Deliverability & domains
Land in the inbox, not the spam folder
A phishing test only teaches something if it arrives. PhishSpot provisions and monitors your sending domains end to end — DNS, authentication, TLS and filter whitelisting — so every simulation reaches the people you meant to reach.
Add a domain, and we handle the plumbing
Bring your own domain or lease one from us. PhishSpot provisions the full mail stack through Cloudflare and Postal — no DNS ticket, no waiting on IT.
- SPF, DKIM, MX and return-path generated and published automatically.
- TLS certificates issued and renewed for landing pages and tracking.
- Delegation and verification run in the background and report status as they complete.
- One place to see every domain, its role, and whether it is ready to send.

Everything that keeps you out of the spam folder
Domains, authentication, monitoring and filter whitelisting — managed as one system, not a pile of DNS records.
Three kinds of domain
Platform domains host your landing pages, Secured domains are ones you verify and control, and Custom (BYOD) sending domains are fully managed on your behalf.
BYOD sending domains
Bring a domain you already own. We provision it for sending and keep it warm, so campaigns come from an address your people trust.
Authentication, automatic
SPF, DKIM, MX and return-path records are created and published through Cloudflare and Postal — correctly, every time.
Hourly health checks
Every domain is re-checked each hour: delegation, DNS records, mail flow, SSL, and expiry via RDAP. Problems surface before a campaign does.
Spam-filter whitelisting
Export ready-made allow-list rules in ten formats — Microsoft 365, Google Workspace, Mimecast, Proofpoint, Postfix, SpamAssassin, plus raw TXT, JSON, CSV and Markdown.
Auto-refreshing whitelist
A webhook keeps your whitelist current as sending IPs and domains change — set it once and forget the maintenance.
Delegate once, we handle the records
Point your domain’s nameservers at us a single time. From then on, every record a simulation needs is created, verified and kept healthy automatically.
- Copy two nameservers into your registrar — that’s the whole manual step.
- We watch delegation propagate and confirm the domain the moment it is live.
- DNS, mail and TLS records are managed for you and re-verified every hour.
- Expiry and RDAP checks warn you well before a domain lapses.

Deliverability, explained
How do you keep simulations out of the spam folder?
Two ways. First, we provision each sending domain with correct SPF, DKIM, MX and return-path records and valid TLS, so mail is properly authenticated. Second, we generate ready-to-apply whitelist rules for your mail security — Microsoft 365, Google Workspace, Mimecast, Proofpoint and more — so your gateway trusts the campaign IPs and domains. A refresh webhook keeps those rules current.
Do I have to touch DNS myself?
Only once. You delegate the domain by copying two nameservers into your registrar. After that PhishSpot creates and maintains every record for you and re-checks them hourly.
What’s the difference between Platform, Secured and Custom domains?
Platform domains are ours and host landing pages out of the box. Secured domains are ones you own and verify so we can use them safely. Custom (BYOD) sending domains are your own domains, provisioned end to end for sending and fully managed.
How will I know if a domain breaks?
Every domain is health-checked every hour across delegation, DNS, mail flow, SSL and expiry (via RDAP). If something drifts, it’s flagged in the dashboard before it can affect a live campaign.
Deliverability you don’t have to babysit
Connect a domain and let PhishSpot handle DNS, authentication, TLS and whitelisting — so your simulations always arrive.

