KnowBe4 SPF and DKIM Setup

Add KnowBe4 to Your Sender Policy Framework (SPF) Record

A Sender Policy Framework (SPF) record is a list of mail servers and domains that are allowed to send emails on your behalf. Adding KnowBe4 to your SPF records allows us to send simulated phishing emails on your behalf and reduces the chance that these emails will be marked as spam or phishing.

To allow KnowBe4's mail servers to send emails on your behalf, add the following line of text to your SPF record:

include:_spf.psm.knowbe4.com

For an example of an SPF record that includes the line of text, see below. The following example uses Google Workspace as the mail server and our US IP addresses:

v=spf1 include:_spf.google.com include:_spf.psm.knowbe4.com ~all

After you update your SPF records, we recommend that you send yourself a test phishing email that spoofs your domain. If you have successfully added KnowBe4 to your SPF record, the email should not go to your Spam folder or be flagged as malicious.

Add KnowBe4’s IP Addresses to Your SPF Record

If you have already added 10 DNS lookups to your SPF record, you’ll need to add our IP addresses to your SPF record. For a list of our IP addresses, see our Whitelisting Guide.

For an example of an SPF record that uses our IP addresses, see below. The following example uses Google Workspace as the mail server:

v=spf1 include:_spf.google.com ip4:23.21.109.197 ip4:23.21.109.212 ip4:147.160.167.0/26 ~all

After you update your SPF records, we recommend that you send yourself a test phishing email that spoofs your domain. If you have successfully added KnowBe4 to your SPF record, the email should not go to your Spam folder or be flagged as malicious.

Enable and Customize DKIM Signatures

KnowBe4’s training emails contain a line of text called a DomainKeys Identified Mail (DKIM) signature that proves it is an authentic KnowBe4 email. We also have the option to enable this feature for phishing emails, if you would like. This guide will show you how to enable DKIM signatures for phishing emails from KnowBe4 and how to use an allowed domain as a custom DKIM signature for both training and phishing emails.

Enabling DKIM Signatures for Phishing Emails

By default, all KnowBe4 training emails contain a DKIM signature, but phishing emails require the account owner to enable this feature first. See below for steps on how to enable DKIM signatures for phishing emails.

1. Log in to your KnowBe4 account.
2. Click on your email in the top-right corner and click Account Settings.
3. Under the Phishing Settings section, select the Enable DKIM Signature check box.

1. Click Save Changes at the bottom of your Account Settings page.

All KnowBe4 phishing emails will now contain KnowBe4’s signing domain and can be used to verify if a phishing email is from KnowBe4 or if it is a real phishing attack. See the section below for information on how to customize the signing domain for phishing and training emails.

Using Custom DKIM Signatures in KnowBe4 Phishing Emails

After enabling DKIM signatures, your organization can adjust the signing domain for your organization’s needs. To use your own signing domain for phishing emails, follow the steps below:

1. Log in to your KnowBe4 account.
2. Click your email in the top-right corner of the page and select Account Settings.
3. Under the Phishing Settings section, select the Enable DKIM signature check box if you haven’t enabled DKIM signatures already.
4. Click Use Your Own Signing Domain.

1. Choose the domain you want to use. To add a domain to this drop-down menu, you will first need to add an allowed domain in your KnowBe4 account. For more information, visit our How to Add and Verify Domains article.

1. Click Create a DKIM Selector for This Domain.

1. Copy the host name and values provided in the fields of the pop-up window.

1. Navigate to your DNS provider and add a TXT record containing the copied information.

1. Once you’ve created the TXT record in your DNS provider, click OK in the DKIM Selectors Details window in your KSAT console.
2. Click Save Changes at the bottom of your Account Settings page.

Using Custom DKIM Signatures in KnowBe4 Training Emails

You can also use custom DKIM signatures for your training emails. To use your own signing domain in training emails, follow the steps below:

1. Log in to your KnowBe4 account.
2. Click your email in the top-right corner of the page and select Account Settings.
3. Under the Training Settings section, select the Enable Custom DKIM Signature check box if you haven’t enabled DKIM signatures already.

1. Choose the domain you want to use. To add a domain to this drop-down menu, you will first need to add an allowed domain in your KnowBe4 account. For more information, visit our How to Add and Verify Domains article.

1. Click Create a DKIM Selector for This Domain.

1. Copy the host name and values provided in the fields of the pop-up window.

1. Navigate to your DNS provider and add a TXT record containing the copied information.

1. Once you’ve created the TXT record in your DNS provider, click OK in the DKIM Selectors Details window in your KSAT console.
2. Click Save Changes at the bottom of your Account Settings page.

For further assistance with this feature, please contact our support team and they will be happy to help.