine):
- Look for X-Forefront-Antispam-Report or Authentication-Results headers.
- Key clues:
  - SFV:SPM (Spam) or SFV:SPO (Spoofing) indicate filtering issues.
  - CIP:<IP> should match your allowed IP.
  - Check if Authentication-Results shows spf=pass, dkim=pass, dmarc=pass.
Troubleshoot Delivery Issues
- Message Trace (via Exchange Admin Center):
  - Filter by sender/recipient to see the delivery path and blocking reason.
  - Look for events like "High confidence phishing" or "Filtered as spam".
- Temporary Bypass: Test with a safe sender list (add GoPhish IP/domain to Tenant Allow List under Defender > Policies & rules > Threat Policies > Tenant Allow/Block Lists).
Hope this helps. Feel free to get back if you have other questions.
Best regards,
Kai Ho | Microsoft Q&A Support Specialist
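The header checks from the "Inspect Email Headers" step, as an added example that is not part of the original answer: it parses a quarantined message's headers and lists every mismatch against the Advanced delivery entries. The function name `triage`, the sample headers and the address 203.0.113.10 are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample headers, not taken from a real message.
SAMPLE = (
    "From: IT Support <it@simdomain.com>\n"
    "To: user@contoso.com\n"
    "X-PhishSim: true\n"
    "Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=simdomain.com;"
    " dkim=fail (no key for signature) header.d=simdomain.com;"
    " dmarc=pass action=none header.from=simdomain.com\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;SCL:5;SFV:SPM;"
    "H:mail.simdomain.com;CAT:SPM;DIR:INB;\n"
    "\nBody\n"
)

# The two SFV values named in the answer above.
FILTER_VERDICTS = {"SPM": "spam", "SPO": "spoofing"}

def triage(raw, allowed_ip, allowed_domain, sim_header):
    """Return a list of mismatches between the headers and the allow entries."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:value fields.
    report = str(msg.get("X-Forefront-Antispam-Report", ""))
    fields = dict(p.strip().split(":", 1) for p in report.split(";") if ":" in p)
    sfv = fields.get("SFV", "")
    if sfv in FILTER_VERDICTS:
        findings.append(f"SFV:{sfv} ({FILTER_VERDICTS[sfv]} verdict)")
    if fields.get("CIP") != allowed_ip:
        findings.append(f"CIP:{fields.get('CIP')} != allowed {allowed_ip}")
    # spf, dkim and dmarc must each read "pass" in Authentication-Results.
    auth = str(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech}={results.get(mech, 'missing')}")
    # From: domain and the custom header key/value are compared exactly.
    sender = msg["From"]
    domain = sender.addresses[0].domain if sender and sender.addresses else None
    if domain != allowed_domain:
        findings.append(f"From domain {domain} != allowed {allowed_domain}")
    if sim_header not in [(k, str(v)) for k, v in msg.items()]:
        findings.append(f"header {sim_header[0]}: {sim_header[1]} not present")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE, "203.0.113.10", "simdomain.com", ("X-PhishSim", "true")))
```

An empty list means the headers agree with every entry; any item returned points at the setting to recheck.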